ML20062E917
| ML20062E917 | |
| Person / Time | |
|---|---|
| Site: | Yankee Rowe |
| Issue date: | 11/15/1990 |
| From: | Jeffery Grant YANKEE ATOMIC ELECTRIC CO. |
| To: | Sears P Office of Nuclear Reactor Regulation |
| References | |
| BYR-90-150, NUDOCS 9011260188 | |
| Download: ML20062E917 (87) | |
Text
_
=
i YANKEE ATOMIC ELECTRIC COMPANY "C"ll'.s'e'0"*;*'"
g y~~~~.g.
580 Main Street, Bolton, Massachusetts 017401398 e
November 15, 1990 BYR 90-150 United States Nuclear Regulatory Commission Document Control Desk Washington, DC 20555 Attention:
Mr. Patrick Sears Senior Project Manager Division of Reactor Projects - I/II Office of Nuclear Reactor Regulation
References:
(a) License No. DPR-3 (Docket No. 50-29)
(b) Yankee letter to NRC, dated December 20, 1989 (c) NRC Letter to Yankee, dated July 22, 1990 (d) Yankee Lotter to NRC, dated October 16, 1990
=
Subject:
Response to NRC Request for Additional Information Regarding the YNPS Severe Accident Closure Submittal
Dear Mr. Sears:
In Reference (d), Yankee idet.tified its schedule for responding to the staff's request for additional information regarding the YNPS Severe Accident Closure Submittal (Reference (b)). In keeping with that schedule, please find responses to those questions in List (1) of Reference (c) regarding Yankee's Individual Plant Examination (IPE), with the exception that the response to-Question No. 22 will be submitted by December 31, 1990.
2 As noted in Reference (d), we will respond to the remaining questions (Nos. 1, 2, 4, 5, 6, 7, 9, 10, 11, 25, 26, 29, 31, 32, 34) in List (1), which relate to Containment Parformance Improvement (CPI), in the February 1991 time frame. We will be prepared to discuss responses to questions in List (2) and List (3) after December 15, 1990. We request that phone calls and/or meetings, as appropriate, be scheduled by the NRC on, or as soon as possible after, December 15, 1990.
With regard to the IPE External Events (IPEEE), we request the NRC provide the date for issuance of staff questions on the IPEEE portion of our December 20, 1989 submittal to aid us in allocating resources for review and resolution.
Finally, we request a meeting with the NRC in the first quarter of 1991 to discuss the Accident Management content of our submittal and the basis for NRC closure of severe accideuts for Yankee.
Sincerely, p 90il h9
'IIl-D~
go112(+h3.05,00 ne M. Grant ppc PDR S nior Engineer j
F icense Renewal Activities di JMG/gjt/WPP77/215
,I
{
Attachacet
t
}
Question 3 Page 10-4 of PSS:
You acknowledge that "there is a high likelihood of the operating staff of YNPS taking action to align and actuate manual systems."
Are there approved procedures in i
place for taking these actions?
Response 3 Page 10-4 of the PSS identifieu certain systems which were not credited and other systems for which recovery was not credited, in the baseline core damage sequences for the PSS (Section 8.0 " Event Trees").
This information was provided to support the statement that there are conservatisms-in the core damage sequences.
l Approved procedures are-in place for several of these systems.
There are also other systems and actions not identified which demonstrate conservatism and have approved. procedures.
The following table provides identification of which systems, although not credited, are proceduralized.
i l
{-
i i
l
l o
~
Table 3.1 I,
ACTIONS NOT CREDITED BUT PROCEDURALIZED i
i l
EMERGENCY OPERATING PROCEDURE
- ACTION ECA-1.1 Loss of Emesgency Coolant Recirculation I
Charging System to Primary (for LOCAs)
FR-C.1 Respet5e to inadequate Core Cooling FR-H.1 Response to Loss of Secondary Heat Sink FR-C.1 Response to inadequale Core Co 74 i
Emergency FeedwaterTo Primary Ernergency Feedwater with Safe Shutdown System Secmdary ECA-0.0 Loss of all AC Power ECA-0.1 Loss of all AC Pcwor, Recovery without Si required Makeup Pump ECA4.2 Loss of all AC Power Recovery with Si required FR-H.1 Response to Loss of Secondary Host Sink ECA-1.1 Loss b? Emergency Coolant Rocinz/mtion Addition of Makeup to Safety Inl action Tank i
l l
l-n...,
w f
_ouestion 8 Page 10-88 of PSS:
You appear to censider containment isolation failure about half-way through your event trees.
The most
(
Normally it is considered much earlier in the event tree.
important time to consider this so-called " beta" failure mode is for cases that would otherwise not fail, that is those that result
)
in Release Cat. 15 from Event Tree Figure 10-6.
f Why did you exclude containment isolation failure from the most benign and most probable release category?
Also, noting the Event Tree in Figure 10-9, why do you assign a release category of i
15 to a situation where you have a f ailed containment, only passive containment cooling, and a 3 MW heat source in containment?
How does 98% of the noble gases remain in the containment?
I Response 8
\\
The answer to this question
- involves, in
- essence, an explanation of the " containment isolation failure" event for YNPS.
As indicated in Chapter 9 " Fault Trees" section 9.4;6 " Containment Isolation System (CIS), page 9-39:
"A single CIS fault tree was drawn with the top event the failure to isolate all paths from the VC atmosphere to the outside atmosphere.
The probability of this occurrence was required by the containment event trees discussed in Section 10.
A review of the valves closed by the CIAS indicated that there are no CIS valves which control lines that connect the - VC atmosphere to the outside atmosphere.
However, there are four valves that control lines which are periodically open to the atmosphere for-testing or sampling purposes.
In each case, there is a manual valve (or valves) downstream of-the CIS valve which is normally closed but is opened for.
the periodic testing.
The CIS valves analyzed were: VD-TV-203, SA-TV-213, HV-SOV-1, and HV-SOV-2."
- Thus, only these four valves were modeled to contribute 'to
)
" containment isolation failure".
Any other valve failure in CIS
e, j
would also require an additional breach of the closed loop system in which the valve functions, to result in containment isolation failure.
(This information is also discussed in Appendix B
" Detailed System Fault Tree Analysis" section B.4.',3 "CIS Fault l
Tree Development", pages 158,159.)
The four valves indicated are:
(1)
VD-TV-203 Pressurizer Capillary Bleed (2)
SA-TV-213 Bleed Line Sample (3)
AV-SOV-1 Containment Hydrogen Vent (4)
HV-SOV-2 Containment Hydrogen Vent
_}
valve 1 controls a capillary with' insignificant flow.
Valve 2 is in a 3/8" line.
Valves 3 and 4 are in 2" lines.
Therefore, failure of any of these valves would result in negligible to minor flow.
Further, YNPS is operated at positive pressure by technical specification (minimum 0.75 psig to maximum 3.0 psig), which would I
indicate any prior failure of especially the larger two valves.
Note also that valves 1 and 2 do not specifically, connect VC atmosphere to outside atmosphere but require primary boundary -
breach to establish this path.
Therefore, without occurrence of the event
" containment isolation failure", leakage is based on technical specification leakage of 0.2% by weight of containment air per 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> at 31.6 psig, and even with " containment isolation failure" the leakage-rate is still minor as described above.-
Thus, both events were 4
l-assigned to release category 5, "Radionuclide release
...without I
containment failure" described in section 10.9.1'." Methodology for l
Quantifying Release Frequencies", page l'0-96 as well as described in Chapter 11.0 " Fission Product Release and Behavior", page 11-11.
It should also be noted that the dominant contributor to
w
" containment isolation failure" was valve SA-TV-213 failure to l
close on demand coupled with manual valve SA-HCV-210 downstream l
L being in the open position (94.9% of total).
This is-in the 3/8" line, reinforcing the minimal consequence of this event.-
Regarding 98% of the noble gases remaining in containment for release category 5,
Chapter 11.0 " Fission Product Release-and Behavior", section 11.4 " Discussion of Results", page 11-11 states l
l release category (RC5) represents accident sequences in which core melt occurs but containment integrity is preserved.
Release occurs due to normal leakage from the containment.
The release allowable fractions for RC5 are much smaller than those for any of the other release categories."
l
- thus, "The resulting atmospheric releases of the various-radionuclide groups for.'the six release categories are shown in Table 11-5.
For all of the release categories, for RCS, essentially all of the noble gas core except inventory is released into the atmosphere."
Note that Table 11-5 indicates RC5 has a release fraction for noble gases of 0.02, i
_ ~
L.
QUESTION 12 Provide a thorough discussion to justify why the Yankee IPE was performed using a PRA that is out-of-date.
l.
t Discuss how Yankee incorporated the most current design and operations information into the IPE and whether the results and conclusions presented reflect the current plant.
Certify that the IPE represents the as-built, as-operated plant.
Provide the basis for conclusion that the IPE as submitted accounts for the effect of all modifications made to the plant subsequent to the freezing of the design (1981) to perform the Yankee Rowe PSS. Your IPE submittal (Section 3.3.4) describes several plant modifications performed since publication of the PSS in 1983. Provide a concise list of all safety related-plant modifications (both those motivated by the PSS and those made for other reasons) since 1981 (when the PSS design was frozen) and describe the potential downside, if any, of these modifications.
RESPONSE 12 The Individual Plant Examination (IPE) canducted as part of the Yankee Nuclear l
Power-Station Severe Accident Closure Submittal is based on current methods using the most current design and operations information for 'he plant. The conclusions presented refleet the current plant.
The Yankee Severe Accident Closure Submittal.("tre Submittal") includec as a part of its basis the Yankee Nuclear Power Station (YNPS) Probabilistic. Safety Study (PSS) docketed.on January 3, 1983 and ass 1ciated ongoing programs.
l Section 3.3.4 (" Confirmation of PSS Results") of the IPE portion of the Submittal summarizes the impact of examples of' plant modifications implemented since publication of the PSS.
l l
l WPP44/117 4
A.
Plant Modifiestion Evsluations Each change to the plant since publication of the PSS has been evaluated with no resulting change in the conclusions of the PSS. These evaluations consisted of assessment of each plant change for impact on-any segment of the analysis, specifically:
Initiating Events Data Accident Event Trees System Fault Trees-Core, Vessel, and Containment Response Fission Product Relesse and Consequence Analysis Since the evaluations of plant changes did not impact the validity'of the-PSS, the IPE, which is based on the PSS and these ongoing evaluations, also reflects the current plant design.
B.
PSS Review Note that the major plant modifications since publication'of the PSS have been made for purposes of external events.
In particular, the' addition of the dedicated Safe Shutdown System and the seismic modifications constitute the majority of changes at the plant, both in terms of positive impact on safety and analysis extent / modification cost. Each of these modifications has been specifically probabilistically evaluated.
These and other external modifications and analyses are listed and described in Section 4.0 of the Submittal.
1 Section 3.3.4 also describes an additional' formal internal review of the Level I and II portions of the PSS itself which has been.in process since' 1987 and which is documented in internal' calculation files and notebooks. As noted in Section 3.3.4,'this additional review is being perf ormed:
l l-WPP44/117 1
- et
i I
To update the models to reflect the current plant configuration and operating history (e.g., addition of the Safe Shutdown System and other plant modifications listed in Section 3.3.4).
To update methods to allow future modifications in the plant to be more readily incorporated.
l To enhance and extend the scope of the study.
i To train additional personnel in support of YNPS.
Results to date have not altered the conclusions of the PSS.
In particular,Eby updating the PSS Models to reflect the. current plant configuration during this formal internal review,-we have confirmed that the cumulative effects of the modifications have not altered the conclusions of the PSS docketed in 1993.- (Note:
Lach modification has been evaltated as a part of our ongoint program, individually and.
cumulatively, using the YNPS PSS prior to instr.11ation.).The review and-update of the PSS has accounted for the integr ated cumulative change because it consists of the following:
1.
Initiating Events Review and update of plant and ludustry generic data which has l
confir-
- ompleteness of initiating events categorization and has not appreciably changed initiating event frequencies.
For example, update of the initiating' event data with almost ten additional years of-history continues to support the' fact that no unrecovered loss of feedwater-has occurred at YNPS. This, coupled with inspection of industry LOCA data, confirms the continued dominant contribution of-
)
2.
Data l
Review aad update of plant-specific and industry-generic data including systems, common cause and human performance data, which WPP44/117
?.
has not appreciably altered plant specific failure rates and indicates that the YNPS PSS human performance modeling is cons e rvative. For example, similar to initiating events, the inclusion of approximately an additional ten years of history in the~
data used for quantification of all systems continues to confirm the dominance of ECCS Systems (HPSI, LPSI, Recirculation) contribution to core damage frequency.
3.
Accident Event Trees Review and conversion of e' cent trees from modular to functional as-well as verification that conversion of E0Ps from procedure / event-based to standardized symptom / critical safety function-based has not resulted in' change to PSS conclusions.
4.
System Fault Trees Review and conversion of dependency treatment, from Fussell-Vesely factors to an auxiliary event tree approach, as well as expansion and revision of systems modeled to account for plant modifications j
since the issuance of the YNPS PSS, resulting in same dominant system contributions to core damage frequency (HPSI, LPSI, Recirculation).
1 5.
Core Vessel and Containment Responses Analysis of results of Level II portion of PSS'on a separate effects basis as described in the containment performance. improvements l
portion of the Submittal (Section 5) resulting-in direct. potential and actual modificationa as described in the section.
Section 3.7 " Ongoing IPE/PRA Programs" of the YNPS Severe' Accident Closure Submittal included commitment via a formal procedure, PRA 13
" Review of Plant Changes and Documents," to continue the process of 1
L regularly reviewing plant documents and chtnges for impact on the-PSS'in the future.
WPP44/117 J
cy Also, in response to an NRC ' request for comments on the " Risk-Based Inspection Guide" produced for NRC by EG&G Idaho, Inc., Yankee provided -
an additional evaluation of plant changes since publication of the YNPS PSS and the reason for the changes. The review of changes included a summary of' additional insights.
Thus, the IPE is based on current methods and information and has been performed on the most current design of the plant. This is because tre IPE is based on use of the PSS which has been evaluated fer and used to evaluate plant changes and has recently been subjected. to.a formal and ongoing review.
The following table provides a concise list of all major safety-related plant modifications (both' those motivated by the PSS and those made for other reasons) since 1981 and an evaluation of the safety impact of each. The table is an expanded format and content version of the evaluation of significant changes presented in Section 3.3.4 (Pages 15 and 16) of the submittal and includes those items.
Plant Modificatio-Year Safety-Impact Improvement Downside Additions Improvement by Additional:
1.
Containment Isolation 83 Containment Isolation None Valves capability l
2.
Four Emergency 84 Secondary Heat Remov01 Increased l
Atmospheric Steam Dump
- Steam Removal Capability Probability Valves of Minor Cooldown 3.
Shutdown Cooling Valve 84 Prevention of' Interfacing None Interlock LOCA, Primary Reactivity l
and Inventory Control Capability 4.
Safe Shutdown System 86 Secondary Heat Removal and None Primary Inventory Cr.ntrol Capability Replacements-Improver.ent by' Increasing:
5.
Battery. Chargers No. 1 84 DC Sy', tem Reliability None and No. 2 6.
Feedwater Control 85 feedwater Control System None System Reliability WPP44/117-
l Plant Modification Year-Safety Impact j
Improvement Downside i
7.
Pressurizer Safety 86 Primary Pressure Control.
None Relief Valves 8.
Safety-Injection System 87 Primary Inventory Control None i
Relief Valves 9.
Battery No. 3 89 DC System Reliability
.None
- 10. Emergency Diesel 90 Emergency Power Reliability None Generators Upgrades Improved Reliability oft
- 11. Seismic Upgrade for 80/86 Seismic Capability None l
Battery Racks, EFW l
System, Hot Shutdown System, Etc.
- 12. Station Vital Bus 85 Instrumentation / Human None Actions
- 13. Emergency Diesel 85 Emergency Diesel Gererator.
None Generator Cooling Support Systems /Erergency System and Ventilation Power
- 14. Safety Injection 85 Long-Term Core Heat Removal.
None Building Ventilation.
- 15. Reactor Protection 86:
-Reactor _ Protection System None-System (RPS)
- 16. Turbine Trip Logic 87 Reactivity. Control and None Rractor Pressure Vessel e
Integrity
- 17. Nuclear Instrumentation 90 lieactor Protection Systen None i
I f
WPP44,117
QUESTION 13 Discuss how an indep*:. cent in-house review was conducted to ensure the accuracy of the IPE documentation package and to validate both the IPE process and its results. Provide, as a minimum, a description of the internal review performed, the results of the review team's evaluation, and a list of the review team members.
Describe the walkthrough/walkdown activ. ties (e.g., initial walkthrough for plant familiarization; special ones to verify logic trees, dependencies, or aspects of systems interactions; to exa.mine spatial interactions such as internal flooding) including scope and team makeup. Describe Yankee Nuclear's involvement in the plant walkthrough/waikdowns.
RESPONSE 13 A.
An independent in-house revi1w of the four part Severe Accident Closure Submittal, including the IPE was conducted.
In particular, the primary 'ceference for the IPE, the Yankee Nuclear Power Station (YNPS) Probr.bilistic Safety Study (PSS), was extensively reviewed; and the PSS contains a description of the review.
PSS Early in the study, the PSS plant system descriptions, logic models (system f ault trees and accident-event trees) and success criteria were reviewed by Design, Operations, Maintenance, and Analysis personnel both in formal sessions and via informal communications. Luring development of the PSS, sessions to review event trees and initiat.ng events were conducted.
Fic. ally, at the end of the study, a three-week, independent formal review session of the YNPS PSS was condiwted by plant and corporate office personnel. Design, Operacions, Maintenance, and Analysis personnel were the independent reviewers.
This review is WPP44/117
l documented in f.d.les and in an audio recording of the discussions.
Recommendations from this review were incorporated in the final PSS.
As noted in Section 3.3.2, "YNPS Probabilistic Safety Study (Pge),o a further independent review of the PSS was conducted by a Technical-Review
~
Board of acknowledged experts who impartially critiqued 'the PSS. - The reviewers wen- (Section 3.3.2.1):
Professor Norman C. Rasmussen, Massachusetts Institute of Technology.
Dr. Salomon Levy, S. Levy Incorporated.
Mr. Garry Thomas, Electric Power Research Institute (EPRI).
Dr. Robert L. Ritzmann, Science Applications Incorporated (now EPRI).-
Example comments involved reconnendations to investigate impacts-of spatial interactions of initiating events on systems performance, as well as to investigate loss of DC.
These investigations were performed and are included in Appendix G, " Environmental and DC Power Top Event Reviews." The entire record of their comments and resolutions is documented in our files.
SEVERE ACCIDENT CLOSURE SUBMITTAL In addition to the continuous review process described _in the response to Question 1, en internal review of the four-part Severe Accident Closure Submittal was also conducted and consisted of comments and resolution by.
authors and non-participants at the' outline, development and final document stages. Table 1 provides the reviewers titles, disciplines, j
functional positions and their independence status correlated with the sections they critiqued. The results of the reviewer's evaluations are retained in files and are reflected in the submittal made to NRC on December-12, 1989.
hTP44/117
I i
TABLE 1 Severe Accident Closure Submittal Review Matrix Submittal
_Section
_ Title / Discipline / Functional Position Participant Independent Full 3 Executives Submittal X
2 Project Managers X
2 Generic Licensing Engineers X
X Nuclear Engineering Dept. Director X
Manager PRA X
Plant Superintendent YNPS X
Manager of Operations YNPS X
Lead Engineer Lic. Renewal / Severe Accidents YNPS x
PRA Engineer YNPS X
Lead PRA Engineer Maine Yankee X
Consultant Containment X
IPEEE Manager Environmental Engineering x
IPEEE Lead Mechanical Engineer (Seismic) YNPS x
IPEEE Lead System Engineer YNPS x
AM Lead Engineer Seabrook Project l
AM X
Manager Emergency Planning AM Emergency Planning Engineer l
X AM Lead Transient' Analysis Engineer YNPS x
FZRES/AM Fire Specialists X
WPP44/117
TABLE 1 (Continued)
Severe Accident Closure Submittal Review Matrix Submittal Section Title / Discipline / Functional Position Participant Independent x
CPI /AM Manager Transient Analysis x
CPI /AM Lead PRA Engineer Vermont Yankee
?
hTP44/117 1
l B.
All systems at Yankee included in the PSS and IPE have been walked down-by Yankee Analysts, Systems Engineers, and/or_ Plant Personnel. The walkdowns performed in supportlof the PSS were:
Systems walkdowns performed in support of the fault tree models l
(PSS, Chapter 9).
A spatial interactions walkdown performed to determine the environmental effects (e.g., steam or other line breaks) on equipment which was modeled or which could cause an initiating event (PSS, Appendix G).
Subsequent walkdowns in support of the review and update of the'PSS l
described in the response to Item _ A above have also been performed.
Specifically, as part of the Systems' Analysis Review and Update all' systems were walked down by Yankee PRA Analysts.
In addition, a comprehensive spatial interactions walkdown including additional external hazards (such as fire, internal flood) has also been performed by Yankee -
PRA Analysts, Systems Engineers, and Plant Personnel. 'These walkdowns were performed per a formal procedure PRA Ol', "PRA System Walkdown -
1 Procedure," and are documented in system and spatial effects notebooks.
This procedure provides instructions for planning.and performing system walkdowns.
The basic steps are tot Gather and review information pertinent to systems being walked down.
Consolidate information into a pre-walkdown ct.cklist organized in the order of the planned walkdown path.
Record information rec,uired on walkdown form during the walkdown.
Both sets of walkdowns (PSS and PSS review / update) in conjunction with the ongoing verification investigations per another formal procedure, PRA 13 " Review of Plant Changes and Documents," describedoin the response WPP44/117 t
e v
+
-~-
~
t -
to Item A above constitute the process to confirm that the IPE/P SS represent the as-built, as-operated plant (to account for the impact plant modifications).
of l
l
'Y i
l l
l 9
WPP44/117-F e-e y-m., -
--e-----
QUESTION 14 Provide a thorough discussion of the evaluation of the decay heat removal function to address resolution of the USI A-45 " Decay Heat Removal Requirements." The discussion should identify and quantify the contributions of USI A-45 to core damage frequency or unusually poor containment performance.
EESPONSE 14 Generic Letter No. 88-20 requests that potential decay heat removal vulnerabilities be identified, as part of the IPE, to resolve Unresolved Safety Issue (USI) A-45, " Shutdown Decay Heat Removal Requirements."
It' also provides decay heat removal insights in an appendix. Generic Letter No. 88-20. Supplement No.1, requests evaluation of the decay heat removal function.
The decay beat removal function has been evaluated as part of the PSS/IPE and no vulnerabilities have been identified.
The basis is as.follows:.
An inspection of the dominant contributors to core melt frequency in the PSS results in the following conclusions:
The overall YhPS decay heat removal capability is high because of the low total core damage frequency.
Major contributors (although on an absolute basis low) are LOCAs and ECCS.
Specifically, PSS Table 8-2, " Initiating Event Importance Ranking with Respect to Core Melt Frequency," Table 8-3, " Dominant Accident Sequences and Their Contributions to Core Melt Frequency" and Table 8-4, " System Contributiona to Core Melt Frequency," all indicate the' dominance of LOCAs and ECCS. However, the absolute values of the contributions of LOCAs and ECCS'are seen to be very low. Other initiators and systems which.can affect the decay heat removal i
l l
WPP44/117 s
l function essentially do not appear at any significant level in the list of I
contributors to core damage frequency.
l The specific reasons for this are:
1 l
A low frequency of transient initiating events. For example, no l
unrecovered loss of feedwater in 29 years of operation.
Diverse and mitigative secondary heat removal system (more than 10 trains of feedwater delivery capability and multiple delivery paths).
}.
Three (3) emergency diesel generators.
A separate dedicated Safe Shutdown System with its own diesel generator.
A full feed and bleed capability. (ECCS through the PORV as well as charging pumps which can lift the PORV or the pressurizer code safety valves.)
Simple design, including passive containment heat removal (no spray).
Minimal reliance on support systems (e.g., air cooling of diesel generators, ECCS and electric emergency feedwater pumps).
Car ned main coolant pumps.
Substantial thermal hydraulic margins (e.g., large primary volume, large secondary heat capacity, large containment free volume to core thermal power ratio).
Note that several enhancements to the ECCS System have already been incorporated as a result of these PSS findings and are listed in Item'1 of Table 3-9 of the Submittal, specifically:
Relief valves changed.
Check valves investigated.
Ventilation modified.
WPP44/117
Alternative recirculation path f rom containment ' implemented.
High pressure header division from low pressure header.
Resolution of Unresolved Safety Issue (USI) A-45, " Shutdown Decay Heat Removal l
Requirements," is' summarized in Section 3.6 of the Submittal which indicates l
l that the diversity, high reliability, and extensive capability for shutdown
(
decay heat removal at YNPS is based on the following design features:
Multiple cooling sources.
Multiple pumps.
l l
Multiple flow paths.
t.
Section 3.6 of the' Submittal also lists the items which were addressed in the resolution based on the guidance provided both in the Generic Letter E8-20 Appendix 5 insi hts and in NUREG/CR-5230, " Shutdown Decay Heat Removal 6
Analysis Plant Case Studies and Special Issues."
Specifically, the following items were addressed:
Insight / Item Treatment / Disposition Included in Analysis, LOCAs Dominated
Minimal: Support System Reliance at Plant Support System Design and l
Reliance YNPS
- Human Performance
- Errors of-Omission Modeled
- Selected Actions Credited in PSS, Recovery Actions Section.13.3.3, " Core Melt Frequency Sensitivity to Recovery and Operator Errors in Responding to Events" Explicitly Modeled as a Separate
- Loss of Off-Site Power Event Tree Full Capability exists at 1WPS
" Feed and Bleed" Capability ECCS Enhancements Incorporated
- Cost Effective Improvements Thus, the investigation of potential decay heat removal vulnerabilities (none-identified), consideration of prior decay heat removal insights and evaluation of the decay heat removal function as requested in Generic Letter 88-20 and WPP44/117
--~
e-O l
l Supplement No. 1 have been performed during the plant-specific YNPS PSS and l
IPE. Therefore, USI A-45, " Shutdown Decay Heat Removal Requirements," is i
resolved for YNPS.
l l
l L
l 1
'i l'
l.
l WPP44/117 l
.I
i
\\-
coastion 15 l
l The Safe Shutdown System (SSS) appears to enhance Yankee's safety capability significantly, especially with regard to external events.
Provide the probabilistic assessment of the availability of the SSS and treatment for human recovery actions at the SSS for the leading sequences requiring use of the facility.
Response 15 Total unavailability of the Safe Shutdown System (SSS) was quantified using a fault tree.
Results are presented below:
1 Total unavailability:
8.3 E-2 Major contributors:
(1)
SSS Diesel Generator failure to run (24 hrs.)
65%
(2)
SSS Diesel Generator failure to start 14%
(3)
Human error to start and align system 9%
(4)
SSS secondary make-up pump failure to' start 5%
Quantification is based on both plant-specific and generic data.
i Human action to start and align system is part of SSS Fault Tree Model.
Note:
The Safe Shutdown System is not credited in " internal events" analysis because system installation was finished in 1986, after YNPS PSS was completed. 'In the seismic and tornado /high wind analysis, unavailability of the syste:i was estimated since the SSS i
was not yet fully accepted.
l Tornado /High Wind:
SSS Unavailability = 1.0 E-2 l
Seismic:
SSS Unavailability = 1.0 E-1 i
l
In the seismic study, human error to align system correctly was modeled separately and quantified to be 1,73 E-2.
l l
[
}
^l b
i 4
l 1.
ggg3 tion 16 (A) Define core damage as used in the Yankee IPE.
(B) Provide a descript' ion of how vulnerabilicies were defined and; identified, (C)
Discuss the fundamental causes of-any vulnerabilities identified.
(D)
List the core damage and containment failure sequences that were selected by the screening criteria (Appendix 2) of Generic Letter 88-20.
(E) Provide a concise discussion of the level at which the criteria were applied (e.g.,
system or train).
Response 16 (A)
Core damage is the condition of-the reactor fuel which results from f ailure to maintain the following - critical safety functions
+
for a period of 24. hours (minimum) :
1.
Reactivity Centrol 2.
Core Cooling 3.
Primary Inventory Control, (B). The NRC policy statement on severe reactor accidents defined
" vulnerability / outlier" as possible significant risk contributors (sometimes called outliers) - that might' be plant specific and might be missed absent a systematic search".
Generic l
Letter 88-20 states that for the IPE,L ".... reporting guidelines include:
a concise discussion of the criteria used by the utility to define vulnerability.
. the utility should decide if it has identified a specific vulnerability.
The YNPS IPE: consists of the plant specific internal events l
PRAs and NRC reviews cited :in Section 3.3 ~ of the submittal.
Vulnerabilities would be, as stated
- above, plant specific 4
l significant risk contributors.
(C)
No vulnerabilities were found.
Key or dominant contributors
to core damage frequency were determined via the andyses, even though on - an absolute basis they are very lor.
Improvement opportunities for some key contributors were thus identified, and l
selected modifications have already been made.
(Table 3-9 ' of Submittal)
The decision process on whether an identified potential change is warranted is depicted in Figure 1 and the criteria are detailed in Table 1.
(D)
The tables on pages 2-15 and 2-17 of the PSS provide core melt frequencies and release frequencies ranked by initiating event.
The core damage. frequencies represent the gun of all functional sequences stemming from;each initiating event.
On a best estimate basis or " expected" level as specified in GL 88-20,' Appendix 2, none of the sequences exceeds reportino selection criteria numbers 1,
3, or 4 since-the sum'of all sequence Lby initiator do not exceed the criteria..Similarly, on a best estimate basis, Table 3-8 of the submittal, which is also the: sum of sequences by initiator, indicates only LOCAs and ATWS (marginally) and Reactor Vessel Rupture exceed recortino selection criterion number 2, and were thus included <in the submittal.
Note that Reactor Vessel Rupture does not appear in the' conservative assessment and is on an absolute basis very low.
Sequence sums by initiator were used and L
individual. sequences were not' listed (although, they 'are available in Table 8-3) since all-were low in absolute-frequency.
Nevertheless, Table 3-9 of the submittal lists modifications /
lessons /uses which have resulted, demonstrating actual performance which satisfies the intent of criterion 5.
k
l (E)
Note that had any initiating event. category exceeded the criteria, its dominant sequences would.have been investigated at the system and/or train level, both of which are variously modeled, to determine if any significant' contributors existed.-
.i l
1 h
)
t l
, j-l
1 l
DEPICTION OF DECISION PROCESS i
[
N Establish d I
- Saseline i.
Risk &
Contributors
'r g
a r
3 Yes Yes STOP Consensus 4
Insignificant r
(Document)
(
)
L i
i i No w
i denty Q
- Design, Enhancement j
t j
Operations, etc j
r Opportunities Input
/
( neluding Grouping)
No r
a Makes 3
i F
's e
Doit Benefi est en e (Best Estimate)
(Peer Appraisal)j No l
9P Yes I
^ Pass Cost T Benefit Test (Conservative
( Estimate) ;
No mr F
r Cheaper 3 Makes 3
Broader '
Yes L to do than g Doit-pursue -
Sense-r (Peer Appraisal) i t
further
-j
't No No:
STOP (Document)
Figure 1
~
Table 1 DECISION CRITERIA if < $ 1000/ person DoIt Unless:
Extenuating Circumstances:
Personnel Health $ Safety (ALARA)
Economics if > $ 1000/ person Do Not Do It Unless:
Absolute $ Low, with positive safety value Cheaper to do than to analyze i
4
f i
i j
Ouestion 17 The IPE Generic Letter requested licensees to discuss unique plant features that contribute significantly to improved or reduc 9d
)
core damage frequency or good containment performance.
Although your IPE submittal did not address this area explicitly, we believe l
that there are several plant features (e.g.,
the Safe Shutdown System and the passive vapor Containment) that should be highlighted.
Provide a concise discussion of those unique plant features that Yankee Rowe believes provide a substantial safety benefit. Describe those features that require special attention by operating personnel.
Response 17 The following is a concise discussion of YNPS unique plan *,
features that contribute significantly to improved or reduced core damage frequency or good containment performance.
Features that require special attention by cperating personnel are addressed.
(A)
The Safe Shutdown System (SSS) provides a remote, indepencent, additional means of primary inventory, pressure and reactivity control capability as well as an additional secondary heat removal capability.
The SSS has independent instrumentation, motive / control power and water source (Fire Water Storage Tank -
FWST) and a separate building.
The SSS is designed for operation during fire or tornado /high wind or a seismic event or a flood.
The SSS consists of a positive displacement primary makeup pump with a Boron mix tank and a secondary makeup centrifugal pump, both taking suction from the FWST and both powered by an incependent diesel.
1 l
)
The SSS is placed into operation and alignment of flow paths is accomplished by manual operator actions.
(B)
YNPS has Main Co:11 ant System (MCS) loop isolation valves (one on each het and cold leg) which are used for MCS inventory control during a steam generator tube rupture event.
Each valve is remote manually operated from the control room.
Two separate switches must be operated to achieve movement of each valve, to minimize possibility of inadvertent closure.
(C)
YNPS has the capability to achieve Main Coolant System (MCS) inventory control by makeup to the primary system from several secondary systems.
Specifically, Main Boiler Feedwater, Electric Driven Emergency Feedwater or Steam Driven Emergency Feedwater are capable of_being manually aligned to supply MCS makeup.
(D)
Main Coolant System heat removal at YNPS is able to be accomplished by use of the charging pumps in conjunction with either the PORV or the Pressurizer Code Safety Valves.
These positive displacement pumps are capable of lifting either of these type of valves.
(E)
Secondary Heat Removal and Inventory Control may be accomplished at YNPS by uss of Alternate Emergency Steam Generetor I
Feedwater, in addition to normal Emergency Feedwater.
These systems include the Safety Injection System or Charging System aligned to feed a steam generator, the Safe Shutdown System, previously mentioned, as well as use of the condensate pumps if the l
steam gemrators are depressurized.
The systems are manually aligned by the operators via either the normal-feedwater paths or via the Steam Generator blowdown paths.
~
f I
(F)
The containment function at YNPS is accomplished by a Vapor Container (VC) which requires no spray System to dissipate containment atmosphere heat, since it is capable of passive heat transfer through the uninsulated VC metal which dissipates heat to the ultimate heat sink (the outside atmosphere).
Since it is passive, no operator actions are required.
(G)
Recirculation at YNPS is possible via normal ECCS recirculation or by an alternate recirculation using the charging pumps which are remote manually aligned by the operators.
(E)
YNPS has canned Main Coolant Pumps because of its low thermal power ratings.
Thus, it is not susceptible to a Main Coolant Pump Seal LOCA, which results in a significant reduction in overall risk.
(I)
There is minimal reliance on support systems by frontline systems at YNPS.
Examples are Emergency Diesels, Emergency Core Cooling System Pumps and Electric Driven Emergency Feedwater Pumps which do not rely on Component Cooling Water.
(J)
YNPS has substantial margin to design limits.
Examples are i
larger than typical Primary System volume, Secondary System Heat Capacity and Inventory as well as containment free volume to core size ratio.
4
I ouestion 18 Provide train level dependency tables / matrices for dependencies between front-line and support systems as well as for i
dependencies among support systems.
(Note :
this is not a single-failure analysis.)
Particular attention should be paid to de power, component cooling, service water, room cooling, control air l
and pump lubrication.
Identify where sper.1 dependencies were accounted for in the IPE internal events evaluation.
What sequences leading to core damage were affected by spatial dependencies?
Response 18 Dependency matrices for systems and components are given in YNPS PSS (Table 8-1 or B-3; "YNPS System Interdependency Matrix" and Table B-2/ "YNPS Component Interdependency Matrix").
The dependencies were not treated as the frontline-frontline or frontline-support system dependencies because that methodology was not available in time when the original YNPS PSS was completed.
In the YNPS PSS, system interdependencies were addressed at three points:
(1)
Initiating event dependencies were included in event trees.
(2)
Environmental effects of the initiating events were also addressed and quantified.
(3)
Shared component dependencies were addressed during the quantification of the event trees.
The system dependencies were incorporated in event tree quantifications by using Fussel-Vesely importance measures and a pairwise approximation (probability of the entire sequence is set equal to the probability of the minimum pair, where a pair is
defined as a common functional f ailure contribution b0tw;cn two systems).
Conservatism of this approach is proved through ongoing YNPS PSS update where frontline/ support system methodology is applied.
Dependencies between electrical buses (involving de buses) and
f rontline" systems are defined in Table 18.1, from Table B-2, YNPS PSS. Effect of losses of component cooling, service water, control air and heating, ventilation and air conditioning (HVAC) on YNPS systems are defined in Tables 18.2, 18.3, 18.4 and 18.5, respectively.
As it can be seen from the tables, those systems have a
high redundancy and diversity of back-up systems.
Therefore, dependency between them and "frontline" systems is only minor.
Spatial dependencies were accounted for in an Environmental 1
Effects study (Chapter 6.5 and Appendix G, YNPS PSS).
A vital areas analysis was performed for each of the initiating events that could create an auverse environment.
For each unique location and initiating event, the top events of the event tree were examined to:
define equipment and instrumentation in the area, determine-if equipment / instrumentation is qualified for
+
environment, determine if equipment / instrumentation is affected,
+
determine effect severity,
+
determine if the operator is restricted from operating
+
necessary equipment locally.
If possible adverse effect was identified, the failure l
probability of the system was set to 1.
If this resulted in a
]
=
w,-
substantial impact on the core melt frequency, the important I
systems were carefully reviewed to assess the realistic impact and the core melt frequency was recalculated.
The results of a quantitative analysis of the possible environmental effects associated with each initiating event are summarized in Table 18.6.
l
-l i
)
l l
I I
i i
1 i
O
Table 18.1 YNPS Interdependency Matrix Between Electrical Components and Systems i
(frem Table B-2, YNPS'PSS)
Systere Fault Trees Component Component r,n LB Type Descr.
CIS 1,l'SI 11PS I ACC Rectrc. SIT 05G 2tU 11il CSD ERF IIFU NRY RPS Recire.
81AS N
Elec.
480V Bus a
__t> _ _b_
- J:
Buses &-
6-3 Ibtor 480V Dos 3t c_o_O R
l Contr61 4-1 Centers 480V Bus
);
c._o-o
<t-T-3 l
~
5-2 g
400Y Emerg.
M J t_.__
y Jc t
x Dus E-1 480V Emerg.
)t
-K. _ _
_ _ __.);_
q, jt Bus E-2 480V Emerg.
W
);_ _
. r __
I hs E-3 l*
EtCC1
~
l-x ->
~ EIEC2 125V Bus -B
_._.) t r_2_
_jt y
I 125V Vital Bus n
y 125V.DC nos-1 jt at it_);
3;
-wr
=
y 125V DC Dus 2 5
)[
y_
___ __ y; 4,
_Jr n.
125V DC Bus 3 -h j[
y; y;
A
=
125V DC Mus 3A-
_) (
10C1 Bus *.
~
j
,fEC1 Bus 2 llCC2 Bus 1 o
? - f-20C4 Bus 2 O
- - P-IEC4 Bus 2 3
2400Y Bus 2 2400V Bus 3 x-> ;-
1 Component Failure will cause system failure o
Component Failure alone will not cause system failure x
Table 18.2 Effects of Loss of Componenc Coolino System Effect_
Main Coolant Pumps
_Back-up 3
Pump will be ir. operable within 3 minutes of loss of An alternate source is Cooling Water available (Fire Protection System),
connections are provided and they are re dundant, O*t if loss is unrecoverable, plant will be brought to a normal shutdown condition by nonnal means on natural circulation Shutdown Cooling Cooler /
Low Loss of Cooling Water Pressure Surge Tank Cooler Alternate r,ources are available through hose connection to Fire System, j
OR i
If loss is unrecoverable, YNPS procedures provide for alternate methods of cooling the MCS:
(1) Primary Feed and Bleed (2) Restoring SG Cooling l
l
Table 18.3 Effects of Loss of Se mice Water System Effect Back-up Boiler Feedwater Pumps Loss of Cooling Water to Electric and Steam Driven the Lube Oil Coolers Emergency Feedwater pumps, ECCS and CVCS pumps Charging Pumps Loss of Cooling Water to The Speed Controllers can the Speed Controllers of be manually locked at full the No.
I and No.
3 speed Charging Pumps Component Cooling Coolers Results in Loss of Cooling Fire System connection from Water to Primary Plant fire house to Service Water Components.
Require side of cooler could shutdown of Main Coolant restore cooling with fire Pumps water Shutdown Cooling Pumps Loss of Cooling Water to Fire System Connection can Mechanical Seal and the provide diverted water for Lube Oil Coolers limited service Low Pressure Surge Tank Loss of Cooling Water to Fire System Connection can Cooling Pumps the Mechanical Seal and the provide diverted water for Lube Oil Coolers limited service Control Air Loss of Cooling to Control No. 1 and No. 2 Compressors Air Compressors can be supplied with Emergencf Cooling from the Fire Syr. tem Turbine Bypass Loss of SW implies Loss of EASD end SG SVs Circulating Water and Loss of Control Air resulting in Loss of Auxiliary Steam, this results in Loss of Condenser Vacuum e
-s m
y
_,e
i Table 18.4 Effects of Loss of Control Air System _
_Effect Charging Pumps Back-up Disables Speed Controllers of the No.
I and No.
3 The Speed Controllers Charging Pumps (they fail be manually locked at full can as is) speed Turbine Bypass Loss of Control Air results in Loss of Control for with Could be operated locally Turbine Bypass, also handwheel, Turbine can result in Loss of Condenser Bypass is backed Vacuum motor up by due to Loss of operated Atmospheric Emergency Auxiliary Steam Steam Valves and Steam GeneratorDump Main Feedwater Controllers Code Safety Valves Loss of Control Air results in Loss of Main Controllers Feedwater Main Feedwater Controllers are backed up by manual operator control of the VC Isolation Trip Valves Flow Control Valves Loss of Control Air effects many vital VC Isolation For some valves Control Air Trip Valves (fail closed) is backed up by an alternate standby nitrogen system, Valves fail closed
- Steam Driven Emergency on Loss of Air Feedwater - Steam Supply Disables the Steam Reducer from the Main Steam Boiler Operator repositions the 3 (AS-TV-405) way valve to supply nitrogen from the Emergency Station (Control Air is backed up by nitrogen i
system, AS-TV-405 also has a manual bypass valve)2
.e.puz i
m.,.fp fu
i Table 18.5 Effects of Loss of Heating, Ventilation and Air Conditioning (HVAC)
System Effect Back-up Main Control Board (MCB)
Loss of MCB AC can result Opening of both MCB Doors in slow heatup and (proceduralized) provides instruments drift and suf ficient flow for cooling t
possible failure Main Control Room (MCR)
Loss of MCR AC can result Opening of the door to to in sinw heatup, affecting Southwest (SW) staircase instruments and operator and the door from SW actions staircase to outside, (or East turbine floor doors) will provide natural circulation cooling Switchgear Room (SWGR)
Loss of SWGR ventilation Opening of the door to SW will result in slow heatup, staircase (and door from SW which in long
~ ' rm may staircase to outside) or affect equipment the door to turbine building will provide natural circulation cooling Turbine Building (TB) Pump Can result in overheating Opening of TB doors or Room of BFW pumps running of fans of BFW pumps SI Building Loss of HVAC results in Opening of building heatup, slow if injection louvers, door to PAB, 53 DG
- mode, rapid if in cubicle door to outside, recirculation node Battery Room 3
- door, running of DGs with door open (riote:
HVAC is two train system)
NRV Enclosure Loss of ventilation - NRVs Opening of the door and failure hatch Loss of heating NRVs Portable H(ater failure y
gy
>n y -.
p
o Table 18.6 Frecuenev of Environmental Induced Secuences l
Calculated frequency of environmental Initiatine Event induced secuences leadine to core melt.
Excessive Cooldown 4
Insid: Ovatainment 1.9 x 10 4 Outside Containment 1.8 x 10
+
Steam Line Break 5.3 x 104 Very Small LOCA Negligible Omall LOCA No Effects 4
Intermediate LOCA 7.5 x 10 Oteam/Gezierster Tube Rupture No Effects Plant Trip No Effects Loss of AC Power No Effects Decrease in Feedwater Flow Pipe Breaks inside VC No Effects
+
Pipe Breaks outside VC 4
and Turbine Building 1.0 x 10 Pipe Breaks inside the
+
Turbine Building 5.3 x 10d Decrease in Steam Flow -
Loss of Vacuum Fon-Pipe Breaks No Effects
+
Pipe areaks 1.0 x 10d Decrease in Steam Flow -
NKV Closure No Effects Decrease in Steam Flow -
Turbine Trip Ne Effects l
l l
1 l
l gggstion 19 Provide the appropriate minimum success criteria for event trees /fror4tline systems used in the IPE.
Indicate the basis for these criteria and the degree of conservatism (or whether best-estimate or optimistic) used.
Provide the success criteria for initiating events developed in the master logic diagram.
A statement for example that "high pressure safety injection (is required)" does not indicate if one, or three charging pumps are. required or if only two safety
- two, injection pumps are required or perhaps a combination of both is satisfactory.
Response 19 The minimum success criteria for event trees, frontline systems used in the IPE as well as their bases are p*.ovided in Chapter 9
" Fault Trees".
Specifically, Table 9-1 provides the YNPS System Failure Probabilities and provides the failure criteria for each l
system.
In addition, the corresponding text in sections 9.4.1 through 9. 4. 8, pages 9-14 thicugh 9-42, provides the bases for these criteria.
Chapter 13 " Sensitivity Evaluations" provides the degree of conservatism (e.g., in an additional set of evaluations, certain of the conservative system success criteria were replaced with best l
estimate criteria).
In particular, in section 13.3.2, pages 13-22 through 13-36, core melt frequency sensitivity to success criteria is thoroughly discussed.- The evaluation primarily addressed safety injection and charging system fai' lures for various LOCA sizes.
As stated in project approach, section 3.1.4 " Preparation of
Master Logic Diagram", the MLD "was used as the fundamental means of searching for accident initiating events.
In essence, it is a fault tree of the plant in broad overview with ' excessive off-site release' as the top event." The MLD is provided in figures 3-2 and 3-3 on pages 3-57,58.
The 27 basic events at level 10 of the MLD fault tree constitute the initiating event categories and are listed on page 3-19, as well as in Chapter 5 " Initiating Events",
pages 5-2,3.
The categories yielded 19 specific initiating events which were developed into frontline event trees as identified on page 5-15.
Thus success criteria are given for the top events in the frontline tree rather than for the initiating events resulting from the MLD fault tree.
The success criteria for major systems are also given in response to Question 28.
l l
l i
Question 20 Provide a concise description of how and why the component cooling water, service water and control air system failures were lumped into the Plant Trip initiating event tree.
Responsa 20 The reason for treating component cooling water, service water and control air system failures as initiating events in the plant trip event tree is stated in section 8.3.1.8 Plant Trip - Event Tree 13, pages 8-44,45 of the PSS.
Specifically these events were quantified separately because of their. potential " common mode" failure impact on the mitigative systems represented by the top events of Event Tree 13.
The method for treating these system's failures in the plant trip event tree is stated in detail in sections 8.3.2.2, 8.3.2.3 and 8.3.2.4 Complete Loss of Service Water, Component Cooling and Control Air, pages 8-65 through G-76.
In summary, the initiating event frequency was quantified for these systems and the effect of the loss of the system on each of the subsequent top events of the plant trip tree was accounted for by assuming failure probability of 1.
l i
Question 21 Provide a concise discussion of how the initiating events frequency for non-isolable LOCAs was determined for the IPE.
Provide a concise discussion of how intersystem LOCAs were evaluated under the IPE for the shutdown cooling system.
Response 21
^
The identification and quantification of non-isolable LOCAs is thoroughly discussed in Section 5.4.2.6 of the PSS, pages 5-33 through 5-48.
The identification process resulted in the list given on page 5-34.
Each was evaluated in the subsequent sect 4cns.
Section 5.4.2.6.9 "Non-isolable LOCA Event Frequency fummary" indicates that the total frequency is less than 2 x 10*i/ year.
This total frequency is basically the combination of the only two significant contributors from the evaluations detailed in sections 5.4.2.6.1 through 5.4.2.6.8 (most of which were not significant).
Specifically the two contributors are (1) Shutdown Cooling System Isolation Valve Failures, equal to 1.8 x 10*'/ year, and (2) Safety i
Injection Syatem Check Valve Failures, less than 10*'/ year.
A thorotgh discussion of how intersystem LOCAs were evaluated under the IPE for the Shutdown Cooling System (SCS) is provided in PSS section 5.4.2. 6.2 " Shutdown Cooling System Isolation Valve Failures" as part of section 5.4.2.6 "Non-isolable LOCAs outside l
l the Vapor Container".
(Ples.4e refer to pages 5-36 through 5-41.)
A concise summary of the discussion follows.
The isolation valves between the Main Coolant System and the SCS were investigated.
Failure medes were determined.
(Expressed as cut sets.)
The impact of operator errors was assessed by reviewing procedures to
determine probability of failure to close valves.
Failure rates were determined and the probability of a
non-isolable LOCA occurring for the SCS was calculated to be in the range of 1.8 x l
10" to 10*1'/ year.
The former value is consistent with WASH-1400 failure rate distributions and the latter value is consistent with valve disc rupture probabilities.
l I
Question 23 Discuss the impact of loss of servii:e wateron plant systems, and estimate its contribution to core datage fr Response 23 equency.
YNPS Service Water Syst m (SNS) provides cooling for many systems required for normal opuation and shutdown loss of this system was reviewed against each top The effect of
" plant trip" event tree.
event-in the YNPS I
the YNPS PSS are listed in Table 23 1 withThe sys an explanation of the effect loss of Service Water has upon them and with p ossible back-ups.
Table 23.1 is based on information presented i and 18.4 in Response 18.
n Tables 18.3 Given i
systems / equipment backups and the redundancy and diversity of the Service Water System, loss of Service Water doesn't appear among the top 40 core melt s equences and the total contribution to the core melt frequency is less than 0 1 Service Water Syst.wm functions and impacts percent.
on plant systems are analyzed in Sections 4 4.4, 5.4.2.2 and 6.3.2.2 of YNPS PSS.
h y
.p..
Table 23.1 Effects of Loss of Service Water Back-up Effect System Loss of Cooling Water to Electric and Steam Driven Boiler Feedwater Pumps the Lube Oil Coolers Emergency Feedwater pumps, ECCS and CVCS pumps Loss of Cooling Water to The Speed Controllers can the Speed Controllers of be manually locked at full Charging Pumps the No.
I and No.
3 speed Charging Pumps Results in Loss of Cooling Fire System connection from Component Cooling Coolers Water to Primary Plant fire house to Service Water Components.
Require side of cooler could shutdown of Main Coolant restore cooling with fire water Pumps Loss of Cooling Water to Fire System Connection can Shutdown Cooling Pumps Mechanical Seal and the provide. diverted water for limited service Lube Oil Coolers Fire System Connection un Low Pressure Surge Tank Loss of Cooling Water to provide diverted water for.
the Mechanical Seal and the limited service Cooling Pumps Lube Oil Coolers i
I
Table 23.1 (cont'd.)
Effects of Loss of Service Water System Effe Back-up Control Air Loss of Cooling to Control No. 1 and No. 2 Compressors Air Compressors can be supplied with an emergency cooling from the Fire System.
Loss of Control Air Results Turbine Bypass is backed up in Loss of Control for by motor operated Emergency Turbine Bypass Atmospheric Steam Dump valves and Steam Generator Code Safety valves.
Loss of Control Air Results Main Feedwater controller in Loss of Main Feedwater are backed up by manual Controllers operator control of the flow control valves.
Loss of Control Air Effects For some valves Control Air Many Vital VC Isolation is backed up by an Trip Valves (to hold open) alternate standby nitrogen system. Valves fail closed on loss of air.
-Less of
. Control Air Control Air is backed up by.
disables the Steam Reduce i.
an alternate standby from the Main Steam Boiler nitrogen system, AS-TV-405 (AS-TV-405) affecting Steam also h2 s a manual bypass Driven EFW Pump valve.
~-
Cuenion 24 Discuss the need for feed and bleed, ';he probability of success and the impact on core damage frequency from loss of this functior..
Response 24 Feed and bleed is needed if all other means of maintaining the Core Cooling Critical Safety Function by Secondary Heat Removal (SHR) have f ailed.
Note that the probability of failure of SMR and hence the probability of demand for feed and bleed are very low at YNPS because of the numerous diverse and redundant mitigative systems available for SHR.
The probability of success of feed and bleed is high.
This is because feed and bleed is a bona fide capability at YNPS since is consists of not only ECCS operation with the PORV but also Charging System operation with either PORV or Pressurizer Code Safety Valves resulting again in diverse, redundant capabilities. These features are described on page 17 of the submittal.
Conversely, the impact on core damage frequency of the loss of the feed and bleed function is very low at YNPS.
This is because of the numerous other means of core cooling at YNPS and - their corresponding high availability, as stated previously.
l Note, also, that Appendix G provides an assessment of the sensitivity of the mitigative functions / actions to:
l (1) the environment resulting from each initiating event, and (2) each possible combination of the DC bus losses.
Feed and bleed, in - particular the PORV, was assessed for-effects of potential harsh environments caused by the initiating events for each event tree.
For those instances where there was an e
i l
l l
effect, credit for success was appropriately adjusted.
- However, l
the effect on overall results was minimal because of the charging I
pump pressurizer code safety valve capability for feed and bleed, l
as previously mentioned.
With regard to the various combinations of loss of DC buses, no credit was taken for feed and bleed since many of the systems that were included in re-establishing secondary feedwater flow were included in Decay Heat Removal.
l l
?
ouestion 27 Provide a concise description of the additional systems being considered to retain the reactor core within the vessel, as mentioned in the CPI portion of the submittal presented at the May 3, 1990 meeting.
Raaponas 27 Note that brief descriptions of the additional systems being considered are provided in sections 5.3.2, 5.3.3 and 5.5 of the submittal.
The following is additional information.
Deeressurization System As a
result of a
conceptual
- study, two options for depressurizing the reactor warrant further evaluation.
option 1 The depressurization system option consists of four electrically actuated (triggered) valves.
The. series / parallel arrangement provides redundant isolation as well as redundant i
depressurization capacity.
Two normally open MOVs would be provided in the common discharge pipe to allow isolation upon spurious operation of the trigger valves.
The valve inlet would be from the pressurizer safety valve inlet piping.
The valve outlet would be a pipe stub which would include a rupture disk and small i
relief valve.
Optionally, the discharge could go to the existing l
safety valve discharge header piping which is equipped with a rupture disk with a small bypass to the. low pressure surge tank to collect any minor valve leakage.
A portable electric source would be used to trigger the valves when required.
)
Option 2 1
This option consists of five air-operated valves which fail closed on loss of air.
The valves would be arranged in two parallel trains of two series valves with an additional valve cross connecting the trains between the series valves.
This arrangement
)
provides redundant isolation as well as redundant depressurization capacity.
The valve inlet would be off the pressurizer safety valve inlet piping.
The valve outlet would be a pipe stub which would include a rupture disk and ralief val 1.,
optionally, the discharge could go to the safety valve discharge header piping which is equipped with a rupture disk with a small bypass to the low pressure surge tank to collect any minor valve leakage.
Motive power would be provided by three nitrogen bottles which The would provide redundancy located in an accessible location.
bottles would not be connected to the operator tubing until i
operation is required.
A normally closed isolation valve and pressure regulator would be located in the bottle discharoe tubing, I
operation would require connecting the tubing and opening the manual isolation valve.
Iniection System A number of options with variations are under consideration for an injection system.
The system would consist of a water 60 GPM pump, piping and valves, motive power for the pump
- source, valves and any required accessories.
The required pump head would be determined by the point chosen l
for injection.
Either the reactor head, charging system piping, ECCS piping or shield tank _ cavity could be the injection point
l l
depending on the final design criteria required to be met.
The water source would be from either Sherman Pond, an existing site tank new outside tank or wells.
Motive power for the pumps and HOV would be supplied from the security diesel generator which would be modified to allow the generator to power these loads or an additional diesel generator l
which would be installed.
I The pump location, pipe routing and valves required would be dependent on the required injection point, water source and design criteria.
4 i
4 F
k J
ouestion 28 Provide the remaining summary sheets for major systems similar to the ones provided for main feedwater and recirculation.
The major plant systems identified are:
HPSI, LPSI, accumulator, chemical shutdown, emergency feedwater, reactor protection system, and the containment isolation system.
As depicted in the May 3, 1990, 'eeting handouts, the system summary sheets include s mission times, success criteria, failure probability, and major cut set contributors.
Response 28 Attached are summary sheets for:
HPSI LPSI Accumulator Chemical Shutdown Emergency Feedwater Reactor Protection System Containment Isolation System l
l l
l
l l
System:
RPSI (2) l (2 EPSI/1 LPSI Pump) l l
Mission Time:
48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> Success Criteria:
De3ivery of Water From:
The SI Tank with level greater than 11 feet.
By:
At least 2 (of 3) hPSI pumps boosted by at least 1 (of 3) LPSI pumps.
Through:
All 4
cold leg injection lines (3
lines required-for success and one 1.1 assumed lost by LOCA).
To The MCS Failure Probability:
3.54 x 10*8 r
Maior Cut Set Contributors t
(1) 1 of 12 check valves f ails (to open)
> 41%
l (2) 1 of 14 manual valves closed (during maintenance)
> 23t (3)
SI tank out for maintenance 174 1
(4) 1 safety valve f ails (to close) 14%
l l
4 y
1 l
1 Systam:
LPSI.(2)
(2 LPSI Pumps)
Mission Time:
3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> Success Criteria:
Delivery of Water between 120' F and 130' F l
i From:
The SI Tank with level greater than 11 feet.
l l
By:
At least 2 (of 3). LPSI pumps.
Through:
All 4
cold leg injection lines (3
lines required for success and one is assumed lost by LOCA).
To:-
The MCS-
_l 1
Failure Probability:
- 3. 4 8 x 10-3 j
i Maior Cut Set Contributors (1) 1 of 12 check valves fails (to open)-
44%
(2) 1 of 13 manual valves closed (during maintenance) 25%
(3)
SI tank out for msintenance 15%
(4) 1 safety valve f ails - (to close) 13%
0 e
ci
1 System:
Accumulator Mission Time:
12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> I
Success Criteria:
Delivery of-Water after approximately 11 second delay From:
The Accumulator By:
Adequate N Pressurization 8
Through:
All 4 (of 4) cold ' leg injection lines (3 lines required for success and one is assumed lost by LOCA).
To:
The MCS Failure Probability:
4.13 x 10
Maior Cut Set Contributors (1) 1 of 3 relief valves fails (to reseat)-
334 (2) 1 of 12 check valves f ails (to open) 30%
(3) 1 of 12 manual valves closed-(during maintenance) 26%
i l
l l
l l
I
1 system:
Chemical shutdown j
Mission Time:
1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> success Criteria:
Delivery of borated water From:
The BAMT (includes isolation of alternative sources) i By:
3 of 3 charging pumps Through:
The normal charging lines To:
The MCS Failure Probability:
2.44 x'10-8 Maior Cut S_et Contributors (1)
Loss of power (busses or breakers f ail) 56%
-17%
(2)
Pump Failures (3) f 3 safety valves fails (to close) 5.5%
e
l system:
Emergency Feedwater l
Hission Time:
10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> l-Success Criteria:
Delivery of water From:
The DWST or the PWST By:-
At least 1- (of 1 steam driven and 2 electrical driven) emergency. feed pump Through:
The normal steam generator feed lines'or the steam generator blowdown lines To:
At least 1 (of 4) steam generators Failure Probability:
- 4. 8 x 10-'
Maior Cut Set Contributors (1)
Failure of the SDEFW combined with an' 62.4%
operations error in which both motor driven pumps are improperly returned from maintenance (2)
Failure of the SDEFW combined with failure
.21.7%
of 1 motor driven pump and the other pump out for maintenance (3)
Failure of the SDEFW combined with failure 1.77%
of both motor driven pumps l
?
~
System:
(for Cooldown-Transients)
Mission Time:
On demand Success Criteria:
No failure of any two adjacent control rods to insert.
i Failure Probability:
Independent Failures:
- 1. 41 x 10-4 Total (including common mode) :
- 1. 51 x 10-d Maior Cut Set Contributors (to indeoendent failures)-
(1)
Probability of failing to insert two adjacent control rods 99.8%
i j
(2)
Failure of the two scram breakers' to open 0.16%
i
.I 1
i
System:
Reactor Protection System 2 (for Non-Cooldown Transients) l Mission Time:
On demand Success Criteria:
Insertion of 12 of 24 control rods Failure Probability:
Independent Failures:
3,03 x 10-'
Total (including common mode) :
1.0 x 10-8 Maior Cut Set Contributors (to independent ~ f ailures)
(1)
Failure of the two scram breakers-to open 99.9%
l' l
1
'i.
i 6
e
,w 4
un
system:
Containment Isolation system Mission Time:
On demand Success Criteria:
Isolation of all paths from the VC atmosphere to the outside atmosphere-70ilure Probability:
- 9. 8 6 x 10-5 Maior Cut Set Contributors (1)
Failure of bleed line sample isolation valve 94.9%
(SA-TV-213) -to close on demand, given down--
stream manual valve left open after testing (2)
Failure of main coolant vent header trip valve
.2.39%
(VD-TV-203) to close on demand,. given down-stream manual valve-left open after testing (3)
Common mode failure of the CIAS.and SIAS 3%
pressure detectors due.to miscalibration and/
or valving out of the detectors t
i I
Question 30 Steam generator tube rupture -has emerged. as -a major contributor to bypass leakage.
It is _ listed as one of the initiating events that were examined in the. Yankee PSS. No mention was found, however, concerning the possibility of induced steam generator tube rupture.
Discuss = the-extent to which steam generator dryout induced SGTR was considered.
Response 30 As explained in the IPE submittal (section 5.) " Containment Performance Improvements", page 117 and Figure 5-1, page 137), the investigations and results of, in particular, the PSS led to a set-of separate effects analyses (described in section 5.2.3) which explicitly treated the phenomenon of steam generator dryout induced steam generator tube rupture.
The discussion can_ be found on pages 4-2 through 4-4 of the internal report " Containment T erformance Investigation for the Yankee Nuclear Power Station" (attached).
The results of this-investigation have led to considr. ration of both procedural changes (Main Coolant-Pump Operation) and hardware tradifications (additional depressurization capability), as further described in sections 5.3 and 5.5 of the submittal and the respecse.
l to Question 27.
b 4-2 i
t be very useful in extending the plant capabilities for preventing core damage.
Specifically, the procedures are very effective in guiding the operator (s) to use the core injection systems - as well as the extensive capabilities for water injection to the secondary side of f.he steam gener.
ators'for maintaining adequate core cooling. With the comp.iratively,large secondary side water inventory for this smaller reactor sys:em, the time to steam generator dryout is much. longer than for the larger plants considered in the NRC (hvREG 1150 and NUREG 0956) and IDCOR analyses. M us, the secon.
dary side systems accessed by the operator have a longer interval over which they can be implemented to protect the core cooling function.
It follows that they are more influential in reducing the likelihood of = core damage.
The emergency procedures aid the operators in. bringing these systems into -
service when necessary, including the YNPS. plant-specific. Safe Shutdown J
System (SSS).
The review included conditions associated with inadequate core cooling
['
in which the core exit thermocouples could-potentially reach elevated levels, i.e. in accese of 1200'F. Under these conditions, the water inven.
tory within the primary system would be localized to the lower half of the I
core, the lower plenum and a small amount of water -in the. pump suction piping for each reactor coolant loop. When the core exit thermocouples I
1 record temperatures greater than 1200'F. the operator is instructed to start the main coolant pumps (MCP), with the intent being to add the small amount of water to the core inventory and to take advantage of the available secon-dary side cooling in the steam generators.
At this point in the accident, the temperatures within the core would likely be much higher,than 1200'T and initiation of the' reactor coolant an accelerated pumps could transfer hot gases into the steam generators at For scation blackout like conditions, the steam generator tubes would-race.
be protected because counter current natural. circulation would govern the flow of high temperatures gases between the core and the steam generators.
This issue of consequential steam generator tube rupture has been inves.
tigated. (using MAAP) as part of the Seabrook' submittal for a reduced emergency planning zone (41] by INE1. usin6 the RELAP code (4-2] and by the NUREG 1150 expert opinion teams (4 3). All of these analyses focused on the
4-3 t
natural circulation behavior.
While the temperature of the tubes to about 700 K (800'F),
increased i.e., about 1100 K (1520*F). this was not sufficient to cause creep ruptur However, the temperatures in the upper e,
i are well above this phase (gas counter current natural circulation flowlevel an plenum i
suction side of the reactor coolant pumps is an importaThe water seal on t counter current flow.
nt feature in forcing once through natural circulation is addressed in RefThe inc to
. (4 1).
1-This natural circulation flow between the core the
, the upper plenum and steam i.e. the energy transfer rate would be reduced forgenerat
- essure, ing the pressure.
all sequences by decreas-core, it is recommended thatThus, if such elevated temperatures are observed n the the primary system be depressurized the energy transfer rate would be reduced.
such that promote additional water injection from the accumulatorDepressurization cou injection systems.
These or the low pressure are two major reasons for implementing this ac-tion.
i k
i If there generators, starting the mainwere essentially no water on the secondary sid the steam coolant pumps would override the natural circulation flow and rapidly increase the energy transfer rate to th generator-tubes.
Without depressurization and secondary side e steam temperature of the tubes would quickly increase to 1cvels wh
- cooling, the ture failure could be anticipated.
ere creep rup-containment boundary, integrity of the tubes must be protSince the ected.
The procedures call depressurization if the availabl pumps have been started.
e reactor coolant that the procedures be altered to initiate deprFor the reasons sta l
and instruct essurization on elevated core temperatures pumps unless a normal level is measured in the steam gen the main coolant pump being connected to-reduced below'this level through watercearted or until the temperatures have been injection to the Through this approach, the system response will be optimi primary system.
primary system pressure boundary, incPtding the steam zed to protect the generator tubes and t
e
+ - - - - - - - - -
~
-S J
'4-4
~
l will focus 'the operators attention'on reducing the primary system pressure to both provide additional water sources to the primary. system and to reduce the energy transfer from the high temperature core to other regions in the primary system such as the steam generator tubes.
L With respect to accident management, such depressurization instructions are consistent with both accident-recovery and accident mitigation.-
As
(
stated above, this wouldi
- enhance the potential for system recovery since' additional lower pressure water.-injection sources would be potentially made available,
- the inte5rity of the' steam generator tubes would be protected, and the potential -dynamic response associated with a postulat1d a reactor vessel failure that could possibly occur later in' the accident would be reduced or eliminated, l
With respect to the last point, depressurization would substontially mitigate the primary system blowdown and the potential influene s on the h
shield tank surrounding-the reactor vessel.
This is equivalent to address.
ing the NRC concern regarding direct containment. heating (DCH) by depressurizing the primary system.
Therefore, the procedural response already addresses the depressurization issue-discussed for DCH and in par-ticular, reduces the influence in uncertainties with respect to in vessel core melt progression and the mode of RPV failure.
l l
Another section of the procedures to be addressed is _the 'end of ECA.O.0, Loss of All AC Power".
This procedure currently ends with l-recovery instructions.
In keeping with the above discussion, and the cur-rent plant changes considered, it would' be beneficial-to include instructions to depressurize if core temperatures greater than 1200*F are observed.
,w,-.-w i-e v-e v-
Question 33 Discuss, in a paragraph or two, the structural analysis based on a failure criterion of'0.9 yield stress, used to' estimate the containment overpressure capability.
Was it an in-house analysis?
Finite element analysis? When was it. performed?
Have containment i
l l
modifications been made since the time of the original analysis, l
and if so, are the results unchanged?
Response 33 Appendix E " Containment Integrity and Leakage Evaluation" of' l
the PSS provides a description of the YNPS vapor container design / construction and the determination of higher pressure capability.
The vapor container is an ASME Code Section VIII Vessel l
designed by rule.
The concept behind the design by rule approach is to design the basic vessel for code stress limits and-then provide excess material to compensate'- for. ' openings and: Other discontinuities.
l To determine the containment over-pressure. capacity, the ASME Code equation for a sphere was used, but instead of the code allowable stress, 90 percent of actual material yield stress was used based on material data records.
The justification for use of the failure criterion of 0.9 yield stress is the similar treatment in the YNPS Systematic Evaluation program based on NUREG/CR-0098 "Detlopment of Criteria for Seismic Review of Selected Nuclear Power Plants", June' 1978.
This conservative analysis was perfornad by Yankee in-house in February 1982 and did not use finite - element techniques.
No
.I I
containment modifications have been made since the ' original analyses, which would change the results.
I I
i l
t l
l l
l 1
L 1
.i
~
Ouestion 35 What factors influenced the decision to use plant-specific data, generic data, or a combination of both in various applications in PSS?
How would the conclusions of the IPE change if a more up-to-date data base instead of the NPRDS reliability data base were used to provide generic data?
What is your basis for this conclusion?
What were the sources of generic error data from which bounding values were derived for estimating human errors?
Why were these sources selected?
Response 35' The factors influencing use of plant-specific vs. generic data are documented-in the YNPS PSS Section 7.
The following is.a brief description of major steps in the process of YNPS PSS data. base development:
1.
Available generic data sources were identified and searched for the most representative.
A generic data base was developed from this data.-
2.
All important components were identified.
3.
Eor important components, plant-specific data' was collected, where available, from plant records in the form of number of failures, number of demands or cycles and total. operating time.
4.
For those components with no plant-specif 3 J data, the generic data were taken directly from the generic data base developed for YNPS, For those components with insufficient plant-specific data, as well as those components with sufficient plant-specific data, the historical plant-specific data ' were - used to update generic - distribution using Bayes' theorem.
Alse see response to question 46 for more detailed information.
l The NPRDS reliability data base was used for less than ten percent of the total components listed in the'YNPS PSS data base.
Using a more up-to-date data base for those components results in minimum change, if any.
The basis for this conclusion lies in the fact that 1) the failure rates used in YNPS PSS data base are conservative and would not 'be significantly affected by using a more up-te-date data base and 2) NPRDS reliability database was not used for any component which shows as significant-contributor to the risk.
The source of. generic ~ error data was NUREG/CR-1278," Handbook on Human Reliability Analysis with Emphasis.on Nuclear Power Applications," by Swain and Guttman, from April,1980. This source was selected because at that time, the THERP method was " state-of-
~
the art".
Question 36 In light of our understanding today of human reliability, manufacturing defects and maintenance errors, provide a concise discussion of why common mode / common cause failures were found to be negligible contributors to unavailability / failure in each of the 40 major fault trees.
List the component groups subjected to CCF analysis.
Provide a concise discussion of the sources of CCF rates used in the IPE.
When was the human reliability analysis first conducted?
When was it updated?
Was it requantified to account for the change to symptom based procedures?
To what extent does it consider common cause?
Does it take advantage of recent work on common cause?
Response 36 Common mode / common cause failure were not found to be negligible contributors in some of the major fault trees.
On the' contrary, they are i
major contributors in double and triple diesel generators failures and in Reactor Protection System failure in the case of non-cooldown events.
The common cause contribution to the system unavailabilities explanation is given in the next Table 36.1.
The component groups subjected to CCF cnalysis are also listed in the Table 36.1.
At the time the YNPS PSS was completed, insufficient generic data was l
Evailable for CCF rates.
The applied % and 7 factors were the result of oxpert judgement and comparison with other studies.
A modified WASH-1400 l
methodology was applied to EPS dependent failure analysis.
Table 36.1 Common Cause Contribution Common Cause System Common Cause Group Contribution to the Comments System Unavailability 6.6%
Human interaction RPS 1-during the test and Cooldown Transients Detectors calibration of Logic RPS 2 Control Rods 100%
detectors - dominates.
Non-cooldown Breakers l
Transients MFW Negligible
" Single" failures are dominant EFW Maintenance on piping-7.6%
and valves ECCS Negligible
" Single" failures are dominant ~
CVCS Negligible
" Single" failures are
~
dominant 2 DGs Diesel Generators 80%
3 DGs Diesel Generators 66%
DC buses Busses / Ventilation Negligible Humals' error is dominant.
)
t c
-e
~
v
7 The human reliability analysis was conducted in the period from 1981 to 1983.
Update of the analysis is' ongoing as part of the YNPS PSS' update.
Update of the human actions during the event sequences is based on the symptom based procedures.
All action i
f credited 'in the-original YNPS 'PSS are covered by the new.
procedures.
The YNPS 'PSS considers common cause in ' maintenance related human errors ' (test, alignment, calibration).
The original work was comp 12ted before the most recent work on common cause.
(Also see responses to Questions 37 through 44.)
Q m tion 37 What percent of the core damage frequency was' due to human error?
What inferences (insights) are drawn regarding the contribution of human error on overall plant risk?
i Identify those sequences that, but for low assumed human error rates in recovery actions, would have been above the screening i
criteria of Appendix 2 of Generic Letter 88-20.
)
l Eggoonse 37 l
The contribution to core damage frequency from the human error is approximately 26% (see Table 37.1).
Human error is the second i
most dominant contributor to the core damage frequency- (after the Safety Injection System).
The human errors' were estimated conservatively since no credit was taken for recovery actions and no credit was taken for multiple operation personnel in the' control room.
More recent review in conjunction with the update of the PSS by specialists with experience in human reliability analysis has confirmed the conservatism of these results.
1 Since no credit is taken for recovery actions, there is no conservativism which will influence sequences frequencies reported l
in the baseline results of the PSS reported in the submittal.
l (Note :
Some recovery actions were-credited in the Best-Estimate Analysis, Chapter 13, YNPS PSS.)
l l
+
Table 37.1 System Contributions to Core Melt Frequency Contribution to Core Human System (or action)
Melt Frequency (%)
Contribution (%)
[
48.8 negligible HPSI and LPSI Systems 1
17.1 negligible Recirculation System Reactor Protection System and' 10.9 3.7 Chemical ~ Shutdown Syster Operator failure tu-manually depressurize MCS for small 9.5 9.5 LOCAs if HPSI fails
- 6.2 negligible Accumulator Operator Errors in Initiating /
5.3 5.3 Controlling Feedwater*
Failure ~of MCS Loop Isolation Valves to close during Steam Generator tube c
rupture plus operator errors-in 4.6 4.6 responding to event
- Diesel Generators plus-Steam-driven Emergency Feed Pump'(including. operator
-2.4 2.4 errors) - Loss offAC Pressurized Thermal Shock indiced Reactor Vessel failure'due to operator errors during degradation of DC power 0.5 0.5 events
- 97.4 26 TOTAL
- Human Error Contribution Dominates a
~
ouestion 38 List the most dominant human recover'/ actionscidentified in i
the Yankee IPE, alcng with the task analysis performed for each.
i What type of human systems analysis was performed to support plant model development and to identify pertinent human task actions for inclusion in the event and fault trees.
l What types of task actions (both cognitive and physical) were l
How were they chosen?
i analyzed as part of each accident sequence?
Response 38 The most dominant human recovery actions identified in the Yankee IPE, are listed below, together with contribution to core damage frequency.
(see Table 37.1, ' Response 37)
Contribution to Core Human Ac112n Melt Frecuency (%)
9.S%
Manual Depressurization of MCS following Small LOCA with loss of HPSI 5.3%
Initiation and Contaolling of Feedwater (Restart liain Feedwater after trip.
Start 1;mergency Feedwater System.)
4.6%
Isolation of Main Coolant System Loop following Steam Generator Tube Rupture 3.7%
Initiation of Chemical Shutdown 2.4%
Initiation of Steam Driven Eraergency Feedwater Task analysis and-classification necessary for action quantification is documented in Table 7-6,- with reference to Table 7-3, of the YNPS PSS.
The human systems analysis to support plant model development was based on NUREG/CR-1278, " Handbook on Human Reliability Analysis
. j
. l with Emphasis on Nuclear Power Plant Applications," by Swain ~and Guttman, from April, 1980.
Human task actions were identified as part of system / event tree' analysis.
Operator response for any proceduralized action during response to an initiating event was assessed.
Human actions involved:
Manual actions during the event-sequences (manual initiation. of the
- system, actions-following malfunction in automatic system).
These actions are included in event trees, i
Interaction with equipment during routine plant operation (testing, maintenance, valve alignment, calibration, etc.).
These actions are included ~in' fault trees.
No credit was taken for-correcting system alignments during an All human actions were reviewed by YAEC and plant personnel event.
who were familiar with YNPS operation, procedures and training.
The human actions which' wnre analyzed as part of each sccident sequence are listed in Tables 7.4, 7.5 and 7.6 of the.YNPS PSS.
Their selection is based on YNPS operating procedures.
Most of.
these individual actions contain both a cognitive and an execution element.
They are quantified using ' the " generic" data from NUREG/CR-1278 at two levels:
(1) Operator decision. to perform action.
(2) Actions necessary to perform function given operator.
~
decision.
9
Question 39 Provide a concise discussion to justify the operator actions without procedures for which the IPE takes credit.
Quantify their contributions to the likelihood of core damage or containment failure.
Response 39 The selection of the human action which were analyzed as part of accident sequences was based on YNPS operating procedures.
Therefore, the IPE didn' t take credit for any operator actions-without procedure.
(Also see Response'44.)
l' l
l l'
l l
l
i l
Ouestion 40 j
What person-centered (e.g.,
experience,
- fatigue, stress),
l task-centered (e. g.,
- training, procedures),
and environment-centered (e.g., supervision, team support, organizational support).
performance shaping factors (PSFs) were scaled for human task actions included as precursors, initiators, or mediators in the event and fault trees?
How were they chosen?
What methods were used to scale each PSF 7 Why were those methods chosen?
What quantification methods (e.g., THERP, HCR, SLIM-MAUD) were used to estimate human errors on task actions selected for analysis?
Why were these quantification methods chosen?
Response 40 The human factors analysis performed for the YNPS PSS used j
techniques which were then " state-of-the-art".
The specific Performance Shaping Factors (PSFs) evaluated for 'the YNPS PSS human analysis were hostile environment, operator stress, parameter display clarity, complexity of manual action and the time available -
for action.
Evaluation forms are available at YAEC.
In addition to this, a questionnaire was completed by the control room operators in order to access their opinions about quality of procedures, training, displays, annunciators / alarms, environment, i
etc.
No outliers were uncovered for YNPS.
The only PSF applied for quantification of dynamic human actions was. stress.
Stress levels taken into account were very low, optimum, moderate and high.
NUREG/CR-1278 methods were used to scale-each stress level (see Tables 7.3 and 7.6, YNPS PSS).
(Note :
Some other PSFs, e.g.,
tear support, were taken into account when determining stress level
by adjusting the stress-level downward'on level', because of the increased opportunity for supervision and error correction.)
c The THERP method was used to estimate human error in YNPS PSS.
At that time, the THERP method was " state-of-the-art".
l
[
l
[
t 1
I
O E
Question 41 Was-a sensitivity analysis of human error performed?
What characterization or behavioral model of plant' personnel was used to identify multiples and dividends of the base or point estimates of human error for the sensitivity analysis?.
ResDonse 41 l
Sensitivity analysis was only performed for a-limited number of recovery actions (e.g., recovering of main feedwater because one to two hours are available for the' operator to initiate feedwater).
The sensitivity analysis is explained in Chapter 13 of the YNPS PSS.
No behavioral model of plant' personnel was' applied in the. YNPS PSS numan analysis.
No credit was taken for multiple operations personnel in the control room (except in a few cases by adjusting stress level).
l I
l
.1
l Question 42 To what extent were results documented to allow for auditing and/or replicating, or to allow for combining with data from other PRAs?
How was the completeness of the set of human faults verified?
Response 42 l.
Definition and quantification of human actions represented in l'
the. event trees is documented in the YNPS PSS (see Table 7,. 3, 7. 4, 7.5 and
- 7. 6).
Quantification of human actions which are significant contributors to system unavailabilities is also documented in the Table 7.6.
For example, quantification of operator actions necessary !to start Chemica1' Shutdown, Electric or Steam Driven EFW, Aligning ECCS or CVCS to SGs, etc, These actions can be easily audited and/or replicated.
Other minor human actions and test and maintenance errors are part of the fault tree system analyses and are documented in the system fault tree-analyses files (available at YAEC).
L l
The completeness of the set of human faults was verified during review sessions between the contractor, corporate analysts and -key plant staff knowledgeable in each area modeled in the specific fault and event trees.
There were ' individual review l
ser,sions for each tree.
The plant p]rsonnel were trained on the development and background of the trees before the review.
Each session was documented by a secretary.and recorded on audio tape.
The contractor and corporate-analysts then completed and corrected the trees and each was reviewed by an independent member of the team, responsible for a different tree, to ensure accuracy.
-Question 43 Does the PSS consider maintenance induced. events?-
Response 43 As stated in. response to question 38,. test and maintenance induced events are analyzed as human actions during routine plant-operation:and are.modeled as fault tree' basic events.
For human-recovery actions during routine operation-(maintenance, testing, calibration, valve alignment, etc.) a review ;
of plant procedures was performed to_ determine the practices.used to perform the function.
Procedure use and - type of ' checkof f,_
information display and function review process were. examined.
Using information provided in i able 7.3 YNPS PSS, the. HEP was T
determined and used to quantify. associated fault trees.
For many systems an adequate time exists to correct any valve misalignment. However, no credit was taken for corrective actions, which was a very conservative assumption.
p 1
4
Question 44 Provide written' assurance that the procedures and' operator actions for which the IPE takes credit are in place at Yankee Rowe-and that the operators have received training on these procedures.
Response 44 Table 7-4 (page 7-53) presents the." Manual Actions Represented in Event Trees".
Each of the operator actions for which the-.IPE (PSS) takes credit are currently proceduralized at YNPS and-the 4
operators have received training on these procedures with the following' notations.
The event in Table 7-4 titled " Manually Controlled Main Coolant System Pressure with
- Letdown, Drains or PORV" was quantified such that no credit was given to use of letdown or drains.
Thus, the event actually involves just use of PORV which is proceduralized.
The action to '" Reopen Main Steam Line Non-Return Valves to Established Condensor Heat Sink" was modeled as a means of steam removal at th3 time of the PSS.
The current EOPs and model, however, include use of Emergency Atmospheric Steam.' Dumps, (EASDs),
which is proceduralized.
Installation of the EASDs was not completed until after docketing of the PSS.
There is-no I
significant impact on conclusions of the PSS as a result of the effects of the subsequent installation of the EASDs.
It should also be noted that in Appendix G, " Environmental and DC Power Top Event Reviews",
certain operator -actions were i
evaluated if an extended outage or harsh environment was expected.
These actions, although not proceduralized, are not significant and
I are:
i JM
[ygn);,
Operator Action Loss of AC Power EBF (page G-44)
If an extended outage is
- expected, the doors to the switch gear room can be
- opened, and if j
- required, the covers on the electrical enclosure can be opened or renioved for electrical equipment for motor driven EBF pumps.
Loss of AC Power Effect on Control If an extended outage is Room (page G-47)
- expected, the operators will minimize any temperature rises by 1
opening casside doors and removing panel covers where possible.
Any temperature rise would not cause undo discomfort to the operators.
The effect of temperature rise on ecluipment required in th:.s event tree is minimal.
l l
l l
l
cuestion 45 Provide a list of the equipment for which plant-specific data were used in the PSS and provide the plant-specific data failure or initiating event rates particular to the equipment.
BilARABAIL.M Tables 7-2 and 5-11 of the YNPS PSS provide component failure rates (both, generic and plant-specific) and initiating event frequencies for all the equipment and initiating event groups modeled in the study.
A list of the equipment for which plant-specifle failure data was developed has been extracted from the above stnted Table i
7-2 and is shown in Table 1.
The YNPS PSS initiating event frequencies are given in Table 5-11.
Section 5.4," Quantification of Initiating Event Frequencies," (page 5-16) indicates that the first 13 event tree initiating event frequencies (i.e., event trees 1-18) used plant-specific data.
l
[
l I
i Tablo 1 YNPS PSS Plant Specific Data (extracted from PSS Table 7-2)
EQUIPMENT FAILURE MODE MEAN VARIANCE
_ =i Diesel Generator rails to Start 8.61 E-3 2.06 E-5 Fails to Run 1.40 E-3 1,68 E-6 Condenser Loss Vacuum 3.38 E-6 2.C S-11 Feedwater Heater Excess Leakage 4.12 E-5 2.38 E-10 Rupture 1.50 E-7 4.01 E-14 Piping (per section)
Less than 2" Rupture 2.30 E-7 3.21 E-13 2"- 6" Rupture 8.30 E-8 4.16 E-14 Greater than 6" Rupture 3.00 E-8 5.27 E-15 Condensate Pump Fails to Run 4.58 E-5 2.10 E-10 Circulating Water Pump Pails to Run 3.06 E-5 1.43 E-10 Feedwater (BF) Pump Fails to Run 6.49 E-5 4.00 E-10 Charging Pump Fails to Start 1.78 E-3 8.39 E-7 Fails to Run 1.87 E-4 2.97 E-8 Emergency Feedwater Fails to Start 1.07 E-3 6.48 E-7 (EBF) Pump Service Water Pump Fails to Run 8.91 E-6 4.84 E-11 LP Safety Injection Pump Fails to Start 8.38 E-4 3.95 E-7 HP Safety Injection Pump Fails to Start 8.38 E-4 3.95 E-7 Shutdown Cooling Pump Fails to Start 1.40 E-3 7.28 E-7 Fails to Run 1.25 E-5 7.95 E-11 Battery All Modes (hr-1) 7.20 E-6 4.42 E-12 All Modes (d*2) 3.61 E-4 1.20 E-8 No Output (hr*1) 3.80 E-8 8.73 E-15 Charger Battery Static (Inverter)
All Modes 1.23 E-5 1.84 E-12 Motor-Generator No Output 7.07 E-6 1.78 E-11 Transformers Station Srv. (15-115:<V)
All Modes 6.50 E-7 6.00 E-13 Main 30 (115-242KV)
All Modes 1,53 E-6 6.12 E-13 XFER Tie 30 (31-72KV)
All Modes 8.22 E-7 2.26 E-13 Substation 30 (2-30KV)
All Modes 6.75 E-7 8.44 E-14 Substation 30 (31-72KV)
All Modes 9.37 E-7 2.07 E-13 Satation Service All Modes 4.07 E-7 9.39 E-14 (0.46-2.4KV) l
1 i
I l
l Question 46 Provide a concise description of how plant-specific data were combined with generic
- data, particularly when there were i
significant differences between the rates or when there was a statistically significant amount of plant-specific data for a particular component or system.
1 I
pasoonse 46 The response to question 35 explains how, in general, plant-specific data were combined with generic data.
The following is a brief description of the plant-specific data base development in two particular cases a) when there were significant differences between the rates and b) when there was a statistically significant amount of plant-specific data for a paticular component or system.
a)
A careful review of the YNPS PSS data base shows a few components for which generic data rates are significantly different from plant-specific rates.
Combining plant-i specific data wLth generic data for these components as well as most other components for which plant-specific rates were developed has resulted in more conservative numbers.
Using more conservative rates was one of YNPS i
PSS data base development objectives becauset o
Using plant-specific data alone to generate failure rate distribution in most cases was resulting in less conservative numbers due to zero or limited number of failures.
Having zero or limited number of failure was mainly 'secause of a) size of.the l
plant making it easier to maintain and operate b) size of the components which are generally smaller than industry average c) quality of workmanship and material used at the time of plant construction, and d) excellent plant crew, most of them working at the plant since early operation, o
The YNPS PSS was developed to be a living document, therefore any data used in this study should be conservative enough to be unaffected when some components are to be replaced.
b)
For the same reasons as described in part a), for those l
components with statistically significant amount of plant-specific data, generic data was used to produce more conservative data.
...