ML20070Q429

JA FitzPatrick Step-2 IPE: Front End Audit
Person / Time
Site: FitzPatrick
Issue date: 08/19/1993
From: Clark R, Darby J, Thomas W, Science & Engineering Associates, Inc.
To: NRC
Shared Package: ML20070Q426
References: CON-NRC-04-91-066, CON-NRC-4-91-66, SEA-93-553-01-A, SEA-93-553-01-A:1, SEA-93-553-1-A, SEA-93-553-1-A:1, NUDOCS 9405130231



SEA 93-553-05-A:1
JAMES A. FITZPATRICK STEP-2 IPE: FRONT END AUDIT
Contractor Audit Report
NRC-04-91-066, Task 5
August 13, 1993
Willard R. Thomas
John L. Darby
Robert A. Clark
Science and Engineering Associates, Inc.

Prepared for the Nuclear Regulatory Commission
9405130231 940509 PDR ADOCK 05000333 P PDR

Table of Contents

Section  Page
Executive Summary  vi
1.0 Introduction
1.1 SEA Audit Process  1
1.1.1 Pre-Site Visit Activities  1
1.1.1.1 Review of FSAR and Technical Specifications  3
1.1.1.2 Kick-Off Meeting at NRC  3
1.1.1.3 Review of IPE Submittal  3
1.1.1.4 Review of Answers to Step 1 Questions  3
1.1.1.5 Letter Report  5
1.1.2 Site Visit  4
1.1.2.1 Site Audit Process  4
1.1.2.2 Horizontal Review  5
1.1.2.3 Selected Vertical Review  5
1.1.2.4 Personnel Interviewed  5
1.1.2.5 Plant Tour  7
2.0 Items of Interest  14
2.1 HVAC Requirements for Important Loads  14
2.2 Common-Cause Analysis  17
2.3 Failure / Unavailability Data  19
2.3.1 Data for Diesel Generator Failure to Start  19
2.3.2 Data for Emergency Service Water Pumps  21
2.3.3 Spurious Signals to Components  21
2.3.4 Failure / Unavailability Data Updates / Trending  22
2.4 Station Blackout  23
2.4.1 Differences in Function / Usefulness of Battery "A" and "B" During Blackout Conditions  24
2.4.2 Battery Capacity / Load Shedding Under Station Blackout Conditions  25
2.5 System Fault Trees  26
2.6 Protection Provided Front End Mitigating System Equipment from Possible Failure of Non-Hardened Containment Vent Path  28
2.7 Interface with Human Factors Review  28
2.8 Interface with Back End Review  29
3.0 Audit Findings per Subtask 1 Review Items  30
3.1 NRC Subtask 1 Audit Items A.1 and A.2 - General Approach  30
3.2 NRC Subtask 1 Audit Items B.1 through B.7 - Accident Sequence Delineation  34
3.3 NRC Subtask 1 Audit Items C.1 through C.4 - Quantitative Process  42
3.4 NRC Subtask 1 Audit Items D.1 through D.2 - Vulnerability Evaluation  45
3.5 NRC Subtask 1 Audit Items E.1 through E.3 - Decay Heat Removal Evaluation  46
4.0 Audit Findings  49
4.1 Overall Findings  49
4.2 Limitations and Weaknesses of the IPE  49
4.3 Resolution of Unresolved and Generic Safety Issues  50
4.3.1 USI A-45: Shutdown Heat Removal  50
4.3.2 Other Issues Addressed in the IPE  50
4.4 Evaluation of Identified Vulnerabilities and Proposed Fixes  50
4.5 Evaluation of Dominant Contributors to Core Damage  51
4.6 Summary of Audit  59
References  53
Materials Obtained From Licensee  55
Appendix A - Front-End Audit Plan  59

List of Figures

Section  Page
1-1 SEA Audit Process for FitzPatrick IPE Front End  2
1-2 FitzPatrick Simplified Site Plan  8

List of Tables

Section  Page
2-1 Items of Consideration Discussed with the Licensee  15

Executive Summary

This report summarizes a Step 2 audit of the front-end portion of the James A. FitzPatrick nuclear plant Individual Plant Examination (IPE) submittal. This work was performed by Science and Engineering Associates, Inc. under contract to the Nuclear Regulatory Commission.

The audit was performed in two major phases. In the first phase, pertinent information was gathered and reviewed prior to the site visit. The second phase of the audit process involved a visit to the plant. During this second phase, detailed discussions were held with cognizant plant and IPE personnel, reviews were made of IPE documentation not included in the submittal, and a plant tour was taken.

The overall conclusions of the IPE analysis were judged to be reasonable. Two items were identified in our report that we recommend be addressed in the licensee's "living" PRA program, specifically 1) consideration of additional common cause failure candidates and 2) the updating of the component failure data base and re-analysis of the accident sequence analysis to account for the most recent plant experience. However, it is not anticipated that either of these refinements will change the overall conclusions of the IPE.

Several enhancements to the IPE documentation were also identified. These documentation enhancements will clarify to other readers additional details of the licensee's analysis process.


1.0 INTRODUCTION

This report summarizes a step 2 audit performed by Science and Engineering Associates, Inc. (SEA) of the front end portion of the FitzPatrick Individual Plant Examination (IPE) submittal provided to the Nuclear Regulatory Commission (NRC) [FitzPatrick IPE Submittal]. This audit was focused on postulated accident sequences that lead to core damage related to internal initiating events or internal flooding. The human factors and back end portions of the IPE submittal were audited by the NRC with contractor assistance from Concord Associates, Inc. and Scientech, Inc., respectively.

This audit report is divided into four major sections. The remainder of Section 1 describes the process used by SEA to accomplish the audit. Section 2 discusses the items of major interest in the audit process. Section 3 describes the IPE with regard to the NRC's Subtask 1 Audit items. Finally, Section 4 presents the findings of this audit. Pertinent references are provided at the end of the report.

1.1 SEA Audit Process

This audit was performed in two major phases. In the first phase, pertinent information was gathered and reviewed prior to the site visit. The second phase of the audit process involved a visit to the plant. During this second phase, detailed discussions were held with cognizant plant and IPE personnel, reviews were made of IPE documentation not included in the submittal, and a plant tour was taken.

Figure 1-1 provides an overview of our front end audit process. The following subsections describe this process in more detail.

1.1.1 Pre-Site Visit Activities

Work was begun on this audit process on August 27, 1992. In the intervening time before the site visit was made in January of 1993, pertinent information was gathered and reviewed.

Figure 1-1. SEA Step-2 Audit Process for FitzPatrick Front End IPE (flowchart; only the box text survives the extraction, listed here as activity -> result)

Gather Information: Review FSAR and Tech Specs -> List of Items of Interest Based on Plant Design
Attend Kick-Off Meeting with NRC -> Plan and Schedule for Audit
Review FitzPatrick IPE Submittal and Step 1 Q&As -> List of Items; Interface Issues with Human Factors and Back End Audits Resolved During Site Visit
Letter Report to NRC Prior to Site Visit -> List of Specific "Items" to be Resolved Generated and Distributed
During Site Visit: Resolve "Items" with Cognizant FitzPatrick Staff and Check Detailed IPE Documentation Not in Submittal; Tour the Plant
Continue to Resolve "Items" as Necessary -> Documentation of Resolution of All "Items"

1.1.1.1 Review of FSAR and Technical Specifications

On October 23, 1992, a visit was made to the White Flint office of the NRR Project Manager for FitzPatrick (Brian McCabe) to review the latest versions of the FitzPatrick Final Safety Analysis Report and Technical Specifications.

1.1.1.2 Kick-Off Meeting at NRC

A project kick-off meeting was held on October 14, 1992, at NRC RES offices in White Flint. During this meeting, an overall plan for the FitzPatrick audit was formulated. This meeting was led by John Flack of RES. Also present at the meeting were members of the review team, including those individuals involved in the front end, human factors, and back end audits.

During this kick-off meeting, some of the discussion was focused on findings related to a prior plant inspection performed by the NRC's Diagnostic Evaluation Team (DET). A summary of the DET findings and licensee response to IPE-related issues is provided in a letter to T. Murley (NRR) from R. Beedle (Licensee) concerning the licensee's review of the FitzPatrick IPE with findings of the Diagnostic Evaluation Team report.

1.1.1.3 Review of the IPE Submittal

Between August 27 and the latter part of October 1992, the equivalent of several staff-days of effort were spent in reviewing the submittal. A tentative list of items to be resolved was prepared.

1.1.1.4 Review of Answers to Step 1 Questions

Before this step 2 audit was initiated, the NRC had performed a step 1 review of the licensee's submittal. As a result of this review, the NRC forwarded a number of questions to the licensee to which the licensee provided written responses. These questions and responses were reviewed by SEA. Some of these questions were judged by SEA to be adequately addressed by the licensee, while in other instances, it was judged that it would be necessary to obtain additional information during the site visit to fully understand the licensee's response. The questions and licensee responses were considered during the preparation of the site visit audit plan. Section 2.0 of this report discusses the questions / responses related to the front end review based on information and insights gathered during the site visit.

1.1.1.5 Letter Report

Based on a review of the submittal and information gathered at the kick-off meeting, SEA prepared an audit plan for the site visit. This audit plan identified additional issues to be resolved, additional information required to complete the audit process, and areas of the plant that the SEA lead analyst would like to tour. A copy of this audit plan was provided to the NRC in early November 1992. A copy of this audit plan is attached as Appendix A to this report.

1.1.2 Site Visit

The visit to the FitzPatrick site took place on January 27, 28, and 29, 1993. A total of approximately two-and-one-half days were spent at the site.

1.1.2.1 Site Audit Process

As a result of the pre-site activities described above, a number of "Items" were identified that would be discussed with the utility staff. These "Items" were divided into two categories, namely (1) items addressing the breadth of the submittal, and (2) items addressing the depth of the submittal in special areas.

Items identified prior to the site visit were discussed on the first day of the visit. On the morning of the following day, a tour of the plant was taken to gain a familiarity with the plant layout and arrangement. Following this tour, the "list" of outstanding items was modified to account for information acquired during (1) discussions held on the first day with utility staff and (2) observations made during the plant tour. The afternoon of the second day was spent discussing these remaining issues.


Prior to completion of the visit, the NRC and licensee agreed that post-visit telephone contact with the licensee could be made if necessary to obtain modest amounts of additional information.

1.1.2.2 Horizontal Review

The horizontal portion of the review process focused on the overall breadth of the submittal. All the required front end analysis areas were reviewed, with a particular emphasis on those "Items" of concern. To help ensure the completeness of this review activity, all of the topics identified in the NRC's Subtask 1 Audit review areas were addressed. A further discussion of the comparison of the IPE content with these review areas is provided in Section 3.0 of this report.

1.1.2.3 Selected Vertical Reviews

The vertical portion of the review process focused on the resolution of the "Items" of concern. Because of the limitations associated with the audit process, it was only possible to perform in-depth reviews into selected areas. The areas selected for the vertical review were based on the prior detailed review of the submittal and supporting information.

1.1.2.4 Personnel Interviewed

During the site visit, discussions were held with a number of licensee personnel. In addition, discussions were held with one of the contractors retained by the licensee to help with failure data quantification. Members of the licensee's Nuclear Systems Analysis Group traveled from the utility's headquarters in White Plains, N.Y. to participate in the site visit.

Clement Yeh, a Senior Engineer in the licensee's Nuclear Systems Analysis Group, was our overall contact during the site visit. He personally answered a number of questions related to the analysis and, as required, coordinated the discussion activities with other knowledgeable personnel.


Ken Vehstedt, a Senior Engineer in Nuclear Operations, provided a significant amount of input on a variety of topics, including diesel generator reliability and station blackout issues. He used to be in operations as a maintenance group supervisor for the licensee, and is currently working in White Plains on configuration control and risk-based regulation.

Andy Mihalik, a Nuclear Safety Engineer in the Nuclear Systems Analysis Group, provided information concerning details of various systems and models.

John Favara, an Engineer in the Nuclear Systems Analysis Group, provided miscellaneous information related to the analysis models.

Young In, a Senior Consulting Engineer with NUS Corp., provided information related to failure data quantification. He assisted the licensee through a contracting arrangement.

Terry Herrmann, a Technical Program Consultant based on the plant site, provided information related to plant design and plant systems and led the plant tour. He is currently involved in the root cause analysis of equipment failures.


Information related to reactor control room operations was provided by Dick Schilling, a Senior Reactor Operator and Simulator Instructor. He provided a brief tour of the simulator, programmed and operated the simulator to represent the initial phases of a station blackout accident, and answered questions related to operator response during station blackout conditions.

Peter Donahue, on-site Manager of Preventative Maintenance Engineering, provided information related to the trending of equipment failure data.

Plant information related to the design and operation of the plant AC distribution system was provided by Frederick Weinert, who is the Plant Systems Engineer for this system.


Robert Hladik, a Plant Engineer (Mechanical), provided information related to diesel generator operation. Until very recently, he was the Plant Systems Engineer for the diesel generators.

Information related to the design and operation of the Emergency Service Water System was provided by Chris Ponzi, who is the Plant Systems Engineer for the Service and Emergency Service Water Systems.

Throughout the site visit the licensee's staff was very cooperative. All of the information requested prior to the visit was made available to us, along with a large body of additional documentation related to the analysis process. Several analysts were available at all times to answer questions and to gather required information.

From discussions with the licensee, it was learned that approximately 65% of the work associated with the IPE analysis was performed in house by licensee staff members. The licensee staff was involved in all aspects of the examination.

1.1.2.5 Plant Tour

A tour of selected areas of the plant was made on January 28. The overall objective of this tour was to gain an understanding of the plant layout features that are important from a PRA perspective. For example, attention was given to design factors that can influence the progression and consequences of internal flooding. Other factors noted during the course of the tour included the provisions for equipment ventilation, equipment identification / labeling, and equipment access. Figure 1-2 shows a general overview of the site layout.

Figure 1-2. FitzPatrick Simplified Site Plan (site plan drawing not reproduced in this text extraction)

A preliminary list of desired tour areas was provided to the licensee via the pre-visit audit plan (Appendix A). These areas were as follows:

1) Battery Rooms
2) Emergency Switchgear Rooms
3) Area where containment vent path transitions from hardened piping to non-hardened SGTS ductwork containment venting
4) RCIC Enclosure
5) HPCI Enclosure
6) Crescent Rooms
7) Control Room
8) Relay Room
9) Emergency Service Water Pumphouse
10) Diesel Generator Buildings
11) Motor Control Centers BMCC1, BMCC2

The actual tour areas were adjusted to account for information gathered during the first day of the plant visit as well as from observations made during the tour. For example, it was decided that only one battery room need be toured, because of layout symmetries between areas containing redundant equipment. In summary, the actual tour areas ended up being as follows:

1) Battery Room B-2
2) Battery Board Room 2
3) 600 VAC Switchgear Room Containing Bus L25
4) Area where containment vent path transitions from hardened piping to non-hardened SGTS ductwork (Outside Reactor Building Elev. 272')
5) Reactor Building Elev. 326'
6) Reactor Building Elev. 300'
7) Reactor Building Elev. 272'
8) Reactor Building Elev. 242'
9) RCIC Enclosure (Reactor Building Elev. 227')
10) HPCI Enclosure (Reactor Building Elev. 227')
11) Crescent Rooms (Reactor Building Elev. 227')
12) Simulator (Training Facility)
13) Emergency Service Water Area containing ESW pump B, RHRSW pumps B and D
14) Diesel Generator Area containing EDGs B, D, and 4160 VAC switchgear 10600
15) Motor Control Centers BMCC1, BMCC2

Tour Summary

The tour was led by Terry Herrmann, a Technical Program Consultant for the licensee. We were accompanied by Andy Mihalik and John Favara, who are Engineers in the licensee's Nuclear Systems Analysis Group.

The tour began in the 272' elevation of the turbine building. While not identified as a tour area of particular interest, this portion of the turbine building was entered to gain access to an area that contains emergency diesel generators B and D, and associated 4160 VAC switchgear. It was noted that water from a flood source in one of the B or D diesel areas would have to spill over a low curb (approx. 4") before water could reach the adjacent diesel room or switchgear area. After accounting for room drains and other factors, the licensee concluded that internal flooding accidents involving the diesel generator and 4160 VAC emergency switchgear areas would have very small frequencies compared to other types of core damage accidents. This conclusion appeared to be reasonable. During the tour of this portion of the plant, the configuration of the diesel generator ventilation system was also noted, as well as a plant modification that provides for separate discharge paths for the jacket water cooling to each diesel generator. Previously, the jacket water cooling paths for each pair of diesel generators were cross-tied, with separate check valves installed in each line upstream of the cross-tie connection. These discharge check valves have now been eliminated.

The next areas visited were the Emergency Service Water rooms. Entry was made into the room containing Emergency Service Water pump B, and RHR Service Water pumps B and D. During the visit, the fire door separating the redundant train of the Emergency Service Water and RHR trains was open to provide for maintenance activities. It was possible to view equipment associated with this redundant train, as well as a hose and pipe connection that could be used to manually connect the discharge of the plant fire system into the RHR A Service Water Discharge header. The location of recently-installed replacements for two Emergency Service Water pump discharge check valves was also noted. According to the licensee, problems were experienced in past years with the two ESW pump discharge check valves (46-ESW-1A, 1B). These two check valves had experienced oscillation problems. These valves were replaced in 1988. The new valves have lower profile discs that have eliminated the oscillation problems. It was estimated by the plant staff that since installation, the new valves have received in excess of 100 demands to open without a single failure.

Prior to entering the Reactor Building, visits were made to the West Electrical Bay, Battery Room B-2, and Battery Board Room 2. The West Electrical Bay contains, among other items, 600 VAC safety related switchgear. It was noted that orange stickers had been placed on some of the equipment items that would assist plant personnel in identifying equipment associated with Abnormal Operating Procedure AOP-43 ("Plant Shutdown From Outside the Control Room"). It was also noted that the utility is in the process of improving the identification labeling of electrical switchgear/MCCs and associated loads. During the visit to Battery Room B-2, which contains 125 VDC battery B-2, it was noted that the room does not contain any flooding sources. Furthermore, the room is isolated from adjacent areas by concrete walls and a fire door. During blackout conditions, the shedding of loads connected to this battery is accomplished in the adjacent Battery Board Room 2. This Battery Board Room contains the battery charger and distribution bus for loads fed from 125 VDC battery B-2. Like the battery rooms, this room does not contain any flooding sources, and is isolated from adjacent areas by concrete walls and a fire door.

The next portion of the tour involved a visit to various areas within the Reactor Building, including elevations 326', 300' and 272'. Also visited was the area outside the Reactor Building that contains the transition of containment hardened piping to non-hardened SGTS ductwork.

Reactor Building elevation 326' contains the Standby Liquid Control System pumps, tank, and associated piping. It was noted that this level of the reactor building is an open area.

Reactor Building elevation 300' contains access to the Reactor Water Cleanup System pumps and associated piping. These items are enclosed behind concrete shielding walls and are accessed via a wire mesh door. Very clear notice was posted as to the significant radiation levels inside this area. It was possible to view some of the contents of this room by viewing a monitor outside the room that was remotely connected to a camera located inside the room.

It was noted that water released as the result of a leak in this area would ultimately migrate to lower levels of the reactor building.

Adjacent to the Reactor Building at the 272' elevation is the area that contains the transition of containment hardened piping to non-hardened SGTS ductwork. It was noted that safety-related equipment would not be threatened if the SGTS ducting is breached. In particular, the room does not contain any safety related equipment, and a significant over-pressurization of the room would be relieved through failed doors that lead directly to the outside.

In the final portion of the plant tour, a visit was made to the Reactor Building 272', 242', and 227' elevations to inspect plant features and equipment related to the RHR/LPCI system, the Core Spray System, the HPCI System, and the RCIC System. It was noted that flood water discharged in the reactor building will ultimately migrate to one of the crescent areas located on the 227' elevation. The West Crescent Area contains RHR/LPCI pumps A and B, Core Spray pump A, and the HPCI pump, along with associated valves, piping, and other support equipment for these systems. The East Crescent Area contains RHR/LPCI pumps C and D, Core Spray pump B, and the RCIC pump. The two crescent areas are separated by barriers that provide protection against common flooding that would disable the entire emergency core cooling system. Attention was given to potential flooding scenarios that could simultaneously disable equipment in both crescent areas, in particular backflow through equipment and floor drain systems. Attention was also given to flooding issues related to two motor control centers that power required equipment for the HPCI and RCIC systems. These motor control centers, BMCC-1 and BMCC-2, are close to stairwells, which makes them potentially susceptible to spraying or splashing from certain Reactor Building flooding scenarios. It was noted that these motor control centers have overhead splash shields. One of the recommendations of the analysis is that side protection be added to these motor control centers to further protect against flooding effects. This recommendation was judged to be reasonable, because even though the expected core damage reduction is very small, the work involved in adding side protection to these motor control centers appears to be relatively minor.

Throughout the entire plant tour, "good housekeeping" was evident, as the various areas were kept tidy and free of extraneous materials and debris.

Following the tour of the plant areas described above, a visit was made to the plant simulator, which is located in the training facility. Dick Schilling, a Senior Reactor Operator and Simulator Instructor, provided a brief tour of the simulator, programmed and operated the simulator to represent the initial phases of a station blackout accident, and answered questions related to operator response during station blackout conditions.


2.0 ITEMS OF INTEREST

As was discussed in Section 1.1 of this report, the audit activities included a focus on selected areas of the submittal to better understand the licensee's analysis process and to resolve "Items" of consideration that were identified during the pre-visit and on-site audit activities. This portion of the report provides a summary of findings related to our major focus areas and the resolution of the "Items" of consideration.

Sections 2.1 through 2.6 below provide a discussion of the major "Items" of consideration and their resolution.

For completeness, Section 2.2 provides a summary of insights and judgements related to the licensee's response to NRC's step-one front-end review requests. As previously noted, the licensee provided pre-visit responses to these information requests. During the plant visit, additional information was gathered from the licensee to more fully understand the licensee's response.

Sections 2.7 and 2.8 describe the interfaces with the human factors and back-end review teams, respectively.

A list of the "Items" of consideration is provided in Table 2-1. The following subsections discuss these "Items" and their disposition.

2.1 HVAC Requirements for Important Loads

During the pre-visit review of the submittal and plant FSAR, it became apparent that additional information would be required to understand the IPE modeling of HVAC system dependencies. The paragraphs below summarize the reasons for our concerns and the resolution of this "Item".

Table 3.1.4.7 of the submittal (p. 3-97) lists four important HVAC loads, specifically the following:

Table 2-1. Items of Consideration Discussed with the Licensee

1. HVAC Requirements for Important Loads
   i) Emergency Diesel Generator Rooms
   ii) Crescent Areas
   iii) RCIC Enclosure
   iv) Control Room
   v) Battery Rooms
   vi) Switchgear
   vii) Emergency Service Water Pumphouse
2. Common Cause Analysis
   a) Criteria for Selecting Common Cause Failure Candidates
   b) "Missing" Common Cause Events
      i) 2 ESW pump discharge check valves
      ii) supply and exhaust dampers for diesel generators
      iii) ventilation fans for diesel generators
      iv) time delay relays used to connect loads to diesel generators
   c) Common Cause Failures Across Diverse Systems
      i) Pressure Locking Problem with RHR/LPCI and Core Spray
      ii) Plans for Diverse System Common Cause Analysis in "Living PRA" Program
3. Failure / Unavailability Data
   a) Data for Diesel Generator Failure to Start
   b) Data for Emergency Service Water Pumps
   c) Spurious Signals to Components
   d) Failure / Unavailability Data Updates / Trending
4. Station Blackout
   a) Differences in Function / Usefulness of Battery "A" and "B" During Blackout Conditions
   b) Battery Capacity / Load Shedding Under Station Blackout Conditions
5. Fault Trees
   a) Reactor Protection System
   b) Alternate Rod Insertion System
   c) Emergency Service Water System
   d) Emergency Diesel Generator System
   e) RCIC Enclosure Ventilation System
   f) RHR/LPCI System
   g) CRD System (coolant injection function)
   h) 125 VDC System
   i) Offsite Power
6. Protection Provided Front-End Mitigating System Equipment from Possible Failure of Non-hardened Containment Vent Path
   a) Emergency Diesel Generator Rooms
   b) Crescent Area Cooling
   c) RCIC Enclosure Ventilation
   d) Control Room

On p. 3-257 of the submittal, it is stated that three front-line HVAC systems were modeled, in particular HVAC systems used to support the emergency diesel generator rooms, crescent area cooling, and the RCIC enclosure. No explicit mention appeared to be contained in the report confirming that control room ventilation was indeed included in the IPE model. It is stated on p. 3-359 of the submittal that room cooling was not modeled for areas that house the CRD system, the ESW pumps, the switchgear, and batteries because of the lack of heat sources. It is also stated on p. 3-245 of the submittal that "since the ESW pumps are in a large area in separate rooms in the screenwell pumphouse, room cooling for the pump motors is not required". However, no calculations or other forms of documentation were referenced to substantiate the exclusion of HVAC considerations for these systems.

Section 9.9 of the FitzPatrick Final Safety Analysis Report (FSAR) describes HVAC associated with a number of safety-related systems, including the batteries, the screenwell house, the diesel generator building, the control room, and the relay room. For example, on p. 9.9-14, Section 9.9.3.11 of the FSAR, it is stated that the control and relay room air conditioning systems "must operate at all times during normal, shutdown, and design basis accident conditions". Based on written and verbal responses provided by the utility staff, it is apparent that the licensee has made a major effort to evaluate HVAC requirements for equipment. While at the site, a review was made of documentation that describes calculations performed by the licensee. The calculations accounted for convective and radiative heat transfer through doors, dampers (if open) as well as heat transfer to appropriate room walls and roof structures.

While these calculations were in many respects best estimate, conservatisms were included. For example, the lowest value for the heat capacity of concrete over the anticipated temperature range was used, even though heat capacity is in fact a function of temperature, and will increase with increases in temperature. The licensee's written response to this "Item" has been provided. We judged the disposition of this "Item" of consideration to be adequate.


2.2 Common Cause Analysis

Two 'Items' associated with the licensee's common cause analysis were identified during the pre-visit review activities. The following paragraphs describe these concerns and their resolution.

One of the 'Items' was related to the licensee's criteria for determining the specific groups of equipment items to be considered for common cause failures. In particular, the discussion given on p. 3-356 of the submittal is not sufficiently detailed to provide this information. In addition, based on a review of the common cause events listed in Table 3.3.4.1, several potentially important common cause groups were not included in the analysis. The following component groups were missing from this table:

a) the 2 ESW pump discharge check valves
b) supply and exhaust ventilation dampers associated with the diesel generators
c) ventilation fans associated with the diesel generators
d) time delay relays used to load the emergency diesel generators after normal power is lost

This 'Item' was resolved through written and verbal responses from the utility personnel.

The selection of the equipment groups that were considered as candidates for common cause failures was based on information and guidance contained in six widely-used documents, including [NUREG/CR-4550]. These documents, which are listed in Appendix B, were used as the sole sources for common cause failure data, as no relevant common cause failures have been experienced in the operation of FitzPatrick. These documents do not contain appropriate common cause failure data for the component groups listed above. The licensee's selection of documents for use in the common cause analysis was judged to be reasonable and consistent with industry practice.

Subsequent to the IPE analysis, additional sources of data have become available, specifically the Beta factors from the Seabrook IPE and a recently-published EPRI report [EPRI Common Cause Data]. The licensee stated that these new data will be considered in future updates to the IPE in conjunction with the living PRA program.

To address this 'Item', the licensee has recently performed sensitivity analyses to estimate the increase in core damage frequency with the recently-available common cause failure data. In one of these sensitivity analyses, the licensee calculated that the existing mean core damage frequency estimate of 1.92E-06/yr would increase by 13% to 2.17E-06/yr if common cause failures of the diesel generator ventilation fans, supply/exhaust dampers, and emergency service water check valves were included in the analysis. The licensee noted that the failure of time delay relays used to load the emergency diesel generators had already been included in the original analysis within events that account for common cause failure of powered safeguard loads.

The other 'Item' is related to consideration of common cause failures across diverse systems. While usually not accounted for in PRA studies, common cause failures across diverse systems may have the potential to be significant contributors to core damage frequency. This 'Item' of consideration is to clarify the licensee's plans for including common cause failures across diverse systems in the "living" PRA program.

The licensee had stated on p. 43 of their response to the NRC's request for additional information that plans have been made to include pressure locking as a potential common cause failure of injection valves associated with two diverse systems (RHR/LPCI and core spray) in the "living" PRA program. The licensee had explicitly stated on p. 3-357 of the submittal that common cause failures across system boundaries were not considered in the existing analysis.

The licensee has indicated that the "living" PRA program will include consideration of common cause failures across system boundaries based on appropriate industry and plant specific data.


In summary, it is judged that in the existing analysis, the licensee has addressed most of the potentially important common cause failures. In conjunction with the "living" PRA program, the licensee plans to consider additional common cause failures as appropriate data become available. In addition, common cause failures across system boundaries will be considered. The consideration of common cause failures across diverse systems goes beyond the level of analysis detail normally found in other PRA studies.

2.3 Failure/Unavailability Data

The failure/unavailability data used in a PRA evaluation has a major influence on the overall core damage estimate, as well as the relative importance of the contributors to core damage frequency.

Based on the pre-visit review activities, attention was focused during the visit on several areas related to the licensee's selection of failure/unavailability data. One of the 'Items' of consideration was related to the unusually low value used by the licensee for the failure of a diesel generator to start. Another 'Item' of consideration was related to the reasonableness of the failure data used for the emergency service water pumps. A third 'Item' was associated with the treatment of spurious signals for active equipment. Finally, the fourth 'Item' of consideration involves the fact that the licensee has based the analysis on plant-specific hardware failure and unavailability data that represent 6 years of plant operation between 8/11/1980 and 9/30/1986. Because of the 1986 cutoff date, more recent experience at the plant has not been factored into the analysis. This concern was previously raised by the NRC in their "Request for Additional Information" [NRC Add. Info. Request].


The following subsections discuss these various areas of concern.


2.3.1 Data for Diesel Generator Failure to Start

During a review of the submittal, it was noted that the licensee's analysis is based on diesel generator engine failure-to-start data that are approximately an order of magnitude lower than the generic industry data. More specifically, the analysis uses a value of 1.15E-03 for the probability that a diesel generator will fail to start on demand, whereas values between 4E-03 [NSAC-108] and 3.0E-02 are more typical of industry experience. The plant-specific failure rate of an individual FitzPatrick diesel generator unit to run is comparable to the typical generic failure rate of 2E-03/hr.

During the site visit, discussions were held with IPE analysts and plant staff to more fully understand the site's historical experience with the diesel generators. The licensee indicated that at one point in the history of the plant, there had been over 800 individual diesel generator demands without a single failure. This fact is documented in [NSAC-108], which contains data for the three years 1983, 1984, and 1985. These data represent 897 FitzPatrick diesel start demands with no failures. The licensee provided a written summary of data from the period 1986 through the third quarter of 1992, during which there were a total of 651 individual diesel generator start demands, and only 1 failure. The single failure of a diesel generator to start occurred in 1986.

To more fully understand the significance of the diesel generator failure data in the context of core damage frequency, the licensee was requested to estimate the change in core damage frequency with a 10-fold increase in the engine failure-to-start probability, including a corresponding adjustment to diesel fail-to-start common cause failures. Given this change in failure data, the licensee estimated that the original mean core damage frequency of 1.92E-06/yr would be increased by approximately 7% to 2.06E-06/yr. In adjusting the diesel generator common cause failure data, the appropriate beta factors remained unchanged.

Based on the information discussed above, it was judged that the licensee's use of diesel generator failure data is reasonable and is based on plant historical experience with the diesel generators. The core damage estimates do not appear to be overly sensitive to changes in the diesel failure-to-start probability.
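The data treatment discussed in this subsection, as an added worked example that is not part of the audit report or the licensee's IPE: it pools the two demand-count periods quoted above into a Beta-Binomial (Bayesian) estimate of the fail-to-start probability, compares it with the submittal value and the generic range, and then applies the beta-factor split that the 10-fold sensitivity relied on, with the beta factor held fixed. The choice of prior, the beta factor of 0.05 and the scaling factor are assumptions made here for illustration; the licensee's own estimation method is not stated on the page.

```python
"""Diesel generator fail-to-start estimate from plant demand history, with a
beta-factor sensitivity.  Added worked example; not from the audit report or
the licensee's IPE.  Demand counts are those quoted in Section 2.3.1; the
prior, the beta factor (0.05) and the 10-fold scaling are assumptions."""

# Plant demand history quoted in Section 2.3.1: (start demands, failures).
DEMAND_HISTORY = [
    (897, 0),   # NSAC-108 period, 1983 through 1985
    (651, 1),   # licensee summary, 1986 through third quarter 1992
]

IPE_VALUE = 1.15e-3                 # per-demand value used in the submittal
GENERIC_RANGE = (4.0e-3, 3.0e-2)    # range quoted as typical of industry data
ASSUMED_BETA = 0.05                 # hypothetical beta factor for illustration


def pooled_counts(history):
    """Total demands and failures over all periods."""
    demands = sum(d for d, _ in history)
    failures = sum(f for _, f in history)
    return demands, failures


def failure_on_demand(history, prior=(0.5, 0.5)):
    """Posterior mean of a Beta-Binomial model for probability of failure on
    demand.  The default Beta(0.5, 0.5) is the Jeffreys prior, a common
    non-informative choice in PRA data analysis; prior=(0, 0) gives the
    maximum-likelihood value failures/demands.  Whether the licensee used
    this model is not stated in the report."""
    a, b = prior
    n, f = pooled_counts(history)
    return (f + a) / (n + a + b)


def beta_factor_split(q, beta):
    """Beta-factor model: of a unit's total failure probability q, the share
    beta is common cause (fails every unit in the group) and 1 - beta is
    independent."""
    return (1.0 - beta) * q, beta * q


def scaled_sensitivity(history, scale, beta=ASSUMED_BETA):
    """Scale the fail-to-start probability (the audit asked for a factor of 10)
    with the beta factor held fixed, as the licensee did.  Returns
    ((q, q_independent, q_common_cause) before, same after).  Because beta
    is unchanged, the common cause term scales by the same factor."""
    q0 = failure_on_demand(history)
    q1 = q0 * scale
    return (q0, *beta_factor_split(q0, beta)), (q1, *beta_factor_split(q1, beta))


def compare_to_generic(q, low=GENERIC_RANGE[0], high=GENERIC_RANGE[1]):
    """Classify an estimate against the generic industry range."""
    if q < low:
        return "below generic range"
    if q > high:
        return "above generic range"
    return "within generic range"


if __name__ == "__main__":
    n, f = pooled_counts(DEMAND_HISTORY)
    q = failure_on_demand(DEMAND_HISTORY)
    print(f"{f} failure in {n} demands -> posterior mean {q:.2e} per demand "
          f"({compare_to_generic(q)}); submittal used {IPE_VALUE:.2e}")
    before, after = scaled_sensitivity(DEMAND_HISTORY, 10)
    print("10x scaling, beta fixed: common cause term "
          f"{before[2]:.2e} -> {after[2]:.2e}")
```

Pooling the two periods gives one failure in 1548 demands; the Jeffreys posterior mean is about 9.7E-04 per demand, below the 1.15E-03 used in the submittal and well below the generic range, which is the point the audit makes: the plant value is low because the plant's own demand record is good, not because of an analysis error. Holding beta fixed while scaling the per-demand value is what makes the common cause term move with it, so a sensitivity that only scaled the independent term would understate the effect.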


2.3.2 Data for Emergency Service Water Pumps

Because of the relative importance of service water pump failures as contributors to core damage frequency, a review was done to compare data used by the licensee with generic industry data. For the failure of individual service water pumps to start and run, the licensee used plant data to derive probability estimates of 1.24E-04 and 1.88E-04/hr, respectively.

Corresponding generic failure probabilities for pumps typically are 3.0E-03 and 3.0E-05/hr, respectively. It can be seen that while the licensee's failure-to-start data are lower than these generic pump values, the failure-to-run data are substantially higher. Overall, the licensee's failure data for the service water pumps were judged to be consistent with generic industry experience with motor driven pumps.

In summary, it appears that the licensee's use of plant specific data for the emergency service water pumps is reasonable.

2.3.3 Spurious Signals to Components

Another 'Item' of consideration was related to the licensee's treatment of spurious signals that could affect the operation of active components. On p. 3-166 of the submittal, it is stated that "spurious signals that cause hardware to enter improper states were not modeled if, after the initial operation, no components are expected to receive an additional signal in the course of the accident to re-adjust or change their operating state." The licensee was asked to provide the basis for this assumption and to note instances where spurious signals were considered as potential system failure modes.

As discussed more thoroughly in Appendix B, the licensee stated that guidance provided in "Probabilistic Safety Analysis Procedures Guide" [NUREG/CR-2815] was followed regarding the consideration of spurious signals that can cause hardware to enter improper states. The licensee also noted in their response that spurious actuation of HPCI and RCIC isolation trip signals was modeled, because spurious actuation of these trip signals would defeat these systems. As noted on pp. 3-255 and 3-290 of the submittal, the analysis also considered operator recovery to restore operation of these systems following a spurious trip signal.


The quantification of the spurious trip signals for HPCI and RCIC was based on IEEE data for failure of instrumentation out of range. The licensee's selection and use of this source of data was judged to be appropriate.

In summary, the licensee's treatment of spurious signals to active equipment used in mitigating systems was judged to be reasonable.

2.3.4 Failure/Unavailability Data Updates/Trending

The fourth 'Item' of consideration regarding failure data involves the fact that the licensee has based the analysis on plant-specific hardware failure and unavailability data that represent 6 years of plant operation between 8/11/80 and 9/30/86. Because of the 1986 cutoff date, more recent experience at the plant has not been factored into the analysis. This concern was previously raised by the NRC in their "Request for Additional Information". In conjunction with the site visit, the licensee was requested to provide any information on the impact of post-1986 plant experience on the original IPE estimates of component failure rates and unavailabilities. Note that the licensee had earlier responded to the NRC request for information on this topic in "Response to Request for Additional Information".

From a written response and conversations with utility staff during the site visit, it was learned that post-1986 experience shows that maintenance unavailabilities for HPCI and RCIC had increased. However, it was stated that the root cause of the increased HPCI maintenance unavailability (control system problems) has been corrected. The licensee also acknowledged the potential for common cause failure of the RHR/LPCI and core spray injection valves.

The licensee performed a sensitivity analysis in which:

a) the common cause failure of the four LPCI and core spray valves was modeled (common cause failure across system boundaries), and
b) the probabilities of RHR, HPCI, and RCIC component failures, human errors, and maintenance unavailabilities were increased by factors of 2 and 3.

The core damage mean value estimate increased from 1.92E-06/yr to 5.65E-06/yr and 7.26E-06/yr, respectively.

The licensee also indicated that work is currently under way to study the trending of failure data during the post-1986 time frame. To date, preliminary data trending has been done on the following:

a) RHR Motor Operated Valves
b) Core Spray Motor Operated Valves
c) Diesel Generator Circuit Breakers
d) Diesel Generator Dampers and Fans
e) Emergency Service Water Check Valves

These data trending activities have not identified any significant changes in the availability/reliability of the studied components.

In summary, there are no reasons to believe that the licensee's analysis results will be significantly changed once all the failure data have been updated beyond 1986.

However, it is recommended that the licensee ensure that updating of the entire component failure data base is accomplished as part of the "living" PRA program.

2.4 Station Blackout

During the initial kick-off meeting held with the NRC in October, concerns were raised by knowledgeable NRC staff regarding possible differences in the effectiveness or usefulness between 125 VDC Battery A and Battery B during a blackout condition. In the analysis, the licensee had credited the batteries with equal overall effectiveness in maintaining stable conditions during blackout conditions. Additionally, the licensee's analysis demonstrated that the common cause failure of the batteries represents the single most important contributor to core damage risk increase. Consequently, it was decided to more fully investigate the role of these batteries in station blackout accidents, including the comparative effectiveness of each battery and the licensee's battery capacity and load shedding calculations. These 'Items' of consideration are discussed in the following subsections.

2.4.1 Differences in Function/Usefulness of Battery "A" and "B" During Blackout Conditions

Two batteries feed a number of important loads, including instrumentation, switchgear circuit breakers, emergency lighting, and HPCI/RCIC equipment. Battery A can provide power for loads needed to operate and monitor the RCIC system, while Battery B can provide power for loads needed to operate and monitor the HPCI system. The use of either RCIC or HPCI would be sufficient to establish and maintain decay heat removal during an extended blackout condition.

Battery A also feeds an Uninterruptible Power Supply (UPS) that supplies power to various instruments, including control room meters for reactor pressure, reactor level, reactor steam flow, and reactor feed flow. In addition, this UPS powers recorders for several parameters, including average power range monitors, source range monitors, feedwater flow, reactor level and pressure, and reactor pressure/turbine steam flow.

Abnormal operating procedure F-AOP-49 (Station Blackout) directs the operators to begin shedding certain loads within 30 minutes of the start of a blackout condition, including the UPS. Even without the loads fed from the UPS, the batteries will operate Analog Transmitter Trip System (ATTS) panels 0995/0996. The ATTS provides the following indications to the operators:

a) wide and narrow range reactor vessel water level,
b) narrow range drywell pressure,
c) main steam isolation valve position,
d) scram discharge instrument volume level, and
e) HPCI and RCIC steam break protection system status (high ambient temperature, high steam flow and low steam pressure).


During the next refueling outage, the licensee will perform modification F1-89-158 that will independently supply panel 27 MAP from the 419 Vdc LPCI battery system via an inverter.

This panel will provide the following indications:

a) wide range drywell pressure,
b) wide range suppression pool level, and
c) primary containment isolation valve position, excluding check valves.

Currently, these indications may not be available to operators during an extended blackout condition. The installation and design of these indicators will be done per the guidance of Regulatory Guide 1.97 regarding post-accident instrumentation. The battery capacity of the 419 Vdc LPCI electrical system is such that the 27 MAP panel could be operated for times well in excess of 8 hours without the need for battery recharging.

From a PRA perspective, it was judged that the existing plant configuration would provide plant staff with sufficient instrumentation during a blackout condition if either battery is available. However, the modification described above will enhance the operators' ability to monitor core cooling and containment integrity during extended blackout conditions.

2.4.2 Battery Capacity/Load Shedding Under Station Blackout Conditions

The bases for estimates of battery load capacity under station blackout conditions are summarized in a calculation note (calc note). The analysis method used in this calc note was found to be conservative. For example, a 25% correction factor was applied to increase the calculated number of required positive plates to accommodate end-of-life battery conditions. In addition, the electrolyte temperature was assumed to be 60 deg. F, resulting in an additional 10% of conservative margin. The analysis credits the extension of battery discharge times per instructions for load shedding given in abnormal operating procedure F-AOP-49 (Station Blackout).


With end-of-life and temperature corrections, the calculations demonstrate that both batteries will provide sufficient output during an eight hour period. A best estimate calculation by the licensee demonstrates that these batteries can supply required loads for at least 12 hours.

Based on a review of the battery capacity calculations and abnormal operating procedure F-AOP-49, it was concluded that the licensee was justified in assuming that the batteries can supply required loads for an 8 hour period. It is also noted that the licensee performed sensitivity calculations regarding shorter battery discharge intervals.

As discussed in Section 3.3.6.4 of the submittal, the core damage mean frequency estimate increases from 1.92E-06/yr to 2.47E-06/yr and 2.56E-06/yr as the battery depletion times are decreased to 6 and 4 hours, respectively.

2.5 System Fault Trees

As part of the process of understanding the licensee's analysis, selected fault tree models were reviewed. These fault trees were not included as part of the submittal. Because the fault trees form the basis of much of the analysis, it was judged to be important that a representative portion of the fault tree models be reviewed. Selected portions of fault trees for the following systems were reviewed:

a) Reactor Protection System
b) Alternate Rod Insertion System
c) Emergency Service Water System
d) Emergency Diesel Generator System
e) RCIC Enclosure Ventilation System
f) RHR/LPCI System
g) CRD System (coolant injection function)
h) 125 VDC System
i) Offsite Power

It was noted that the fault tree models are very detailed, and appeared to include required equipment support systems, as well as all of the necessary components and failure modes.

The level of detail for the fault tree bottom events was consistent with available failure data. Overall, over 20,000 unique basic events were modeled in the various fault tree models.

The fault tree models for the Reactor Protection and Alternate Rod Insertion Systems were very detailed, and appeared to properly account for circuitry elements as well as potential mechanical failures (such as rod binding). The overall probability of failing to achieve an automatic scram with these systems was calculated to be slightly below the value that was used in the accident sequence analysis development (7E-06/yr versus 1E-05/yr).

At FitzPatrick, an important mutual dependency exists between the emergency service water system and the diesel generators. During conditions involving the loss of normal power, the diesel generators will start and provide electrical power to emergency loads, including the emergency service water pumps. At the same time, the emergency service water pumps are required to provide cooling water flow to sustain the operation of the diesel generators.

When this mutual dependency is modeled, an artificial "break" must be made in the fault trees to prevent the logic from representing a non-solvable continuous "loop". Care must be taken when this logic "loop" is broken to ensure that important failure modes of either system are not lost in the modeling process. A review of the emergency service water and diesel generator fault trees indicated that the "looping" had been properly broken. In our judgement, the licensee has structured these fault tree models so that pertinent system failures and failure modes are included in the emergency service water and diesel generator system cut sets.

In summary, it was judged that the licensee's fault tree models properly account for the failure modes and dependencies of the various mitigating systems.
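The loop-breaking described above, as an added illustration that is not the licensee's fault tree or software: a small two-train model in which each diesel needs ESW cooling and each ESW pump needs its diesel's bus, a cut set solver that refuses to expand a gate already on its own expansion path (the "non-solvable loop"), and two ways of breaking the loop, one that keeps the cooling-dependent failure modes and one that silently drops them, which is exactly the loss the audit checked for. The gate names, the two-train layout and the demand-only probabilities (no fail-to-run, no common cause) are constructed assumptions; the probability values reuse the per-demand figures quoted in Sections 2.3.1 and 2.3.2.

```python
"""Minimal cut sets for a fault tree with a mutual support dependency (diesel
generators need ESW cooling; ESW pumps need diesel power after loss of offsite
power).  Added worked example, not the licensee's fault tree or software.  The
gate names, the two-train layout and the basic event probabilities are
constructed for illustration; the probabilities reuse per-demand values quoted
in Sections 2.3.1 and 2.3.2 and ignore fail-to-run and common cause."""

from itertools import product


class LogicLoop(Exception):
    """Raised when a gate is reached again while it is still being expanded."""


# Basic events (leaves) with constructed per-demand probabilities.
BASIC_EVENTS = {
    "EDG_A_HW": 1.15e-3, "EDG_B_HW": 1.15e-3,    # diesel fails to start (Sec. 2.3.1)
    "ESW_PA_HW": 1.24e-4, "ESW_PB_HW": 1.24e-4,  # ESW pump fails to start (Sec. 2.3.2)
}

# Unbroken model: the pump support branches refer back to the full EDG gates.
LOOPED = {
    "NO_EMERGENCY_AC": ("AND", ["EDG_A_FAILS", "EDG_B_FAILS"]),
    "EDG_A_FAILS": ("OR", ["EDG_A_HW", "ESW_FAILS"]),
    "EDG_B_FAILS": ("OR", ["EDG_B_HW", "ESW_FAILS"]),
    "ESW_FAILS": ("AND", ["ESW_PA_FAILS", "ESW_PB_FAILS"]),
    "ESW_PA_FAILS": ("OR", ["ESW_PA_HW", "EDG_A_FAILS"]),  # pump A bus fed by EDG A
    "ESW_PB_FAILS": ("OR", ["ESW_PB_HW", "EDG_B_FAILS"]),  # pump B bus fed by EDG B
}

# Proper break: inside the ESW support branch, loss of the pump's power is
# attributed to the diesel's own hardware only, not to the full EDG gate
# (which would bring ESW failure back in and close the loop).
BROKEN = dict(LOOPED)
BROKEN["ESW_PA_FAILS"] = ("OR", ["ESW_PA_HW", "EDG_A_HW"])
BROKEN["ESW_PB_FAILS"] = ("OR", ["ESW_PB_HW", "EDG_B_HW"])

# Careless break: drop the cooling dependency from the EDG gates instead.
# This also removes the loop but loses every ESW-related failure mode.
BADLY_BROKEN = dict(LOOPED)
BADLY_BROKEN["EDG_A_FAILS"] = ("OR", ["EDG_A_HW"])
BADLY_BROKEN["EDG_B_FAILS"] = ("OR", ["EDG_B_HW"])


def minimize(cut_set_list):
    """Drop any cut set that is a superset of another (absorption)."""
    kept = []
    for cs in sorted(set(cut_set_list), key=len):
        if not any(k <= cs for k in kept):
            kept.append(cs)
    return kept


def cut_sets(name, gates, path=()):
    """Expand a gate into its minimal cut sets; raise LogicLoop on a cycle."""
    if name not in gates:                       # basic event
        return [frozenset([name])]
    if name in path:                            # gate is already being expanded
        raise LogicLoop(" -> ".join(path + (name,)))
    kind, inputs = gates[name]
    children = [cut_sets(i, gates, path + (name,)) for i in inputs]
    if kind == "OR":
        combined = [cs for child in children for cs in child]
    elif kind == "AND":
        combined = [frozenset().union(*combo) for combo in product(*children)]
    else:
        raise ValueError(f"unknown gate type {kind!r}")
    return minimize(combined)


def has_loop(name, gates):
    """True if expanding `name` runs into a gate that depends on itself."""
    try:
        cut_sets(name, gates)
    except LogicLoop:
        return True
    return False


def rare_event_probability(cut_set_list, probs):
    """Rare-event approximation: sum over cut sets of the product of event probabilities."""
    total = 0.0
    for cs in cut_set_list:
        p = 1.0
        for event in cs:
            p *= probs[event]
        total += p
    return total


if __name__ == "__main__":
    print("loop in unbroken model:", has_loop("NO_EMERGENCY_AC", LOOPED))
    for label, model in (("proper break", BROKEN), ("careless break", BADLY_BROKEN)):
        mcs = cut_sets("NO_EMERGENCY_AC", model)
        print(label, [sorted(cs) for cs in mcs],
              f"P ~ {rare_event_probability(mcs, BASIC_EVENTS):.3e}")
```

With the proper break the top event has four double cut sets: both diesels, both ESW pumps, and the two mixed pairs (one diesel plus the other train's pump), the last two being the cooling-dependent failures that the review of the licensee's trees was looking for. The careless break keeps only the both-diesels cut set, which is the kind of silent loss of failure modes the audit cautions against.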


2.6 Protection Provided Front-end Mitigating System Equipment from Possible Failure of Non-hardened Containment Vent Path

During containment venting, the venting is accomplished via a non-hardened section of piping. We felt that it was important to verify the licensee's contention that the rupture of this piping would not disable or degrade accident mitigating systems. The area that contains the transition of containment hardened piping to non-hardened SGTS ductwork is adjacent to the Reactor Building at the 272' elevation. This area was visited on the plant tour described earlier in Section 1.1.2.5. It was noted that safety-related equipment would not be threatened if the SGTS ducting is breached. In particular, the room does not contain any safety-related equipment, and a significant over-pressurization of the room would be relieved through failed doors that lead directly to the outside.

In conclusion, we judged that the licensee was correct, namely that this 'Item' of consideration could be dismissed as an issue.

2.7 Interface With Human Factors Review

In preparation for the site visit, as well as during the site visit, an effort was made to identify human factors issues that should be considered by the human factors team during the review process.

Prior to the site visit, we identified one item to Concord as an issue that might warrant further scrutiny, in particular operator actions during station blackout credited in the analysis.

Load shedding during a station blackout is explicitly included in instructions to operators in Abnormal Operating Procedure F-AOP-49 (" Station Blackout"). During the plant tour described earlier in Section 1.1.2.5, entry was made into one of the two battery board rooms from where load shedding would be performed.


2.8 Interface with Back End Review

Only one potential issue was identified that would also apply to the back end review process, specifically the effects from rupture of non-hardened piping during containment venting. As previously discussed in Section 2.6, the area that contains the transition of containment hardened piping to non-hardened SGTS ductwork is adjacent to the Reactor Building at the 272' elevation. This area was visited on the plant tour described earlier in Section 1.1.2.5. It was noted that safety-related equipment would not be threatened if the SGTS ducting is breached. In particular, the room does not contain any safety-related equipment, and a significant over-pressurization of the room would be relieved through failed doors that lead directly to the outside.


3.0 AUDIT FINDINGS PER SUBTASK 1 REVIEW ITEMS

The following paragraphs summarize our audit findings concerning the Task Order subtask 1 review areas.

3.1 NRC Subtask 1 Audit Items A.1 and A.2 - General Approach

NRC Subtask 1 Audit Item A.1:

The IPE employed a viable process to confirm that the plant models represent the as-built, as-operated plant. Unique design features were appropriately addressed.

The licensee has considered all modifications and operating procedures that were implemented prior to December 1990. In addition, the licensee has included plant-specific data on scrams that occurred between January 1976 and December 1989.

As previously discussed in Section 2.3, an 'Item' of consideration was discussed regarding the licensee's use of component failure data that might not accurately reflect current plant conditions because of the 1986 cutoff date. The licensee also indicated that work is currently under way to study the trending of failure data during the post-1986 time frame. To date, preliminary data trending/updating activities have not identified any significant changes in the availability/reliability of the studied components.

There are no reasons to believe that the licensee's analysis results will be significantly changed once all the failure data have been updated beyond 1986. However, it is recommended that the licensee ensure that updating of the entire component failure data base is accomplished as part of the "living" PRA program.

Section 6.2 of the submittal provides a summary of the unique safety features that are important in reducing the frequency of certain core damage accident sequences. Unique features identified by the submittal are


1) The protection of essential plant equipment from the potential rupture of the non-hardened portion of the primary containment vent path during containment venting.
2) Provisions for use of alternate boron injection via the CRD pumps to mitigate potential ATWS sequences following the failure to scram and failure of the Standby Liquid Control System.
3) Provisions for use of the fire protection system as an alternate means of supplying water through the LPCI train "A" injection path via a cross-connection between the two systems.
4) The RHR pump seals do not require external cooling to sustain the function of the RHR pumps. Therefore, loss of seal cooling provided by the reactor building closed loop cooling system or emergency service water system will not fail the RHR pumps.
5) Overheating of self-cooled seals used for the core spray pumps will not disable the injection function of these pumps. Thus, the core spray system can be used to inject fluids from water sources that have temperatures in excess of the temperature for which the seals are qualified.
6) The HPCI high turbine exhaust pressure trip setpoint is set at 150 psig. This feature allows operators additional time to mitigate accidents involving containment over-pressurization, for example ATWS sequences.
7) The MSIV isolation signal was lowered from 118 in. to 59.5 in. above the Top of Active Fuel (TAF) to increase the availability of the primary coolant system for heat removal and coolant makeup.
8) The plant procedure for station blackout (F-AOP-49) provides directions for operators to prevent high temperature trips of HPCI and RCIC by using keylock switches in the control room. In addition, this procedure also directs operators to open doors to the HPCI and RCIC enclosures so that natural circulation cooling can be established during a station blackout.


9) There are no auto transfer provisions to switch RCIC suction from the CST to the torus on high torus level. This feature prevents RCIC failure from high torus temperatures.
10) There are a total of four emergency diesel generators, any one of which is capable of providing sufficient power to mitigate a transient involving the loss of normal power.

In addition to the above list of unique features provided by the licensee, we judge that another factor is important in lowering the frequencies of potential accident sequences, in particular the licensee's demonstration that HVAC is not required for a number of key safety systems. As was discussed in Section 2.1, the licensee performed detailed calculations to determine equipment HVAC requirements, and as a result HVAC was included in the fault tree models as a required support system only for RCIC, the diesel generators, and the crescent areas.

It is also worth noting that the licensee has taken steps to prevent pressure locking of LPCI and core spray valves by installing bonnet vents. In addition, it is worth noting that during the next refueling outage, the licensee plans to make modifications so that backup diesel generator cooling can be provided by a diesel-powered fire water pump.

The licensee used information obtained from the seal manufacturer to address the effects of seal degradation/loss on pump operation. For example, in the case of the RHR pumps, a maximum expected leakage rate of 20 gal/hr would be expected with scoring of the seals. If a complete disintegration of a seal occurred, the design of the seal flange would limit leakage to 23 gal/min. In any case, the pump performance would not be adversely affected.

In summary, we judged that the licensee has appropriately assessed the unique design features. We do, however, recommend that the licensee include in any IPE updates reference to the justifications/bases that substantiate the analysis assumption that RHR and core spray pump operation will be unaffected by overheating of pump seals.


NRC Subtask 1 Audit Item A.2:

The IPE appropriately considered internal flooding as a potential contributor to core damage.

(Use NUREG-1174 for review insights)

The licensee has performed a detailed analysis to address issues associated with internal flooding. The flooding analysis consisted of three major elements, namely:

1) the identification of potential flood areas and flood zones,
2) the identification of flooding scenarios and initial elimination of unimportant scenarios, and
3) the quantification of remaining potentially important flooding scenarios.

Plant walkdowns were also used as part of the flooding analysis process. Probabilistic and deterministic arguments were used to estimate core damage frequencies associated with potentially important flooding scenarios. A screening value of 1E-08/yr was used to eliminate individual flooding scenarios from further consideration.

Using the above approach and screening criteria, the licensee was able to eliminate all potential flooding scenarios from further consideration. Various plant features contribute to the elimination of flooding scenarios as significant contributors to core damage. For example, flood water that is discharged in the reactor building will ultimately migrate to one of the crescent areas. These crescent areas are separated by barriers that provide protection against common flooding that would disable the entire emergency core cooling system. During the site visit, attention was given to potential flooding scenarios that could simultaneously disable equipment in both crescent areas. In particular, a walkdown of various reactor building levels and crescent areas was performed during the site visit. In addition, a review of appropriate piping and instrumentation diagrams was made to assess the potential for common flooding of the two crescent areas caused by backflow via equipment and floor drain systems.


It was noted that the analysis has implicitly taken credit for electrical circuit breaker coordination. Good circuit breaker coordination will prevent the propagation of electrical faults into other portions of the electrical distribution system. The assumption of good circuit breaker coordination is reasonable and consistent with other commercial reactor PRA studies.

However, we recommend that the licensee explicitly state this assumption in any updates to the submittal.

In summary, we judged the results of the licensee's flooding analysis to be valid.

3.2 NRC Subtask 1 Audit Items B.1 through B.7 - Accident Sequence Delineation

NRC Subtask 1 Audit Item B.1:

The IPE identified generic/plant specific initiators (including internal flood) and dependencies which could exist between initiating events and the associated mitigation function. Initiating events are consistent and complete with respect to other PSAs.

The licensee has identified initiating events from several relevant studies and data contained in FitzPatrick scram reports. A review of the FitzPatrick configuration was also done to identify special initiators unique to FitzPatrick, including flooding initiators. Sources of previously published information listed by the licensee in Section 3.1.1.1 of the submittal included PRAs for the Limerick and Shoreham plants.

NRC Subtask 1 Audit Item B.2:

The IPE developed appropriate fault trees to identify and analyze front line and support systems important to the prevention of core damage and mitigation of fission product release.

The fault trees used in the analysis are maintained separately from the submittal in work packages. These "work packages" are equivalent to what are commonly known in the PRA community as "system notebooks". During the site visit, use was made of these work packages for various systems. The work packages had relevant information in the following areas:

System Function
System Description
Success Criteria
Operation
Interfaces/Dependencies
Instrumentation and Control
Test/Maintenance
Technical Specifications
Operator Interface
IPE Model Description
Fault Trees
Reference Materials (for example, Engineering Diagrams)

The amount of information contained in these work packages was extensive, and it was obvious that a significant amount of effort had been expended to prepare the work packages.

Engineering diagrams contained in the work packages included relevant P&IDs, instrumentation and control diagrams, and electrical distribution diagrams.

The content of the work packages was reviewed by systems engineers and other knowledgeable plant personnel prior to the analysis. The IPE analysts indicated that these reviews were very extensive, and resulted in a number of changes to the analysis models and descriptive material contained in the work packages. This interchange between the IPE analysts and plant staff was confirmed by three systems engineers that were interviewed.

The audit indicates that the licensee has done a thorough job in assembling system information contained in the various work packages.


In conjunction with the site audit activities, a number of the fault tree models were reviewed. In general, the fault tree models were comprehensive and well-documented. The fault trees were developed to a level of detail consistent with available component failure data. Overall, over 20,000 unique basic events were modeled in the various fault tree models.

Specific fault tree models reviewed during the site visit included the following:

Reactor Protection System
Alternate Rod Insertion System
Emergency Service Water System
Emergency Diesel Generator System
RCIC Enclosure Ventilation System
RHR/LPCI System
CRD (Coolant Injection Function)
125 VDC System
Offsite Power

As previously discussed in Section 2.5 of this report, particular attention was given to the licensee's model of the mutual dependency between the emergency service water pumps and diesel generators during loss of normal power conditions. The licensee's treatment of this mutual dependency was judged to be sufficiently thorough and complete.

In summary, it was judged that the licensee developed appropriate fault trees to identify and analyze front line and support-systems important to the prevention of core damage and mitigation of fission product release.

NRC Subtask 1 Audit Item B.3:

The IPE treated dependencies (including asymmetries) among plant systems, and dependencies within a system and between systems were identified and documented in a dependency matrix form. Support systems should include as a minimum:

Electrical power (AC and DC)
ESF actuation system
Instrument air
HVAC
Service water
Component cooling water

The licensee's analysis includes a comprehensive consideration of system and inter-system dependencies, including the ones listed above. A detailed set of dependency matrices is provided in Appendix A of the submittal.

In Section 2.1 of this report, a discussion was presented regarding our concerns relative to the treatment of HVAC dependencies. This issue concerning HVAC dependencies was resolved during the visit. We have no additional concerns in this area.

In summary, we judged that the licensee has accurately and comprehensively accounted for system dependencies.

NRC Subtask 1 Audit Item B.4:

The IPE appropriately treated common cause failures employing the beta factor method, MGL method, or sensitivity studies (see NUREG/CR-2815 or plant-specific). Common cause failures were carefully examined to reveal possible root causes of such failures and in order to determine likely fixes.

As explained on p. 3-356 of the submittal, the licensee used the beta factor method described in the "Analysis of Core Damage Frequency: Internal Events Methodology" [NUREG/CR-4550]. At the time of the submittal, only generic common cause data were available, as no common cause failures had been experienced at FitzPatrick.

It was judged that the licensee's ongoing failure trending program discussed in Section 2.3.4 is sufficiently thorough to be able to identify areas of future concern regarding potential common cause equipment failures. Note that the licensee has already taken steps to prevent potential common cause pressure locking of LPCI and core spray valves by installing bonnet vents.

In our judgement, the licensee has used an appropriate common cause analysis methodology (Beta factor method) and has an ongoing program to address potential common cause equipment failures for input to the "living" PRA program.

NRC Subtask 1 Audit Item B.5:

The system event trees and special event trees appear to appropriately treat the initiating events, associated success criteria, and dependencies between top events.

The licensee has presented a complete set of the event trees that were used in the analysis, along with appropriate descriptive material. Included in the submittal and analysis are event trees that represent potential accident sequences associated with special initiators. Summaries are provided regarding the specific attributes of each of the event tree paths.

Several of the event trees are used to represent special initiators, specifically the loss of a safeguard AC bus (10500 or 10600), or the loss of a 125 VDC Battery Control Board ("A" or "B"). The licensee has accounted for the loss of other support systems (instrument air, certain types of room cooling, etc.) in event trees that are used to account for various types of general transient initiators. The licensee appears to have taken care to ensure that no "linked" dependencies have been missed by grouping certain types of support system failures in initiating event groups that are accounted for in the event trees representing more general types of transients. The licensee has also noted that no plant scram is modeled where the loss of HVAC to certain critical loads would not cause a reactor trip.


The event trees have appropriately treated the initiating events, associated success criteria, and dependencies between top events. Consequently, we have no concerns regarding this portion of the analysis.

NRC Subtask 1 Audit Item B.6:

The IPE appeared to identify the most probable core damage sequences based on insights from other PSAs. Sequences were expanded to identify dominant contributors, i.e., specific components, plant conditions or behavior, and common cause failures which could potentially contribute to plant vulnerabilities.

During the site visit, it was apparent that the IPE analysts had knowledge of results and insights from other PSAs. In Section 1.4.3 of the submittal, the licensee has made a comparison of the FitzPatrick analysis results with results from a Peach Bottom study given in "Analysis of Core Damage Frequency: Internal Events Methodology" [NUREG/CR-4550]. This comparison includes a discussion regarding the reasons for similarities and differences between the two analyses.

The licensee has used a methodology that is capable of identifying dominant contributors expressed as accident sequences, individual components, common cause failures, and human errors. The licensee has applied this methodology to accomplish this purpose. Lists of dominant event contributors to three importance measure categories have been generated. These three importance measure categories are risk reduction, risk increase, and uncertainty. These importance measures were generated for results associated with both the core damage frequency and loss of decay heat removal analyses.

Based on our audit, the licensee's core damage frequency analysis was judged to be slightly under-estimated because several types of common cause events were not included. As previously discussed in Section 2.2, groups of equipment items not included in the common cause analysis included the emergency service water pump discharge check valves, and diesel generator ventilation fans and dampers. These items were not included in the original analysis because of the lack of appropriate data. Recently, however, additional sources of common cause data have become available, for example the Seabrook IPE [Seabrook IPE Submittal]. In response to one of our pre-visit questions, the licensee performed sensitivity analyses to estimate the increase in core damage frequency with the recently-available common cause failure data. In one of these sensitivity analyses, the licensee calculated that the existing mean core damage frequency estimate (without recovery) of 1.92E-06/yr would increase by 13% to 2.17E-06/yr if common cause failures of the diesel generator ventilation fans, supply/exhaust dampers, and emergency service water check valves were included in the analysis.

In summary, we judged that the IPE identified the most probable core damage sequences based on insights from other PSAs. Sequences were expanded to identify dominant contributors, such as specific components, plant conditions or behavior, and most of the common cause failures which could potentially contribute to plant vulnerabilities. The licensee's estimates of the core damage frequency and dominant contributors are reasonable. The common cause refinements discussed above do not affect the overall conclusions of the analysis.

NRC Subtask 1 Audit Item B.7:

The IPE appropriately treated front end and back-end dependencies:

Important sequences were not screened out,
Considered containment bypass,
Considered containment isolation,
Plant damage states considered reactor system/containment system availability,
Source term,
System mission times,
Inventory depletion,
Dual usage (spray vs. injection).

The IPE retained Level I core damage sequences with frequencies equal to or greater than 1E-08/yr. This truncation value was judged to be reasonable and consistent with other PSA analyses.

In Section 3.1.5 of the submittal, a discussion is provided regarding the grouping of accident sequences into "Bins" or "plant damage states" (PDSs). The licensee has grouped the level I core damage results into PDS bins according to characteristics that account for the status of the reactor, containment, and core cooling systems. A given PDS is represented by a specific grouping of cut sets. The licensee prepared a comprehensive set of questions that were used in the PDS definition process. These questions are described in Section 3.1.5.2 of the submittal. A summary of the PDS grouping of the core damage analysis results is provided in Section 3.1.5.3 of the submittal.

It is our judgement that the licensee has correctly accounted for system mission times, inventory depletion, and the dual usage of systems (i.e., RHR injection, suppression pool cooling, and drywell spray) in the front and back end analyses.

In summary, we judged that the IPE has appropriately treated front-end and back-end dependencies.

NRC Subtask 1 Audit Item B.8:

For multi-plant analyses, the IPE considered initiating events affecting more than one unit, and treated systems shared between units.

The FitzPatrick plant site contains only one reactor. Consequently, this review item is not applicable.


3.3 NRC Subtask 1 Audit Items C.1 through C.4 - Quantitative Process

NRC Subtask 1 Audit Item C.1:

The IPE quantitatively evaluated the impact of integrated system and component failures on plant safety. Data support the use of mean values and the licensee employed sensitivity studies to determine the impact of vital assumptions as appropriate.

The methodology used by the licensee identified dominant contributors expressed as accident sequences, individual components, common cause failures, and human errors. Lists of dominant event contributors to three importance measure categories have been generated. These three importance measure categories are risk reduction, risk increase, and uncertainty. These importance measures provide a quantitative measure of the impact of integrated safety system and component failures on plant safety. Importance measures were generated for results associated with both the core damage frequency and loss of decay heat removal analyses.

Mean value estimates were used for event failure data. Mean, median, and corresponding uncertainty values were calculated for the accident sequence results. The licensee's input data support the use of mean values.

The licensee used a sensitivity analysis to study the impact of battery depletion times on core damage frequency. The results of this sensitivity analysis are described in Section 3.3.6.4 of the submittal. A sensitivity analysis of battery depletion was appropriate because long term station blackout sequences make the dominant contributions to core damage frequency.

In summary, the IPE performed a quantitative evaluation of the impact of integrated system and component failures on plant safety. Data used by the licensee support the use of mean values. In addition, the licensee appropriately employed a sensitivity study on battery depletion times.
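The quantification techniques that Audit Items B.4 (the beta factor common cause method), B.6 (the common cause sensitivity study), B.7 (the 1E-08/yr truncation value) and C.1 (risk reduction and risk increase importance measures) refer to, worked through on a toy cut-set model. This is an added example written for this page; it is not code or data from the audit report, the FitzPatrick IPE or NUREG/CR-4550. Every event name, probability and frequency in it is constructed, and the importance measure definitions (risk reduction worth as CDF divided by CDF with the event set to zero; risk achievement worth as CDF with the event set to one divided by CDF) are the standard definitions assumed here, since the report names the categories without defining them.

```python
from math import prod

# Added example, not from the audit report or the FitzPatrick IPE: a toy
# cut-set quantification that shows (1) the beta-factor common-cause split,
# (2) truncation of cut sets below the Level I screening value, (3) risk
# reduction / risk increase importance measures, and (4) a common-cause
# sensitivity study.  Every event name and number below is constructed.

SCREEN_PER_YEAR = 1.0e-8   # Level I truncation value cited in the audit


def beta_factor_split(q_total, beta):
    """Beta-factor model: split a redundant component's total failure probability
    into an independent part and a common-cause part that fails all trains."""
    return (1.0 - beta) * q_total, beta * q_total


def build_model(beta):
    """Return (basic event values, minimal cut sets) for a two-train example.
    Initiating events carry a frequency per year; all other events are
    per-demand probabilities, so each cut set product is a frequency per year."""
    q_ind, q_ccf = beta_factor_split(1.0e-2, beta)   # ESW pump, constructed value
    events = {
        "LOOP": 1.0e-2,        # loss of offsite power, per year
        "TRANS": 1.0,          # general transient, per year
        "ESW_A": q_ind,        # independent failure of ESW pump A
        "ESW_B": q_ind,        # independent failure of ESW pump B
        "ESW_CCF": q_ccf,      # common-cause failure of both ESW pumps
        "HPCI_FTS": 1.0e-2,    # HPCI fails to start
        "RCIC_FTS": 1.0e-2,    # RCIC fails to start
        "OFFSITE_NR": 1.0e-1,  # offsite power not recovered before batteries deplete
        "SRV_STUCK": 1.0e-2,   # safety-relief valve sticks open
        "LP_INJ": 1.0e-3,      # low-pressure injection fails
    }
    cut_sets = [
        frozenset({"LOOP", "ESW_CCF", "OFFSITE_NR"}),
        frozenset({"LOOP", "ESW_A", "ESW_B", "OFFSITE_NR"}),
        frozenset({"LOOP", "HPCI_FTS", "RCIC_FTS", "OFFSITE_NR"}),
        frozenset({"TRANS", "SRV_STUCK", "HPCI_FTS", "RCIC_FTS", "LP_INJ"}),
    ]
    return events, cut_sets


def cut_set_frequency(cut_set, events):
    return prod(events[e] for e in cut_set)


def quantify(events, cut_sets, screen=SCREEN_PER_YEAR):
    """Rare-event approximation: core damage frequency is the sum of the retained
    cut sets; cut sets below the screening value are truncated."""
    retained = [cs for cs in cut_sets if cut_set_frequency(cs, events) >= screen]
    dropped = [cs for cs in cut_sets if cs not in retained]
    return sum(cut_set_frequency(cs, events) for cs in retained), retained, dropped


def importance(event, events, retained):
    """Risk reduction worth (event set to 0) and risk achievement worth (event
    set to 1), computed on the retained cut sets.  Standard definitions assumed
    here; the audit names the categories but does not define them."""
    base = sum(cut_set_frequency(cs, events) for cs in retained)
    cdf_zero = sum(cut_set_frequency(cs, {**events, event: 0.0}) for cs in retained)
    cdf_one = sum(cut_set_frequency(cs, {**events, event: 1.0}) for cs in retained)
    rrw = float("inf") if cdf_zero == 0 else base / cdf_zero
    return rrw, cdf_one / base


def run_example(beta=0.05):
    """Quantify the model and, as a sensitivity study, requantify it with the
    common-cause contribution removed (beta = 0)."""
    events, cut_sets = build_model(beta)
    cdf, retained, dropped = quantify(events, cut_sets)
    cdf_no_ccf, _, _ = quantify(*build_model(0.0))
    return {
        "cdf": cdf,
        "retained": retained,
        "dropped": dropped,
        "importance": {e: importance(e, events, retained) for e in events},
        "cdf_no_ccf": cdf_no_ccf,
        "ccf_increase": cdf / cdf_no_ccf - 1.0,
    }


if __name__ == "__main__":
    r = run_example()
    print(f"CDF = {r['cdf']:.3e}/yr; {len(r['retained'])} cut sets retained, "
          f"{len(r['dropped'])} truncated below {SCREEN_PER_YEAR:.0e}/yr")
    for name, (rrw, raw) in sorted(r["importance"].items(), key=lambda kv: -kv[1][1]):
        print(f"  {name:11s} risk reduction worth {rrw:8.2f}  risk achievement worth {raw:10.1f}")
    print(f"Without common cause: {r['cdf_no_ccf']:.3e}/yr "
          f"(adding the CCF event raises CDF by {r['ccf_increase']:.0%})")
```

Two things the toy model makes visible that the prose only states: the common-cause cut set dominates even though its probability is only five percent of a single pump's, which is why the audit treats omitted common cause candidates as an under-estimate; and an event present in every retained cut set (here the non-recovery of offsite power) has an unbounded risk reduction worth, which is the signature of the long-term station blackout dependence the battery depletion sensitivity study addresses.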


NRC Subtask 1 Audit Item C.2:

The technique used to perform data analysis appears consistent with other PSAs (note: plant specific data is expected to be used for important components and systems as identified in NUREG-1335).

The licensee has used a combination of generic and plant-specific data for quantification of the accident sequences. Plant-specific data were gathered and used wherever possible; generic data were used to supplement cases in which plant data were limited or where there were no plant data. The sources of generic data are clearly referenced, for example in Table 3.3.2.1 on p. 3-367 of the submittal. A detailed discussion of the licensee's approach to the collection, analysis, and aggregation of data is given in Section 3.3.2 of the submittal.

In Section 2.3 of our report, an 'Item' of consideration was discussed regarding the licensee's use of failure data that might not accurately reflect current plant conditions because of the 1986 cutoff date. The licensee also indicated that work is currently under way to study the trending of failure data during the post-1986 time frame. To date, preliminary data trending/updating activities have not identified any significant changes in the availability/reliability of the studied components.

We judged that the licensee's data analysis technique is generally consistent with other PSAs. There are no reasons to believe that the licensee's analysis results will be significantly changed once all the failure data have been updated beyond 1986.

However, it is recommended that the licensee ensure that updating of the entire component failure data base is accomplished as part of the "living" PRA program.

NRC Subtask 1 Audit Item C.3:

Sources of generic failure data used in the IPE are identified, and a rationale for their use provided. Data sources should be reasonably consistent with data reported in NUREG-2815, Appendix C.


A list of the sources of generic failure data used in the IPE process is explicitly identified in Table 3.3.2.1 of the submittal. These generic data sources included WASH-1400, the "Individual Plant Examination Report for the Seabrook Station" [Seabrook IPE Submittal], and IEEE data (IEEE 500). A rationale for using these data was provided, namely that they include relevant generic data from previous PRAs and reports from organizations such as the NRC and IEEE. These data sources are reasonably consistent with data provided in NUREG-2815.

We judged that the licensee's selection of sources of generic data was reasonable.

NRC Subtask 1 Audit Item C.4:

The IPE explicitly quantified common cause failures and identified data sources.

Table 3.3.4-1 on p. 3-422 of the submittal provides a list of the common cause failures that were included in the analysis. These common cause failures were explicitly quantified and data sources were identified. The quantification of these failures was judged to be reasonable.

As previously discussed in Section 2.2, 'Items' of consideration were raised regarding the selection of common cause failure candidates. Based on the licensee's response, we have judged these 'Items' to be resolved. The licensee's staff members have indicated that additional common cause failure events described in Section 2.2 will be included in the "living" PRA.

In summary, the licensee has explicitly quantified common cause failures and identified corresponding data sources. We do, however, recommend that the licensee include in the "living" PRA program the additional common cause candidates we identified in Section 2.1.2 of our report.

3.4 NRC Subtask 1 Audit Items D.1 and D.2 - Vulnerability Evaluation

NRC Subtask 1 Audit Item D.1:

The IPE supports the licensee's definition of vulnerability with respect to core damage, and the analysis probed beyond the system level to train or segment level to uncover vulnerabilities. The licensee's definition provided a means by which the licensee could identify potential vulnerabilities (as so defined) and plant modifications (or safety enhancements) to eliminate or reduce the effect of vulnerabilities.

As discussed in Section 3.1.2 of the submittal, the licensee has defined core damage to occur when the reactor water level is less than 2 feet above the bottom of the active fuel. The licensee has taken this definition and coupled it with a small event tree, linked large fault tree methodology to perform a core damage analysis. By using this methodology, the licensee has been able to identify dominant contributors expressed in terms of accident sequences, individual components, common cause failures, and human errors. Lists of dominant event contributors to three importance measure categories have been generated, specifically risk reduction, risk increase, and uncertainty.

By reviewing the analysis results, the licensee has been able to identify plant vulnerabilities, along with suitable enhancements and modifications that can reduce or eliminate these vulnerabilities.

In summary, we judged that the IPE analysis permitted the licensee to search for vulnerabilities with respect to core damage. In addition, the licensee's analysis probed beyond the system level to uncover potential vulnerabilities. The licensee's approach provided a means by which the licensee could identify potential vulnerabilities and plant modifications/enhancements to eliminate or reduce the effect of vulnerabilities.


NRC Subtask 1 Audit Item D.2:

The identification of plant improvements and proposed modifications are reasonably expected to enhance plant safety.

In Section 7.3 of the submittal, the licensee presents a list of potential modifications/enhancements that could be used to reduce the risk from core damage and loss of containment heat removal scenarios. As stated in that section of the submittal, the licensee is evaluating these possibilities to determine which changes would be warranted in the context of risk reduction versus costs. A decision has already been made regarding one of the possible plant enhancements. In particular, the licensee is planning to modify the plant to provide an alternate source of water to the emergency diesel generators via the fire protection system.

We judged that this modification is reasonable given the relatively high contribution of ESW pump failures to the core damage risk reduction and risk increase measures.

Note that one of the licensee's proposed modifications would involve the placement of side protection on motor control centers BMCC-1 and BMCC-2 to further protect against flooding.

As discussed earlier in Section 1.1.2.5 of our report, this recommendation was judged to be reasonable, even though the expected reduction in core damage frequency is very small. In particular, the work involved in adding side protection to these motor control centers appeared to be relatively minor.

In summary, we judged the licensee's identification of plant improvements and proposed modifications can reasonably be expected to enhance plant safety.

3.5 NRC Subtask 1 Audit Items E.1 through E.3 - Decay Heat Removal Evaluation

NRC Subtask 1 Audit Item E.1:

The IPE explicitly focused on reliability of the DHR function. IPE findings and conclusions are consistent with other PSA findings.


The licensee has performed an evaluation of decay heat removal to address USI A-45. This evaluation was performed with the same approach used in the core damage accident sequence analysis. The licensee estimated that the overall mean frequency of loss of containment heat removal sequences was 1.95E-07/yr. Only a small fraction of the sequence contribution (approximately 2%) represents core damage outcomes.

The licensee compared the FitzPatrick results to PSA results for Peach Bottom that are described in "Analysis of Core Damage Frequency: Internal Events Methodology" [NUREG/CR-4550]. This Peach Bottom analysis demonstrated that the loss of containment heat removal sequences are not dominant, as they are below 1E-08/yr versus the overall mean core damage frequency estimate of 4.5E-06/yr.

The difference in the containment heat removal frequency estimates between FitzPatrick and Peach Bottom (1.95E-07/yr versus <1E-08/yr) can be explained by the respective configurations of the RHR and RHR service water systems. At FitzPatrick, loss of 4.16 kV Bus 10500 will cause the failure of RHR pumps A and B along with RHRSW pumps A and C, thus leaving a single intact RHR/RHRSW loop (loop D). Likewise, loss of 4.16 kV Bus 10600 will cause the failure of RHR pumps C and D along with RHRSW pumps B and D, thus leaving a single intact RHR/RHRSW loop (loop A). At Peach Bottom, loss of a safety bus causes the loss of only one of four RHR/RHRSW trains.

The IPE has explicitly focused on the reliability of the DHR function. The licensee's evaluation of the differences between the FitzPatrick analysis and the Peach Bottom PSA findings is explained by the unique design of the FitzPatrick RHR/RHRSW configuration.


NRC Subtask 1 Audit Item E.2:

The IPE explored the benefit of diverse means of decay heat removal, e.g. feed-and-bleed, recovery of main feedwater.

The licensee explored various options for decay heat removal, including recovery of offsite power, shedding of battery loads, the over-riding of MSIV isolation, and the use of the fire protection system as an alternate source of water for the RHRSW system. Some of the possibilities identified by the licensee would require additional modifications to the plant configuration and/or procedures.

In summary, we judged that the IPE comprehensively explored the benefit of diverse means of decay heat removal.

NRC Subtask 1 Audit Item E.3:

Any unique features or other means which contribute to increased DHR reliability were substantiated.

As noted in the response to Subtask 1 Audit Item A.1, the licensee has identified unique features that contribute to reducing the frequency of certain core damage accident sequences. Most of these unique features also contribute to increased DHR reliability.

In summary, we judged that the licensee has appropriately assessed the unique design features that contribute to increased DHR reliability. However, as discussed in the response to Subtask 1 Audit Item A.1, we do recommend that the licensee include in any IPE updates reference to the justifications/bases that substantiate the analysis assumption that RHR and core spray pump operation will be unaffected by overheating of pump seals.

4.0 AUDIT FINDINGS

The purpose of this section is to summarize the overall findings of the audit.

4.1 Overall Findings

Responses to Review Team Questions

Throughout the site visit, the licensee's staff was very cooperative. All of the information requested prior to the visit was made available to us, along with a large body of additional documentation related to the analysis process.

4.2 Summary of the Limitations and Weaknesses of the IPE

Provided in the following subsections are the areas of the front end portion of the submittal and analysis that we feel could be improved or enhanced. Previous sections of this report that contain more detailed discussions of these summary findings are noted.

Items that Should Be Addressed By The Licensee

Based on our review, we recommend that the licensee include the following enhancements to future updated analyses:

a) additional candidates for common cause failures (Section 2.2), and
b) updates to the data base to reflect the most recent plant operating experience (Section 2.3.4).

Items That Would Enhance the IPE

We recommend that the licensee consider including the following enhancements to the documentation:

a) Reference to calculations/justification for decisions regarding the need for equipment HVAC requirements (Section 2.1),
b) Explicit mention in the flooding analysis regarding the assumption of good circuit breaker coordination (Section 3.1, Item A.2),

c) Documentation of the assumption regarding spurious signals to components (Section 2.3.3), and
d) Reference to the justifications/bases that substantiate the analysis assumption that RHR and core spray pump operation will be unaffected by overheating of pump seals (Section 3.1, Item A.1).

4.3 Resolution of Unresolved and Generic Safety Issues

4.3.1 USI A-45: Shutdown Heat Removal

The licensee has performed an evaluation of decay heat removal to address USI A-45. This evaluation was performed with the same approach used in the core damage accident sequence analysis. Based on our review, the licensee's analysis method and results are reasonable and valid.

4.3.2 Other Issues Addressed in the IPE

The licensee has also performed an evaluation of control system failures to address USI A-47.

An event tree was constructed to model pertinent feedwater control system accident sequences. The total core damage frequency from accidents initiated by feedwater control system malfunctions was estimated to be less than 1E-08/yr. We judged the licensee's analysis method and results to be reasonable.

4.4 Evaluation of Identified Vulnerabilities and Proposed Fixes

The analysis has identified station blackout as the dominant contributor to core damage.

Important contributors to station blackout accident scenarios include the failure of the emergency service water system pumps that are used to provide cooling to the emergency diesel generators. The licensee is planning to modify the plant so that the fire water system could be used as a backup source of cooling water to the emergency diesel generators.


4.5 Evaluation of Dominant Contributors to Core Damage

Section 7 of the submittal, titled "Conclusions," provides a summary of the analysis results as well as the conclusions made from the analysis. The mean core damage internal events frequency was calculated to be 1.92E-06/yr. The dominant contributor to core damage was determined to be station blackout accidents. The station blackout accidents contribute 91.1% of the core damage frequency.

The next most important contributor is a transient condition involving stuck-open safety-relief valves and loss of all ECCS injection. These accident sequences contribute 6.2% to the core damage frequency estimate.

The third most important contributor to the core damage frequency is a transient condition with a loss of containment heat removal. These accidents contribute 1.6% of the core damage frequency.

The other two most dominant categories of accidents, ATWS and LOCAs with loss of all ECCS injection, each contribute less than 1% to the core damage frequency estimate.

We judged that the licensee's assessment of dominant contributors to core damage was reasonable.

4.6 Summary of Audit

The FitzPatrick IPE front end analysis appeared consistent with the requirements of the IPE Generic Letter 88-20. Documentation used in the FitzPatrick analysis that was not contained in the submittal is well maintained and documented.

The overall conclusions of the IPE analysis were judged to be valid. Two items were identified in Section 4.2 of our report that we recommend be addressed in the licensee's "living" PRA program. However, it is not anticipated that these enhancements to the analysis will change the conclusions of the IPE.


In addition, several enhancements to the IPE documentation were also identified in Section 4.2 of our report. These documentation enhancements will clarify to other readers additional details of the licensee's analysis process.


References

1. [Add. Info. From Lic.] Letter to NRC from R. Beedle (Licensee), "Response to Request for Additional Information," JPN-92-046, September 1, 1992.
2. [DET Findings] Letter to T. Murley (NRR) from R. Beedle (Licensee) Concerning the Licensee's Review of the FitzPatrick IPE with Findings of the Diagnostic Evaluation Team Report, JPN-92-024, May 28, 1992.
3. [EPRI Common Cause Data] "A Database for Common-Cause Events for Risk and Reliability Analysis," K. Fleming, et al., EPRI Report EPRI TR-100382, June 1992.
4. [FitzPatrick IPE Submittal] "FitzPatrick Individual Plant Evaluation," Jin. W. Chung, NRR/RES Interface (no date).
5. [FitzPatrick IPE Submittal] "FitzPatrick Nuclear Power Plant IPE," New York Power Authority, August 1991.
6. [Gen. Data Base] "Generic Component Failure Data Base for Light Water and Liquid Sodium Reactor PRAs," S. A. Eide, S. V. Chmielewski and T. D. Swantz, EG&G Report EGG-SSRE-8875, February 1990.
7. [IEEE-500] "IEEE Guide to the Collection and Presentation of Electrical, Electronic, Sensing Component, and Mechanical Equipment Reliability Data for Nuclear-Power Generating Stations," IEEE Std 500-1984, Dec. 13, 1983.
8. [IPE Generic Letter] USNRC, "Individual Plant Examination for Severe Accident Vulnerabilities - 10 CFR 50.54(f)," Generic Letter No. 88-20, November 23, 1988.
9. [NRC Add. Info. Request] Letter to R. Beedle (Licensee) from B. McCabe (NRR), "Request for Additional Information Regarding Individual Plant Examination - James A. FitzPatrick Nuclear Power Plant," May 20, 1992.

10. [NSAC-108] "The Reliability of Emergency Diesel Generators at U. S. Nuclear Power Plants," EPRI Report NSAC-108, September 1986.


11. [NUREG/CR-4550] "Analysis of Core Damage Frequency: Internal Events Methodology," Vol. 1 Rev. 1, January 1990.
12. [NUREG/CR-2815] "Probabilistic Safety Analysis Procedures Guide," NUREG/CR-2815, August 1985.
13. [NUREG-1335] "Individual Plant Examination: Submittal Guidance," NUREG-1335, August 1989.


14. [Seabrook IPE Submittal] "Individual Plant Examination Report for Seabrook Station," March 1991.


15. [Sourcebook] "FitzPatrick Nuclear Power Plant System Sourcebook," SAIC 89/1024.
16. [Trans IE Freq.] "Development of Transient Initiating Frequencies for Use in Probabilistic Risk Assessments," D. P. Mackowiak, EG&G, NUREG/CR-3862, May 1985.


Materials Obtained from the Licensee During the Site Visit for Post Visit Review Activities

A) Printed Materials

1) "James A. FitzPatrick Nuclear Power Plant EDG Reliability Data," memorandum to R. Hladik from K. J. Vehstedt, KJV-91-06, March 15, 1991.
2) "Emergency Diesel Generator's Starting Records," memorandum to calculation No. 89-012, K. J. Vehstedt, KJV-89-12, 13 March 1989.

3) "Calculation of Room Temperatures in the Event of a Loss of Ventilation," New York Power Authority, Nuclear Systems Analysis Group, draft, pp. ii, Sections 2, 3 and 4, Appendices A and B.
4) "Station Blackout," Abnormal Operating Procedure F-AOP-49, Rev. 2, March 21, 1990.
5) "Post Accident Venting of the Primary Containment," Abnormal Operating Procedure AOP-35, Rev. 8, January 23, 1993.
6) "Reactor Safety," Instructor Lesson Plan for Training Personnel in Operationally Significant Aspects of the IPE, NET-238.13 Rev. 2, January 3, 1993.
7) "Pressure Locking and Thermal Binding of Gate Valves," AEOD Special Study, C. Hsu, USNRC, AEOD/S92-07, Dec. 1992.
8) "Station Battery Capacity Under Station Blackout Conditions," Calculation Set No. 89-013, Rev. 2, K. J. Vehstedt, Approved January 5, 1990.


9) Listing of Core Melt Frequency Risk Increase Importance Measures for Accident Sequence Cut Set Events, Ranked by Risk Increase Importance Measure, Also Ranked Within Systems / System Trains.
10) Portion of Reactor Protection System Fault Tree, p. 1, pp. 85-124; Printout Dated Dec. 29, 1992.
11) Emergency Service Water System Fault Tree, Printout Dated May 15, 1991.

12) Overall Performance Indicator Data for Emergency Diesel Generators for 1991 and First Three Quarters of 1992.
13) Portion of Station Blackout Response Dealing With Shedding of UPS Powered From 125 VDC Battery "A", Attachment I to JPN-91-049, pp. 31, 32.
14) Data Sheet Listing Plant Modification That Involved Replacement of Emergency Service Water System Pump Discharge Check Valves.
15) Table 3.3-7 From "Individual Plant Examination Report for the Seabrook Station" That Lists Generic and Plant-Specific Beta Factors For Common Cause Analysis, March 1991.


16) Written Responses to Front-End Questions for Licensee Submitted to NRC in the Pre-Visit Site Audit Plan.

B) Engineering Diagrams

FE-1AB, Rev. 14, 120 VAC One Line Diagram RPS Bus A & B 71-05-6A & 71-05-6B and UPS Bus Distr. Pnl. 71ACUPS
11825-FE-1AC, Rev. 17, 120 VAC One Line Diag. Sh. 2 Safeguard Bus A1 & B1 Dist. Pnls. 71ESSA1&B1, 71ACUPS 1 & 2
11825-FB-4A, Rev. 12, Reactor Building Floor Drainage El. 227'-6" & 256'-6"
11825-FM-1A, Rev. 8, Mach. Loc. - Reactor Bldg. - Sh. 1, Plan El. 369'-6"
11825-FM-1B, Rev. 12, Mach. Loc. - Reactor Bldg. Sh. 2, Plan El. 344'-6"
11825-FM-1C, Rev. 8, Mach. Loc. - Reactor Bldg. Sh. 3, Plan El. 326'-9"
11825-FM-1D, Rev. 22, Mach. Loc. - Reactor Bldg. Sh. 4, Plan El. 300'-0"
11825-FM-1E, Rev. 21, Mach. Loc. - Reactor Bldg. Sh. 5, Plan El. 272'-0"
11825-FM-1F, Rev. 13, Mach. Loc. - Reactor Bldg. Sh. 6, Plan El. 227'-6"
11825-FM-1G, Rev. 10, Mach. Loc. - Reactor Bldg. Sh. 7, Section 1-1
11825-FM-1H, Rev. 10, Mach. Loc. - Reactor Bldg. Sh. 8, Section 2-2
11825-FM-1J-11, Mach. Loc. - Reactor Bldg. Sh. 9, Section 3-3
11825-FM-1K, Rev. 11, Mach. Loc. - Reactor Bldg. Sh. 10, Sections 4-4 & 5-5
11825-FM-2A-7, Mach. Loc. - Turbine Area Operating Floor Plan - El. 300'-0"
11825-FM-2B, Rev. 14, Mach. Loc. - Turbine Area Ground Gr. Level Plan - El. 272'-0"
11825-FM-2C, Rev. 13, Mach. Loc. Turbine Area Basement Floor Plan El. 252'-0"
11825-FM-2D-8, Mach. Loc. - Turbine Area Sections - Sheet 1
11825-FM-2E, Rev. 9, Mach. Loc. - Turbine Area Sections, Sheet 2
11825-FM-3A, Rev. 9, Mach. Loc. - Turbine Area Plan - Heater Bay El. 272'-0" & El. 292'-0"
11825-FM-3B, Rev. 12, Mach. Loc. - Turbine Area Plan - Heater Bay, El. 252'-0" & Sections
FM-4A, Rev. 30, Mach. Loc. Radwaste Building, Plans, El. 250'-0", El. 272'-0" & El. 284'-0"
11825-FM-4B, Rev. 18, Mach. Loc. Radwaste Bldg. Plan El. 298'-0" & Sects. 1-1, 2-2, and 6-6
11825-FM-4C, Rev. 19, Mach. Loc. Radwaste Building, Sections 3-3, 4-4, & 5-5
11825-FM-5A, Rev. 13, Machine Location Emergency Generator Building Plan & Sections
11825-FM-6A, Rev. 11, Mach. Loc. - Turbine Area Plan Electrical Bay El. 272'-0" and Sections
11825-FM-7A, Rev. 21, Machine Location Screenwell & Water Treating Plan & Section
11825-FM-7B, Rev. 16, Machine Location Screenwell & Water Treating Plan & Section, Sh. 2
11825-FM-7C, Rev. 7, Machine Location, Screenwell & Water Treating Plant & Section, Sh. 3
FM-17A, Rev. 21, Flow Diagram Radwaste - Sys. No. 20
11825-Bi-114A, Rev. 12, Personnel Access & General Arrangement Plan, El. 272'-0"
11825-Bi-114B, Rev. 9, Personnel Access & General Arrangement Plan, El. 300'-0"
11825-FM-114C, Rev. 4, Personnel Access & General Arrangement Below El. 272'-0"
11825-Bi-114D, Rev. 1, Personnel Access & General Arrangement Sections
11825-FM-114E, Rev. 0, Personnel Access & General Arrangement Sh. 5
FM-46A, Rev. 3, Flow Diagram Service Water System 46
FM-46B, Rev. 24, Flow Diagram Emergency Service Water System 46 & 15


Materials Requested and Obtained From the Licensee Following the Site Visit

1) Additional Text From "Individual Plant Examination Report for the Seabrook Station" That Discusses Generic and Plant-Specific Beta Factors For Common Cause Analysis Given in Table 3.3-7, March 1991.
2) "The Reliability of Emergency Diesel Generators at U. S. Nuclear Power Plants," EPRI Report NSAC-108, September 1986.
3) Page II-357 from "Reactor Safety Study," WASH-1400; Information Given on This Page Was Used By The Licensee As The Basis For Rod Success Criteria During A Scram.
4) Pages 1 and 9 of "Clarification of Design Basis Requirements for the JAFNPP Emergency Service Water System (46)," JAF-SE-90-067, Rev. 2, Sept. 11, 1992.
5) Sheet with Summary of Station Battery Capacity Calculations under Station Blackout Conditions, K. Vehstedt, January 12, 1993.
6) "Loss of DC Power System A," Abnormal Operating Procedure F-AOP-45, Rev. 3, June 7, 1989.
7) "Loss of DC Power System B," Abnormal Operating Procedure F-AOP-46, Rev. 4, December 22, 1987.
8) "Station Battery Capacity Under SBO Conditions," Calculation JAF-CALC-ELEC-00868, Rev. 0, February 10, 1993.


Appendix A Front-End Audit Plan


Identification of Site Visit Needs for FitzPatrick

Science and Engineering Associates, Inc.

W. Thomas

This document identifies the focus areas which I feel are appropriate for my involvement in the FitzPatrick Step 2 site visit. In preparation for this site visit, I have reviewed my notes from the October 14 kickoff meeting, as well as the following documentation:

1) FitzPatrick Nuclear Power Plant IPE, August 1991 (Licensee's IPE Submittal).
2) FitzPatrick Nuclear Power Plant System Sourcebook, SAIC 89/1024.
3) Letter to R. Beedle (Licensee) from B. McCabe (NRR), "Request for Additional Information Regarding Individual Plant Examination - James A. FitzPatrick Nuclear Power Plant," May 20, 1992.
4) Letter to NRC from R. Beedle (Licensee), "Response to Request for Additional Information," JPN-92-046, September 1, 1992.
5) Letter to T. Murley (NRR) from R. Beedle (Licensee) Concerning the Licensee's Review of the FitzPatrick IPE with Findings of the Diagnostic Evaluation Team Report, JPN-92-024, May 28, 1992.
6) "FitzPatrick Individual Plant Evaluation," Jin. W. Chung, NRR/RES Interface (no date).

Based on a review of the information available to me, I have prepared a list of questions I would like answered and a list of information I would like to review. I have also identified specific categories of utility personnel I would like to meet with, as well as areas of the plant I would like to tour. The information requests are intended to help resolve the original Step 1 review comments and to address items discussed in our kick-off meeting. I have included the questions regarding the treatment of HVAC, common cause, and spurious operation of equipment to address some additional concerns I feel may be important.

QUESTIONS

a) HVAC

Question: Are there calculations or other documentation to support the selection of the specific HVAC systems that were modeled in the IPE?

In particular, Table 3.1.4.7 of the submittal (p. 3-97) lists four important HVAC loads, specifically the following:

a) Emergency Diesel Generator Rooms
b) Crescent Area Cooling
c) RCIC Enclosure Ventilation
d) Control Room

On p. 3-257 of the submittal, it is stated that three front-line HVAC systems were modeled, in particular HVAC systems used to support the emergency diesel generator rooms, crescent area cooling, and the RCIC enclosure. I could find no explicit mention in this section or other sections of the report that control room ventilation was indeed included in the IPE model. Note that it is stated on p. 3-359 that room cooling was not modeled for areas that house the CRD system, the ESW pumps, the switchgear, and batteries because of the lack of heat sources. It is also stated on p. 3-245 that "since the ESW pumps are in a large area in separate rooms in the screenwell pumphouse, room cooling for the pump motors is not required". However, no calculations or other forms of documentation are referenced to substantiate the exclusion of HVAC considerations for these systems.

Section 9.9 of the FitzPatrick Final Safety Analysis Report (FSAR) describes HVAC associated with a number of safety-related systems, including the batteries, the screenwell house, the diesel generator building, the control room, and the relay room. For example, on p. 9.9-14, Section 9.9.3.11, it is stated that the control and relay room air conditioning systems "must operate at all times during normal, shutdown, and design basis accident conditions."

b) Common Cause

Question 1: What were the criteria for determining the specific groups of equipment items to be considered for common cause failures?


The discussion given on p. 3-356 is not sufficiently detailed to answer this question. Table 3.3.4.1 of the submittal lists the common cause failure events considered in the analysis. A number of potential common cause groups are missing, for example the following:

a) the 2 ESW pump inlet check valves
b) supply and exhaust ventilation dampers associated with the diesel generators
c) ventilation fans associated with the diesel generators
d) time delay relays used to load the emergency diesel generators after normal power is lost.

Question 2: In the licensee's "Response to Request for Additional Information," it is stated on p. 43 that the licensee plans to include pressure locking as a potential common cause failure of RHR/LPCI and core spray injection valves in the "living" PRA program. To what extent will common cause failure mechanisms be considered across other diverse systems in the "living" PRA program?

  • It is stated on p. 3-357 of the submittal that common cause failures across system boundaries were not considered.

c) Spurious Signals to System Components

Question: On p. 3-166 of the submittal, it is stated that "spurious signals that cause hardware to enter improper states were not modeled if, after the initial operation, no components are expected to receive an additional signal in the course of the accident to re-adjust or change their operating state." What is the basis of this assumption?

Information Requests

1) One line diagrams of the 125 VDC and 419 VDC systems that show interconnections between/among batteries, control boards, and distribution cabinets.
2) A detailed list of all 125 VDC loads from which the function and purpose of each load can be ascertained. The source of 125 VDC power to each load should also be identified.
3) One line diagrams of the plant 4160 VAC and 600 VAC systems.
4) Set of Building Equipment Layout Diagrams (the copies I have obtained from the submittal and SAR are not very legible)
5) Plant Procedures:

a) F-OP-6
b) F-OP-7
c) F-OP-25
d) OP-1 (Main Steam System)
e) OP-9 (Main Turbine)
f) OP-24C (Condenser Air Removal)
g) AOP-15 (Recovery from an Isolation)
h) AOP-31 (Loss of Condenser Vacuum)
i) AOP-35 (Post-Accident Venting of Primary Containment)
j) AOP-37 (Boron Injection using the CRD system)
k) AOP-38 (EOP isolation / interlock overrides)
l) F-AOP-18
m) F-AOP-19
n) F-AOP-49 (Station Blackout)
o) EOP
p) EOP-4 (Primary Containment Control)

6) Piping and Instrumentation Diagrams that show the drain systems for equipment in the reactor building.
7) Background information used by the licensee to prepare fault trees for the Reactor Protection System and Alternate Rod Insertion System (one line diagrams, system notebooks, etc.).
8) Specific fault tree models
a) Reactor Protection System
b) Alternate Rod Insertion System
c) Emergency Service Water System
d) Emergency Diesel Generator System
e) RCIC enclosure ventilation system
f) RHR/LPCI system
g) CRD (coolant injection function)
h) 125 VDC system
i) Offsite Power

9) Load shedding calculations for extending battery capacity during blackout conditions.
10) Information related to the individual time delay relays used to load the emergency diesel generators after normal power is lost, specifically a) test / maintenance / calibration intervals and procedures, and b) design details.

11) Any information on impact of post-1986 plant experience regarding original IPE estimates of component failure rates/unavailabilities.

Areas I Would Like to Tour:

1) Battery Rooms
2) Emergency Switchgear Rooms
3) Area where containment vent path transitions from SGTS ductwork to hardened piping (potential rupture point located outside reactor boundary as described on p. 4-8 of the submittal)
4) RCIC Enclosure
5) HPCI Room
6) Crescent Rooms
7) Control Room
8) Relay Room
9) Emergency Service Water Pumphouse
10) Diesel Generator Buildings
11) MCCs BMCC1, BMCC2

Plant Personnel I Would Like to Talk To

1) Control Room Operator
2) IPE Systems Analyst
3) IPE Data Analyst
4) Failure Trending Analysis Group Analyst
5) Maintenance Personnel for Mechanical and Electrical Systems
6) Systems Engineers for the Following Systems:

a) Emergency Service Water
b) Diesel Generators
c) Plant Electrical Distribution (4160 VAC, 600 VAC, 125 VDC, 419 VDC)
d) HVAC

ENCLOSURE 3 FITZPATRICK INDIVIDUAL PLANT EXAMINATION TECHNICAL EVALUATION REPORT (BACK-END)