ML20092E296
| ML20092E296 | |
| Person / Time | |
|---|---|
| Site: | Davis Besse  |
| Issue date: | 09/11/1995 |
| From: | Stetz J CENTERIOR ENERGY |
| To: | NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM) |
| References | |
| TAC-M74402, NUDOCS 9509150145 | |
| Download: ML20092E296 (75) | |
Text
.-
GNTERDOR 1
%fs ENERGY 300 Madison Avenue John P. SleII Toledo, oH 43652-0001 Vice Pfosident - Nuclear 419-249-2300 Davis Beses Docket Number 50-346 License Number NPF-3 Serial Number 2322
-September 11, 1995 L'
United States Nuclear Regulatory Commission Document Control Desk Washington, D. C. 20555-0001 1
Subject:
Response to Request for Additional Information on Individual Plant Examination Submittal, Davis-Besse Nuclear Power Station, 1 Unit 1 (TAC NO. M74402) 3 Ladies and Gentlemen:
By letter dated June 22, 1995, (Log Number 4562) the Nuclear Regulatory Commission (NRC) issued a request for additional information (RAI) regarding Toledo Edison's (TE's) Individual Plant Examination (IPE) sub-mittal for the Davis-Besse Nuclear Power Station (DBNPS). Attachment 1 contains TE's response to the RAI. As discussed with our Project Manager on August 22, 1995 and September 8, 1995, an extension of the required response date to September 12, 1995 was granted.
Should you have any questions or require additional information, please contact Mr. William T. O'Connor, Manager - Regulatory Affairs, at (419) 249-2366.
Very truly yours, HL/laj Attachment cc: L. L. Gundrum, DB-1 NRC/NRR Project Manager H. J. Miller, Regional Administrator, NRC Region III S. Stasek, DB-1 NRC Senior Resident Inspector Utility Radiological Safety Board P f. O O 5 operating companies-cleveland Electric liluminating 9509150145 950911 PDR I Toledo Edison ADOCK 05000346
.P_ _ _ _ _ .PDR 9 g
1 l
RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION FOR TIIE IPE PROGRAM DAVIS BESSE NUCLEAR POWER STATION .
l
- 1. The submittal states that RCP seals may fail under certain conditions (e.g., loss of all )
seal cooling and injection) if the operators fail to trip the RCPs. No such failure is l postulated if the operators trip the RCPs. This differs from some accepted seal LOCA models. Please describe the seal LOCA model used in your IPE. Be specific about the model (e.g., seal leakage rates and probability of failure vs. time of seal failure) and the operator actions and the timing of those actions to prevent the seal LOCA. There is a discrepancy on the timing of operator actions as stated in different sections of the report.
Section 1.2.2, " Event Tree for Transient Initiators," states that 10 minutes are available for the operators to trip the RCPs following loss of all seal cooling, but Table 3-11 in the HRA section states that 25 minutes are available. Please address this discrepancy. If available, please estimate the increase in CDF if a seal LOCA model were used which predicted seal failure even if the operators do trip the RCPs in such a scenario.
It is not clear from the submittal, if credit is taken for the non-proceduralized action of isolating the seal return line on loss of seal cooling. Please clarify, and justify if credit is taken.
Also, please explain how random failures of RCP seals are incorporated into the model and the initiating event analysis.
Response
Assumptions regarding the potential for failures of the seals for the reactor coolant pumps (RCPs) for Davis-Besse differ from those associated with some seal LOCA :
models-especially those for plants using Westinghouse pumps-because the design and i configuration of the seals for the Byron-Jackson pumps employed at Davis Besse are l 1 substantially different from those for other RCPs. The design, testing, and analysis for i the RCP seals used at Davis-Besse are described in some detail in Section 4.4.2 of Part 3 ;
- of the IPE submittal. For ease of reference, the relevant pages from the IPE submittal are provided as Attachment I at the end of the responses.
The model for failure of the RCP seals appropriate for Byron-Jackson pumps (such as those used as RCPs at Davis-Besse) is relatively simple compared to treatments for some other types of RCPs. It was assumed in the IPE that significant leakage through ;
the seals would result if the RCPs continued to operate for an extended period under ;
either of the following conditions:
. Loss of seal return (e.g., due to inadvertent closure of the seal return isolation valve), or
. Loss of cooling of the pump's thermal barrier by component cooling water ;
(CCW) and seal injection from the makeup system.
I In either case, failure to trip the RCPs in a timely fashion was assumed to lead to a leakage rate of approximately 50 gpm per pump (for a total of 200 gpm if all four pumps 1
l
l l
were affected simultaneously). The success criteria for a seal LOCA specified that i' leakage from two or more pumps (i.e.,100 gpm or more) would be required to constitute a small LOCA. This corresponds to an equivalent break flow area of about 0.002 ft2 , which is actually slightly below the lower bound for the definition of a small LOCA (0.003 ft2). It should be noted that the MAAP calculations performed to investigate core and containment response assumed a leakage rate equivalent to twice the value assumed in the success criteria for failure of the seals for all four pumps (i.e.,
400 gpm). This was done because initial calculations using 200 gpm indicated that the I core would remain covered beyond 24 hr. A higher flow rate was assumed in the calculations to force earlier uncovering to facilitate the calculations. Note that no credit was given for the restoration of makeup flow to the RCS beyond I hr from the inception of the seal LOCA, as was the case for all small LOCAs. Based on the timing for !
uncovering of the core as calculated using MAAP, this is a potentially significant source of conservatism in the analysis.
. The apparent discrepancy in the time available to take action following a loss of all seal 1 cooling results from consideration of two different time periods. It is assumed that there is a total of 10 minutes available for the operators to avoid a RCP seal LOCA by tripping the RCPs following loss of all seal cooling. The total of 25 minutes is the time from the loss of all CCW to when the pumps would need to be tripped to avoid serious seal degradation. The procedures call for the operators to trip the RCPs upon loss of CCW. The additional 15 minutes represents the minimum time for which the makeup pump providing seal injection would be expected to operate following loss of CCW cooling to the makeup pump. Thus, the initial cue to the operators of the need to trip the i RCPs would occur upon loss of CCW; 15 minutes later, the seal injection is assumed to ,
be lost, resulting in a total loss of seal cooling. The operators would have 10 more l minutes from that point in which to trip the RCPs. l l The current set of IPE models and results do not readily lend themselves for use in l obtaining the estimated effect on core-damage frequency (CDF) if it were assumed that i seal failure could occur even if the RCPs were tripped. Because there is considered to be adequate basis for the current set of modeling assumptions, it was judged that the effort to perfomi this assessment was not warranted.
The RCP manufacturer recommended that, upon loss of all seal cooling, the seal return t
line should be isolated. The instructions to accomplish this action were not included in Davis-Besse procedures at the time the IPE was performed. Based on the assessment of system engineers and operations personnel,it was concluded that failure to isolate seal return would have a negligible impact on the potential for seal failure following loss of seal cooling. Therefore, the failure of this action was not included in the model. The non-proceduralized action was not credited in the IPE because it was determined not to be a necessary action to preserve seal integrity.
. A review was made of industry operating experience to provide an estimate of the frequency of the small LOCA initiating event. Any events involving random seal failures corresponding to small LOCA leakage rates would have been incorporated based on this review. The potential for spontaneous seal failures that could affect the response to other initiating events was not considered in the IPE.
2
1 i
i
- 2. NUREG-1335 requests that support system failures be considered in the IPE. Loss of HVAC has been shown at some plants to be an important initiator Please discuss your
- investigation into the impact of loss of HVAC in rooms containing safety-related l
equipment; discuss rooms with pumps, rooms with electrical equipment, and the control l
- room. You should discuss the following
- the relevant systems in the areas considered; the basis for elimination, the description of the method of assessment, relevant 1 calculations and tests; credited operator actions, alarms; procedures; and staged j equipment.
l Also, please clarify the statement that HVAC is not needed in the high-voltage
- switchgear room following a plant trip. (It would seem that loads would be increased by a possible use of emergency equipment.) Please clarify the statement that loss of HVAC i in high and low voltage switchgear rooms is already considered in other initiators. (Loss ,
of HVAC for a certain time period may lead to irrecoverable loss of safety equipment. !
Therefore, no recovery credit may be possible.)
Response
At Davis-Besse, most HVAC systems for critical plant areas are not served by a single i general cooling system or chilled-water system that supplies many portions of the plant.
j Rather, most areas have their own local equipment to provide a suitable environment for associated equipment. )
Loss of HVAC as an initiator was specifically considered, as summarized in Part 3 Section 1.1.2. As noted in this material, while no separate transient initiators were !
defined for HVAC failures, failures of HVAC were modeled as contributing to initiating events for the component cooling water system and the service water system.
l Although HVAC failure was not included as a separate initiating event, HVAC was modeled as a necessary support system in all other areas unless there was a basis to
! conclude that it was not needed. Part 3 Section 2 provides an overview of system l l modeling, and includes specific discussions of system dependencies, including room l cooling. In addition, an overall system dependency matrix (Attachment 2), which also j j includes appropriate entries for room cooling, provides a quick reference to the l particular systems for which HVAC dependencies are applicable. For areas where
! HVAC was modeled, the actual room specific equipment configuration, including power i dependencies, was included in the syste m fault tree.
! An example of a plant area for which HVAC was not included as a dependency is the i
high voltage switchgear rooms. This is consistent with the plant design which does not provide any safety-related ventilation to these rooms. In addition, calculations exist which demonstrate that temperatures do not exceed limits for equipment in the rooms i
even with a loss of power to the HVAC system.
In other cases, although plant design did include a safety-related source of ventilation, best-estimate calculations were utilized to demonstrate that equipment in these areas would remain within operating limits even if HVAC was unavailable. An example of this
- is the auxiliary feedwater rooms, where calculations have been performed which show that room temperatmes remain within limits for equipment to satisfactorily perform its l
l 3
l l
function. This evaluation included the assessment that the room environment would also support operator actions to control AFW equipment locally, if necessary. [ Note: The statement " Room cooling is provided to ensure continued equipment operability" on j page 177 of Part 3 should not be interpreted as meaning that room cooling is required.
IPE Report Figure 2-22 and Table 2-2 are correct in omitting room cooling as a support system dependency.]
The statement "The effects of loss of both systems are also separately reflected by the initiating events for loss of a 4 kv ac bus and by the failures of the de buses" (Part 3, page 24) does not imply that a portion of other initiating events comes from a loss of HVAC to these buses. Rather, the intent is to emphasize that losses of these buses are already included separately as unique transient initiators. These separate initiators encompass the effects of a simultaneous loss of both normal and emergency HVAC for the buses.
- 3. The submittal states that no vulnerabilities exist since the CDF is low and many different failure modes contribute to each sequence. The most significant sequence, a transient with total loss of feedwater and failure of HPI, contributes about 55% to the CDF (or about 3.5E-5/yr). Please submit the breakdown of how the most important components contribute to individual important sequences and the total CDF (numerical values) to I substantiate claims of no vulnerability. If available, please rank different basic events according to importance.
4 Response As the question notes, the sequence involving a total loss of feedwater and failure of makeup /HPI cooling (i.e., functional sequence TBU) contributed about 55% to the total core-damage frequency. The transient initiating events contributing to the frequency of
- this sequence are listed in Table 1, ranked in decreasing order of Fussell-Vesely importance. Because the initiating events are, by definition, mutually exclusive, the importance measures also represent the fractional contribution of each initiator to the
! frequency of functional sequence TBU (e.g., approximately one-third of the frequency for functional sequence TBU results from core-damage sequences initiated by a loss of 1 offsite power). Although the loss of offsite power is the largest single contributor, none
- of the initiators is overwhelming; the top four events contribute about 83% of the TBU frequency.
Importance measures for the basic failures that contribute to the core-damage sequences !
for each of the top three initiating events in Table 1 are listed in the tables that follow. I Tables 2 and 3 summarize the Fussell Vesely importance and risk-achievement worth I values, respectively, for the loss of offsite power initiator (i.e., for sequence T3BU). l
, Tables 4 and 5 present the analogous values for the loss of main feedwater (sequence T 2BU), and Tables 6 and 7 provide the values for the reactor / turbine trip initiator (sequence TiBU). l These tables indicate that cenain failures are important contributors to the frequency of functional sequence TBU, and therefore to the overall core-damage frequency. Among these are events ZHAOSBIE and ZHAOSB2E, especially for sequences initiated by a 4
l loss of offsite power. These events represent the failure to control turbine-driven auxiliary feedwater under station blackout conditions. By inference, therefore, station blackout accidents are also important contributors to the frequency of functional sequence TBU. Among these and the other events listed in Tables 2 through 7, however, none stands out sufficiently or is a large enough contributor to overall core-damage frequency to be considered a vulnerability.
- 4. To clarify the initiating event analysis, please provide a discussion of your consideration of common cause losses of the ac and de buses. Failure of redundant emergency buses, although less frequent than failure of one bus, will have a much more significant impact I on safety systems.
Response
The potential for a plant trip resulting from common-cause losses of ac or de buses was considered on a limited basis. A review of past plant-specific and industry events did not i indicate that such an event had occurred previously. Moreover, no causal mechanism for '
such an event was identified. Therefore, no corresponding initiating events were included in the IPE.
1 5
4 O Table 1. Ranking of Initiating Events Contributing to Frequency of Functional Sequence TBU Fussell Vesely Event Name Event Definition Frequency Importance T3 Loss of offsite power 3.47E-02 3.34E-01 T2 Loss of main feedwater 1.72E+00 2.25E-01 T1 Reactor / turbine trip 6.04E+00 1.47E-01 T16 less of 4ky bus D1 8.63E-03 1.26E-01
'I7 Loss of power from bus YAU l.73E-01 5.44E-02 T8 Loss of power from bus YBU 1.73E-01 2.91E-02 T13I Loss of normally-operating CCW train 3.41E-01 1.60E-02 T17 Loss of de power from bus DIP 1.12E-02 1.48E-02 TIS Loss of 4kv bus Cl 8.63E-03 1.15E-02 T111 Loss of service water train 2 1.62E-01 1.10E-02 T18 Loss of de power from bus D2P 1.12E-02 8.02E-03 T101 Loss of service water train 1 1.63E-01 7.85E-03 T6 less of makeup to the RCS 5.80E-02 6.89E-03 T19 Loss ofinstrument air 1.13E-01 3.87E-03 T12 Totalloss of service water 6.34E 04 1.22E-03 T5 Steamline/feedwater line break 3.62E-03 1.01E-03 !
T9 loss of de power supply NNIX 1.75E-02 6.73E-04 T14 Totalloss of CCW 5.21E-04 6.17E-04 Kev to abbreviations in Tables 1 throuah 7 CCF-common-cause failure; CCW-component cooling wa.er; EDG--emergency diesel generator; HPI-high pressure injection; LVSG-low-voltage switchgear; MCC-motor control center; MDFP-motor-driven feed pump; RCS-reactor coolant system; SBODG-station blackout diesel generator, 1 SG-steam generator; SW-service water; TDAFW-turbine-driven auxiliary feedwater. I l
6 I
I Table 2. Ranking of Fussell-Vesely importance Measures for Basic Events in Cut Sets for )
Sequence T3BU (Locs of Offsite Power Initiating Event)
Fussell Vesely Event Name Event Definition Probability Importance ZilAOSB2E Operators fail to control TDAFW pump 1 2 locally 1.90E-01 4.29E-01 (station b!xkout)
ZilAOSBIE Operators fail to control TDAFW purnp 1-1 locally 1.90E-01 4.17E-01 (station blackout)
ZOIrr309R Failure to restore offsite power (case 9) 2.10E-02 3.88E-01 l
EDG00llF EDG l 1 fails to run 1.46E-01 3.58E-01 EDG0012F EDG l 2 fails to run 1.46E-01 3.26E-01 I l
ZOFT317R Failure to restore offsite power (case 17) 4.80E-02 2.65E-01 l
)
EDG0012A EDG l-2 fails to start 1.44E-02 1.36E-01 EDG0011 A EDG l-1 fails to start 1.44E-02 1.23E-01 l EMMLVSV2 Faults in low voltage switchgear room 428 ventilation 1.1IE-02 8.54E-02 ZOPT325R Failure to restore offsite power (case 25) 4.10E-02 6.74E-02 EMMLVSV1 Faults in low-voltage switchgear room 429 ventilation 1.47E-02 6.72E-02 WMM00016 Start faults in CCW train 2 6.96E-03 6.03E-02 EMMDGilD Ventilation damper faults for EDG l-1 7.55E-03 5.90E-02 ZOIYT302R Failure to restore offsite power (case 2) 2.30E-03 5.61E-02 EMMDG12D Ventilation damper faults for EDG l-2 7.55E-03 5.41E-02 EMBLVSR9 Low voltage switchgear room 429 ventilation in 5.55E-03 4.41 E-02 maintenance WMMCC001 CCF to start of CCW pumps 6.92E-N 4.38E-02 EMBEDG12 EDG l-2 in maintenance 5.0CE-03 4.33E-02 WMM00018 Faults in CCW supply to EDG l-2 5.09E-03 4.13E-02 EMBLVSR8 Low voltage switchgear room 428 ventilation in 5.55E-03 4.03E-02 maintenance WMM00017 Faults in CCW supply to EDG l-1 5.09E-03 3.87E-02 EMBEDGil EDG l-1 in maintenance 5.00E-03 3.82E-02 QMM0028A Start faults for TDAFW pump 1-1 2.36E-02 3.35E-02 ZliACN9E Operators fail to start SBODG and fail to control 5.90E-03 3.11E-02 TDAFW pump 7
Table 2. Ranking of Fussell-Vesely importance Measures for Basic Events in Cut Sets for Sequence TsBU (Loss of Offsite Power initiating Event)(continued)
Fussell Vesely l Event Narne Event Definition Probability Importance ZOl'T320R Failure to restore offsite power (case 20) 1.30E-02 2.69E-02 EDGOSBOA SBODG fails to start 1.44E-02 2.49E 02 ZOl'T316R Failure to restore offsite power (case 16) 1.20E-01 2.47E-02 ZOf'r333R CCF to run of both EDGs and the SBODG 3.80E-02 2.01E-02 EMMCC004 Failure to restore offsite power (case 33) 4.66E-04 2.01E-02 ZHAOVFIE Operators fail to control TDAFW flow (loss of power on 2.80E-02 1.% E-02 one division)
EMBEDGIV EDG l-1 ventilation in maintenance 2.32E-03 1.82E-02 ZOirr30lR Failure to restore offsite power (case 1) 4.50E-03 1.81E-02 EDGOSBOF SBODG fails to run after starting 3.88E-02 1.75E-02 ,
i ZOI'T305R Failure to restore offsite power (case 5) 2.40E-02 1.69E-02 WMM00015 CCW pump 1 1 fails to restart 6.96E-03 1.57E-02 l EMBEDG2V EDG l-2 ventilation in maintenance 2.32E 03 1.55E-02 ZHAMUHPE Operators fail to initiate makeup /HPl cooling 1.60E-02 1.49E-02 QTP0001F TDAFW pump l 1 fails to run after starting 3.00E-02 1.45E-02 QMBOMDFP Motor-driven feed pump in maintenance 8.90E-03 1.42E-02 QMMCC005 CCF of turbine-driven AFW pumps to start 1.19E-03 1.22E-02 l
! EMMCC023 CCF of LVSG ventilation fans to stan 1.94E-N 1.19E-02 i ZOfrr314R Failure to restore offsite power (case 14) 2.10E-02 1.18E-02 ZOPT307R Failure to restore offsite power (case 7) 4.80E-02 1.17E-02 ZOPT308R Failure to restore offsite power (case 8) 2.00E-02 1.16E-02 l
- WMM000N CCW pump l 3 fails due to spurious interlock 2.00E-03 1.08E-02 1
EMMSBODV SBODG room ventilation faults 7.44E-03 1.05E-02 i EMMSBOMV Ventilation faults for SBODG MCC BF81 7.38E-03 1.04E-02 i
l l
J 8
i
l 1
l 4
Table 3. Ranking of Risk-Achievement Worths for Basic Events in Cut Sets for Sequence TsBU (Loss oi Offsite Power Initiating Event) l Risk.
Achievement Event Name Event Definition Probability Worth EMMCC003 CCF to start of EDGs and SBODG 1.12E-05 2.%E+02 ,
WMMCC001 CCF to start of CCW pumps 6.92E-04 6.42E+01 EMMCC023 CCF of LVSG ventilation fans to start 1.94E-04 6.25E+01 1 ZHAC051E Operators fail to control TDAFW flow after loss of one 1.40E-04 6.0$E+01 !
train of de power, fail to start SBODG, and fail to open l makeup pump room door l
EMMCC0ll CCF to open of 4kv bus-tic breakers 9.36E-05 5.74E+01 ZHACO28E Operators fail to control TDAFW flow after loss of one 1.40E-04 5.65E+01 train of de power, fail to start SBODG, and fail to initiate makeup /HPI cooling EMMCC019 CCF of EDG ventilation fans to start 5.83E-05 5.55E+01 EMMCC002 CCF of EDGs 1 1 and 1-2 to start 3.46E-05 5.55E+01 1
EMMCC004 Failure to restore olTsite power (case 33) 4.66E-04 4.41E+01 I SMMCCMFA CCF of service water pump room ventilation fans to start 1.16E-04 3.31E+01 SAV2945K SW strainer air-operated valve SW2945 fails to remain 1.44E-41 2.83E+01 l open ZHAC003E Operators fail to control TDAFW flow after loss of dc 2.50E-Ot 2.78E+01 power and fail to open makeup pump room doors ZOPT302R Failure to restore offsite power (case 2) 2.30E-03 2.53E+01 WHACCW2L Operators fail to restore CCW train 2 after 2.60E-04 2.GtE+01 test / maintenance ZOFT309R Failure to restore offsite power (case 9) 2.10E-02 1.91E+01 ZHAC014E Operators fail to control TDAFW flow after loss of de 1.50E-05 1.85E+01 power, fail to start motor-driven feed pump, and fail to initiate makeup /HPI cooling ZHAC017E Operators fail to control TDAFW flow after loss of de 1.00E-05 1.85E+01 power, fail to start motor-driven feed pump, and fail open makeup pump room doors EMMCC001 CCF of EDGs 1-1 and 1-2 to run 6.45E-04 1.20E+01 QMMCC005 CCF of turbine-driven AFW pumps to start 1.19E-03 1.12E+01 ZHAC002E Operators fail to control TDAFW flow after loss of dc 5.00E-05 1.11E+01 power and fail to initiate makeup /HPI cooling l
l 9 i
. o Table 3. Ranking of Risk Achievement Worths for Basic Events in Cut Sets for Sequence TsBU (Loss of Offsite Power initiating Event)(continued)
Risk.
Achievement Event Name Event thfinition Probability Worth EDG0012A Emergency diesel generator 1-2 fuis to start 1.44E-02 1.03E+01 EMBEDG12 Emergency diesel generator 1-2 in maintenance 5.00E-03 9.61E+00 WMM00016 Start faults in CCW train 2 6.96E-03 9.60E+00 EDG00ll A Emergency diesel generator 1-1 fails to start 1.44E-02 9.39E+00 EMMCC020 CCF of EDG room ventilation fans to run 4.08E-05 9.29E+00 WMM00018 Faults in CCW supply to EDG l-2 5.09E-03 9.07E+00 EMBLVSR9 Low-voltage switchgear room 429 ventilation in 5.55E-03 8.89E+00 maintenance EMBEDGIV EDG l 1 ventilation in maintenance 2.32E-03 8.83E+00 EMMDG11D Ventilation damper faults for EDG l 1 7.55E-03 8.76E+00 EMMLVSV2 Faults in low-voltage switchgear room 428 ventilation 1.llE-02 8.61E+00 EMBEDGil Emergency diesel generator 1-1 in maintenance 5.00E-03 8.61E+00 WMM00017 Faults in CCW supply to EDG l 1 5.09E-03 8.55E+00 1
EC2Z141N 4kv feeder breaker AC110 fails to open 9.36E-N 8.32E+00 i EMBLVSR8 Low voltage switchgear room 428 ventilation in 5.55E-03 8.22E+00 maintenance EMMDG12D Ventilation damper faults for EDG l-2 7.55E-03 8.llE+00 l
EMM00YEl Fault on 120 vac MCC YEl 9.81E-05 7.82E+00 EMM00YF1 Fault on 120 vac MCC YEl 9.81E-05 7.82E+00 EMMCC013 CCF of EDG l-1 and SBODG to start 3.46E-05 7,82E+00 l
EMMCC014 CCF of EDG l 2 and SBODG to start 3.46E-05 7.82E+00 EMBEDG2V EDO l 2 ventilation in maintenance 2.32E-03 7.69E+00 SMM00007 Fault in SWECW heat exchanger 1 1 7.48E-N 7.48E+00 EIN0YVIF Inverter YVI fails to provide output 6.89E-04 7.48E+00 EC2Z000N 4ky feeder breaker AD110 fails to open 9.36E-N 7.36E+00 EIN0YV2F Inverter YV2 fails to provide output 6.89E-N 7.01E+00 10
Table 3. Ranking of Risk Achievement Worths for Basic Events in Cut Sets for Sequence T BU (Loss of Offsite Power Initiating Event)(continued)
Risk.
Achievement Event Name Event Definition Probability Worth i
WMM00004 CCW pump 1 3 fails due to spurious interlock 2.00E-03 6.39E+00 i
ZOl'T317R Failure to restore offsite power (case 17) 4.80E-02 6.25E+00 ZHACN9E Operators fail to start SBODG and fail to control 5.90E-03 6.24E+00 TDAFW pump WMM00002 Failure of CCW train 2 (pump 1-3) components 5.67E-N 5.88E+00 SMMCCMFF CCF of SW pump room ventilation fans to run 4.08E-05 5.88E+00 EMMLVSV1 Faults in low voltage switchgear room 429 ventilation 1.47E-02 5.51E+00 ZilAC046E Operatois fail to control TDAFW flow after loss of de 2.70E-04 5.32E+00 power and fail to start SBODG EMM000F1 Fault on 480v bus F1 1.82E-N 5.30E+00 ZOI'T301R Failure to restore offsite power (case 1) 4.50E-03 5.00E+00 i EC2C109C 4kv feeder breaker AC109 fails to close 9.36E-(4 4.58E+00 i
d WMM00001 Failure of CCW train 1 (pump 1 1) components 3.93E-N 4.49E+00 4
SMM00001 Failure of SW train 1 (pump 13) components 3.38E-N 4.49E+00 SMM00009 Failure of SW train 2 (pump 12) components 3.36E-N 4.49E+00 SPSZO31D SW pressure switch PSLl377A fails to operate 2.55E-04 4.49E+00 EMMCC017 CCF of EDG l-1 ventilation fans to start 1.94 E-N 4.49E+00 EMMCC021 CCF of EDG l-2 ventilation fans to start 1.94E-N 4.49E+00 EMM000El Fault on 480v bus El 1.82E-N 4.49E+00 ECIDINR Circuit interruptor D104 fails to remain closed 7.28E-05 4.49E+00 ECID2NR Circuit interruptor D204 fails to remain closed 7.28E-05 4.49E+00 WMM00027 Failure of CCW pump room ventilation train 1 (winter 1.50E-N 4.30E+00 conditions)
WMM00028 Failure of CCW pump room ventilation train 2 (winter 1.50E-N 4.30E+00 conditions) 11
Table 4. Ranking of Fussell-Vesely importance Measures for Basic Events in Cut Sets for Sequence TsBU (Loss of Main Feedwater initiating Event)
Fussell Vesely Event Name Event Definition Probability Importance ZilAC008E Operators fail to start MDFP and fail to initiate 1.20E-03 5.62E-01 makeup /IIPI cooling QMMCC005 CCF of TDAFW pumps to start 1.19E-03 3.85E-01 QMM0028A Start faults for TDAFW pump 1 1 2.36E-02 3.08E4)1 QMM0032A Start faults for TDAFW pump 1-2 2.36E-02 3.0lE-01 ZHAC08AE Operators fail to start MDFP and fail to initiate 2.70E-04 2.17E-01 makeup /IIPI cooling (delayed failure of TDAFW)
ZilAMUllPE Operators fail to initiate makeup /IIPI cooling 1.60E-02 1.68E-01 QTP000lF TDAFW pump 1-1 fails to run 3.00E-02 1.46E-01 QTP0002F TDAFW pump 1-2 fails to run 3.00E-02 1.26E-01 QMBOMDFP MDFP unavailable due to maintenance 8.90E-03 1.12E-01 QMBAFPII TDAFW train 1 in maintenance 8.01E-03 8.47E-02 QMBAFP12 TDAFW train 2 in maintenance 8.01E-03 7.98E-02 ,
1 QMPMDFPA MDFP fails to start 6.24E-03 6.46E-02 ZilAMUli2E Operators fail to initiate makeup /liPI cooling (delayed 1.80E-03 4.19E-02 failure of feedwater)
QMMCC009 CCF of TDAFW pumps to run 5.40E-04 3.58E-02 QMM00(X)8 Fault in steam supply from SG 2 to TDAFW pump 1-2 1.01E-02 3.17E-02 QilAMDFPL MDFP left unavailable following test or maintenance 2.00E-03 2.33E-02 QMM00011 Fault in supply line from MDFP to SG 2 4.87E-03 1.08E-02 i l
QMM00012 Fault in supply line from MDFP to SG 1 4.87E-03 1.05E-02 ELOOPRT Loss of offsite power following plant trip 7.29E-03 7.10E-03 QMM00056 Faults in valves AF3872 or AF75 4.87E-03 6.52E-03 QMM00036 Failure of TDAFW pump 1 1 turbine 4.82E-03 6.45E-03 QMM00044 Failure of TDAFW pump 1-2 turbine 4.82E-03 6.45E 93 QMM00013 Faults in valves AF3870 or AF72 4.87E-03 6.15E-03 i
12
Table 5. Ranking of Risk Achievement Worths for Basic Events in Cut Sets for Sequence T:BU (Loss of Main Feedwater Initiating Event)
Risk.
Achievement Event Name Event Definition Probability Worth ZilAC08AE Operators fail to start MDFP and fail to initiate 2.70E-04 8.02E+02 makeup /IIPI cooling (delayed failure of TDAFW)
Z11AC008E Operators fail to start MDFP and fail to initiate 1.20E-03 4.68E+02 l makeup /IIPI cooling QMMCC005 CCF of TDAFW pumps to start 1.19E-03 3.25E+02 ZilAC014E Operators fail to control TDAFW flow after loss of de 1.50E-05 3.04E+02 power, fail to start motor-driven feed pump, and fail to initiate makeup /11PI cooling QilA0012L Both TDAFW pump trains misaligned after test or 4.90E-06 2.%E+02 maintenance QMMCC009 CCF of TDAFW pumps to run 5.40E-N 6.72E+01 ZilAMUll2E Operators fail to initiate makeup /liPI cooling (delayed 1.80E-03 2.43E+01 failure of feedwater)
QMM0028A Start faults for TDAFW pump 1-1 2.36E-02 1.37E+01 QMM0032A Start faults for TDAFW pump 1-2 2.36E-02 1.35E+01 !
QMBOMDFP MDFP unavailable due to maintenance 8.90E -03 1.35E+01 QHAMDFPL MDFP left unavailable following test or maintenance 2.006-03 1.26E+01 QMBAFPII TDAFW train 1 in maintenance 8.01E-03 1.15E+01 ZHAMUllPE Operators fail to initiate makeup /IIPI coo!ing 1.60E-62 1.13E+01 QMPMDFPA MDFP fails to start 6.24E-03 1.13E+01 QMBAFP12 TDAFW train 2 in maintenance 8.01E 03 1.09E+01 EMMCCON Failure to restore offsite power (case 33) 4.66E-N 7.70E+00 QTP0001F TDAFW pump 1-1 fails to run 3.00E-02 5.73E+00 QTP0002F TDAFW pump 1-2 fails to run 3.00E-02 5.06E+00 EIN0YVIF Inverter YVi fails to provide output 6.89E-N 4.30E+00 EIN0YV2F Inverter YV2 fails to provide output 6.89E-N 4.30E+00 QMM00008 Fault in steam supply from SG 2 to TDAFW pump 1-2 1.01E-02 4.12E+00 ZilACO28E Operators fail to control TDAFW flow after loss of one 1.40E-04 3.26E+00 train of de power, fail to start SBODG, and fail to initiate makeup /flPI cooling 13 l
l Table 5. Ranking of Risk Achievement Worths for Basic Events in Cut Sets for Sequence T BU (Loss of Main Feedwaterinitiating Event)(continued) J Risk.
Achievement Event Name Event Definition Probability Worth ZHAC051E Operators fail to control TDAFW flow after loss of one 1.40E-04 3.26E+00 train of de power, fail to start SBODG, and fail to open makeup pump room door QMM00011 Fault in supply line from MDFP to SG 2 4.87E-03 3.21E+00 QMM00012 Fault in supply line from MDFP to SG 1 4.87E-03 3.14E+00 QHA000ll TDAFW pump train 1 misaligned after test or 1.10E-04 2.78E+00 maintenance QHA0002L TDAFW purnp train 2 misaligned after test or 1.10E-N 2.78E+00 maintenance QMPMDFPF MDFP fails to run 5.81E-N 2.39E+00 QMM00056 Faults in valves AF3872 or AF75 4.87E-03 2.33E+00 QMM00036 Failure of TDAFW pump 1 1 turbine 4.82E-03 2.33E+00 QMM00N4 Failure of TDAFW pump 1-2 turbine 4.82E-03 2.33E+00 QMM00013 Faults in valves AF3870 or AF72 4.87E-03 2.26E+00 l
I 1
14
i 1
Table 6. Ranking of Fussell Vesely importance Measures for Basic Events in Cut Sets for Sequence T BU (Reactor / Turbine Trip initiating Event) i Fussell Vesely Event Name Event Definition Probability Importance EMMCC006 CCF of batteries 1.37E-06 6.16E-01 ZHAOSBIE Operators fail to control turbine-driven AFW pump 1 1 1.90E-01 3.24E-01 locally (station blackout)
ZHAOSB2E Operators fail to control turbine-driven AFW pump 1.90E-01 3.24E-01 k)cally 1-2 (station blackout)
FMFWTRIP Main feedwater not available after plant trip 8.33E-02 3.(ME-01 QMMCC005 CCF of TDAFW pumps to start 1.19E-03 1.82E-01 ZHAC008E Operators fail to start MDFP and fail to initiate 1.20E-03 1.40E-01 makeup /HPI cooling ZHAMUHPE Operators fail to initiate makeup /HPl cooling 1.60E-02 1.11E-01 ZHAC08AE Operators fail to start MDTP and fail to initiate 2.70E-(M 6.17E-02 makeup /HPI cooling (delayed failure of TDAFW)
QTP0001F TDAFW pump 1-1 fails to run 3.00E-02 5.15E-02 ELOOPRT Loss of offsite power following plant trip 7.29E-03 5.14E-02 QTP0002F TDAFW pump 1-1 fails to run 3.00E-02 5.07E-02 l l
I QMM00011 Fault in supply line from MDFP to SG 2 4.87E-03 4.86E-02 QMM00012 Fault in supply line from MDFP to SG 2 4.87E-03 4.86E-02 QMBOMDFP MDFP fails to run 8.90E-03 4.56E-02 QMM0028A Start faults for TDAFW pump l 1 2.36E-02 3.96E-02 QMM0032A Start faults for TDAFW pump 12 2.36E-02 3.96E-02 QMPMDFPA MDFP fails to start 6.24E-03 2.56E-02 EDG00llF Emergency diesel generator 1-1 fails to run 1.46E-01 2.31E-02 !
EDG0012F Emergency diesel generator 1-2 fails to run 1.46E-01 2.21 E-02 FCONDTRP Condenser or condensate fails after plant trip 2.44E-02 2.20E-02 ZOPAT20R Failure to restore offsite power (case 20) 3.10E-03 1.85E-02 EMMCC0(M CCF of EDGs and SBODG to run 4.66E-04 1.68E-02 ZOPAT33R Failure to restore offsite power (case 33) 1.10E-02 1.68E-02 ZHAMUH2E Operators fail to initiate makeup /HPI cooling (delayed 1.80E-03 1.30E-02 failure of feedwater) 15
Table 7. Ranking of Risk Achievement Worths for Basic Events in Cut Sets for Sequence T BU (Reactor / Turbine Trip initiating Event) i Risk.
Achievement Event Name Event Definition Probability Worth EMMCC006 CCF of batteries 1.37E-06 1.91E+05 ZilAC014E Operators fail to control TDAFW flow after loss of de 1.50E-05 4.31E+02 power, fail to start motor-driven feed pump, and fail to initiate makeup /HPI cooling ZHAC08AE Operators fail to start MDFP and fail to initiate 2.70E-04 2.29E+02 makeup /HPI cooling (delayed failure of TDAFW)
QMMCC005 CCF of TDAFW pumps to start 1.19E-03 1.54E+02 ZHAC008E Operators fail to start MDFP and fail to initiate 1.20E-03 1.18E+02 makeup /HPI cooling ZilAC028E Operators fail to control TDAFW flow after loss of one 1.40E-N 4.38E+0!
train of de power, fail to start SBODG, and fail to initiate makeup /HPI cooling ZHAC051E Operators fail to control TDAFW flow after loss of one 1.40E-N 3.97E+01 train of de power, fail to start SBODG, and fail to open makeup pump room door EMMCCON CCF of EDGs and SBODG to run 4.66E-N 3.70E+01 EMM000El Fault on 480v bus El 1.82E-N 1.87E+01 EMM000F1 Fault on 480v bus Fl 1.82E-N 1.87E+01 QMM00011 Fault in supply line from MDFP to SG 2 4.87E-03 1.09E+01 QMM00012 Fault in supply line from MDFP to SG 1 4.87E-03 1.09E+01 ZilAMUH2E Operators fail to initiate makeup /IIPI cooling (delayed 1.80E-03 8.21E+00 4
failure of feedwater)
ELOOPRT Loss of offsite power following plant trip 7.29E-03 8.00E+00 ZHAMUHPE Operators fail to initiate makeup /HPI cooling 1.60E-02 7.85E+00 ZOPAT20R Failure to restore olisite power (case 20) 3.10E-03 6.94E+00 QMB0MDFP MDFP fails to run 8.90E-03 6.08E+00 QHAMDFPL MDFP misaligned after test or maintenance 2.00E-03 5.51 E+00 QMPMDFPA MDFP fails to start 6.24E-03 5.08E+00 FMFWTRIP Main feedwater not available after plant trip 8.33E-02 4.35E+00 ZOPAT13R Failure to restore offsite power (case 13) 2.80E-N 3.73E+00 4
16
t N
4
- Table 7. Ranking of Risk-Achievement Worths for Basic Events in Cut Sets for Sequence Ti BU (Reactor / Turbine Trip initlating Event)(continued)
Risk.
Achievement Event Name Event Definition Probability Worth QMMCC009 CCF of TDAFW pumps to run 5.40E-N 3.04E+00 QTP0001F TDAFW pump 1-1 fails to run 3.00E-02 2.66E+00 QTP0002F TDAFW pump 12 fails to run 3.00E-02 2.64E+00 QMM0028A Start faults for TDAFW pump 1 1 2.36E-02 2.ME+00 4
QMM0032A Start faults for TDAFW pump 1-2 2.36E-02 2.64E+00 ZOPAT33R Failure to restore offsite power (case 33) 1.10E-02 2.51E+00 ZilAOSBIE Operators fail to control turbine-driven AFW pump 1 1 1.90E-01 2.38E+00 locally (station blackout)
ZilAOSB2E Operators fail to control turbine-driven AFW pump 1.90E-01 2.38E+00 locally 1-2 (station blackout)
ZilACN9E Operators fail to start SBODG and fail to control a 5.90E-03 2.14E+00 TDAFW pump 17
l l
4
- 5. Please elaborate on why the main .feedwater (MFW) can be credited in the success criteria for a transient but not for a small LOCA. Are there procedums to shut off MFW after a small LOCA, and how is this modeled in the IPE7 What are the associated human error probabilities? On page 87 of the IPE submittal, Part 3, the statement is made that MFW flow is automatically throttled to match the decay heat level. Why can't the MFW i then be used in the same manner as the AFW in small LOCAs? l
- Response i
i it is likely that, under most circumstances, MFW would be available to provide decay
- heat removal following a small LOCA. Following a small LOCA, subcooling margin would be lost temporarily. When this occurs, the operators are instructed to trip the RCPs (to avoid the possibility that the collapsed liquid level would be below the top of 1 the active fuel if the pumps were lost later in the accident). With mduced inventory in I
the RCS and the loss of forced circulation brought about by the tripping of the RCPs, i i the steam generators would become de-coupled until high pressure makeup succeeded in restoring inventory. When this occurs, it is possible for the drop in steam production to cause the loss of the turbine-driven MFW pumps.
! When the RCPs are tripped, the auxiliary feedwater (AFW) system is automatically i initiated. For small LOCAs, AFW will be controlled to a high level given actuation of 1
the safety features RCS low pressure signal. The AFW system feeds the steam generators through a header that is separate from and higher than the point at which
- MFW is admitted. The combination of the AFW spray higher on the steam generator
! tubes, higher level-control setpoint, and the colder water (relative to MFW) creates an ;
- effectively higher thermal center in the steam generators that promotes natural l 4
circulation and, if needed, boiler-condenser cooling.
i Analysis is not available to demonstrate acceptably that the MFW system would be able 1 l to support core cooling in a boiler-condenser mode. Given this uncertainty, coupled with
' the substantial added complexity that would be required to model the conditions in i which MFW might be able to provide cooling, the decision was made to credit only
- AFW for providing decay heat removal via the steam generators following a small
- LOCA. This decision was further justified in light of the low frequency of small LOCA l initiators followed by failure of AFW and failure of makeup /HPI cooling, compared to
- transients with total loss of heat removal.
- 6. The submittal states that there were extensive modifications of the plant systems and I procedures as a result of the total-loss-of feedwater event of June 1985. The modification process lasted into the late 1980s. Please describe the modifications and the i process used to verify the "as built, as operated" plant has been modeled in the IPE.
Response
The modifications made in response to the event of June 9,1985 are thoroughly j documented in the NRC's Safety Evaluation Report relating to the restart of Davis-l 18 .
)
j .
4
- Besse following the event (NUREG-1177). The modifications were completed prior to
- the freeze date for the plant design analyzed in the IPE (November,1991).
Several steps were taken to ensure that the IPE models properly reflected the as-built, as-operated plant. Copies of controlled versions of documentation were relied upon for system configuration information. Draft versions of the system fault tree models were i
reviewed extensively by the system engineers responsible for tracking the status of the systems and by operations personnel most knowledgeable about the plant. A controlled
< copy of the emergency procedure was a key document used in support of the model i development and for the human reliability analysis. Walkdowns of plant systems were i also conducted both by the system analysts and on multiple occasions during the internal i flood analysis. While these walkdowns were not intended as a comprehensive check that
- documentation matched the as-built plant, they provided a further opponunity to j identify discrepancies. It was helpful that the Toledo Edison staff responsible for 1 performing the system analyses was located at the plant site, so that issues could be
, addressed immediately by discussions with appropriate plant staff or physical <
- inspections.
l
Response
The event tree for small LOCAs was omitted due to an oversight in the final assembly of the IPE report. The event tree is included as Attachment 3. The descriptive material provided in the IPE submittal is appropriate for the attached event tree.
l 8. There are a number of questions regarding the use of plant specific data in the submittal.
l a) The submittal does not give plant-specific failure data for the MFW pumps (which l are turbine-driven). Was plant-specific data used for these components? If not, i why not? Also, there is no common-cause data for the MFW pumps. Please
- summarize this data, including the plant-specific experience (if available) similar to that given in Table 3 3 for other components.
, b) The submittal indicates that plant-specific data was used for the motor-driven
- AFW (MAFW) pump but generic data was used for the turbine-driven AFW l (TAFW) pumps. Since (1) the MAFW pump was added after the 1985 outage, (2) j there are two TAFW pumps, and (3) experience indicates that the MAFW is 4
usually more reliable than the TAFW, one would assume that plant-specific data would be available for the TAFW pump for the post-1985 period used for the l
MAFW pump. Please verify that the plant-specific TAFW pump experience at Davis-Besse is not inconsistent with the generic data used in the submittal.
l c) There is no data on the fraction of time the PORV block valves are closed (other than a statement that they're normally open). Please submit this data.
, d) It is not clear from Section 3.1.1, how the Davis-Besse experience was used to anive at the plant specific initiating event frequency of loss-of-offsite-power i events. Please submit information on the number of events, the types of events, t
19 j
and the time period in question, and discuss how this data was used in conjunction with the generic data to arrive at the LOOP initiating event frequency.
Response
a) A detailed, component-level fault tree was not constructed for the MFW system.
Hence, plant-specific data were not collected for the MFW pumps or other components in the system. Instead, a simplified fault tree was assembled for the system. The simplified tree tracked dependencies (e.g., on electric power and instrument air), and included an event for unavailability of MFW flow to the steam generators following a plant trip. This overall system-level unavailability was calculated from plant-specific data, based on the fraction of plant trips-other than those caused by loss of MFW, which comprise a separate initiating event category-for which MFW was not available to provide decay heat removal (3 failures following 36 plant trips, for an unavailability of 0.083).
b) Although there is substantial experience with the turbine-driven AFW pumps at Davis-Besse, the pumps underwent critical modifications during and after the 18-month shutdown following the June 1985 event to address problems that had been experienced previously. Specifically, the controls for the pump turbines were modified to make the turbines operate at constant speed, with flow to the steam generators controlled by modulating control valves in the AFW lines. Previously, turbine speed had been modulated to control steam generator flow.
Very limited operating experience was available subsequent to the modifications at the time the IPE was completed, although the experience that was available did indicate that the modifications appeared to be successful in addressing the earlier problems. As a result, it was concluded that generic failum rates were more representative of the current pump configurations than was older plant-specific data. In fact, since the modifications were made to the pumps, there have been no failures to start or to run. This experience will be factored into any updates of the i
reliability data bases that are undertaken in support of revisions to the PRA.
1 i c) There is a single block valve on the pressurizer side of the PORV. Based on interviews with plant operators and a review of operating logs, it was estimated that the block valve was closed about 10% of the time. Therefore, the fault tree for unavailability of the PORV included the potential that the block valve would be closed initially, with an unavailability of 0.1.
d Both the generic and plant-specific operating experience for loss-of-offsite power events that would constitute initiators were broken down into three categories:
- plant-centered events, grid-centered events, and weather-related events. This breakdown was made to make appropriate use of the distributions for non-j recovery of power as a function of time. The generic frequency distributions for l
all three categories were updated with the plant-specific experience in each of the three cases. In all three, there were no losses of offsite power in 11 years of operation of Davis-'Besse. The data are as follows:
i
{
20
I 2
I Type of Generic Davis-Besse Updated Error Factor Event Experience Experience Mean i
Plant- 27 events 1191 unit yr 0 events 11 unit yr 1.97E-2/yr 3.12 centered Grid- 7 events 845 site-yr 0 events 11 site yr 4.81E 3/yr 11.4 centered Weather- 25 events 845 site-yr 0 events 11 site-yr 1.05E-2/yr 9.58 related Total 3.5E-2/yr 3.63 i In addition to the initiating event frequency, the generic and plant-specific experience bases were used to estimate the conditional probability of loss of offsite ,
power following a plant trip. The generic experience was assessed to be 7 events
- in 4,914 unit-trips. The plant specific experience was 1 event in 45 trips. The updated mean probability was calculated to be 7.3E-3 per demand.
- 9. Section 4.3 (DHR evaluation) does not give specifics and insights on vulnerabilities of DilR systems. NUREG-1335 requests a thorough evaluation of the DHR function. In addition, GL 88-20, Appendix 5, indicates that support systems are important to the .
DHR function and suggests that they be considered in the search for DHR related I vulnerabilities. Please discuss insights derived for DHR and its constituent systems, and
(' the contribution of DHR and its constituent systems (including feed and bleed) to core damage frequency and the relative impact of loss of support systems on the frontline systems that perform the DHR function.
Response
As Section 4.3 of Part 3 points out, the evaluation of the DHR function is integral to the analyses that comprise the IPE. The types of challenges that contribute to the core-damage frequency can be expressed in broad terms of safety functions as follows:
Failure to maintain decay heat removal 57 %
Loss of RCS inventory 42 %
Failure to control reactivity 0.27 %
Failure to control RCS pressure 0.25 %
- Thus, the failure of the DHR function accounts for somewhat over half the overall core-damage frequency. The functional sequences that involve failure of the DHR function are summarized in Table 8. As this table indicates, sequences involving transients followed by failure of all feedwater and failure of makeup /HPI cooling dominate the DHR-related core-damage frequency. The types of events that contribute to this sequence are outlined in the response to Question 3. They include a variety of faults 21 l 1
l
- 10. Please explain how the PORV block valves are modeled. Please address specifically feed and bleed operation as well as ATWS scenarios.
Resnonse As noted in the response to part (c) of question 8, the potential for failures of the PORV block valve to lead to unavailability of the PORV relief path was modeled explicitly.
Failure modes that were modeled included the possibility that the block valve had been intentionally closed prior to the plant trip and failure of the block valve to mmain open due to a mechanical or control fault. For cases in which the use of the PORV to support makeup /HPI (typically referred to at other plants as feed and bleed) operation was considered, the ability of the operators to open the block valve remotely if it was previously closed was evaluated. The action to open the block valve is an explicit part of the procedure for entering into makeup /HPI cooling. Failures that could prevent opening the block valve, including hardware faults of the valve and unavailability of motive power to the valve operator, were also explicitly modeled.
Table 8. Functional Sequences involving Core Damage Due to Loss of Decay Heat Removal Functional Fraction of DilR.Related Sequence Overall Sequence Sequence Definition Frequency CDF TBrUr Transient initiating event with total loss of feedwater and 3.5E-5 53 %
failure of makeupAIPI cooling TB i QUr Transient initiating event with total loss of feedwater, RCP 2.9E-6 4.4%
seal LOCA or stuck-open relief valve, and failure of makeup /HPI cooling TBrLXr Transient initiating event with extended loss of feedwater and 3.2E 7 0.49%
failure of high pressure recirculation RBuBa Steam generator tube rupture with extended total loss of 1.lE-7 0.16 %
feedwater RBuBaUn Steam generator tube rupture with total loss of feedwater and 4.2E 8 0.06 %
failure of makeup #iPI cooling FBrUr Internal flood with total loss of feedwater and failure of 3.9E-8 0.06 %
makeupSIPI cooling SBsUs Small LOCA initiating event with total loss of feedwater and 3.8E-8 0.06 %
failure of makeuphiPIcooling Total 3.8E-5 57 %
22
Response to Ouestion 10 (continued)
For cases in which the PORV is called upon for pressure relief in the very short term, such as following failure of the plant to trip, the same faults associated with the block valve were modeled. Operator action to open the block valve to make the PORV available was, however, not credited. Therefore, for a minimum of the 10% of the time the block valve was assumed to be initially closed, the PORV would be rendered unavailable for these types of challenges.
I 1. What is the freeze date for the plant model and the time period for collection of initiating event and failure / maintenance data? Section 3.1.3 states that the failure data for valves was collected in the period 1979-1985 for a previous PRA effort, and that maintenance and testing procedures have improved since that time. Since the incident in 1985, there have been extensive plant modifications. Have valve failure rates improved since that time? The data collection period for the other components is not discussed in the submittal. Please submit this information where available and discuss why the period indicated was chosen.
Response
The freeze date for the plant conGguration was June 30,1990 (i.e., all modifications made through the completion of the seventh refueling outage were incorporated into the IPE as appropriate).
Plant-specific data were collected during both the draft PRA effort that was completed in 1988 and the update effort that was reported in the IPE submittal. The initial data collection period was from July 1,1979 through June 9,1985.
During the update process, a decision was made that the most effective use of the limited available resources would be to collect additional data for only some components. These included major system pumps, circuit breakers, the emergency diesel generators, batteries, and other equipment. The period covered by this review was from the December 1986 restart after the outage that followed the June 9,1985 loss of feedwater event through June 1990. The original set of raw data for most types of valves was retained in the update, rather than expending signincant additional effort in collecting new data for them. The raw data reports for the failures collected for the draft PRA were reviewed again to ensure consistent treatment.
Qualitative reviews of plant experience since the June 9,1985 event (e.g., in support of site Maintenance Rule development efforts) and the overall substantial improvement in ,
plant performance would indicate that measures taken have had the effect of genemlly improved equipment reliability. A detailed, quantitative examination of the more recent operating experience is slated to be undenaken as part of a planned effon to update the IPE models and data for future applications. This update is expected to be initiated following completion of the Individual Plant Examination for External Events (IPEEE).
- 12. There seem to be some low common cause multipliers in Table 3-5, " Common Cause Data," for the diesel generators. Please explain how you derived the beta and gamma 23
factors for the failure to start and the failure to run. If plant specific common cause data on the diesel generators is available, please submit it. j
Response
The common-cause factors for the diesel generators were developed using the methods reported in NUREG/CR-4780 as applied to the data base provided in Electric Power l Research Institute (EPRI) Report TR 100382. This process entailed reviewing a set of operational events that had some element of common-cause potential from among a l larger data base of overall failure events involving diesel generators. The review is aimed at assessing the degree to which the events could be representative of common-cause failures for the equipment at the plant of interest. For the diesel generators, the results of the review were used to calculate the beta and gamma parameters for a three-component system, applying the multiple Greek letter (MGL) approach.
The experience summarized in TR-100382 consisted of seven events involving potential common-cause failures to run, and another seven involving failure to start. All 14 were non lethal failures. Following the method described in TR-100382, these events were reviewed for applicability to the configuration at Davis-Besse, and, where necessary, were mapped from the system sizes for the plants at which the events occurred to one comprised of three generators.
The assessment for Davis-Besse of the seven industry events involving common-cause failure to run is summarized in Table 9. Applying these results yielded a beta value of 0.021 and a gamma value of 0.57. These values are generally consistent with other treatments of common-cause failure to run for diesel generators and with the generic values estimated in TR-100382.
Similarly, Table 10 summarizes the impact assessment for Davis-Besse of the seven industry events that imply potential common-cause failures to start. The assessment yielded relatively small values for beta and gamma of 0.0056 and 0.1388, respectively.
These values were low because there were very few events that implied failures that could have affected all three diesel generators, and because the overall data base included 400 independent failures to start, effectively making the fraction of events that involved common-cause failure small.
To investigate the significance of this treatment, a sensitivity study was performed. His sensitivity study entailed making alternative assessments for four of the events that had occurred. For various reasons these events (denoted as 8,10,11, and 14 in TR-100382 and in Table 10) were assessed not to apply to the Davis-Besse configuration. Although the assessments of these events made for the IPE remains valid, the sensitivity study allows the impact of higher common-cause parameters to be investigated. Assuming that the original assessments for these events in TR-100382 applied directly to Davis-Besse (when mapped to a three generator system), the beta and gamma values would increase to 0.014 and 0.38, respectively. When these factors are incorporated into the quantification of the core-damage sequences, there is a negligible increase in the core-damage frequency (from 6.59E-5 to 6.61E-5). Thus, the results are not very sensitive to the choice of common-cause parameters for failure of the diesel generators to start.
24
l Table 9. Impact Assessment for Common-Cause Failure to Run for Diesel i I
Generators.
Impact Vectors !
Event Pop P. Pi P: P3 P. N/A Comment 1 4 0.0057 1 0 0 0 -
Original assessment 3 0.25 0.75 0 0 0 -
Mapping down to 3 DGs i 2 8 0 0.93 0.07 0 0 - Original assessment 8 0 0.8 0.2 0 0 -
Adjusted to account for increased chance that 2nd DG was affected 1 3 0.2 0.7 0.1 0 0 -
Mapping down to 3 DGs 3 3 0 1.97 0.017 0 0 - Original assessment; used directly for D-B 4 3 0 0 0 1 0 - Original assessment 3 0 0 0 0 0 1 Not applicable since DGs not paralleled at D-B
, 5 2 0 0.010 0.070 0 0 -
Original assessment 3 0 0.005 0.040 0.035 0 -
Mapping up to 3 DGs a
6 3 0 0 0.9 0.1 0 -
Original assessment; used directly for D-B 7 2 0 0 1 0 0 -
Original assessment 3 0 0 0.1 0.9 0 -
Mapping up to 3 DGs 4
N 25
1
, . +
l 1
, Table 10. Impact Assessment for Common-Cause Failure to Start for Diesel )
Generators.
' l Impact Vectors j L
Event Pop P. P P2 P3 P4 N/A Comment 8 5 0 0 1 0 0 - Original assessment j 3 0 0 0 0 0 1 Not applicable due to l post-maintenance )
i testing for D-B DGs 1 9 3 0 0 0.89 0.11 0 - Original assessment; used directly for D-B 10 2 0 1 0 0 0 - Original assessment ;
I 3 0 0 0 0 0 1 Not applicable; 24-hr day tanks for EDGs at D-B 11 2 0 0 1 0 0 - Original assessment 3 0 0 0 0 0 1 Not applicable; trip is bypassed for emergency start signal at D-B j 12 3 0 0.983 0 0.017 0 -
Original assessment; used directly for D B
]
13 4 0 0 0.9 0.1 0 -
Original assessment 3 0 0.45 0.525 0.025 0 -
Mapping down to 3 DGs
- 14 3 0 1 0 0 0 -
Original assessment 3 0 0 0 0 0 1 Not applicable; control 4
switch features not present for D-B DGs i
> 13. Davis-Besse uses a steel containment vessel and a reinforced concrete shield building, l both of which are supported on a concrete foundation. The minimum basemat thickness is specified in Table 1-6 ofIPE submittal Part 4 as 5.7 ft. This seems to be the thickness between the bottom of the normal containment sump and the base of the containment shield building. The thickness between the bottom of the sump and the containment steel shell appears to be significantly smaller. Please provide this thickness. Please explain how this (apparently) rather thin concrete layer was treated in your evaluation of the I 4 probability of basemat melt-through. Presumably, once the steel shell is penetrated, I some release will occur even if the shield building foundation has not been completely
- penetrated. The discussion should address the possibility that a large coherent mass
)
released from the RPV may stay in a clump, spread slowly, and produce a large amount of localized core concrete interaction (CCI). Please also describe how your evaluation of I 26 1
1
- - - - . . ~ - _ . _ _ . _ _ _ _ _ _ _ _ _ _ . _ _ _ _ _ _ _ _ _ . _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ . _ _ . _ . _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
l 1
, 1 l the probability of a coolable debds forming in the reactor cavity took this kind of scenario into consideration. Figures 1-12 and 1-14 show other locations where the
! distance from the cavity floor to the steel shell appears to be small, e.g., at the first bend of the incore instrumentation tunnel. How were these other areas considered in your
]
evaluation of basemat melt-through? If they were not considered, please justify their ll omission.
i Response As noted in Table 1-6 of Part 4 of the IPE submittal for Davis Besse, the minimum depth of concrete between the bottom of the normal sump and the base of the shield
. building foundation is approximately 5.7 feet. As shown in Part 4 Figure 1-14, approximately 4.5 feet of this total is the shield building foundation below the embedded i
bottom hemisphere of the containment building. As such, there is approximately 1.2 feet of concrete between the bottom of the nomial sump and the embedded containment
{ vessel. [lt should also be noted that the bottom of the shield building foundation is about 55 feet below grade]. The incore tunnel area close to the reactor cavity region l
also has a minimum total concrete depth which is similar, but has a slightly greater depth j given that the shield building foundation does not follow a true hemispherical shape,
! having a greater depth at distances away from the center of containment. While the j geometries of these locations are similar, the normal sump location was specifically referenced because it represents the lowest elevation in containment and the reactor i cavity floor area is sloped toward this location.
- The depth at which the steel containment structure is located within the basemat was not considered critical to the characterization of fission product releases from containment.
- For the relatively short-term fission product release times under consideration for the IPE, the presence of the embedded steel would provide minimal added containment as 4
compared with concrete alone. The shield building foundation is solid concrete, with specific provisions taken during construction (i.e., during the concrete fill process) to l ensure no voids existed at the interface between the steel containment and the shield
! building foundation. While in the long term it is possible that some gases may migrate through the concrete that would otherwise have been contained by a steel barrier, this l level of detail was considered beyond that necessary for characterizing the release categories for the IPE. Therefore, utilizing the entire shield building foundation was considered appropriate for characterizing postulated fission product releases.
l The precise location of a potential melt-through of the containment basemat was not j critical to evaluating the possibility for this occurrence in the containment event tree. As i discussed in Part 4 Section 5.2.6 and associated Figure 5-9 (see Attachment 4), core debris in the cavity region is assumed to result in basemat failure if a coolable debris bed
- is not formed. The different weighting factors for the associated logic are primarily dependent on the degree of cavity flooding. While the potential depth of the corium was l a factor taken into consideration when assigning the respective weighting factors, the exact location was not considered to be a primary consideration (i.e., if the debris is not
] coolable, whatever depth of concrete is present will eventually be penetrated by j ablation).
1 27 I
l
I
- l. .
- 14. Another mode of containment failure for a steel containment is containment shell melt-through. A side wall failure mode is evaluated in the Davis-Besse IPE. The submittal states that "the lower elevation of containment which would receive much of the !
dispersed debris (via the incore instrument tunnel) is near the wall of the containment vessel." Since the steel containment vessel is protected by a concrete curb, which is 1.5 ft thick and 2.5 ft high, the submittal assumes that the containment shell will fail only after this concrete curb is penetrated by ablation. Failure of the shell by direct contact of i debris is dismissed in the submittal with the statement (page 167) that "for a substantial j amount of debris to come into contact with the steel vessel directly, it would have to be 4
blown preferentially against the wall and remain there. Given the velocity and viscosity i
of the debris and entrained water as it is postulated to leave the instrument tunnel, this is l judged to have a negligible probability." Since the curb is only 2.5 ft high, direct contact
- of core debris by either debris impingement or uneven distribution of the debris near the wall may well be possible, especially since the submittal states elsewhere (page 141) that "The incore instrument tunnel at Davis-Besse provides a possible pathway for the transport of significant amounts of core debris up to the basement level..." Please elaborate on your evaluation of the possibility of direct contact of the containment shell i by debris dispersed via high pressure melt ejection (HPME), and the impact on l
' containment failure probability if this failure mode is possible.
Response
j in the occurrence of a postulated high pressure melt ejection (HPME) event, the material transported from the reactor cavity to the lower elevation of containment would be a mixture of corium and water. For the transport process to occur, corium deposited j initially in the reactor cavity must be entrained by a high velocity gas flow passing i through the cavity region. The elevation between the bottom of the incore tunnel and the
, lower elevation of containment is large enough (~ 28 feet) to preclude the possibility for the corium to hydraulically " jump" this distance. In addition, the combination of j directional changes coupled with the gas flow velocities in the cavity region during this i time period also preclude any reasonable possibility for the coriurn to flow as a coherent j " stream" up to the lower elevation of containment.
- it should also be noted that the access area to the incore tunnel from containment is a relatively small area with essentially one major flow path to the containment at-large. As such, during the time period when reactor cavity gas flow rates would b
- sufficient to entrain corium, there would also be a corresponding substantial gas flow rate in the incore tunnel access area in the direction of the rest of containment (i.e., not preferentially directed toward the containment vessel wall).
- if the corium were to remain liquid during the transport from the cavity region, it would i have a viscosity similar to that of water. Given this low viscosity, it would be difficult to i sustain sufficient shear forces in the corium to enable a buildup of the depth necessary to
- overcome the curb (2.5 ft. high by 1.5 ft. wide) and directly impact the containment i- wall.
If the corium were to be quenched by any water being transported along with the corium from the cavity region, the cooled solid material would then be distributed in the lower 28
- -- , - _ - - - .- y- - , . _ _ . , ,
elevation of containment along with the water. As before, no mechanism could be )
identified for which the corium would preferentially be distributed against the protective curb and containment wall. After this time, if the debris bed was not able to be cooled, <
eventual ablation of the concrete would occur, leading to the potential failure of the )
containment wall. This possibility was modeled for the containment event tree as shown l in Attachment 5.
Given the dynamic nature of a postulated high pressure core melt (HPME) event, the !
above discussion does not dismiss the possibility that minor amounts of corium could make contact with the containment wall. Such an occurrence, however, would not lead to any significant degradation of the containment boundary due to the relatively massive heat sink represented by the nominally 1.5 inch thick steel containment vessel. Whatever small amount of corium would be in contact with the steel wall would be completely cooled in a very short time. [ Note: Based on the response to question 22, the predicted frequency for an IIPME is lower than previously estimated).
- 15. The evaluation of containment failure characterization in Section 4 of Part 4 of the IPE submittal discusses the importance of containment temperature on containment strength.
According to the submittal, the distribution used for containment failure pressure takes into account elevated temperature conditions which could arise during prolonged accident conditions and which lower the yield strength of the metal wall. The temperature used in the IPE is 2M F. Since other sections of the submittal (e.g.,
" Temperature Effects" on page 115 of Part 4) imply that significantly higher temperatures can be reached on the containment boundary, please describe how the 264 F temperature was chosen, and why a higher temperature was not more appropriate. Please discuss any calculations used to arrive at the 264 F value.
Response
i The utilization of the 264 F value as the elevated temperature for use in the containment j failure characterization was derived from design-basis containment response analyses.
For Davis-Besse, this value represents an upper bound of the peak containment l
temperature following the limiting hot leg break. Rather than utilizing a set of multiple containment ultimate strength calculations, the 264 F value was chosen as a
! representative value for elevated temperature transients. As summarized in Part 4 Section 4.1.1, "Because the change in strength is small over relatively small temperature
- differences, it was also judged that this single curve could be applied for all cases involving extended heatup of the containment atmosphere." This simplified approach is supported by the Part 4 Section 4.3 range of values in the mean failure pressures of 95.3 psig at 70 F and 85.2 psig at 264 F.
i Ultimately, the impact of the estimated ultimate pressure capacity calculation is reflected in the containment event tree (CET). For potential early containment failures (i.e.,
during the period from the start of core degradation to shortly after reactor vessel j failure), the containment shell would not be at very high temperatures, given the
- containment atmosphere bulk temperatures during this period coupled with the substantial thermallag involved.
i I 29 i
l
- For potential late containment failures, a specific characteristic containment pressure was not utilized for each plant damage state to estimate a failure probability. Rather, the j following was done (reference Part 4, section 5.2.8)
- 1. For sequences with no containment heat removal, it was assumed the containment
, would eventually be overpressurized and fail. Therefore, the failure probability
! was taken to be the probability of non-mcovery of heat removal capability. For this, a probability of 0.1 was assigned.
) 2. For sequences where containment was predicted to be inert at the time of reactor
! vessel breach but for which containment heat mmoval was available late, a j bounding probability of failure was estimated. The associated calculations took 2 into account that for higher containment pressures, the atmosphere is generally steam-inerted. As such, the region of concern is when the containment atmosphere would be at an increased base pressure and temperature, but not inert due to steam (i.e, this would provide the highest " spike"in pressure from a burn). These bum calculations were combined with the elevated temperature containment failure probability distribution function (pdf) to anive at an overall probability of 0.002.
This value was used to bound all of the applicable cases.
- 3. For sequences where significant core-concrete interactions were postulated and containment heat removal was available, a bounding probability of 0.001 was utilized for all applicable cases. This took into account the elevated temperature i containment failure pdf along with likely base pressures which might be present.
4 Therefore, considering the bounding manner in which the estimated containment mean j failure pressures were utilized, use of the 264 F containment failure pdf was acceptable.
l 16. Section 3 of Part 4 of the IPE submittal discusses the definition of the plant damage
! states (PDSs) and Section 7 gives PDS frequencies. However, the submittal does not l describe the distribution of the front-end sequences among the PDSs. Please discuss this j quantitative infom1ation, i.e., describe the fractional allocation of each front-end
- sequence to the relevant PDSs.
Response
l The correspondence between functional core-damage sequences and core-damage bins and the breakdown of the bins into plant-damage states are summarized in Table 11.
i 30 t
1 l
. . l Table 11. Fractional Contributions of Core Damage Bins to Plant Damage States Core. Fraction of Damage Sequence Core. Core Damage Plant Damage Core Damage Sequence Frequency Damage Bin Bia Frequency State Bin AU4 2.1E 7 AIXYFYYX 67 %
TK iBPn 1.7E-7 => AIX 4.0E-7 => AIXYFINX 7.6%
TK iBL 2.4E-8 AIXYNINX 26 %
MIXYFYCX 31 %
MUu 4.6E 7 =o MIX 4.6E 7 =o MIXYFYYX 50 %
MIXYFINX 19 %
MRXYFYYX 4.7%
MXu 1.6E4 =o MRX 1.6E-6 => MRXYFRYX 95 %
MRXYFIYX 0.17 %
MRXYNYYX 0.08 %
SRYYFYCD 19 %
SRYYFYYD 23 %
TQXr 4.3E-6 SRYYFYYN 11 %
SX 1.5E-6 => SRY 5.9E-6 => SRYYFRCD 0.81% !
R/SRY* 1. lE-7 SRYYFRYD 20%
FQX 1.2E-8 SRYYFRYN 11 % 1 SRYYFlYD 15 %
SRYYNRYN 0.32%
SIYYFYCD 5.2%
SlYYFYYD 42%
S!YYFYYN 4.0%
SlYYFIND 4.2%
TQUr 1.4 E-5 S!YYFINN 0.65 %
SU 5.9E-7 => sly 1.6E-5 => SIYYNYYN 0.04 %
FQU 1.9E-6 SIYYNINN 42%
SIYININN 0.26 %
S!YlFYYD 0.02 %
SlYYFICD 0.05 % j SlYYFRYN 0.03
)
TK iBK2 1.6E-7 => TIY 1.6E 7 => TlYYFYYN 100 %
Vnin 6.4 E-8 Volt 1.7E-7 => V 8.8E-7 => V 100 %
Vals 5.6E-7 Volo 9.1E-8 SINYFYCD 28 %
TB QUr i 2.8E-6 => SIN 2.8E-6 =o SINYFYYD 0.97 %
SBU 3.8E-8 SINYFYYN 70% i SINYLYYN 1.7% !
- R/SRY refers to group of sequences initiated by a steam generator tube rupture (event R) that were assigned to core-damage bin SRY. Because of the large number of sequences from the event tree for tube ruptures, they were solved in groups according to their respective core-damage bins. Separate frequencies for each individual sequence were not generated.
31
Table 11. Fractional Contributions of Core-Damage Bins to Plant Damage States (continued)
Core. Fraction of Damage Sequence Core. Core Damage Plant Damage Core Damage Sequence Frequency Damage Bin Bin Frequency State bin SRNYFYCD 14 %
SRNYFYYD 0.84 %
TBi QXr 2.9E 7 => SRN 2.9E 7 =o SRNYFYYN 4.8%
SRNYFRYD 2.5%
SRNYFRYN 77 %
SRNYNIYN 0.82 %
TINYFYCD 36 %
TINYFYYD 0.79 %
TINYFYYN 7.4%
TBtUr 3.5E-5 =o TIN 3.5E-5 -o
- TINYFRYN 0.18 %
FBrUr 3.9E 8 TINYFIYN 0.27 %
TINYLYYN 0.87 TINYNINN 0.51%
TINININN 2.6%%
TRNYFYCD 3.3%
TRNYFYYD 4.4%
TBi LXr 3.2E-7 =o TRN 3.2E-7 => TRNYFYYN 54 %
TRNYFRYD 29 %
SRNYFRYN 9.4%
RIY* 9.4 E-9 =o RIY =o RIYVFYCD 12 %
RlYVNINN 88 %
RIN* 4.2E-8 =o RIN 4.2E-8 => RINVFYCD 88 %
RINVNINN 12 %
RRY* 1.9E-7 => RRY 1.9E-7 =o RRYVXIND 88 %
RRYVXINN 12 %
1 RRN* 1. l E-7 => RRN 1. lE-7 => RRNVXIND 96 %
RRNVXINN 4.5%
- As indicated in the note on the previous page, because of the large number of sequences from the event tree for steam generator tube ruptures, they were solved in groups according to their respective core-damage bins. Separate frequencies for each individual sequence were not generated.
I 1
l 4
32
)
i i 17. In order to limit the number of release categories, the results of MAAP mns for different !
sequences with relatively similar core damage progression and containment systems ;
i availability were combined in the submittal. Details of the grouping process are not j given. The final grouping seems to combine sequences with quite different release mechanisms.
i For example, RC-2, which is characterized by releases due to a containment isolation failure or an early containment failure, is also considered in the IPE submittal as 4 applicable to sequences involving late containment failures and revaporization of iodine j from the RCS surfaces. RC-3, which is characterized as a bypass failure, isolation failure, or an early containment failure, is also considered applicable to sequences
- involving late containment failure.
I Another example is the release category for basemat melt through. The event tree )
, analysis in the submittal assumes that if ex-vessel cooling of core debris failed and the l containment is not failed by any other mechanism, the outcome corresponds to basemat melt through (see page 126, Event L). According to the CET (Figure 5-2), End States l
! 29 and 30 satisfy these criteria and should, therefore, be assigned to basemat melt-through. However, in the CET these two end states are assigned to Release Categories 9
- and 8, respectively. These release categories are characterized in the submittal as
- corresponding to no containment failure.
Please explain the logic used to group release categories, and justify the grouping used
! in the above examples.
i
- Response 1
1 As stated in Part 4 Section 7.1 of the IPE submittal, the release categories were based
! on the magnitude of total fission products released, irrespective of their relative timing for applicable sequences. This was considered appropriate since a full Level 3 study was j not performed for the Davis-Besse IPE.
i The release categories were based on the results of MAAP analysis. Approximately 45 ,
l MAAP runs involving a spectrum of LOCAs and transients were reviewed to select a i j representative release for each sequence in a panicular release category. A majority of 3
the MAAP analyses indicated that the containment would not fail. Additional sensitivity runs, however, were performed to determine the impact of failure of containment to isolate on the magnitude of the release. The release fractions from these runs were
. compared with the release fractions for sequences where the containment failure occurred late (i.e., greater than 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />). In general, for the sequences with late containment failures, the calculated release fractions for iodines and paniculates are lower, due to the fact that the passive removal mechanisms such as plateout and .
dcyosition are effective. Therefore, for releases which have the same magnitude of I n: leases, the application of early containment failure release fractions for late containment failures is conservative.
As also stated in Section 7.1, for sequences that did not result in a containment failure, the releases were based on a nominal 48 hour5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> release duration. The fission product i 33
l o
l release categories that were grouped for the IPE were based on potential airborne fission products available for transport to the environment, thereby producing offsite :
doses to the public. The bottom of the shield building foundation is ~ 55 feet below !
I grade. Although the containment basemat melt-through can be considen:d as a containment failure, a large airborne release within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> due to this event is not considered credible. While some gases would likely migrate to the surface, the 1
- magnitude of such a release was judged to be most like that of containment leakage, as ;
opposed to a containment bypass or failure. Since a Level 3 analysis was not being j performed, the use of categories 8 and 9 for these CET endstates was judged to be adequate.
- 18. In the CET shown in Figure 5-2, containment bypass is not considered if there is an in-vessel recovery. However, other containment failure modes (e.g., isolation failure, early failure) are addressed in the CET for the in-vessel recovery case. According to the IPE submittal, no branch psint is indicated for the bypass evem because a temperature-induced bypass will not occur if there is an in-vessel recovery. Since the bypass top event included ISLOCA and SGTR-initiated sequences, in addition to temperature-induced SGTR, the omission of this branch point for all bypass sequences may not be !
appropriate, unless an additional relationship is assumed to exist between in-vessel recovery and containment bypass (e.g., in-vessel recovery is not considered possible for bypass sequences). Please discuss why all bypass events are considered irrelevant if in-vessel recovery is successful.
Response
In vessel recovery was assumed to be precluded for containment bypass sequences. It was assumed in all cases that the inventory of the BWST was either not available for injection or was lost through the break outside containment, and there was therefore no means to restore cooling after RCS pressure had been lowered. For these scenarios, the flag "PDS indicates LPI is not available"(event AAPDSil) was set to "true", satisfying both sides of the top AND gate in Figure 5-3.
- 19. According to the IPE submittal, containment isolation failure is dominated by the failure to isolate either of two types of lines: the line from the normal containment sump, which is normally open and is isolated by two motor-operated valves, and the eight lines containing the vacuum breakers (with normally open MOVs). The probability for isolation failure is not quantified in the submittal, except for the statement that " isolation failures were assessed to contribute a negligible amount to the potential for release from containment for all PDSs: (page 233).
Since some of the dominant sequences involve SBO (e.g., TINYNINN with a CDF of 1.8E-5), the power for the MOVs (actuated to close on an EFAS level 2 signal) may not be available. Please address how the containment isolation failure probability is estimated. The discussion should consider signals and operator actions related to containment isolation for various accident sequences.
l 34 l
Response
The probability of failure for containment isolation was quantified by developing fault trees for each of the pathways that could present a potential release path, including the two noted in the question. Support-system dependencies, including actuation signals and power supplies, were explicitly modeled. The cut sets for the failum states were linked to the core-damage cut sets in the process of quantifying the fmquencies of the plant-damage states. In this manner, the dependencies between the core-damage cut sets and the containment system failures were tracked. Based on this linking, the com-damage cut sets in which all ac power was lost were identified to result in a failure of containment isolation because the loss of power would also cause the motor-operated isolation valves in the drain line for the normal containment sump to remain open.
During the quantification of the containment event tree, this flow path was investigated further. It was determined that the effective flow area through this path was very small, and that the entry to this flow path would always be flooded by water. In addition, the path would terminate in a tank that would remain filled wi'h water. Furthermore, procedures would call for the operators to isolate this line manually, as part of the process of verifying that proper actuation of the engineered safety features had taken place. Because of the very small potential for this line to serve as an actual release path for radionuclides, it was concluded that this line could be neglected.
The potential paths via the vacuum breakers (which are essentially check valves) were retained as potentially large isolation failures. Because the vacuum breakers themselves are not dependent on ac power, however, the conditional probabilities of failure of these lines were small, even for cases in which no ac power was available to close the motor- l operated isolation valve. l
- 20. The discussion presented in the IPE submittal regarding the effects of harsh environmental conditions on the CACs is more qualitative than quantitative. The environmental qualification conditions and the anticipated-severe accident containment l l conditions (e.g., temperature, pressum, and radiation conditicas) are not stated. The i effects of harsh environmental conditions on containment sprays and the DHR system j are not addressed at all. Please discuss environmental effects on the containment sprays and the DHR system, and give more detail about these effects on the CACs. Please q address the survivability of these systems under severe-accident conditions; do not neglect the potential effect of the dispersing debris and debris in the sump.
Response
The ECCS systems in containment are fully environmentally qualified (EQ) for design-
)'
basis post-accident conditions. While these conditions do not always bound severe accident conditions, the qualification process does serve to demonstrate the ruggedness of the various components. For example, the only active components associated with the containment air coolers (CACs) after the safety features are actuated are the air-side fans and electric motors. Examination of the EQ documentation for the fan motors j indicates that the qualification test conditions reached temperatures as high as 350 F and pmssures as high as 92 psia, and were conducted over a four day period. While there is 4
l 35
- - - - _ - - - =. --- -.- - - . . - - - - . - - . -- - . _
l J
j not a direct correlation between the test conditions and postulated severe accident l j conditions, the fact that these components are rugged and can withstand operating
- environments beyond EQ conditions is shown.
i As summarized in Section 5.2.8 of Part 4, the CACs have substantial heat transfer
) margin to accommodate significant fouling and/or the presence non-condensable gases. j
! For example, after about 6.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> post-trip, nominal CAC capacity is sufficient to ,
l I remove all of reactor decay heat.
- In the containment spray (CS) and decay heat removal (DHR) systems, the only l l components required to change position are various check valves in the systems which l l are not directly susceptible to the potentially severe environmental conditions. All other
~
components required to mitigate initiating events in these systems are piping and valves
, which remain in their actuated position. The only exception to this is the normal DHR
" drop line" valves DH11 and DH12 which are opened at low RCS pressures to enable i the shutdown cooling mode of operation. These valves were credited in the IPE as one j success option for decay heat removal during a small break LOCA (reference Part 3 l Section 1.2.1). In these sequences, however, the success is to achieve DHR operation j
)
, plior to BWST depletion. It is therefore unlikely that containment environmental j conditions would be substantially in excess of the EQ qualification conditions for these i valves in this limited time frame. l a
As shown in Part 4 Figure 1-14, the inlet to the containment emergency sump is located
)'
at the 565' elevation, approximately 30 feet above the normal sump (which is at the l
- lowest point in the containment interior). Only for postulated high pressure melt ejection i scenarios would core material be deposited in the vicinity of the emergency sump.
i [ Note: Based on the response to question 22, the predicted frequency for this event is
! lower than previously estimated].
! In the design of the sump, there is an intake screen designed with 1/4 inch openings l which is provided to prevent large particles from getting into the recirculation lines.
l Adequate free flow area is provided in the screen so that there is negligible flow l resistance even if 50% of the screen is clogged with debris. In addition, the steel frame j supporting the intake screen assures that large debris which may be postulated to be i
carried in the water will not readily damage the screen. The location of the emergency l sump also makes it virtually impossible for potential missiles to penetrate into this area.
! 21. The IPE submittal states that ex-vessel steam explosion is considered as one of the
! potential early containment failure modes (page 141). Figure 5-6 (page 6 of 9) shows
- the probability of this containment failure mode to be 0.1% if the cavity is deeply l flooded before vessel breach. However, this failure mode is not discussed in the submittal. Please discuss how the loading conditions generated by an ex-vessel steam
! explosion may cause containment failure for Davis-Besse. Please address deeply flooded
! as well as moderately flooded scenarios. Please discuss impulse loading, pressure rise, and the possibility of missile generation resulting from the steam explosion.
l 36
., . - - , ,. -- - ~.
.~ _ _ __ _ __ __. _
l Resnonse The potential for containment failure as a consequence of a steam explosion following vessel breach was considered in three elements of the logic presented in Figure 5 6:
direct failure of containment due to the impulse loading produced by the steam explosion (event CEEEVSEF); failure due to the contribution to the peak pressure at the time of vessel breach (developed under gate CEE311); and failun: due to missiles generated by pressure generated in the reactor cavity (event CECTMISL).
The first of these possibilities represents the potential that a steam explosion following vessel breach could result in a structural failure of containment. This was considered to be a possibility only if the reactor cavity were deeply flooded, providing a medium for transmit'.ing the impulse loading to the containment structures. Cases in which the cavity was not deeply flooded were judged not to be able to cause transmission of the loading to the structures.
The total pressure loading at vessel breach included the pressure due to the blowdown from the reactor vessel, the interaction of the core debris with water in the reactor cavity, and the potential for direct containment heating. This treatment is discussed in some detail on pp. 158-161 of Part 4 of the submittal, which is provided as Attachment 6.
The potential for generation of missiles due to the rapid pressure rise in the reactor cavity following vessel breach was also considered, as discussed on p.157 of Part 4. It was concluded that there were no candidate missiles that could be generated as a result of this pressurization. In this respect, the Davis-Besse cavity differs from some others, such as those that have reactor shield plugs.
- 22. On the third page of Figure 5-14, an AND gate is used for CEPRL22 (" Creep Rupture Causes Failure of Hot Leg"). According to the logic, CEPRL22 is true if both CEPRL23 (" Creep Rupture Due to Exposure at Moderately High Pressure") and CEPRL24 (" Creep Rupture Due to Exposure at Very High Pressure") are true. This seems in error. Since CEPRL22 occurs if either CEPRL23 or CEPRL24 occurs, an OR gate should be used for CEPRL22. Please clarify this apparent discrepancy. If this is indeed a logic error, what impact does the error have on the analysis?
Response
The comment is correct; gate CEPRL22 should be an OR gate. The direct impact of the error on the quantification is that gate CEPRL22 would never be satisfied, since gates CEPRL23 and CEPRL24 are mutually exclusive due to the respective plant-damage states relevant to each.
The correction of this error has both positive and negative impacts on the probabilities for the potential outcomes of the containment. event tree. The error prevented depressurization for many of the core damage scenarios that proceeded at high pressure, such that the potential for high pressure melt ejection was overstated. On the other hand, the failure of the reactor coolant system (RCS) hot legs prior to vessel breach 37
p would increase the number of scenarios in which there could be early, large releases of hydrogen from the RCS.
De containment event tree was requantified to take into account the corrected logic.
De overall fractions for the general categories of containment failure are summarized below.
Original Fraction Containment Failure Mode (from Figure 6-21) Revised Fraction No failure 84 % 88 %
Late failure 3.4% 4.0%
Basemat meltthrough 4.1% 5.1%
Bypass 2.6% 2.6%
Side-wall failure 5.9% 0.32 %
Early failure 0.40 % 0.28 %
Because of the resulting reduction in the conditional probability of a high-pressum melt ejection for all small LOCAs and transients in which feedwater was unavailable, the exposure to the potential for a sidewall failum of containment was significantly mduced.
De reduction in the fraction of sequences with vessel failure at high pressure also somewhat reduced the chance for an early failure of containment. The mductions in the fractions for these outcomes were distributed among the late failum categories and the no-failure category.
- 23. Early containment failure as a result of hydrogen burn is evaluated using the logic trees in Figure 5-6. According to Figure 5-6, the probability of containment failum before vessel breach, given hyd.rogen burn, is 1.10E-2 for high base pressure and low hydrogen production (event CEELHHBF, page 2 of 9), and 4.lE-3 for high base pressure with high hydrogen production (event CEEHHHBF). Please explain why the failure probability for high hydrogen production is less than that for low hydrogen production.
If this is a quantification error, what impact does the error have on the analysis?
Response
The values for the referenced two events represent the conditional probabilities that the containment fails due to a hydrogen burn given that a burn occurs in the first place. His is shown in Figure 5-6 by AND gates CEE124 and CEE135, respectively. As such, to get the total probability of containment failure, the referenced events must be multiplied by the probabilities of a burn occurring: The probability of a burn occurring for the low hydrogen production case (denoted by event CEELOHHB) was calculated to be 2.8E-2; the probability of a burn occuring for the high hydrogen production case (event CEEHIHHB) was calculated to be 2.2E-1. Thus, the total probabilities am as follows:
P(low H2, high base pressure) = (1.1E-2)(2.8E-2) = 3.1E-4 38
~
P(high H2, high base pressure) = (4.1E-3)(2.2E-1) = 9.0E-4 4
- . In actuality, the total probabilities were calculated by integrating the products of the
- various distributions for amount of hydrogen produced (implying a total distribution of containment pressure that is the sum of the base pressure and the burn p essure corresponding to the amount of hydrogen available for burning) and the conditional 2
probability of containment failure as a function of internal pressure. This was done for a va-iety of plant-damage states corresponding to high and low containment base pressure and hydrogen production levels, and the highest total probabilities of containment failure calculated for these various cases were selected to represent the four sets of conditions ofinterest.
4 The breakdown of events as shown in Figure 5-6 was selected earlier in the project, before the specific approach to calculating the probabilities was defined. Rather than revise the fault-tree structure to present a single event for each of the four conditions of interest, the structure was retained. The values shown in the figure were therefore back-calculated by first identifying in each case the point on the probability distribution for hydrogen production at which the corresponding concentration in containment would be
- flammable. The total probability of containment failure due to a hydrogen burn was then 4
divided by this value to obtain the conditional probability of failure given that a bum occurred.
Thus, although the value for the conditional probability of containment failure given that a burn occurred for the low hydrogen production case was more than a factor of two higher than the equivalent probability for the high production case, the likelihood of having a burn at all for the low production case was nearly a factor of 10 lower than for i the high production case. The difference in the conditional probabilities of failure results from the relative weights for the portion of the combined distributions above the point at which a flammable mixture would occur (i.e., above 4% hydrogen concentration in containment). Because the values were also calculated for different plant damage states,
- there were also small differences in base pressure and steam concentration in i
containment which affected the conditional probabilities, i
i 24. In the table on page 192, CEHLCRMF is described as " creep rupture of RCS hot leg given very high pressure" and CEHLCRHF is described as " creep rupture of RCS hot
! leg given moderately high pressure." According to the probability values assigned to i
these two events,it seems that the former should be for moderately high pressure, and the latter for very high pressure. Please clarify. If this is an error, what impact does the error have on the analysis?
Response
The headings in the table on p.192 were inadvertently reversed. The higher probability should apply to the case of very high pressure, rather than moderately high pressure.
, The values actually used in the analysis and indicated in Figure 5-14 (pp.184 and 185) were correct.
39
l.
i j 25. PDS RIYVXINN was selected as the representative accident sequence for bypass sequences (page 220). However, RIYVXINN is not one of the possible PDSs shown in Figure 3-7. Since all containment cooling is assumed to be lost in the selected sequence, !
the PDS selected may be RIYVNINN, not RIYVXINN. Please clarify, i
ReSDonSe ;
l Section 6.1.5 page 220 should have referred to the scenario as RIYVNINN to be l consistent with the bridge tree and the definition of the plant-damage states (Part 4, i sections 3.3.2 and 3.4, respectively). It should be noted that operation of the CACs turned out to be essentially irrelevant for the plant-damage states associated with bin
! RIY.
- 26. In Section 3.4, the values of " Availability of BWST injection to reactor vessel or
- l. containment" include C, Y, and N. However, in Table 3-2, Y1 and Y2, in addition to Y, are used to describe the availability of BWST injection to the reactor vessel or l containment. Please define Y, Yl, and Y2.
i
Response
- Event Y is included in the bridge event trees for core-damage bins in which core cooling fails in the injection phase, but injection of the BWST contents might be available l
j without providing core cooling. For example, in the case of a small LOCA, RCS
- pressure might be reduced sufficiently to permit low pressure injection after significant core damage had taken place. Outcome Y refers to cases in which injection of the
. BWST contents does take place, but cooling of the water in the containment is not ;
3 available via low pressure recirculation (that would be outcome C). Outcome N implies l that the BWST contents are rever injected into containment, i For the case of medium LOCAs, further discrimination of outcome Y was required. This ,
stemmed from the success criteria for the injection phase for the medium LOCA, which !
! required both high pressure and low pressure injection. Thus, it was possible to have l injection to the reactor vessel by one or the other of these systems, but still not have j sufficient core cooling. Since the success of one of these systems but not both was not
] distinguished in the definition of the core-damage bins (and hence in the structure of the ;
j core-damage event tree), it was necessary to process the cut sets further in the bridge l
- event tree to separate them into the appropriate damage states. In the case of medium
- LOCAs, Y1 referred to injection of the BWST contents by low pressure injection, and
- Y2 was used for injection by the high pressure injection system.
j 27. The submittal is not clear about how the different sequence-specific dependencies were 3 addressed and treated in the post-initiator HRA quantification. The performance of the
- operator is both dependent on the accident under progression and on past performance
]
of operators during the accident of concern. Improper treatment of these dependencies
- could lead to the elimination of potentially dominant accident sequences and the l consequent identification of significant interactions. Table 3-11 (" Summary of Type CP i Human Interactions") (on page 272) lists a total of 12 post-initiator dependent j combinations (which does not include the Figure 3-3 example-dependent combination i 1
4 40 i
I i .
1 4
j ZHAC008E). Please discuss this concisely and give examples illustrating how sequence-i specific dependencies were addressed and appropriately quantified in the post-initiator l HRA so that important accident sequences were not eliminated. Please address how the points listed below were taken into consideration in your analysis:
i (a) In the fault trees, human initiators [ interactions] (HIs) are modeled as basic events I such as failure to manually actuate. The probability of the operator to perform this
- function is dependent on the accident progression-what symptoms are occurring,
- what other activities are being performed (successfully and unsuccessfully), etc.
j When the sequences are quantified, this basic event can appear, not only in different sequences, but in different combinations with different systems failums. In j addition, when the sequences are quantified, the basic event can potentially be
! multiplied by other human events which should be evaluated for dependent effects.
(b) In the event trees, HIs are modeled as top events. The probability of the operator l
- to perform these functions is still dependent on the accident progression. The quantification of the His should consider the different sequences and the other HIs.
]
! Response f
In quantifying the frequency of each of the core-damage sequences, a master fault tree q that integrated the event-tree logic that defines the sequence, the supporting fault tree logic that further defines the top events that make up the sequence, and the system-level
- fault trees that provide the details of the system failures was formed. Each of these
! master fault trees was solved to obtain minimal cut sets corresponding to the respective
! sequence. In so doing, the distinction between human interactions (HIs) as described in
! items (a) and (b) above (i.e., in the system fault trees and in the event trees) becomes l irrelevant.
- During this solution process, each of the post-initiator HIs was assigned a failure
- probability of 1.0. Therefore, there was no danger that a combination of inter-dependent
! His would cause cut sets to be unjustifiably truncated because the probabilities of the interactions were multiplied together as though they were independent events.
Instead, each of the cut sets was examined by an analyst or group of analysts. When a
! cut set was encountered that included at least one HI (which was the case for virtually every cut set), the probability of each HI was first evaluated individually based on what was generally assumed to be the most limiting set of conditions. For each subsequent cut
- set in which this event arose, a review was made with respect to whether the contest of
! the cut set might present a more severe challenge to the operators than was assurred in the nominal assessment for the Hl. If this proved to be the case, a new assessment was i made based on the more restrictive context. If the assessment was found to be l appropriate for the context presented by the sequence cut set, the nominal probability
- was applied. If the context of the later cut set appeared to make the HI more mliable
{ (e.g., clearer cues or more time available for action), a new assessment was made only if l the cut set would otherwise be among the dominant contributors for the sequence; if the
! use of the probability for the more restrictive nominal case would cause the cut-set frequency to be a relatively small contributor, the nominal probability was used. This 41 i
- .-. - -- - -- - - - _ _ = . - . - - - _ _ - _ -
l i
i
! permitted the available analytical resources to be applied for the most important cases.
The probability for the HI was accounted for in the cut set by adding a new event (typically, the same event name with the firu letter replaced by the letter "Z"). Thus, the cut set would retain the original event representing the HI, with a probability of 1.0, r.nd a new event with the intended probability would be added.
For example, the probability that the operators might fail to initiate flow from the motor-l
) driven feed pump (designated in the logic as event BHAMDFPE) was assessed for the l case in which main feedwater and both turbine-driven auxiliary feedwater (AFW) pumps l were lost at the start of the transient. At this point, the decay heat load would be largest, and the time available to establish flow from the motor-driven feed pump would be
! shortest. An event designated ZHAMDFPE was added to cut sets in which there were 4
no other His and all feedwater was lost at the time of the reactor trip. The only case i found to be more restrictive thar. this was that of certain sequences involving failure of the reactor to trip; in these cases, the probability of failure to start the motor-driven feed j pump in time to prevent core damage was assessed to be 1.0 (i.e., no credit).
I On the other hand, there were several types of cut sets that represented cases in which feedwater would be expected to operate for an extended period before failing. In these
]
{
cases, the conditions might be similar to those considered in the nominal case, but the i time available for action might be longer by a sufficient margin to be important to the assessment. Therefore, a new assessment was made for this case, and for relevant cut i sets this probability was incorporated by adding basic event ZHAMDF2E (essentially, case 2 of event BHAMDFPE).
i
- Many cut sets included more than one human interaction. In these cases, the individual His were evaluated first. A new evaluation was made for the combination of HIs, with a new timeline drawn to indicate their temporal relationship. In this case, the basic
{
3 probability started with the probability of the first HI in sequence. The cenditional
! probability of the second event in sequence was then assessed, based on the context of
) the scenario and the perceived level of dependence (using the guidelines outlined on p.
268 of Part 3 of the IPE submittal). Each subsequent event was likewise evaluated,
~
! conditional on the cut-set context and the human interactions preceding it. When a j composite probability for the combination of human interactions was obtained, a new event was defined, and this event was added to the relevant cut sets. Once again, the l
i original human interactions in the cut set were left in place, each with a probability of i
1.0. A single new combination event was added to reflect the composite probability of the inter-dependent HIs.
- This treatment is reflected by the combination ZHAC008E discussed in the example in
) Figure 3-3 (page 270) of the IPE submittal. In this example, the combination drew upon i independent assessments of the failure to start the motor-driven feed pump (event BHAMDFPE) and failure to establish makeup /HPI cooling (event UHAMUHPE) for
- the limiting case of loss of all feedwater at the start of the transient. The probability corresponding to this calculation was assessed to be the probability for the first event multiplied by a conditional probability of failure of about 0.5 for the second event, based on an assessment of high dependence between the two events. A separate combination (designated event ZHAC08AE) was evaluated for the less restrictive case in which i
i 42
-. .- --- __ --. - - . - - - ~
l 1
feedwater would fail after functioning properly for some time, although in that case the assessment of high dependence (and corresponding conditional failure probability of 0.5) was retained.
The comment refers to 12 event combinations listed in Table 3-11, and notes that combination event ZHAC008E from the example was not included. It is not clear which events were assumed by the reviewers to be combination events; all of the events in Table 3-11 are independent event assessments. There were approximately 120 combination events defined to account for cut sets containing multiple human interactions (including ZHAC008E and ZHAC08AE). There are well documented in the project files, but were not tabulated in the IPE.
- 28. The submittal does not clearly describe which of the 14 post-initiator Type CR (knowledge-based recovery rather than procedure-based or rule-based response) HIs shown in Table 3-12 have available to the plant staff some level of procedural guidance in the form of an ;dready established plant procedure. According to Appendix 4 of the IPE Generic Letter 88-20, there should be an established plant procedure "for any 4
actions taken by the operators for which credit is allowed in the IPE" to assure that during a severe accident the operators "can and will take the required actions." Please identify all those post-initiator, Type CR (knowledge-based recovery) His which do nat have an established plant procedure associated with them. Please discuss in detail the effect on CDF if all these non-proceduralized, recovery HIs were nat taken credit for in the IPE (as per the generic letter).
Response
All but one of the actions identified in Table 3-12 have some level of procedural guidance. The alternate procedure used for these type CR events was selected for a variety of reasons, but generally because the actions were assessed to be different from I the bulk of the post-initiator His evaluated as type CP events in terms of the need for i further integration of plant conditions to arrive at a proper understanding regarding the s event, a less direct progression through the post-trip procedures than was generally the case, or conditions in which the decision process regarding operator actions was almost certain to entail input from the Technical Support Center, supplementing the guidance in the procedures. Most of the actions involve relatively long times after the plant trip ,
(although the time available for action is in some cases relatively short, which for the type CR assessment is taken to be on the order of an hour).
For example, event ZHA1395R refers to failure to isolate service water flow to non-essential loads when the isolation valve for one train failed to close automatically. There is no explicit procedure that calls for checking motor-operated valve SW1395 or that specifies actions to take in the event the valve does not close. There is, however, a specific step that calls for verifying that all safety features actuations have been accomplished. A panel of status lights will provide a clear means to identify actuations that did not take place, and a further tabulation of the proper equipment response is provided in the emergency procedure (DB-OP-02000). When the term " verify" is used in this context, plant operators are instructed to take actions to ensure equipment is in 1
43
-. - ._ = ._-- . - .-- - - . - .- .. __ _ .- -
E i
! the specified position, or take an equivalent action. This was confirmed via interviews 1
of operators, who did not hesitate to state that the proper response would be to close
! the manual block valve in line with valve SW1395 if SW1395 could not be closed from the control room.
i
- Another example is the addition of inventory to the borated water storage tank (BWST) in the event of a steam generator tube rupture (SGTR) whose leakage could not be completely isolated. Although there was no explicit procedural guidance to govern the i decision to initiate this makeup, the time available for action is very long, and there would be substantial technical support available to augment the procedures. Once the
- decision was made to initiate makeup, there was an existing procedure that would be
- used to accomplish it. [It should also be noted that, since the IPE was completed, the l emergency procedure has been changed to call for this action as part of the response to a 4
SGTR].
The only action for which there is no procedural guidance is the establishment of alternate cooling for the service water pump room (event ZHASWVTR) prior to event initiation. This action was credited for cases in which one train of cooling for the service water pump room was lost when the outside temperature was mild, and a slow heatup )'
would commence with only one train continuing to operate (no credit was given to the recovery action if the ambient temperature was above 86 F or if there was no cooling in the room). This action reflected the fact that there is a walkaround that includes the pump room twice per shift (i.e., every 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />), and that the status of ventilation and e
conditions in the room are among the items that are inspected during the walkaround.
l Once again, the operators interviewed readily suggested the opening of pump room ,
doors and, if needed, use of a portable fan to provide alternate cooling. Because of the l
!' long time scale of the heatup and the nature of the walkaround, it was considered to be reasonable to credit this recovery action, and unrealistic not to do so. Without credit for j
' event ZHASWVTR, the core-damage frequency would increase from approximately ;
6.6E 5 to 6.8E-5 per year.
- 29. It is not always clear from the IPE submittal whether the plant improvements described 4 are being proposed for further consideration or were actually implemented. Please j provide the following:
1 (a) The specific improvements that have been implemented, are being planned, or are ;
under evaluation.
(b) The status of each improvement, i.e., whether the improvement has actually been
! implemented already, is planned (with scheduled implementation date), or is under evaluation. j i
(c) The improvements that were credited (if any) in the reported CDF.
i (d) If available, the reduction to the CDF or the conditional containment failure probability that would be realized from each plant improvement if the improvement I 4
was to be credited in the reported CDF (or conditional containment failure
- probability), or the increase in the CDF (or conditional containment failure 44
i
. pmbability) if the credited improvement was to be removed from the reported CDF (or conditional containment failure pmbability).
(e) The basis for each improvement, i.e., whether it addressed a vulnerability, was otherwise identified from the IPE review, was developed as part of other NRC i
rulemaking, such as the Station Blackout Rule, etc.
Rumme b (a) (b) The potential plant improvements outlined in Section 3 of Part 6 were identified j in the performance of the IPE and at the time of the submittal had not been evaluated in detail. 'Ihe present status of these items is as follows:
Front-End Analysisitems:
- 1. Common power supplies for feedwater and makeup /IIPI cooling: technical evaluation complete. A more detailed examination was performed which looked at loss of feedwater transient minimum equipment " mission time" l requirements compared with the timing / effects of de system failures. Based i- on this review, it was concluded that enhancements to MDFP & MU/HPI power supplies are not necessary.
- 2. Shedding of de loads: enhancements have been completed to emergency operating procedums' which direct plant operators to shed specific i
appropriate loads upon a loss of any major ac source to a battery charger.
This guidance includes a loss of either ac power division, or to a complete loss of ac power. !
- 3. BWST refill options
- technical evaluation is complete and procedural changes in plant emergency operating procedures for steam generator tube j rupture events nave been accomplished.
l l 4. Sump recirculation using the makeup system: initial research/ evaluation has been completed. Final evaluation / resolution remains to be completed (estimate overall task is ~ 75% complete). This is scheduled to be completed
- prior to the next update of the site PRA, following completion of the IPEEE j portion of Generic Letter 88-20.
- 5. Isolation of RCP seal return following loss of seal cooling: detailed l evaluation has not been completed. Based on discussions with systems engineering personnel, a broader experience base of operations with the 4
Byrondackson N-9000 reactor coolant pump seals through a greater variety of plant transients is now available. As such, a comprehensive review of the i degree of conservatism currently existing in the IPE RCP seal LOCA models will be accomplished during the next update of the PRA, following completion of the IPEEE portion of Generic Letter 88-20.
L 45
- 6. Service water room ventilation: research indicates that the assumptions utilized in the service water model regarding ventilation are overly conservative. For the service water pumps to remain functional, calculations indicate that fewer fans need to be operating to maintain the environment within acceptable limits. This includes operation during both summer weather conditions and cooler times of the year. These changes will be included during the next update of the PRA, following completion of the IPEEE portion of Generic Letter 88-20.
- 7. Fuel oil for the station blackout diesel generator: operational procedums for the the station blackout diesel generator have been mvised to include
- direction for monitoring the level and consumption rate of fuel oil during
- emergency operations. Specific direction is provided to initiate refill efforts for the supply tank upon level reaching a pre-determined value.
j Back-End Analysis items:
, 1. BWST level at switchover to sump recimulation: initial research/ evaluation i has been completed. Final evaluation / resolution remains to be completed (estimate overall task is ~ 75% complete). This is scheduled to be completed j prior to the next update of the site PRA, following completion of the IPEEE l portion of Generic Letter 88-20.
- 2. Operator actions for inadequate core cooling: this task has been divided into
- two areas -
1 a) RCP restart criteria during potential inadequate core cooling conditions:
technical evaluation is complete and procedural changes in plant emergency operating procedures have been accomplished.
l b) Overall ICC operator actions: a proposed change to the B&W Owners Group Technical Basis Document (TBD) for the site emergency ,
operating procedure has been submitted. Further evaluation and i i implementation will be conducted via the Owners Group TBD change
- process.
- 3. Emergency plan evaluation criteria: this task has been subsumed into the site 3
severe accident management guidelines development effort.
- 4. Monitoring of carbon monoxide levels in containment: this task has been subsumed into the site severe accident management guidelines development effort.
, (c) None of the potential plant improvements summarized in Section 3 of Part 6 of the IPE submittal was credited in assessing the core-damage frequency or conditional probability of containment failure.
l l
46
l (d) The effects of the above changes to the overall plant core damage frequency has l not been estimated. Implemented changes will be incorporated into the next update
- of the site PRA.
l (e) There were no plant vulnerabilities identified by the IPE process. The changes j outlined above were identified as potential improvements by the personnel doing the work during the performance of tasks associated with the PRA analyses for the IPE report. None of these changes are the result of any other formal program, in-i house or NRC.
4 30. It is not clear in the submittal how plant changes due to the station blackout rule were credited in the analysis. Please submit the following:
- (a) Report whether plant changes (e.g., procedures for load shedding, ac power) made in response to the station blackout rule were credited in the IPE and which specific
- plant changes were credited.
(b) If available, give the total impact of these plant changes to the total plant CDF and to the station blackout CDF (i.e., reduction in total plant CDF and station blackout CDF).
- (c) If available, give the impact of each individual plant change to the total plant CDF j and to the station blackout CDF (i.e., reduction in total plant CDF and station blackout CDF).
i (d) Report any other changes to the plant that are separate from those strictly in response to the station blackout rule, that nonetheless may reduce the station
- blackout CDF. In addition:
Report whether these changes are implemented or planned.
i
- Report whether credit was taken for these changes in the IPE.
- If available, discuss the impact of these changes to the station blackout CDP.
Resnonse f
l (a) Plant changes made in response to the station blackout rule were credited in the
- IPE. By far the most important of these changes was the installation of a separate diesel generator, referred to as the station blackout diesel generator (SBODG).
(b) The overall core-damage frequency without credit for the SBODG was estimated 4
to be 7.9 x 10 per year. Thus, with all other factors held constant, the installation i of the SBODG reduced the core-damage frequency by about 20%. The impact on i
the frequency of core-damage involving station blackout could not readily be
- calculated.
(c) The only significant modification was the addition of the SBODG; its impact is
- summarized in part (b) above.
(d) One change that could impact the frequency of core damage due to station blac.kout was to incorporate into the abnormal procedure for loss of each major ac 47 i
j_
i s
power bus a step calling for the shedding of appropriate de loads (refer- to Question 29 part b). This would extend the battery life for the affected train, and allow more time for recovery before additional failures resulted. Previous to this change, the procedural guidance called for shedding de loads only in the event of loss of both major ac power buses (e.g., for an actual station blackout).
This change came about after the IPE was completed, and therefore was not credited in the study. The primary impact would be to reduce the frequency of sequences in which the loss of one train of ac power led to the closing of the PORV relatively early when the battery supplying the corresponding de train was j depleted. With the PORV available for an extended time, the success criteria for makeup /HPI cooling would be less restrictive by the time the PORV was lost, and some important sequence cut sets would be reduced in frequency.
- 31. Concerning the IPE treatment of flooding, no mention is given as to how the water spray effects from the fire suppression system might adversely affect equipment perfomiance (as it did recently for one plant which experienced an inadvertent spray actuation). Please discuss how these effects were tmated in the IPE.
Response l During plant walkdowns for the flooding analysis, potentially significant sources of '
spray that could affect important safety equipment were reviewed. This included consideration of sprinkler systems, eye wash stations, etc. It was noted that equipment such as electrical panels and motor control centers are protected against spray effects.
No vulnerable equipment was identified. A detailed investigation of spray effects was, however, judged to be beyond the scope of the IPE.
The issue of the potential effects of inadvertent actuation of fire suppression systems is ,
being considered more extensively in the context of the IPEEE. l i
1 48
i Attachments J Relevant Att. Question Topic Description of Attachment 1 1 RCP seal LOCA IPE Submittal Pan 3, Section 4.4.2 2 2 HVAC initiators IPE Submittal Pan 3, Table 2-2 3 7 Small Break LOCA Event Tree IPE Submittal Pan 3, Figure 1-7 (revised) 4 13 Containment shell/ foundation IPE Submittal Pan 4, Section 5.2.6 &
Figure 5-9 5 14 Containment sidewall failure IPE Submittal Part 4, Figure 5-10 6 21 Ex vessel steam explosion IPE Submittal Part 4, pp.158 - 161 l
- , ~
a a - - -a u -
-- -- ..w -
- w e
e 3
4 4
1 1
(
e 3
4 i
!I i
l 4
1 1
I Attachment 1 9
i 1
l 4
i i
d e
i J
f
4.4.2 GI-23. Reactor Coolant Pumn Seal Failures Generic Issue 23 involves questions of the adequacy of current licensing requirements as they relate to seal integrity for reactor coolant pumps. The issue is concemed with evaluating the risk associated with seal failures which occur randomly during normal power operation, or occur due to failure of support systems during abnormal operations such as a station blackout or loss of various essential cooling water systems. Initial generic work by the NRC indicated that the overall core-damage frequency due to small LOCAs could be dominated by scenarios involving RCP seal failures. Toledo Edison has reviewed and evaluated the design features of the specific RCP seals used at Davis Besse so that realistic assumptions could be made regarding seal performance for the IPE. The following sections describe the PRA model and its basis.
Davis-Besse has four RCPs, each of which uses a Byron Jackson Model N-9000 mechanical seal cartridge, which has replaced the original seal design. The N-9000 seal, like its predecessor, uses a multi-stage cartridge. Each of the stages is designed to be capable of sealing against full RCS pressure during off-normal operation, thereby providing triple redundancy. Each cartridge consists of three individual, functionally identical stages which are stacked in series between the RCS and the containment atmosphere. Each of the stages is capable of carrying a pressure drop of at least 2,200 psid, but normally only one-third of this pressure drop (or about 750 psid) is carried across each of the stages.
312 PART3
.- -= _ ~ _
FRONT END ANALYSIS The N 9000 design has incorporated several improvements relative to the previous pump seals. He new design eliminates the generation of unbalanced loading due to radial shaft displacement. In the old design, acqua! hydraulic loading forces could be generated as a result of radial shaft displacement, causing uneven wear of the stationary face sealing nose.
Removal of the assembly and secondary seal from the rotating portion of the seal package has eliminated this problem. The balance diameters in the new design have been made equal, thereby eliminating the changes in pump thrust that occur when cavity pressures change. This will result in a reduction of cavity pressure oscillations. Due to an increase in seal face width in the N-9000 design, the seal face unit loading and unit area heat generation rates have been reduced from the old design. He N-9000 design utilizes tungsten carbide as a rotating face ring material. This material offers better fracture resistance and about five times the thermal conductivity of the titanium carbide used in the old design. The stationary face ring material is still resin impregnated graphite. This combination of face materials has had many years of satisfactory field experience in RCP applications. Additionally, many parts of the seals will now be interchangeable between the three stages. This further reduces the potential for any m-assembly errors that could attribute to seal failures.
A stage consists of a stationary face in a holder assembly and a rotating face in an.
assembly which is keyed to the RCP shaft. The stationary face holder is spring loaded so the stationary face is pressed toward the rotating face. A thin-film hydrostatic gap of approximately 100 micro-inches is maintained between the stationary and rotating faces by opposing the closing force of the spring and hydraulic forces with the pressure fields generated between the seal faces. A small leakage of fluid through this gap keeps the faces cooled and lubricated as the RCP rotates. Without this lubrication, the faces could overheat and eventually fail potentially causing the seal to become ineffective.
One of the support systems connected to the RCPs is the makeup system. High pressure water (slightly above normal RCS pressure) is injected into the RCP above the thermal barrier which separates the RCS from the seal cartridge. The seal injection flow splits at this point, with some flow passing up through the seal cartridge through controlled bleed-off orifices (CBOs) and the rest flowing downward to enter the RCS. There is a slight leakage between the seal faces in a path parallel to the flow through the CBOs The seal face path repmsents a higher flow resistance than the CBO, so the larger flow passes through the CBO path. The flow through the CBO path is recycled to the makeup system via the seal retum path. He seal return flow is measured to provide indication of seal problems.
Cooling of the pump seals is also provided by the CCW system. The CCW flow
- passes through a closed heat exchanger within the RCP. The purpose of this heat exchanger 4
is to cool any hot RCS fluid which might flow up into the seal cartridge. While the seal flow is normally seal injection water from the makeup system, should seal injection flow be lost, hot RCS water would flow up into the seals. In order to maintain an acceptable seal temperature, the RCS water is circulated around the heat exchanger before entering the seal cartridge region. His reduces the RCS fluid temperature to an acceptable level, thus ensuring that the seal integrity is maintained.
PART3 313
DAVIS.BESSE IPE l
] In support of the N 9000 development and testing program, a computer model of the seal was developed. A separate, detailed model of the slot configuration of the graphite ring ;
- was constructed. This model operates in conjunction with a 3-D finite element model of the j seal rings. Computations made included the seal face flow field, pressure distribution, heat
- dissipation, and topography. This included a complete computation of the flow and pressure
} fields radially and circumferentially. Areas of cavitation, if they would occur, could be identified. An iterative solution scheme was used which took into account the waviness of the graphite ring, which was solved for by an ANSYS finite element model. The output of parameters from the finite element analysis serves as a starting point for the analysis of the hydropad effect. It is the hydropad effect which is responsible for the forces generated which keep the seal faces apart. He hydropad analysis is computationally intensive, requiring several hundred iterations, together with approximately eight to ten ANSYS runs that are required to arrive at stability for each steady-state condition of the seal. The results of the analysis correspond very closely to the actual performance of the seal as observed in testing.
The analysis of the slots conforms to the engineering specification requirement that seal i behavior be predictable and that a full liquid lubricating film be maintained under all normal operating circumstances. He models were of sufficient detail that significant insights into the basic operation of the hydropad effect were obtained.
The various support systems for the RCP seals can experience several different failures, either singly or in any combination, which could have an impact on the RCP seal
- integrity. Specifically, the following failure modes are postulated: loss of seal injection, loss of CCW flow, loss of seal return, and combinations of these failures. These failures could be caused by numerous scenarios, such as inadvertent valve closures, inadvertent safety system i
actuations, pump failures, or a loss of offsite power. The effects of each of these failure modes on the RCP seal integrity are discussed below.
Loss of Sealinlaction A loss of seal injection flow can occur for many reasons. He net effect of the loss of only seal injection is that the RCS fluid becomes the medium which cools the seals with the j heat of the RCS removed by the CCW system. Consequently, as long as this is the only support system failure, the RCPs can continue to run indefinitely without the seal integrity being challenged.
s i Loss of Seal Return Flow 1 .
Should the seal return path become isolated for any reason, the lower two seals would de stage, causing the full pressure drop of the seal injection or RCS to take place across the last seal face. Each of the stages is designed to withstand the ful! pressure drop for an
- indefinite period of time. Should this seal fail, the middle seal would re-stage and continue to provide sealing with minimalleakage. This sequence also applies to the lower stage. Current
' Davis-Besse procedures direct plant operators to quickly restore the seal return path or to trip the affected RCP(s). If the pump shaft is not rotating, there is no heat generated at the seal i
j 3M PART3 i
4
, . FRONT-END ANALYSIS l interfaces. Without any heat generation, the seal materials would not experience a significant l temperature excursion. Therefore, the seal integrity would not be challenged.
In order to assure that this assessment was correct, the owners of Byron-Jackson j RCPs formed a project team to test the N-9000 RCP seal. Babcock & Wilcox (B&W) l prepared a report which summarizes the test program and the results of the test (Ref. 77).
l The test seal cartridge was subjected to a 30-minute run with the seal return path closed and
- the pump casing side of the seal at full RCS pressure (about 2150 psig). The test was
] performed after the seal had undergone about 5,000 hours0 days <br />0 hours <br />0 weeks <br />0 months <br /> of run time. It is important to note i that the test shaft was rotating during this 30-minute test. The test showed no noticeable j change in the seal components from conditions found prior to running the loss of seal return test. The third stage leakage during the test was approximately 0.5 gpm.
Due to the three-stage design of the seal cartridge, the seal assembly has built-in
, redundancy for this particular support system failure. When the seal return path is closed, the CBO orifices cease to work so there is no pressure drop across the first two stages of the seal assembly (i.e., the first two seals "de-stage"). The third stage then carries the full differential pressure drop. If the third stage were to experience gross failure, the second stage should "re-l stage" and begin canying the full pressure drop. This may also occur in the first stage if the j second stage were to then have a significant failure.
! Based on the design and test experience with the N-9000 seal, it is concluded that I
closure of the seal return path for a limited period, while the RCP is running, would not cause l a significant increase in seal leakage. As stated above, the RCP should be turned off to ensure l the seal integrity is not challenged.
l Lossi of CCW Flow If CCW flow to the RCP were lost, there is a potential for the seal cartridge to heat up. Normal seal injection flow should keep the seal cool; however, plant operators are directed by procedures to trip the affected RCP if the seal outlet ternperature exceeds a specified value. If the seal outlet temperature were to continue to climb, the operators would
, be further directed to shut off the seal return path to limit the temperature of the seal. Once j this was accomplished, the seal temperatures should stabilize, since the RCP would not be
, rotating (producing no heat at the seal faces), and little flow would be passing up the seal from the seal injection cavity. The seal would therefore be expected to maintain its integrity l l indefinitely as long as the seal outlet temperature is maintained acceptably low or the appropriate actions are taken to protect the seal.
i i Multiple Support Systems Failures
- Some postulated plant transients, such as a loss of all site ac power (station blackout),
)
! can result in the loss of more than one support system. A station blackout would result in a i loss N seal injection and a loss of CCW. While the RCPs would also be stopped due to the I l loss ot power, the seals must continue to maintain the RCS pressure boundary integrity. In
- this situation, the seal would still heat up, even though it was not running, since the hot RCS PART3 315 l 4
I i 1
, .. - .- _ .= -. . . - ._ . . . . .- - - _ _ _ . .
1 DAVIS BESSEIPE water would be flowing up through the seal without being cooled by CCW. Closing the seal return path would limit the flow through the seal which would help to muumize the temperature rise in the seal. The N-9000 seal was specifically tested for these conditions after
, the normal use testing program was completed (Ref. 78).
4 The; test subjected a static (non-rotating) seal cartridge to 555-575F water over a range of pressures (1700-2250 psig) at the inlet side of the seal. For the first half hour of the test, the seal return valve was left open in order to preheat the seals, thereby maxunizing the severity of the test. In addition, there was no seal injection or seal cooler (CCW) flow throughout the entire eight-hour test. The seal performed essentially as expected throughout the test. There was a marked increase, although still acceptable, in seal leakage after 7.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> of testing. This was attributed to a failed third-stage O-ring, which was discovered during a post-test inspection. The specific failure mechanism was later determined to have been precipitated by a manufacturing process defect which has since been corrected. When ,
the O-ring failed, the other two stages of the seal cartridge re staged and picked up the pressure load immediately. This demonstrated the ability of the first and second stages to serve as backups to the third stage. Other observations from the post test inspection included extrusion of the O-rings in the two lower seal stages and indication of two-phase flow across the third-stage seal faces. These conditions were anticipated, and their potential occurrence was accounted forin the seal design.
A concern of the NRC in relation to GI-23 was sistrumentation of the RCP seals.
Davis-Besse has installed the reactor coolant pump monitoring and diagnostic system. This is a computer-based data collection and diagnostic system designed by the B&W. It will generate alarms to alert operators of any critical parameter exceedmg prescribed limits. Other i L parameters are logged and trended for information regarding the seals, the shaft, and general I l pump performance parameters. The diagnostic system focuses on rotor dynamic vibration and I quasi-static parameters related to seal behavior. This system aids the operating staff and i
diagnostic personnel in detecting early signs of seal degradation.
l The Davis Besse plant employs two means of cooling the reactor coolant pump seals, direct seal injection and seal cavity cooling by means of CCW. Loss of either source of j cooling water can produce some temperature changes in the seal cavity, but long-term
- significant effects on seal performance would not result. These dual systems reduce the
] probability of totalloss of seal cooling. In the event of a station blackout, both sources of seal
- cooling would be lost. An alternate source of ac power has been installed at the Davis-Besse i
plant. This new blackout diesel is capable of re-powering the seal support systems, thereby recovering seal cooling.
After examining the information on the testing and design of the Byron-Jackson N-9000 RCP seal, the increased instrumentation to detect seal degradation, and the addition of an altemate source of ac power, it is concluded that the RCP seals will not experience gross failure due to loss of support systems, as long as plant operators take the appropriate actions
, to stop the affected RCP(s). While the test of the total loss of seal cooling was only run for eight hours, the data did not indicate any developing trends that would denote impending e
316 PART3
,. r
l
~ FRONT.END ANALYSIS le
- catastrophic failure. Since the clastomerics in the seals are rated to about 350F before they
- begin to experience breakdown, and the RCS temperature should be approaching this value after eight hours, further degradation of the seal clastomerics should not occur.
Consequently, the seals can be considered to be capable of maintaining their integrity for a sufficient duration to accomplish safe shutdown of the plant under all postulated scenarios.
The PRA model incorporates this conclusion by assuming a seal LOCA only if the plant operators fail to trip the affected RCP following a total loss of support systems; as long as the RCPs are tripped in a timely manner, a seal LOCA is not postulated to occur.
ne design process and design verification testing program associated with the Byron-Jackson N-9000 RCP seal have provided significant confidence in the seals' capabilities to maintain their integrity under a variety of conditions. He frequency of core damage due to seal LOCA was estimated, based on realistic (and, in a few cases, potentially conservative) assumptions regarding the effects of various losses of seal cooling on the potential for seal failure. Although this was among the important contributors to overall core damage, it was not dominant, and no vulnerabilities were implied. Therefore, this generic issue is considered to be resolved.
4 d
i l
1
i k 2
i t I i
- Attachment 2 l 4
l 1 1 l
s
$ 2 Table 2-2 h Overall System Dependency Matrix N
Support Systems 9 m
Ac De Service Room Main Com. Cire.
System Power Power Water CCW IA Coohng BWST SFAS Steam denser Water TPCW Makeup DEIR train 1/2 C1/D1 *
- DIP /D2P *
- HPI train 1/2 C1/D1 *
- DIP /D2P *
- CS train 1/2 El/F1 DIP /D2P * *
- ECCS rm 105/115 El/F1
- Makeup train 1/2 Cl/D1 DIP /D2P * * *
- PORV D2N
- CAC 1-3/1-2 El/F1 *
- Pressurizer spray F1 RON * * * *
- Ctmt. isolation El & F1 Core flood SFAS EDG l-1/12 Yl/Y2 DIP /D2P *
- SBODG *
- De Power El/F1
- y Batteries
- w e
l[ Table 2-2 (continued)
Overall System Dependency Matrix Support Systems Ac De Service Racei Main Cee- Cire.
System Power Power Water CCW IA Coohng BW5T SFAS Steam denser Water TPCW Makeup Service wtr trn 1/2 Cl/D1 DIP /D2P
- CCW train 1/2 C1/D1 *
- DIP /D2P
- SAC 1-1 *
- SAC I-2
- EIAC
- AFW train 1/2
- MDFP *
- MFW train 1/2 *
- E3/F3 * *
- DBP * *
- AVV 1IB/lI A Yl/Y2 DIP /D2P
- MSIV MS101/100 Yl/Y2 DIP /D2P
- Cire water TPCW Q O
9 e
~ N
= a C;
e 5
t)
{
d Attachment 3
1 DAVIS-BESSEIPE TRANSIENT REACTOR OHA VIA CONTROL RCS OH4WVENT LATE RC4 LONo. TERM $EOLKNCE CORE.
TitP SOe OF RCS INTEoNTY ORY MCOVERY WTTORffY COOLN3 DESCNPTION DAMAGE SW PRES & W MAINTAfNED CONTROL OF OHA RE. Of HPR vu SGe ESTAsus2 7 K BT P Q UT L w XT T NCO
, T4 NCO act '#'
TOXT SRY
- M TOtJT SIY T47 NCO m, , T4TM NCO
(
T4TM/IT SRY t , T4T% NCO T9T4/rf TRN l
T4TAJT TW f l
, T9T4 NCO ATot at t ' #
T4TOXT SAN T4 TOUT SW T4TS TIN K
" E" TM FALURE TO SCRAM Figure 1-7. Event Tree for Sequences initiated by a Small LOCA l
1
$2 PART3 m
4 I
1 i
Attachment 4
- 5.2.6 Event C
- Ex-Vessel Coolina of Core Debris
- Event C of the CET defines whether or not a coolable debris bed forms after the debris
) is ejected from the reactor vessel. The potential that the debris may be cooled is important with respect to long-term containment response. If the debris bed were cooled, and if
- containment heat removal was available, a condition could be reached in which containment 2
integrity might be maintained in the long term. If the debris bed were coolable but there were no containment heat removal, the containment would eventually be overpressurized. If the j debris bed were not cooled, core-concrete interactions could lead (1 overpressurization of the l containment (by pressurization due to the generation of non-condensable gases or by burning l of hydrogen and carbon monoxide), ablative failum of the side wall of the containment vessel
! (if the debris had been transported into the lower elevation), or penetration of the containment basemat. In these latter cases, additional fission products could be released during the core-concrete interactions.
The logic for failure to achieve ex-vessel cooling of the core debris is shown in Figure 1
5-9. Three possibilities for failure are indicated:
- For a plant-damage state involving a bypass scenario in which there was
, essentially no water retained in the containment, the only water available to
- cool the debris would be that released from the vessel when it failed. In I
this case, it is assumed that the relatively dry debris would not be cooled i (after being cooled initially), and that core-concrete interactions would take place.
The debris might be largely dis)ersed u) to the basement elevation, where i it could fail to form a coolable 3ed, or tiere could be insufficient overlying
! water to assure long-term coolability.
i
= The debris might be retained in the reactor cavity, where there might be a different probability for forming a coolable bed, with either deep or i relatively shallow flooding.
l i The first case encompasses interfacing-systems LOCAs and some events involving l SGTRs. SGTRs involving long-term failures of core cooling would be assumed to leave the j cavity relatively dry. SGTRs in which there was a failure of high pressure injection could j eventually involve a wet cavity, depending on the availability of low pressure injection when
! the RCS was depressurized.
l For the second case, the possibility that the debris would be dispersed to the lower elevation is developed separately under gate CELC01 (described in Section 5.2.11). If the
- contents of the BWST viere injected into contamment, the reactor cavity would be deeply
! 11ooded, and the lower elevation would be flooded to a depth of a few feet. In this case, it j would be likely that the debris would spread over a wide area. It was judged that a best
- estimate of the spread area would correspond to a depth of corium of approximately 6 inches.
Based on current understanding, there is significant confidence that debris beds less than 10 l inches in thickness can be cooled (Ref. 42). There is uncertainty, however, regarding 162 PART 4
. BACK-END ANALYSIS l
CORE DEBRIS FALS TO BE COOLED EX-VESSEL c boi i ,
PDS INOCATES FALURE TO COOL FAJLURE TO COOL BWASS EVENT THAT DEBRIS DISPERSED TO DEBR6 RETANED IN LEAVES CAvlTY ORY LOWER COMPARTMENT REACTOR CAVITY IAAPbS01I I Page 2 1 i SUBSTANTIAL FALURE TO COOL OlSPERSAL OF CORE DEBRt3 GIVEN DEBRIS TO LOWER OtSPERSAL TO LOWER COMPARTMENT COMPARTMENT C ' Col 1 2
Common Loge r #
l FALURE TO COOL FAILURE TO COOL i DEBRIS N FLOODED DEBRIS GIVEN LOWER LOWER COMPARTMENT COMPARTMENT NOT :
FLOODED l t i i <
POS INOCATES COOLABLE DEBRIS BED PDS NOCATES COOLABLE DEBRIS BED CAVITY DEEPLY FALS TO FORM IN CAVTTY NOT DEEPLY FALS TO FORM N FLOODED AFTER FLOODED LOWER FLOOCEO AFTER UNFLOOOED LOWER VESSEL BREACH COMPARTMT VESSEL BREACH COMP.
c ' t ICECNCDWCl 1AAPOSt0l ICECNCDODI Page 3 100E-C2 g 5.6 Figure 5-9. Logic for Failure of CET Event C-Core Debris Falls to be Cooled Ex-Vessel (page 1 of 3)
PART.t 163
l i
FAILURE TO COOL DEBRIS RETAINSD N REACTOR CAVITY CEb21 p
i i SUBSTANTIAL PORTION COOLABLE DEBRIS BED OF CORE DEBRIS NOT FAILS TO FORM IN EJECTED FROM CAVITY REACTOR CAVTTY I
C C23 I i
- SUBSTANTIAL DEBRi$ BED NOT DEBRIS BED NOT DISPERSAL OF CORE COOLABLE N DEEPLY COOLABLE N CAVITY DEBRIS TO LOWER FLOODED CAVffY WITH SHALLOW COMPARTMENT FLOOOING ICELC01l CC4 iCEC25I b Car =n Love b*'
i ,
PDS INDICATES COOLABLE DEBRIS BED
! CAVTTY DEEPLY FAILS TO FORM N FLOODED AFTER DEEPLY FLOODED VESSEL BREACH CAVITY I CEbis l lCECNCDFCI Page 3 1.00E42 Figure 5-9. Logic for Failure of CET Event C-Core Debris Falls to be Cooled Ex-Vessel (page 2 of 3)
W PART4
e ~
BACK END ANALYSIS PDS NDICATES DEBRIS BED NOT CAVfTY DEEPLY COOLABLE N CAVITY FLOODED AFTER WTTH SHALLOW VESSEL BREACH FLOODNG Page 1 Page 2
[ Page 2 I I PDS INDICATES PDS INDICATE 9 DEBRIS BED FAILS TO CAVITY NOT DEEPLY CAVfTY NOT DEEPLY BE COOLED N FLOODED AFTER FLOODED AFTER SHALLOW-FLOODED VESSEL BREACH VESSEL BREACH l CAVTTY I AAPbS10 l lAAPDS101 CEb26
.=
I I CONTANMENT HEAT COOLABLE DEBRIS BED REMOVAL NOT FAILS TO FORM IN AVA U BLE N THE CAvrTY W/ SHALLOW LONG TERu n.OOD C 1 ICECNCOWC]
1.00E-01 I I PDS INDICATES CONTANMENT HEAT CONTAINMENT COCUNG REMOVAL NOT NOT AVAUBLE RESTORED (LONG TERM)
IAAPbS05l l CELLTCHR l 1.00E41 Figure 5-9. Logic for Failure of CET Event C-Core Debris Falls to be Cooled Ex-Vessel (page 3 of 3)
PART4 165
DA VIS-BESSE IPE the extent to which the debris would spread after transport to the lower elevation. If it were arbitrarily assumed that the debris spread over only half the nominal area, a depth greater than 1 ft would result, and the debris bed might not be coolable. To account for uncertainty both in the potential for fonning a coolable debris bed and in the assessment of the spread area, it was assumed that the failure to form a coolable debris bed in the lower elevation with overlying water was "very unlikely," rather than impossible.
For the cases in which the BWST contents were not injected into containment, the only water in the lower elevation would be that entrained with the core debris as it was transported through the instrument tunnel. This water could cause the debris to be quenched initially, but it would tend to dry out and heat up. Calculations using MAAP indicate that, in this circumstance, decay heat would typically be low enough that convective cooling and radiative heat transfer would be sufficient to prevent ablation of the concrete floor in the lower elevation. There is substantially more uncertainty regarding the degree to which the corium would remain frozen under these conditions. In most prior assessments, it was assumed that a debris bed with no overlying water would not be coolable. In this case, the probability of a coolable debris bed was taken as " indeterminate" to reflect uncertainty in the MAAP models for heat transfer and debris-bed configuration. .
The third case cited above involves conditions in which the corium was largely retained in the reactor cavity. At Davis-Besse, the drains from the basement lead to the containment normal sump, which is located at the cavity elevation. Therefore, unless the accident involved a bypass that left the cavity essentially dry, there would be a substantial amount of water overlying the debris, even if the contents of the BWST were not injected.
The spread area for the cavity is relatively large, and the nominal depth of debris would be expected to be about 10 inches. Here is, however, uncertainty with respect to whether the debris bed would be in a coolable configuration, since the nominal depth could be slightly higher than 10 inches. It was judged that the probability of failure to form a coolable debris bed for this case, with a deeply flooded cavity, could be characterized as "very unlikely."
If the cavity were flooded only by the water originally in the RCS and core flood tanks (i.e., if the contents of the BWST were not injected), there would be a much shallower overlying depth of water. There would be good pathways for the transfer of heat from the cavity to the containment. If containment heat removal were available, the steam generated by cooling of the debris would tend to condense and drain back to the cavity. It was judged that this would be less likely to produce a coolable debris bed than for the case in which the cavity was deeply flooded. Therefore, the failure to form a coolable debris bed given shallow flooding in the cavity was taken to be "unhkely." If containment heat removal were not available, the debris in the cavity would tend to dry out (before or after overpressurizing j containment). It was assumed that, for the case in which debris was retained in the cavity, the l
cavity was not deeply flooded, and containment heat removal was not available, ablation of j the concrete would initiate when the debris dried out. The probabilities for the basic events l associated with top event C are summarized below. I 166 PART4 '
.. m
< BACK END ANALYSIS Quantification of Basic Events for Failure of Debris Bed Coolability (Top Event C) j 1
l'DS/ Case Description Assessment Probability CECNCDWD: cootable debris bed fails to form in flooded lower elevation l l
All All relevant damage states (i.e., with dispersal to very unlikely 0.01 j basement and injection of BWST)
CECNCDDD: coolable debris bed fails to form in unflooded lower elevation All All relevant damage states (i.e., with dispersal to indeterminate 0.5 basement but no injection of BWST)
CECNCDFC: coolable debris bed fails to form in deeply flooded n: actor cavity All All relevant damage states (i.e., with retention in very unlikely 0.01 cavity and injection of BWST) i CECNCDWC: coolable debris bed fails to form in reactor cavity with shallow flooding All All relevant damage states (i.e., with retention in unlikely 0.1 cavity and containment beat removal but no ;
injection of BWST) ;
1 I
I l
+
.l
W i
Attachment 5
4 -
DAVIS BESSEIPE CONTAINMENT SIDE WALL FAILURE FROM ABLATION BY CORE DEBRIS C 1 l
i i SUBSTANTIAL DEBRIS IN LOWER DISPERSAL OF CORE COMPARTMENT CAUSES DEBRIS TO LOWER DIRECT CTMT FAILURE COMPARTMENT lCELCo1l Common Logic .
I i 1'
EX VESSEL COOLNG DESRIS W EMERGENCY OF CORE DEBRIS SUMP CAUSES FAILURE FAILS (FAILURE FOR (COOLED DESRIS BED)
EVENT C)
I AACET03I ICEOWETCFl i.mE.oa Figure 5-10. Logic for Failure of CET Event D-Containment Side Wall Failure from Ablation by Core Debris 168 PART4
--,.au Y"
i J
1 i
d 4
1 i
e Attachment 6 i
J
1
. +
\
l 1
Failure Due to Pressure Rise at Vessel Breach If the core debris were to breach the reactor vessel, the discharge of debris and steam from the RCS would lead to further pressurization of the contamment. This pressure loading could result from several sources, including the steam released from the RCS at vessel breach, from the rapid transfer of heat from the core debris to water in the reactor cavity, and from direct heating of the containment atmosphere by widely dispersed debris.
If the debris were to exit the vessel via high pressure melt ejection, it could be dispersed to the lower elevation. Depending on the amount of debris that was fmely fragmented, there could be a rapid direct transfer of energy to the contamment atmosphere.
Further exothermic oxidation of the fuel could also add energy to the atmosphere. There could also be buming of hydrogen simultaneous with this pressurization. This buming could involve both hydrogen generated during core degradation, and that produced during the oxidation in the containment atmosphere. Local burning at the site of oxidation could occur
, throughout the area in which the debris was dispened.
The pressure rise at vessel breach was calculated using the MAAP code for a representative set of plant-damage states. These pressure rises tended to be quite small when compared to the estimates provided by the experts for NUREG-1150 (Ref. 40.). A sensitivity 138 PART4
BACK END ANALYSIS case was evaluated, in which a parameter representing the fraction of debris that would be fmely fragmented at vessel failure was increased from the nominal value of 0.03 to 0.33. The value of 0.33 we 'onsidered to be a realistic upper bound (Ref. 41). This sensitivity case was performed for a. accident involving a high pressure core melt due to station blackout (plant-damage state TINYNINN). In this case, the pressure rise at vessel breach was about 37 psi, compared to about 24 psiin the base case. In neither the base case nor the sensitivity study was a hydrogen burn predicted to occur at the time of vessel breach.
For cases involving high pressure melt ejection, with the potential for direct containment heating and associated hydrogen bums (as described above), the probability of containment failure was calculated by developing a probability distribution for pressure rise at vessel breach based on the MAAP results, and adding to that pressure rise the pressure associated with a simultaneous hydrogen burn. The pressure rise calculated for the nominal fragmentation parameter (24 psi for FCMDH = 0.03) was assumed to mpresent the median of a lognormal distribution, with the pressure corresponding to a value of 0.33 (37 psi) assumed to be the 954 tile.
Added to this distribution was a pressure rise associated with simultaneous buming of hydrogen. The quantity of hydrogen available for burning was assumed to be comprised of the following two components:
- The hydrogen generated during core degradation, as described earlier for hydrogen bums befom and after vessel bmach. For accidents in which RCS pressure mmained high prior to vessel breach (as would be the case for all accidents with the potential for pmssurized melt ejection), it was assumed that a large portion of the hydrogen would not be released until after vessel bmach. Therefore, this quantity (defined by the distribution described earlier) was assumed to be available for burning.
The hydrogen generated by oxidation of finely fragmented fuel in the containment atmosphere. It was assumed that an amount of zirconium oxidation would take place equivalent to the fraction of fuel that was fmely fragmented (adjusted to account for the cladding previously oxidized in-vessel).
Thus, a distribution for the amount of hydrogen available for buming at vessel breach was develop:d that was a function both of the initial production and the amount of fuel that was fmely fragmented. These cormlated distributions were combined to produce a composite
, distribution for total pressure at vessel bmach. This composite distribution is shown in Figure
- 5-8. The composite distribution was then multiplied by the distribution for probability of containment failum to provide an estimate of the total probability of containment failure due to a high pressure melt ejection. The overall probability of failure at vessel breach given dispersal of core debris to the lower elevation was calculated in this manner to be 0.009.
Therefore, for all cases involving pressurized ejection of core debris beyond the reactor cavity, containment failure was judged to be "very unlikely."
Also shown in Figure 5-8 is the distribution for the case from the NUREG-1150 assessment for Zion that most closely corresponds to this case (Ref. 40). The expert PARIM 159
3 s _ e 2s9$?.m 9m
.' 90 e
s 6 s
e e
s t
a
- B- a c ,' 8 0
e
- i s 0 i s
v 5 R
- a 1 D 1 e r
0 un so
,' 7 si
+
e r c t
e
. )
i Pj
_ s rE
- ' _ p 0
,' 6 h
(
ot f l
- c a n e
/
e r i oM y b t d l
e bz ue
/ 0 s i i
'f 5 se r r t u
'- t v iss a Ds e
'.
- t n
e yr t P
- 04 me i
l io bt r
', c n buae i
e r
o rD
/. 0 u s P h
- 3 se ec
/"
P r i vae t r
/
aB l
ul
+-
0 2 me u s s Ce
.V 8-
. 0 5 1
e r
u i
g F
- O 0 9 8 7 6 5 4 3 2 1 0 1 0 0 0 O 0 0 0 0 0 0
- l k*
i E
ao ksA
B/ n END ANALYSIS elicitation for Zion indicated somewhat higher probabilities of higher pressure increments, although the two distributions converge at higher pressures. Because there is a substantial 4 conditional probability of containment failure only at pmssures above about 80 psia, the important pans of these curves are relatively close together. Two factors tend to minimize the potential for a failure of the containment due to the pressurization immediately following I vessel breach at Davis-Besse:
(1) The containment volume is quite large, and can therefore accommodate significant an'ounts of energy with relatively small corresponding pressure rises. The free volume for Davis-Besse is nearly 10% larger than that for Zion (for a nominal power level for Davis-Besse that is about 15% lower than Zion).
(2) The arrangement of the pathways between the lower and upper compartments would tend to limit the transport of large amounts of the core debris to the upper compartment in the event of pressurized ejection from the reactor vessel. This could mduce the degree to which direct heating of the containment atmosphere would take place.
Other accidents would not lead to significant dispersal of debris beyond the reactor cavity, either because the RCS pmssure was not high enough to cause dispersal, or because deep flooding of the cavity caused the debris to be retained in the cavity (refer to the discussion of dispersal beyond in the reactor cavity in Section 5.2.11). For these cases, the pressure rise at vessel breach was calculated by MAAP to be mlatively small, and none presented a serious threat to containment integrity, A more detailed assessment, as was performed for cases of pmssurized ejection, was not judged to be warranted. Instead, containment overpressurization at vessel breach for these cases was judged to be " remotely possible." Note that the contribution due to hydrogen bums following vessel breach for cases other than those involving pressurized ejection am treated separately, as described earlier.
He probabilities for the two basic events mlating to the potential for overpressurization due to the loads at vessel breach are summarized in the tabulation below.
Quantification of Basic Events for Failure Due to Pressure Rise at Vessel Breach (Top Event E) l PDS/ Case Description Assessment Probability CEEVBNCF: containment fails given loads due to high pressure melt ejection All All relevant plant damage states (i.e., with very unlikely 0.01 ejection of debris from reactor cavity at vessel breach)
CEEVBLCF: containment fails due to loads at vessel breach (no ejection from cavity)
All All relevant plant damage states (i.e., with n:motely 0.001 retention of core debris in reactor cavity) possible PART4 161
. . _ _