Forwards Responses to NRC 950616 RAIs Re IPE

ML20092G455
Person / Time
Site:	Vogtle
Issue date:	09/13/1995
From:	Mccoy C GEORGIA POWER CO.
To:	NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM)
References
LCV-0636-B, LCV-636-B, TAC-M74485, TAC-M74486, NUDOCS 9509190310
Download: ML20092G455 (134)
v • d • e

Text

{{#Wiki_filter:p- # f Georg a Power Company 40 inverness Center Parkway ' Post Office Box 1295 Birmingham. Alabama 35201 Telephone 705 877-7122 ) L c.K. Mccoy Georgia Power Vice Present. Nuclear Vogt!c Project the southern electnc cystem September 13, 1995 LCV-0636-B Docket Nos. 50-424 50-425 Tac Nos. M74485 M74486 U. S. Nuclear Regulatory Commission ATTN: Document Control Desk Washington, D. C. 20555 Gentlemen: VOGTLE ELECTRIC GENERATING PLANT RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION INDIVIDUAL PLANT EXAMINATION The enclosure of your letter dated June 16,1995, contained requests for additional information that were developed during the NRC's review of the Individual Plant Evaluation for the Vogtle Electric Generating Plant. Attached to this letter are the responses to those requests. Sincerely, C, K. McCoy CKM/KWK/HWM/gmb Enclosure cc: See next page .CCG7J dg#l 9509190310 950913 i PDR ADOCK 05000424 it P. _ PDR Ilg_ L

o k Georgia Power n U. S. Nuclear Regulatory Commission Page 2 cc: Georgia Power Company Mr. J. B. Beasley, Jr. Mr. M. Sheibani NORMS U. S. Nuclear Regulatory Commission Mr. S. D. Ebneter, Regional Administrator Mr. L. L. Wheeler, Licensing Project Manager, NRR Mr. C. R. Ogle, Senior Resident Inspector, Vogtle LCV-0636-B 700775

1 l VOGTLE - UNITS 1 AND 2 1 INDIVIDUAL PLANT EXAMINATION SUBMITTAL FRONT-END QUESTIONS Ouestion I i l i Credit was taken in the analysis for three procedure enhancements, as described in i Subsections 1.4. I and 6.1 of the individual plant examination (IPE) submittal. However, the status of these enhancements is not clear. Although in some places in the submittal it is stated or implied that these enhancements have been implemented, the beginning of Subsection 6.1 states that the enhancements have been scheduled for implementation. Please provide the status and schedule for completion of these procedure enhancements. a.

b. The IPE submittal indicates that these enhancements collectively reduce the core damage frequency (CDF) from 8.2E-05/yr to 4.9E-05/yr. If available, please provide an estimate of the CDF reduction resulting from each modification.

Response 1

a. The procedures identified to implement the plant improvements noted in Subsection 6.1 were all implemented in August 1992, prior to the IPE submittal. The specific procedures for each of the three improvement areas identified are as follows:

Opening of power room doors upon loss of ESF Electrical HVAC 13302-l&2; Control Building ESF Ventilation Systems 17050-l&2; Annunciator Response Procedure for ALB 50 on OHVC Panel 17053-l&2; Annunciator Response Procedure for ALB 53 on OHVC Panel Manual control of AFW turbine driven pump during a loss of all AC power and DC power 19100-C, Emergency Operating Procedure, ECA-0 0 Loss of All AC Power 1 1

Response Ia (continued) Establishment of one NSCW pump operation on loss ofNSCW initiating event 18021-C; Abnormal Operating Procedure, Loss of Nuclear Service Cooline Water System

b. The IPE submittal indicates that three procedural enhancements collectively reduce the core damage frequency. The benefit resulting from each procedural modification can be estimated using the most dominant sequences from an updated version of the Vogtle IPE model. This updated Vogtle IPE model has not resulted in significant changes to the major contributors to CDF and is therefore considered to be representative of the base model submitted in response to GL-88-20.

To determine the benefit of each procedural enhancement, a sensitivity case was performed to show the increase in CDF when the recoveg action developed for each procedural change is not credited in the IPE model. This was done by setting the failure probability for the action that models the procedural change to 1.0 and then calculating new failure probabilities for impacted plant response tree top events. Table 1 contains the results of the sensitivity case for each procedural enhancement. TABLE 1 CHANGE IN CDF WHEN PROCEDURAL ENHANCEMENTS ARE REMOVED FROM IPE MODEL Procedure Enhancement Percent Increase in CDF without Enhancement Manual control of the turbine driven 31 % auxilian feedwater pump during a loss of all AC power and loss of DC power (Station Blackout) The establishment of one NSCW pump 9% operation on a loss of NSCW initiating event Opening of the inverter room and 49 % switchgear room doors on a loss of Control Building ESF Electrical Room HVAC 2 l v g --w-, w

Resoonse Ib (continued) The manual control of the turbine driven AFW p 2mp is applicable to the loss of all AC power event (Station Blackout). Station Blackout, as an event, is a dominant contributor to CDF, therefore this procedural enhancement significantly reduces core damage frequency. The establisnment of one NSCW pump operatic,n is applicable to the loss of NSCW initiating event, however, this event has a very low frequency of occurrence and the procedural enhancement has a marginal benefit in reducing core damage frequency. Credit for high temperature Reactor Coolant Pump seals provides additional benefit for this event. The opening of the inverter room doors on a loss of CB ESF HVAC is applicable to all events where one or both trains of Control B.iilding ESF Electrical Room HVAC fait due to component or support system failures. With the loss of Control Building ESF Electrical Room HVAC system, several rooms with iniportant ESF electrical equipment, such as DC buses and panels and 480 V motor control centers reach temperatures that cause electrical equipment failures. This procedural enhanc ement significantly reduces core damage because the impacted electrical equipment is critient for actuating, controlling, and powering other equipment necessary to mitigate the consequences of allinitiating events. Ouestion 2 According to the IPE submittal, the freeze date of the analysis was January 1,1991,"with some exceptions." Subsection 2.1 of the submittal states that these exceptions are explicitly cited throughout the report; however, no explicit discussion of these exceptions was found in the submittal. It appears that one of these exceptions is related to the pending installation of new reactor coolant pump (RCP) 0-rings in Unit I as of the IPE date, as credit for new RCP O-rings was taken in the analysis for both units. The only other possible exception to the analysis freeze date appears to be the procedure enhancements described above in question 1. a. Please identify and describe a!! exceptions t o the analysis freeze date.

b. If available, describe the impact of the " exceptions" on the CDF, both individually and collectively.

Response 2 1

a. The freeze date, January 1,1991, referred to in Subsection 2.1 was the date established for the initial modeling ar.d quantification of the PSA. It was established to provide a

) baseline date for design and equipment reliability data. After the initial quantification, the recovery process commenced, from which model changes were expected and subsequently implemented. As noted above credit was taken for the RCP high temperature O-rings installed on Unit 2 and scheduled for installation on Unit 1 (they have since been installed). Procedure enhancements were also identified and implemented (see response to la above) as a result of the recovery process. Two 3

additional post freeze date items were: 1) the diesel generator reliability data (see IPE report Subsection 1.4.1 and 3.3.2) and 2) essential chilled water reliability data (see Subsection 3.2.2). Both of these systems had benefited from reliability program enhancements. The Independent Review Group recommended that the results of these program enhancements be included in the PSA in order to more accurately reflect the plant as built, operated, and maintained status.

b. The response to question 2a identifies the following exceptions to the freeze date credited in the analysis; RCP high temperature 0-rings, procedural enhancements (see response to la),

diesel generator, and essential chilled water reliability data. Analysis that determines the impact on CDF of old reactor coolant pump (RCP) 0-rings is not available. No analysis using old RCP O-rings is available because the decision to credit high temperature RCP O-rings was made early in the IPE development process. This decision was based upon the fact that, at the time of the IPE analysis, high temperature 0-rings were already installed on Unit 2 and scheduled for installation on Unit 1. The high temperature 0-rings have since been installed on Unit 1. Procedural enhancements credited in the analysis and the impact of each enhancement on CDF is detailed in the responses to questions la and Ib. To assess the impact of using post freeze date diesel generator and essential chilled water reliability data, sensitivity analyses were performed. Cases were run to assess the impact on CDF of using failure data up to the freeze date for components within the diesel generator and essential chilled water systems. Cases to assure each system individually and a case to collectively assure the combined impact of the systems were run. Table 1 contains the results (impact on CDF) of the sensitivity case for the diesel generator and essential chilled water systems. 4

TABLE 1 CHANGE IN CDF USING " FREEZE DATE" DG and ECW RELIABILITY DATA System Dominant Contributor Percent Decrease in CDF Diesel Generator Systein Failure to start DG 19 % Essential Chilled Water Failure to start ECW chiller 62 % System DG and ECW System Failure to start ECW system 67 % Ouestion 3 The IPE includes loss of 120 volt AC instrument panels and de buses as initiating events. However, no mention is made in the submittal of possible consideration of failures of 4,160-Vac and 480-Vac buses as initiating events. Please provide the basis for omitting, as initiating events, equipment failures related to 4,160-Vac and 480-Vac buses. l i i Resnonse 3 Special initiating events (plant-specific initiating events) are those systems or component l failures which result in a reactor trip or LOCA and simultaneously disable or degrade the performance of accident mitigation systems required to respond to the event. These events generally involve the loss of support systems, such as loss of nuclear service cooling water, loss of two 120V vital AC buses or one 125V DC bus, or loss ofinstmment air. For special initiating events, the loss of a system or component directly results in a reactor trip and the need for decay heat removal. Because these events are plant specific in nature, a review of plant information such as the plant's design, abnormal operating procedures and opcrating history was conducted to identify these initiators. In order to determine whether the loss of a plant system or component should be treated as a special initiating event, several factors were considered:

1. If the event frequency was below the frequency of approximately 1E-08/ year, and the expected level of degradation to other plant systems was not significant, then the event was eliminated from further consideration.

5

2. If the event had the same effect on plant systems as a previously defined LOCA or transient event and the estimated frequency was less than that LOCA or transient event frequency, then the special initiating event was subsumed into the LOCA or transient event.

The first source examined for special initiating events was the Vogtle abnormal operating procedures. These procedures were reviewed to determine if 1) the loss of the event causes a reactor trip and 2) to determine what systems would be impacted by failure of that system. In addition, during the systems analysis, a review was conducted for an individual system's impact on other systems and for the potential to cause an initiating event. The Vogtle Units 1 and 2 reactor trip operating histories were also reviewed to determine if any special initiators had occurred at the plant. The loss of a single 4160V or 480V emergency safeguards features (ESF) bus does not result in an immediate reactor trip. TIis event could require a manual shutdown due to Technical Specification requirements,:however, orderly shutdowns such as this were not considered initiating events for the IPE. The loss of both 4160V ESF buses is similar to the station blackout scenario, with the exception that the non-ESF buses could be available. Therefore, the station blackout condition is more limiting. The failure of both 4160V ESF busses is considered in the determination of a station blackout condition given a loss of offsite power, however, the failure probability of both emergency busses is an insignificant contributor. The initiating event frequency for a loss of both busses is also small compared to the loss of offsite power initiating event frequency. Therefore, the loss of both buses was not modeled as a separate initiating event. The loss of a non-ESF 4160V or a non-ESF 480V electrical bus was not included as a specialinitiating event. The loss of a non-lE bus does not have an effect on the systems required for safe shutdown. It does affect the availability of some equipment modeled in the Vogtle IPE, for example, instrument air and main feedwater which were modeled as initiating events. Ouestion 4 The common-cause beta factors used in the IPE for residual heat removal pumps (RHR) and motor-operated valves (MOV) are substantially lower (more than an order or magnitude) than corresponding data in NUREG/CR-4550. a. Please identify the source (s) of the common-cause data for these two component groups.

b. For the above components, explain how it was determined that the common-cause data from the sources used in the IPE are applicable to the Vogtle plant.

6

In your search for vulnerabilities, did you determine if the results of the analysis are c. sensitive to the use of these beta factors for this equipment? Please discuss the impact on the CDF if higher common-cause data had been used for these components. Response 4a. and 4b. Based on NUREG/CR-4550, Volume 1, Revision 1, the common cause factors were estimated based on a combination of the beta factor model from EPRI NP-3967 and the Binomial Failure Rate (BFR) model from Atwood's work in the early 1980's (NUREG/CR-2098, ?770 and 2099). The beta factors from EPRI NP-3967 were used for common cause events of two out of two components. For higher order common cause events, the beta factors derived for the two out of two components were multiplied by the ratio of common cause parameters from Atwood's BFR analysis. In addition, for NUREG/CR-4550, a review and classification of the generic and plant specific data was not performed. However, the data from EPRI NP-3967 was reviewed for applicability to the NUREG/CR-4550 plants and EPRI NP-3967 was the data source used to quantify most of the common cause basic events. Thus, comparison of these factors to the Vogtle-specific factors is not valid. Three references were used as the basis in the formulation of Vogtle IPE common cause factors: NUREG/CR-4780 " Procedures for Treating Common Cause Failures in Safety and Reliability Studies," EPRI NP-3967 " Classification and Analysis ofReactor Operating Experience Involving Dependent Events," and Plant Vogtle specific operating history. When the common cause calculations were performed (1991), the EPRI common cause event data base was in an interim state (draft 1990 document). The data base was documented in a report EPRI NP-3967 issued in June 1985 and was later updated and issued in April 1992. The Vogtle-specific Multiple Greek Letter (MGL) factors resulted from conducting a site specific review of the EPRI events data base (from 1990 draft EPRI document) for applicability to Vogtle and also the investigation into failure events at Vogtle for possible inclusion. Inclusion or exclusion of events was based on a review by cognizant personnel from Southern Nuclear, Plant Vogtle and Westinghouse. The rationale for eliminating or modifying events from the database was documented. In many cases, the common cause event could not happen at Plant Vogtle since the Vogtle-specific equipment configuration did not match the system / component configuration as depicted in the event's description. 7

For motor-operated valves, of the 41 MOV events reviewed by the experts, it was determined that 20 events were applicable to Plant Vogtle. For RHR pumps, of the 7 RHR pump events reviewed,2 events were determined to be applicable to Plant Vogtle. The events were screened based on the following criteria (as described in NUREG/CR-4780): events that did not occur in the same time frame, such as second failures occurring aner the restoration of the first, were discarded from the database events in which the same cause was not readily apparent were discarded from the database off-tolerance conditions, such as packing leaks and setpoint drins, were discarded from the data base because they did not constitute a failure failures that were very easily recoverable were discarded from the database for those events where a defense mechanism exists, the events were discarded from the database. Defense mechanisms are a set of operation, maintenance, and design measures taken to diminish the frequency or consequences of common cause events. These events were then mapped, as recommended in NUREG/CR-4780 with associated probabilities to calculate the MGL factors. The Vogtle Independent Review Group (which included an independent PRA consultant from PLG) reviewed the process and documentation involved in the common cause analysis (see Table 5.3-1 of the Vogtle IPE submittal report) and their comments were included in the common cause analysis documentatien. Response 4c. To assess the impact of using generic beta factors for the common cause failures of motor operated valves and residual heat removal pumps, sensitivity analyses were performed. Cases were run in which the common cause failure probability of basic events for MOVs and RHR pumps were recalculated using the generic beta factors supplied in NUREG/CR-4550. The new CCF values where then used to assess the increase in CDF. Table 1 shows the percent increase in core damage frequency when generic beta factors are used for motor operated valves and residual heat removal pumps. The use of generic beta factors for MOVs and RHR pumps does not significantly impact core damage frequency and would not change the insights from the IPE results. 8

TABLE 1 CHANGE IN CDF WHEN GENERIC BETA FACTORS ARE USED FOR CCF Component Type IPE Beta NUREG/CR-4550 Percent Increase in CDF Factors Beta Factors Using Generic Beta Factors Motor Operated Valves 6.9E-3 8.8E-2 5% Residual Heat Removal 2.5E-3 1.5E-1 2% Pumps Ouestion 5 The plant response tree (PRT) for an interfacing-systems loss-of-coolant (ISLOCA) accident assumes that use of the high-pressure system in the injection mode would be sufficient to provide primary system makeup during the 24-hour post-accident mission time. Please explain how it was determined in the submittal that high-pressure injection could be continued throughout the post-accident mission time, given: a. inventory depletion considerations and

b. possible adverse environmental effects of coolant discharged outside containment on equipment needed to sustain mitigating system operation.

Response Sa. and 5b. The process of determining the interfacing systems LOCA (ISLOCA) initiating event frequency identified the RHR hot leg suction ISLOCA as a dominant contributor. This ISLOCA is generally considered the most severe ISLOCA due to its effect on the long term heat removal capability of the plant. In this event both RHR pumps are assumed to fait due to the ISLOCA, failing low pressure injection and ECCS recirculation from the containment sump. Therefore, as shown in the plant response tree on Figure A.9-4 of the Vogtle IPE submittal, this case was chosen for the ISLOCA model. For this event, two hot leg isolation valves in series fail, exposing the RHR system to the higher pressure of the RCS, The pressure increase fails the RHR pump seal for both RHR pumps and also opens the RHR relief valves. The pump seal failures are assumed to fail the RHR pump motors due to water spray. The flow from the RHR pump seals collects in the RHR pump rooms. The flow from the relief valves is expected to eventually fill the pressurizer relief tank and burst its rupture disc, spilling into containment. The result is a concurrent release of coolant inside and outside containment. Water leakage in the RHR pump rooms, or from the pressurizer relief tank, will not affect the operation of the high pressure ECCS because the active components (e.g., pumps and valves) are not located in these areas. 9

On the ISLOCA plant response tree, the only path which does not lead to core damage requires successful operation of the high pressure ECCS pumps (top event HPI), the containment cooling units (CCU), and operator action (OSR). The containment cooling units are required to prevent containment spray from being actuated due to the RCS flow into containment through the pressurizer relief tank. By preventing the containment sprays from actuating, the inventory in the RWST is available for RCS injection via the high pressure ECCS pumps. The operator action is required to reduce the ECCS flow which extends the water supply in the RWST. Calculations were performed, using minimum required flow data for decay heat removal from Vogtle emergency procedure " Loss of Emergency Coolant Recirculation," to determine how many gallons of water are required for decay heat removal for the 24 hour IPE mission time. Based on this calculation and the flow rates of the high pressure pumps, the time available for the operator to reduce the ECCS flow was calculated. This operator action time and the procedural steps the operator would follow to reduce ECCS flow were used in the determination of the human error probability for top event OSR. Question 6 The IPE submittal provides system success criteria for individual PRT headings. However, the submittal does not list the minimum success criteria for front-line systems that mitigate each initiating event or group of events, as requested in NUREG-1335. Without j information compiled in this manner, it is difficult to determine success criteria pertinent to PRT success paths. Please provide a table that lists the complete set of minimum success criteria for the front-line systems required to prevent core damage for each of the initiating events. Response 6 Tables FE6-1 through FE6-9-4 describe the success criteria for front-line systems in the top events for each plant response tree. Note that separate success criteria for the loss of offsite power initiating event are not included in the tables. The loss of offsite power initiating event follows either the general transients, small LOCA, secondary side break, ATWT, or station blackout plant response tree. For loss of offsite power and station blackout, restart of the operating centrifugal charging pump (CCP), component cooling water (CCW) pump, and containment cooling units (CCU) are included in the system unavailability calculations. 10

Table FE6-1 Large LOCA Plant Response Tree System Success Criteria Top Event Success Criteria Mission Time Refueling Water 2631,478 gal. 22400 ppm 24 hours Storage Tank (TK) boron, tank intact. Low-Pressure 1 out of 2 pumps injecting to 30 minutes Injection (LPI) 2 out of 3 intact cold legs. High-Pressure Not required to prevent core i hour injection (HPI) damage, if LPI fails,2 out of 4 high pressure pumps (CCPs or SIPS) injecting to 2 out of 3 intact cold legs to provide water to containment for long term cooling. Containment Cooling 4 out of 8 CCUs to prevent 24 hours Units (CCU) core damage and for containment cooling if 1 RHR HX not available; 2 out of 8 CCUs to prevent containment failure if 1 RHR HX not available. Containment Sprays Not required to prevent core 30 minutes (CS) damage or containment failure.1 out of 2 CS pumps delivering flow to 1 spray header needed for fission product scrubbing. Component Cooling 1 out of 2 trains of CCW with 24 hours Water (CCW) 2 out of 3 CCW pumps operating supplying the operating RHR train. Low Pressure 1 out of 2 RHR pumps,1 out 10.5 hours Recirculation (LPR) of 1 sump valve on 1 out of 2 trains to 1 out of 3 Intact cold legs. Containment Spray Not required to prevent core 23.5 hours Recirculation (CSR) damage or containment failure.1 out of 2 CS pumps, 2 out of 2 sump valves in series open on 1 out of 2 trains for fission product scrubbing. I1

Hot Leg Not required to prevent core 13 hours Recirculation (HLR) damage or containment failure. Alignment of 1 out of 2 RHR pumps,1 out of 2 cross-connect valves opens, 1 out of 1 hot leg valve opens,2 out of 2 cold leg valves close and flow to 2 out of 2 hot legs, or alignment retumed to cold leg injection to prevent interruption of recirculation flow. Containment Not required to prevent core Not applicable Isolation (Cl) damage. Identified penetrations >2 inches must be closed to reduce offsite doses. 12

1 i Table FE6-2 Medium LOCA Plant Response Tree System Success Criteria Event Tree Top Success Criteria Mission Time Event Refueling Water 2631,478 gal. 22400 ppm 24 hours Storage Tank (TK) boron, tank intact. High-Pressure 2 out of 4 CCPs/ SIPS 1 hour Injection (HPI) injecting to 2 out of 3 intact cold legs. Auxiliary Feedwater 1 out of 3 pumps to 2 out of 4 5 hours (AFW) steam generators (SG) with steam relief from 1 out of 5 safety valves /SG. Secondary-Side 2 out of 4 SG atmospheric Not applicable Depressurization relief valves (1/SG fed by (SGP) AFW). Primary-Side 2 out of 2 pressurizer PORVs Not applicable Depressurization open (and block n'"as if (PZR) necessary). Accumulators (ACC) 3 out of 3 tanks injecting to 3 Not applicable out of 3 intact cold legs. Containment Cooling 4 out of 8 CCUs to prevent 24 hours Units (CCU) core damage and for containment cooling if 1 RHR HX not available; 2 out of 8 CCUs to prevent containment failure if 1 RHR HX not available. Containment Sprays Not required to prevent core 30 minutes (CS) damage or containment failure.1 out of 2 CS pumps delivering flow to 1 spray header needed for fission product scrubbing. Low-Pressure 1 out of 2 pumps injecting to 30 minutes injection (LPI) 2 out of 3 intact cold legs. Component Cooling 1 out of 2 trains of CCW with 24 hours Water (CCW) 2 out of 3 CCW pumps operating supplying the operating RHR train. 13

l l High Pressure 1 out of 2 RHR pumps,1 10 hours Recirculation (HPR) sump valve on 1 out of 2 trains,2 out of 4 high pressure pumps (CCPs or SIPS) and valves to 2 out of 3 intact loops. Low Pressure 1 out of 2 RHR pumps,1 out 10.5 hours Recirculation (LPR) of 1 sump valve on 1 out of 2 trains to 1 out of 3 intact loops. Containment Spray Not required to prevent core 23.5 hours Recirculation (CSR) damage or containment failure.1 out of 2 CS pumps, 2 out of 2 sump valves in series open on 1 out of 2 trains for fission product scrubbing. Hot Leg Not required to prevent core 13 hours Recirculation (HLR) damage or containment failure. Low Pressure: Alignment of 1 out of 2 RHR pumps,1 out of 2 RHR cross-connect valves opens,1 out of 1 hot leg valve opens,2 out of 2 cold leg valves close and flow to 2 out of 2 hot legs, or alignment retumed to cold leg injection to prevent interruption of recirculation flow. l Hioh Pressure: Alignment of 1 out of 2 RHR pumps to 1 out of 2 Si pumps,1 out of 2 1 Si cross-connect valves close,1 out of 1 hot leg valve opens and cold leg valve closes, flow to 2 out of 2 hot legs, or alignment retumed to cold leg injection to prevent interruption of recirculation flow (1 out of 2 CCPs). Containment Not required to prevent core Not applicable Isolation (Cl) damage. Identified penetrations >2 inches must - be closed to reduce offsite doses. 14

i 4 h Table FE6 3 Small LOCA Plant Response Tree System Success Criteria Top Event Success Criteria Mission Time Reactor Trip (RT) Reactor trip breakers open. Not applicable Refueling Water 2631,478 gal. 22400 ppm 24 hours Storage Tank (TK) boron, tank intact. Auxiliary Feedwater 1 out of 3 pumps to 2 out of 4 5 hours (AFW) SGs with steam relief from 1 out of 5 safety valves /SG. High-Pressure 1 out of 2 pumps injecting to 3 hours Injection via CCP 3 out of 4 cold legs. l (CCP) High-Pressure 1 out of 2 pumps injecting to 6 hours injection via SIP 3 out of 4 cold legs. (SIP) High-Pressure 1 out of 2 pumps injecting to 3 hours injection via CCP 3 out of 4 cold legs. (HPI) Secondary-Side 2 out of 4 SG atmospheric Not applicable Depressurization relief valves (1/SG fed by (SGP) AFW) or 3 out of 3 steam dumps open. Primary-Side 1 out of 2 pressurizer PORVs Not applicable Depressurization open (and block valves if (PRP) necessary). Primary-Side 1 out of 2 pressurizer PORVs Not applicable Depressurization open (and block valves if (PZR) necessary). I Accumulators (ACC) 3 out of 4 tanks injecting to Not applicable cold legs. Containment Cooling 4 out of 8 CCUs to prevent 24 hours Units (CCU) core damage and for containment cooling if 1 RHR HX not available: 2 out of 8 CCUs to prevent containment failure if 1 RHR HX not available. 15

Contrinment Sprays Not required to prevent core 1 hour (CS) damage or containment failure.1 out of 2 CS pumps delivering flow to 1 spray i header needed for fission product scrubbing. Low-Pressure 1 out of 2 pumps injecting to 1 hour injection (LPl) 3 out of 4 cold legs. Component Cooling 1 out of 2 trains of CCW with 24 hours Water (CCW) 2 out of 3 CCW pumps operating supplying the operating RHR train. Normal Charging i out of 2 CCPs and the 21 hours (NCH) opening of valves in the normal charging flow path Normal RHR (RHR) 1 out of 2 RHR pumps,2 out 21 hours of 2 hot leg suction valves j open on 1 out of 2 trains and j discharge to 2 out of 4 cold ) legs. I High Pressure 1 out of 2 RHR pumps,1 out 21 hours for CCPs Recirculation (HPR) of 1 sump valve on 1 out of 2 18 hours for SIPS trains, and 1 out of 2 CCPs or i out of 2 SIPS to 3 out of 4 cold legs. Low Pressure 1 out of 2 RHR pumps,1 out 23 hours Recirculation (LPR) of 1 sump valve on 1 out of 2 trains to 2 out of 4 cold legs. Containment Spray Not required to prevent core 23 houts Recirculation (CSR) damage or containment failure.1 out of 2 CS pumps, 2 out of 2 sump valves in series open on 1 out of 2 trains for (ission product scrubbing. Containment Not required to prevent core Not applicable isolation (Cl) damage. Identified penetrations >2 inches must be closed to reduce offsite doses. 16 = -

.--_____.__m__._ l Table FE6-4 Steam Generator Tube Rupture Plant Response Tree System Success Criteria Top Event Success Criteria Mission Time Reactor Trip (RT) Reactor trip breakers open. Not applicable Auxiliary Feedwater 1 TDAFW pump or 2 5 hours (AFW) MDAFW to 3 out of 3 intact SGs with steam relief from 1 out of 5 safety valves /SG. Refueling Water 2631,478 gal. 22400 ppm 24 hours Storage Tank (TK) boron, tank intact. High-Pressure 1 out of 4 pumps 3 hours injection (HPI) (CCPs/ SIPS) injecting to 3 out of 4 cold legs with AFW. 1 out of 2 CCPs injecting to 3 out of 4 cold legs without AFW. Terminate AFW to 2 out of 2 AFW valves to Not applicable Ruptured SG (AFR) ruptured SG close. MSIV Closure (MSR, 1 out of 2 MSIVs on ruptured Not applicable l MSI) SG close (MSR); 1 out of 2 MSIVs on 3 out of 3 intact SGs close (MSI). Secondary-Side 3 out of 3 intact SG ARVs Not applicable Depressurization open or 3 out of 3 steam i (SGP) dump valves open (MSR successful) Or 3 out of 3 intact SG ARVs open (MSR fails). Primary Pressure 1 out of 2 pressurizer PORVs Not applicable Relief (PRP) open (and block valves if necessary) Primary Side 1 out of 2 pressurizer PORVs Not applicable Depressurization open (and block valves if (PZR) necessary) Containment Cooling 4 out of 8 CCUs to prevent 24 hours Units (CCU) core damage and for containment cooling if 1 RHR HX not available; 2 out of 8 CCUs to prevent containment failure if 1 RHR HX not available. 17

Containment Sprays Not required to prevent core 1 hour (CS) damage or containment failure.1 out of 2 CS pumps delivering flow to 1 spray header needed for fission product scrubbing. Component Cooling 1 out of 2 trains of CCW with 24 hours Water (CCW) 2 out of 3 CCW pumps operating supplying the operating RHR train. Normal RHR (RHR) 1 out of 2 RHR pumps,2 out 21 hours of 2 hot leg suction valves open on 1 out of 2 trains and discharge to 2 out of 4 cold legs. High Pressure 1 out of 2 RHR pumps,1 out 21 hours Recirculation (HPR) of 1 sump valve on 1 out of 2 trains, and 1 out of 2 CCPs or 1 out of 2 SIPS to 3 out of 4 cold legs. Containment Spray Not required to prevent core 23 hours Recirculation (CSR) damage or containment failure.1 out of 2 CS pumps, 2 out of 2 sump valves in senes open on 1 out of 2 trains for fission product scrubbing, j Containtnent Not required to prevent core Not applicable Isolation (Cl) damage. Identified penetrations >2 inches must be closed to reduce offsite doses. 18

_ _ -. - - ~ _ - ~ - -. l l Table FE6-5 Secondary Side Break Plant Response Tree System Success Criteria Top Event Success Criteria Mission Time Reactor Trip (RT) Reactor trip breakers open. Not applicable Refueling Water 2631,478 gal. 22400 ppm 24 hours Storage Tank (TK) boron, tank intact. Steam Generator Isolatable Break: 1 out of 2 Not applicable isolation (SGI) MSIVs and a MFIV or MFRV (and associated bypass valves) close on 3 out of 4 SGs. Non-Isolatable Break: AFW to faulted SG isolated and; 1 out of 2 MSIVs and MFIVs (and associated bypass valves) close on faulted SG, or 1 out of 2 MSIVs and a MFIV or MFRV (and associated bypass valves) close ori 3 out of 4 intact SGs. Auxiliary Feedwater 1 out of 3 pumps to 2 out of 3 5 hours (AFW) intact SGs with steam relief from 1 out of 5 safety valves /SG. High-Pressure 1 out of 4 pumps 3 hours for break injection (HPI) (CCPs/ SIPS) injecting to 3 outside containment out of 4 cold legs with AFW. (no CS); 1 hour for 1 out of 2 CCPs injecting to 3 break inside out of 4 cold legs without containment (with AFW. CS) RCS Bleed (PZR) 1 out of 2 pressurizer PORVs Not applicable open (and block valves if necessary) Containment Cooling 4 out of 8 CCUs to prevent 24 hours Units (CCU) core damage and for containment cooling if 1 RHR HX not available; 2 out of 8 CCUs to prevent containment failure if 1 RHR HX not available. 19 i

_.._m_.__ Containment Sprays Not required to prevent core 1 hour (CS) damage or containment failure.1 out of 2 CS pumps delivering flow to 1 spray header needed for fission product scrubbing. Component Cooling 1 out of 2 trains of CCW with 24 hours Water (CCW) 2 out of 3 CCW pumps operating supplying the operating RHR train. High Pressure 1 out of 2 RHR pumps,1 out 21 hours without CS Recirculation (HPR) of 1 sump valve on 1 out of 2 23 hours with CS trains, and 1 out of 2 CCPs or 1 out of 2 SIPS to 3 out 4 cold legs. Containment Spray Not required to prevent core 23 hours Recirculation (CSR) damage or containment failure.1 out of 2 CS pumps, 2 out of 2 sump valves in senes open on 1 out of 2 trains for fission product scrubbing. Containment Not required to prevent core Not applicable isolation (Cl) damage, identified penetrations >2 inches must be closed to reduce offsite doses. a 20 1

Table FE6-6 General Transients Plant Response Tree System Success Criteria Top Event Success Criteria Mission Time Reactor Trip (RT) Reactor trip breakers open. Not applicable Turbine Trip (TT) Turbine tripped (stop valves Not app!icable close). Auxiliary Feedwater 1 out of 3 pumps to 2 out of 4 5 hours (AFW) SGs with steam relief from 1 out of 5 safety valves /SG. Condensate Feed 1 out of 3 condensate 5 hours (CON) pumps,1 out of 4 bypass feedwater reg. valves open, 1 out of 4 bypass feedwater isolation valves open,1 out of 4 main feedwaterisolation valves open, SG feed pump discharge valves open, with flow to 1 out of 4 SGs. Main Feedwater 1 out of 2 SG feed pumps 5 hours (MFW) with associated equipment providing flow to 1 out of 4 SGs. Secondary-Side 1 out of 1 SG ARV or 3 out of Not applicable Depressurization 3 steam dumps open. (SGP) Refueling Water 2631,478 gal. 22400 ppm 24 hours 1 Storage Tank (TK) boron, tank intact. High-Pressure 1 out of 2 CCPs injecting to 3 3 hours injection (HP!) out of 4 cold legs. j RCS Bleed (PZR) 1 out of 2 pressurizer PORVs Not applicable open (and block valves if necessary) Containment Cooling 4 out of 8 CCUs to prevent 24 hours Units (CCU) core damage and for containment cooling if 1 RHR HX not available; 2 out of 8 CCUs to prevent containment failure if 1 RHR HX not available. 21

f Containment Sprays Not required to prevent core 1 hour (CS) damage or containment failure.1 out of 2 CS pumps delivering flow to 1 spray header needed for fission product scrubbing. Component Cooling 1 out of 2 trains of CCW with 24 hours Water (CCW) 2 out of 3 CCW pumps operating supplying the operating RHR train. High Pressure 1 out of 2 RHR pumps,1 out 21 hours Recirculation (HPR) of 1 sump valve on 1 out of 2 trains, and 1 out of 2 CCPs or 1 out of 2 SIPS to 3 out 4 cold legs. Containment Spray Not required to prevent core 23 hours Recirculation (CSR) damage or containment failure.1 out of 2 CS pumps, 2 out of 2 sump valves in series open on 1 out of 2 trains for fission product scrubbing. Containment Not required to prevent core Not applicable Isolation (Cl) damage. Identified penetrations >2 inches must be closed to reduce offsite doses. i 22

_ ~. ~. - - - -.. -. - - -........ -.. - _ ~.-. 1 Table FE6-7 ATWT Plant Response Tree System Success Criteria 3 Top Event Success Criteria Mission Time l CRDM MG Sets 2 out of 2 MG sets Not applicable (MG) deenergized. t Control Rod System Control rods inserted at least 1 minute (CR) 48 steps for at least 1 minute. { i AMSAC (AM) Turbine tripped and AFW Not applicable actuated. Auxiliary Feedwater For power level above 40% 5 hours (AFW) and MG fails,4 out of 5 safeties open on 4 out 4 i SGs, and either 3 out of 3 AFW pumps to 4 out of 4 SGs, or 2 out of 2 MD AFW pumps or 1 out of 1 turbine-driven AFW pump to 4 out of 4 SGs. For powerlevel less than l 40%, or if MG successful,1 out of 3 pumps to 2 out of 4 SGs with 1 out of 5 safeties open/SG. Primary Pressure 3 out of 3 pressurizer safety Not applicable Relief (PPR) valves and either 2 out of 2, 1 out of 2, or no PORVs (and block valves if necessary). Pressurizer PORVs 3 out of 3 pressurizer safety Not applicable - 1 Close (PVC) valves close and either 2 out of 2 PORVs or block valves close,1 out of 2 PORVs or block valves close, or no PORVs or block valves close. Secondary-Side All secondary ARVs and Not applicable Valves Close (SSC) safeties reclose after SG pressure decreases. Main Steam isolation 1 out of 2 MSIVs on 3 out of Not applicable (MSV) 4 SGs close. Refueling Water 2631,478 gal. 22400 ppm 24 hours Storage Tank (TK) boron, tank intact. 23 m --~-" '+'"-

._.. _ _ _ _ _... _ _ _. _ _ _ _ _.. _. _ - _. _ _ ~ i s Emergency Boration 1 out of 2 boric acid transfer 6 hours (EBR) pumps and boric acid storage tank to 1 out of 2 CCPs, and t CCP suction valve opens. High-Pressure 1 out of 4 pumps 3 hours injection (HPI) (CCPs/ SIPS) injecting to 3 out of 4 cold legs with AFW. 1 out of 2 CCPs injecting to 3 out of 4 cold legs without AFW. RCS Bleed (PZR) 1 out of 2 pressurizer PORVs Not applicable open (and block valves if necessary) Containment Cooling 4 out of 8 CCUs to prevent 24 hours Units (CCU) core damage and for containment cooling if 1 RHR HX not available; 2 out of 8 CCUs to prevent containment failure if 1 RHR HX not available. Containment Sprays Not required to prevent core 1 hour (CS) damage or containment failure.1 out of 2 CS pumps delivering flow to 1 spray header needed for fission product scrubbing. Component Cooling 1 out of 2 trains of CCW with 24 hours Water (CCW) 2 out of 3 CCW pumps operating supplying the operating RHR train. High Pressure 1 out of 2 RHR pumps,1 out 21 hours Recirculation (HPR) of 1 sump valve on 1 out of 2 trains, and 1 out of 2 CCPs or i out of 2 SIPS to 3 out 4 cold legs. Containment Spray Not required to prevent core 23 hours Recirculation (CSR) damage or containment failure.1 out of 2 CS pumps, 2 out of 2 sump valves in senes open on 1 out of 2 trains for fission product scrubbing. Containment Not required to prevent core Not applicable Isolation (Cl) damage. Identified penetrations >2 inches must be closed to reduce offsite doses. 24

Table FE6-8 Station Blackout Plant Response Tree System Success Criteria Top Event Success Criteria Mission Time Pressurizer PORVs 3 out of 3 pressurizer safety Not applicable Close (PVC) valves and 2 out of 2 PORVs stay closed or reclose after opening. AFW Turbine-Driven Flow to 3 out of 4 SGs with 4 hours Pump (TDP) steam relief from 1 out of 5 safeties /SG. Secondary-Side 3 out of 4 ARVs open and 4 Not applicable Depressurization out of 4 accumulators inject. (SSD) AFW Turbine-Driven Flow to 3 out of 4 SGs with 4 hours with Pump Continues steam relief from 1 out of 5 cooldown (TDC) safeties /SG (manual flow 20 hours without control). Cooldown AC and DC Power One train of AC and DC 24 hours Restored (RPW) power (Note: restoration of two trains was modeled in the IPE). NSCW Restored 2 out of 3 NSCW pumps 24 hours (RWS) provide flow (Note: restoration of two trains was modeled in the IPE). Auxiliary Feedwater 1 out of 3 pumps to 2 out of 4 5 hours (AFW) SGs with steam relief from 1 out of 5 safety valves /SG. Refueling Water 2631,478 gal. 22400 ppm 24 hours Storage Tank (TK) boron, tank intact. High-Pressure 1 out of 4 pumps 3 hours injection (HPI) (CCPs/ SIPS) injecting to 3 out of 4 cold legs with AFW. 2 out of 2 CCPs injecting to 3 out of 4 cold legs without AFW. Pressurizer PORVs 1 out of 2 pressurizer PORVs Not applicable (PZR) open (and block valves if necessary) l 1 l i 25

Containment Cooling 4 out of 8 CCUs to prevent 24 hours Units (CCU) core damage and for containment cooling if 1 RHR HX not available; 2 out of 8 CCUs to prevent containment failure if 1 RHR HX not available. Containment Sprays Not required to prevent core 1 hour (CS) damage or containment failure.1 out of 2 CS pumps delivering flow to 1 spray header needed for fission product scrubbing. Component Cooling 1 out of 2 trains of CCW with 24 hours Water (CCW) 2 out of 3 CCW pumps operating supplying the operating RHR train. High Pressure 1 out of 2 RHR pumps,1 out 21 hours Recirculation (HPR) of 1 sump valve on 1 out of 2 trains, and 1 out of 2 CCPs or 1 out of 2 SIPS to 3 out 4 cold legs. Containment Spray Not required to prevent core 23 hours Recirculation (CSR) damage or containment failure.1 out of 2 CS pumps, 2 out of 2 sump valves in series open on 1 out of 2 trains for fission product scrubbing. Containment Not required to prevent core Not applicable Isolation (Cl) damage. Identified penetrations >2 inches must be closed to reduce offsite doses. l l 26 i l

1 Table FE6-9-1 Loss ofInstrument Air Plant Response Tree System Success Criteria Top Event Success Criteria Mission Time Unit 2 Air 4 out of 7 air compressors, 24 hours Compressors (U2C) and isolation valves between l the units open. Table FE6-9 2 Loss of Nuclear Service Cooling Water Plant Response Tree System Success Criteria Top Event Success Criteria Mission Time NSCW One Pump 1 out of 2 NSCW standby 24 hours Operation (RSW) pumps and associated valves. Establish Seal 1 out of 2 charging pumps 24 hours injection (SINJ) and associated valves providing RCP sealinjection, j Containment Not required to prevent core Not applicable isolation (Cl) damage. Identified penetrations >2 inches must be closed to reduce offsite doses. 27

Table FE6-9-3 Reactor Vessel Rupture Plant Response Tree System Success Criteria Top Event Success Criteria Mission Time Containment Cooling 2 out of 8 CCUs to prevent 24 hours Units (CCU) containment failure. Containment Sprays Not required to prevent core 30 minutes (CS) damage or containment failure.1 out of 2 CS pumps delivering flow to 1 spray header needed for fission product scrubbing. Containment Not required to prevent core Not applicable Isolation (Cl) damage. Identified penetrations >2 inches must be closed to reduce offsite doses. Table FE6-9-4 Interfacing System LOCA Plant Response Tree System Success Criteria Top Event Success Criteria Mission Time Refueling Water 2631,478 gal. 22400 ppm 24 hours Storage Tank (TK) boron, tank intact. High-Pressure 2 out of 4 pumps 24 hours Injection (HPl) (CCPs/ SIPS) injecting to 2 out of 4 cold legs. Containment Cooling 2 out of 8 CCUs to prevent 24 hours Units (CCU) containment failure. Containment Sprays Not required to prevent core 1 hour (CS) damage or containment failure.1 out of 2 CS pumps j delivering flow to 1 spray header needed for fission product scrubbing. 28

Ouestion 7 It is not clear from the submittal whether plant changes as a result of the Station Blackout rule were credited in the analysis. Please provide the following: Identify whether plant changes (e.g., procedures for load shedding, alternate ac power) a. made in response to the blackout rule were credited in the IPE and identify the specific plant changes that were credited.

b. If available, identify the totalimpact of these plant changes on the total plant CDF and on the station blackout CDF (i.e., reduction in total plant CDF and station blackout CDF)

If available, identify the impact of each individual plant change on the total plant CDF c. and on the station blackout CDF (i.e., reduction in total plant CDF and station blackout CDF) P

d. Identify any other changes to the plant that have been implemented or are planned to be implemented that are separate from those in response to the station blackout rule that reduce the station blackout CDF Identify whether the changes in d. above are implemented or planned e.

f. Identify whether credit was taken for the changes identified in d. above, in the IPE

g. If available, identify the impact of the changes identified in d. above, on the station blackout CDF.

Response 7

a. The only plant improvement specifically identified, resulting from the Station Blackout rule that was taken credit for in the IPE, was the opening of the Control Building electrical equipment room doors. As indicated in Section 6.3 of the IPE report no credit was taken for load shedding or possible sources of alternate AC power.

b. The total specific impact of the plant change due to implementation of the procedure noted in 7.a above is not available. This change was one of numerous items noted in the recovery process. The changes which resulted from a recovery meeting were taken collectively and incorporated into the model and a new CDF was calculated. The revised model was then used as the basis for the next recovery meeting. The impact, however, is included as part of the 49% CDF change noted in the response to question 1.b.

29 .I

c. This information is not available (see 7.b. above).

d. An additional offsite power source, the standby auxiliary transformer (SAT), has been added to the low voltage switchyard. The SAT will serve as a swing offsite power source capable of connecting to any one of the 4160 Volt, Class lE safety busses on either unit. The high side of the SAT is connected, by underground cable, to the Plant Wilson combustion turbine switchyard of GPC's Plant Wilson. The underground cable for the SAT can be fed either from the offsite grid or from Plant Wilson. Plant Wilson is a combustion turbine plant (6 CT's) adjacent to the Plant Vogtle boundary and is under the direct authority of Plant Vogtle management. Proposed Technical Specification (TS) changes associated with this design change will extend the allowed outage time (AOT) for the diesel generators from 3 to 7 days (provided the SAT is available) and provide for a one time per refueling cycle AOT of 21 days to allow on line diesel maintenance (again provided the SAT is available).

The Unit I design (noted in d above) was installed and functionally tested during 1994 e. Fall refueling outage. The Unit 2 design was installed and tested during the Spring 1995 outage. The TS changes have been submitted to the NRC for approval. f. No, the SAT was a post IPE submittalimprovement.

g. The Plant Wilson (SAT) design decreases the IPE CDF by 33.3 percent based on a conservative analysis performed on the top 85 IPE accident sequences which contribute a total of 71% of the CDF. The station blackout contribution to the CDF changes from 61% to 47%.

Ouestion 8 The IPE submittal does not provide the basis for the RCP seal LOCA model. a. Provide the basis for the IPE RCP seal LOCA model.

b. As stated on page 6-12 of the submittal, current procedures related to loss of nuclear service cooling water (NSCW) instruct the operator to trip the RCPs. However, the operator's failure to trip the RCPs is not included in the PRT for loss of NSCW.

Explain why the failure of the operator to trip the RCPs in not reflected in the PRT for loss of NSCW.

c. Provide a discussion of the time-to-seal failure and the resultant leakage for the situation in which all cooling to an operating RCP is lost and the RCP is not tripped by the operators.

30

Resoonse 8 The following responses provide information regarding the RCP seal LOCA model. a. The probabilistic RCP seal LOCA model outlined in Reference 1, with the added conservatism outlined in Reference 2, is used for the calculations of seal failure leading to core uncovery as a function of time., Three postulated failure mechanisms for the reactor coolant pump (RCP) seal system binding and/or seal popping open are addressed for the number 1 and number 2 seals. Seal binding and seal popping open of either the number 1 seal or the number 2 seal are modeled as immediate failures (within the first 10 to 15 minutes of the event). The third seal is assumed to failif both the number 1 seal and the number 2 seal bind or pop open. Binding or popping open of the second sealis also modeled as a possible immediate failure if the number 1 seal does not bind or pop open or if the number 10-ring extrudes. Failure of the third seal (binding or popping open) is postulated only if the third seal is subjected to exposure, i.e., the number 2 seal fails. O-ring extrusion is modeled as a time dependent failure with the failure rate changing (increasing) as a function of time. Two 0-rings in each seal are conservatively considered to be critical to sealing in each seal section. If either critical 0-ring fails, then the seal leakage is postulated to increase. If the number I critical 0-rings do not fail in the first hour, there is an increased probability that one will fail in the second hour. O-ring extrusions of the second and third seals are only postulated if the seal is exposed to high temperature, or if the preceding seal fails. The model was simplified for use in the Vogtle IPE because the Vogtle RCP seal 0-rings have been replaced with 0-rings qualified for high temperature conditions. Therefore, following a loss of all cooling, only the failure mechanism identified as catastrophic binding of the pump shaft or seal popping are addressed. These postulated seal failures would occur within the first hour and would result in a seal LOCA of 480 gpm/ pump. There is no other time dependence associated with the model when considering the O-rings installed at Vogtle. If there are no seal failures, the expected sealleakage is 21 gpm. If the number i seal and the number 2 seal either bind or pop open, the maximum seal leakage is postulated to be 480 gpm. 31

An event tree was developed to model the seal failures at each hour. However, only the event tree for the first hour applies to the Vogtle IPE because of the high temperature O-rings, as described in the second paragraph of this response. In this event tree, only the immediate failures are addressed (seal binding and seal popping open). If no failures occur, then the sealleakage rate of 21 gpm is shown on the first path. The combinations of binding and popping failures define the potentialleakage rates. If the number 1 seal does not bind or pop, and the number 2 seal does, then the leakage rates depend on whether the number 3 seal remains intact. If the number 3 seal does not fail the leakage rate is 57 gpm; if the number 3 seal fails, the leakage rate is 183 gpm. If the number 1 seal either binds or pops and the number 2 seal remains intact, the leakage rate increases to 76 gpm. If the number 1 and number 2 seal both fail from either binding or popping, then the leakage rate increases to the maximum of 480 gpm. The leakage rates shown on Figure 1 om postulated to begin in the first hour and continue at these rates at succeeding hours. 32

M M M M M M MMM MM P P P P P P PPP PP G G G G G G GGG GG 1 7 3 7 3 6 006 00 2 5 8 5 8 7 887 88 1 1 44 44 SGT NO 3INL .R I O OA r NODF uo H 3S L .ETI t OOOA s NDNF r i F SGT e NO h 2INL 1t .R I O OA eg NODF rn 1 ui 1 gr 2S iu .ETP FD OOOO NDNP eg a 2S D k .ETN a OOOI e NDNB L l S a GT e NO S 1INL .R I O OA NODF S 2.E T P OOOO NDNP ,i 2S D .ETN OOOI NDNB 1S.ETP OOOO NDNP 1S D .ETN OOOI NDNB F G O N I SLL SAO OEO LSC

. b. For the loss of nuclear service cooling water initiating event, plant response tree top event OSW is the operator action to establish one NSCW pump operation by continued operation of the auxiliary component cooling water system while reducing the heat loads to keep the RCP seals cooled, then establishing the single NSCW pump by isolating NSCW loads and starting the standby pumps. This top event is shovm on Vogtle IPE Submittal Figure A.9-2. The description of the one NSCW pump operation is in submittal Section 6, Plant Improvements and Unique Safety Features (page 6-2). Operator action OSW models a subset of the actions listed on submittal page 6-3 for this procedural improvement. The actions modeled for OSW maintain RCP seal cooling. The actions modeled include reducing the ACCW and NSCW loads and starting the standby NSCW pumps. The actions do not explicitly include tripping the RCPs, however, it is judged that the actions modeled would still dominate the OSW failure probability ifit included the failure to trip the RCPs. Based on the IPE core damage frequency results, OSW is not an important contributor and small changes in the OSW failure probability are not significant.

c. The probability of a complete loss of RCP seal cooling is low due to the systems which provide cooling. The RCP thermal barrier heat exchanger is cooled by auxiliary component cooling water (ACCW), which is cooled by nuclear service cooling water.

As mentioned in the part (b) response, ACCW does not immediately fail upon loss of NSCW cooling allowing time for operator recovery action. The charging pumps provide seal injection, which will cool the seals if ACCW fails. The charging pumps are also cooled by NSCW. As shown on Vogtle submittal Table 3.1-1, the yearly loss of NSCW is calculated to be 1.4E-04 which makes the loss of RCP seal cooling a low probability event. If RCP seal cooling is lost and the pumps are not tripped, then the maximum seal leakage of 480 gpm is assumed because the seal failure would be an immediate failure as described in part (a). References 1. Westinghouse Electric Corporation, " Reactor Coolant Pump Seal Performance Following a Loss of All AC Power", WCAP-10541, Revision 2, November 1986. 2. Westinghouse Electric Corporation, "RCP Seal Integrity, Generic Issue B-23 Slides Presented to the NRC", WCAP-11550, July 1987. Ouestion 9 The PRT for station blackout contains two recovery actions that are not clearly explained in the IPE submittal. These events are ORS," operator action to restore systems following loss of offsite power / station blackout," and RPW, " restore power systems." Pleasa liicmiiy: l a. The specific recovery activities modeled, 34

b. The time available for these activities, and

c. How sequence-specific considerations were addressed.

Response 9 a. b. & c. The station blackout plant response tree top event ORS is the operator action to restore systems following loss of offsite power / station blackout. The primary and immediate objective of this action is to restore power to and operation ofessential systems after at least one AC emergency bus has been energized. Following plant procedures, the operator would perform the following actions after AC power is restored: Restore DC loads Energize 480V AC switchgear Energize battery chargers, instrumentation and control, emergency lighting, communications, and batterf room fans Reset containment isolation phase A (if actuated) Verify instrument air available Start ACCW and CCW pumps Align reactor makeup system Start CCP or CCP and SIP Align for either normal charging or ECCS injection Start containment fan coolers Start RHR pump (if SI required) Establish RCP seal cooling These actions were included during the determination of the human error probability for ORS. The time available to complete these actions is 30 minutes, which represents the time the operator has from restoration of power to establishing core cooling prior to core damage. Sequence-specific actions have been addressed by the incorporation of the maximum number of actions which would be required at the point in the event tree where ORS is addressed. For example, the operator action includes starting the RHR pump, although it may not always be required based on the success of prior top events in the plant response tree. The station blackout plant response tree top event RPW (restore power systems) models the AC and DC systems restored by the operator action ORS. Following restoration of AC power, the ESF AC buses and DC buses must energize. The battery chargers are loaded onto the ESF AC buses to provide DC power to the DC buses. To obtain the failure probability for RPW, the equipment failure probabilities for all trains of AC and DC power were combined. RPW models only equipment failures for the electric systems restored. It does not include operator failures. Success for RPW is defined as energizing both trains of AC and DC power. 35

m. Question 10 The PRT for station blackout includes events related to the recovery of offsite power, however, an explanation of the model for offsite power recovery could not be found in the IPE submittal. Please explain the offsite recovery model used in the analysis, specifically: a. The basis for the recovery model,

b. How plant-specific considerations were accounted for in the recovery model, and The offsite power recovery curve or data used in the analysis.

c. Besnonse 10 a. b. & c. Recoven of offsite power is quantified as a probability distribution. The distribution is based on the power recovery curve for cluster group 1 in NUREG 1032 (Reference 1). The probability of recovering power is categorized in NUREG-1032 by factors which are determined for the site: the plant's switchyard configuration (I), losses of offsite power from grid-related events (GR), the probability oflosing ofTsite power from severe weather conditions (SR), and the probability oflosing offsite power from extremely severe weather events (SS). Recovery factors are also applied. These definitions are also consistent with the definitions and methodology outlined in Regulatory Guide 1.155 (Reference 2). Plants are categorized as belonging to one of five offsite power cluster groups, based on the factors I, GR, SR, SS and the recovery factors. Figure A.15 of NUREG-1032 shows the distributions of the estimated frequency of occurrence oflosses of offsite power exceeding specified durations for 5 offsite power cluster groups. Analysis of the factors for Vogtle Units 1 and 2 showed that these plants could be placed in power recovery cluster group 1. Therefore, the power recovery distribution for cluster group I was used to model the recovery of offsite power. The frequency distributions were converted to probabilities (normalized to 1.0 at time 0) and are used to determine the probability ofrecovering power for each of the power cluster groups. The table below shows the data used based on cluster group 1. Probability of Non-Recovery of OfTsite Power, and Conditional Probabilities, at Each Hour Probability Power Conditional Hour Not Recovered Probability 0 1.00E+00 1 2.48E-01 0.248 2 6.15E-02 0.248 3 4.27E-02 0.694 4 2.96E-02 0.693 36 .r ._N6y_--

5 2.46E-02 0.831 6 2.05E-02 0.833 7 1.71E-02 0.834 8 1.42E-02 0.832 9 1.27E-02 0.894 10 1.14E-02 0.898 11 1.02E-02 0.895 12 9.17E-03 0.898 13 8.22E-03 0.897 14 7.36E-03 0.895 15 6.60E-03 0.897 16 5.92E-03 0.897 17 5.30E-03 0.895 18 4.75E-03 0.896 19 4.26E-03 0.897 20 3.82E-03 0.897 21 3.42E-03 0.895 22 3.07E-03 0.898 23 2.75E-03 0.896 24 2.47E-03 0.898 The conditional probability is the probability of failing to recover power in a specific hour given the failure to recover power in the previous hour. For example, the probability of not recovering power at hour 3 is 4.27E-02. The conditional probability of not recovering power at hour 3 is.694 given that the probability of not recovering power at hour 2 is 6.1SE-02 (i.e.,.694 = 4.27E-02/6.1SE-02). The power recovery distribution is used for the station blackout event tree to evaluate three top events: lHR, XHR and YHR lHR -(AC Power Restored in 1 Hour)- This top event is successfully restoring AC power within I hour. AC power must be restored within I hour if either a pressurizer safety relief valve fails open or the turbine driven AFW pump fails to start. The failure of this top event is quantified as the probability that power is not restored at one hour as determined from the power recovery distribution. XHR -( AC Power Restored Before Core Damace Occurs in X Hours) - Conservatively l assuming the turbine-driven AFW pump loses DC control power at four hours, and the I pump cannot be manually controlled, the secondary side begins to boil and eventually decay j heat removal would be lost and the core would start to uncover. Following the loss of flow j from the turbine-driven AFW pump, AC power must be restored within about the next 2 hours to prevent core damage if the RCS cooldown was not successful (XHR = 6 hours). This success criterion is coupled with high pressure SI recovery. If the cooldown was ] successful, AC power must be restored within the next 4 hours (XHR = 8 hours). If RCS cooldown is successful, the condensate storage tank (CST) inventory would last for approximately 8 hours and AC power must be restored within about the next 5 hours (XHR l 37 I l l j

= 13 hours). If the RCS cooldown is not successful, the CST will contain sufficient inventory for over 24 hours. AC power must be restored within 16 hours to address core uncovery from the minimum RCP seal LOCA (XHR = 16 hours). The conditional failure probability is determined from the power recovery distribution. YHR -(AC Power Restored Before Containment Failure Occurs in Y hours)- If AC power is not restored in time to prevent core damage, then this top event addresses restoring AC power to prevent containment failure. If core damage occurs, then AC power must be restored within some time period following vessel failure to activate containment aystems. To conservatively bound the situation in which a pressurizer relief valve sticks open or RCP sealleakage becomes high early in the transient, a single time of 20 hours following the start of station blackout is selected for YHR. Based on XHR times of 1,6, 8,13, and 16 hours, power must be restored within 19,14,12, 7, and 4 hours respectively, following these core uncovery times to prevent containment failure. The failure probability of YHR is determined as a conditional probability from the AC power recovery distribution at each of the designated hours. References 1. U. S. Nuclear Regulatory Commission, " Evaluation of Station Blackout Accidents at Nuclear Power Plants," NUIEG-1032, June 1988. 2. U. S. Nuclear Regulatory Commission, Regulatory Guide 1.155, Station Blackout, June 1988. Question i1 The IPE submittal does not appear to identify all the types of failures considered in the modeling of an interfacing system LOCA (ISLOCA). Quantification of an ISLOCA initiating event is provided in Table 3.1-1 of the submittal with no accompanying discussion of the types ofISLOCAs that are represented. Pages 4-64 and C-4 of the submittalindicate that the base-case ISLOCA was modeled as a 0.1 square foot break in the RHR hot-leg outside containment and that this area was based on an upper bound of the pump seals. However, it is not clear whether other ISLOCAs beyond this base case were considered. NUREG-1335 requests that the rationale for grouping ofinitiating events be provided. a. Describe the method used to identify ISLOCAs.

b. Describe all the types ofISLOCA that are accounted for in the IPE analysis.

c. Provide the basis used to exclude any category ofISLOCA from the analysis. 38

Response 11 a. ISLOCAs can be divided into two categories according to the location of reactor coolant system loss relative to containment: those for which the coolant remains within containment and those for which the coolant escapes the containment. In general, the potential consequences of an ISLOCA outside containment are more severe than those of an ISLOCA inside containment. The limiting factor in an ISLOCA inside containment is the loss of the function performed by the breached interfacing system. The limiting factors in an ISLOCA outside containment are the loss of the function performed by the breached interfacing system, the failure of containment isolation, and the loss of emergency core coolant inventory for long term core cooling. If an ISLOCA outside containment cannot be isolated before a significant fraction of the reactor coolant inventory escapes the RCS, a significant release of fission products to the environment may result. Because they are generally more severe, the Vogtle Electric Generating Plant (VEGP) IPE assumed ISLOCAs outside containment bounded those inside containment. The ISLOCAs were identified from the systems which interface with the Reactor Coolant System (RCS) and may be subjected to normal RCS operating pressure. Specifically, the emergency core cooling system (low pressure injection, accumulators, high pressure injection), chemical and volume control system, auxiliary component cooling water to the reactor coolant pumps, and the sampling system were examined. VEGP piping and instrumentation drawings were examined to identify all significant ISLOCA flow paths. Significan* ' ..iths are those with a diameter greater than 3/8 inch and through which low p

a. piping outside containment could be exposed to RCS pressure. Further, low pressure piping is any piping system whose pressure boundary would be expected to fail in whole or in part when exposed to normal RCS operating pressure. Two examples of pressure boundary failure are pipe rupture and pump seal failure. Significant ISLOCA pathways were also examined to identify instrumentation and valves which may be useful in diagnosing and isolating an ISLOCA.

The normal alignment, accident alignment, and setpoint or actuation signal were then identified for use in the ISLOCA frequency calculation. l b. In general, all significant pathways from the RCS interfaces to piping outside containment rated for pressures below that of the RCS were examined during the ISLOCA analysis. The total ISLOCA initiating event frequency is the sum of the following individual event frequencies: Reactor Coolant Pump Seal Water Return Line, Reactor Coolant Pump Thermal Barrier Heat Exchanger, Lines to Charging Pump Discharge Header, Safety Injection Pump Discharge Lines, 39 i

RHR Discharge Lines and, RHR Suction Lines. The process of determining the interfacing systems LOCA (ISLOCA) initiating event frequency identified the RHR hot leg suction ISLOCA as a dominant contributor. This ISLOCA is generally considered the most severe ISLOCA due to its effect on the long term heat removal capability of the plant. In this event both RHR pumps are assumed to fail due to the ISLOCA, failing low pressure injection and ECCS recirculation from the containment sump. Therefore, this ISLOCA was chosen for the case to model as shown in the plant responce tree on Figure A.9-4 of the Vogtle IPE submittal. c. Pathways through pipes with an inside diameter less than or equal to 3/8 inches were not considered significant since the maximum RCS flow rate through these pipes is less than the capacity of the normal charging system. Any ISLOCA through pipes this small would not be expected to directly generate a reactor trip or SI signal, giving the operators sufficient time to identify and isolate the leak or take the plant to cold shutdown per the plant Technical Specifications (Reference 1). More specifically, pathways between the accumula. tors, pressurizer relief tank (PRT), and reactor coolant drain tank (RCDT) and piping outside containment are not considered significant pathways for ISLOCA outside containment because the pressure ratings of the accumulators, PRT, and RCDT are significantly below normal RCS pressure. Therefore, the pressure relief valves and/or rupture disks installed on these components would result in primary coolant loss inside containment rather than outside containment. Additionally, pathways through the normal letdown line are not considered significant ISLOCA pathways because ofletdown orifices installed in the lines. The three parallel letdown orifices installed in the normal letdown line are sized to allow a combined maximum RCS letdown flow which, in addition to normal RCP seal injection flow, is below the capacity of normal charging. There is also no credible failure mechanism whereby the effective inside diameter of the letdown orifice is dramatically increased without rupturing the orifice itself. Any catastrophic rupture of a letdown orifice would effectively be a pipe break inside containment at the orifice. Finally, leakage of reactor coolant through the steam generator tubes is excluded from consideration because tube rupture events are addressed as a separate initiating event. References 1. Vogtle Electric Generating Plant Technical Specifications, Limiting Condition for Operation 3.4.6.2. 40

VOGTLE - UNITS 1 AND 2 INDIVIDUAL PLANT EXAMINATION SUBhilTTAL IIUMAN RELIABILITY QUESTIONS I Ouestion i l To identify the more likely accident sequences that could occur and to determine the potential vulnerabilities as a consequence of these severe accidents, an understanding of the potential of the human contribution to an accident is required. Identification of the human events that can disable a system, such as failure to properly restore after test or maintenance or miscalibration of critical instrumentation, are essential to the human reliability analysis. The submittal includes consideration of restoration of a limited number of manual valves after testing. However, no mention is made in the submittal of consideration given to the disabling of a system as a result of miscalibration of critical instrumentation. Please provide a discussion of the rationale and justification for not considering miscalibration of critical instmmentation in the IPE analysis. Resnonse 1 The method used for including pre-initiator human errors in the fault trees used the following guideline. The failure of test and maintenance personnel to return valves, pumps, and other safety system components to their normal position after test and/or maintenance is considered as a credible fault in development of fault tree models if: 1) proper valve positioning cannot be detected using specified pump flow tests; and/or 2) valve or other component misposition is not immediately detectable by status lights and/or alarms at the main control board, and the valve is not automatically realigned by an ESFAS signal. Miscalibration errors were not modeled in the IPE, since such errors would be as likely to produce an early actuation as a delayed or prevented actuation. Moreover, there are normally multiple input signals or actuation devices. Miscalibration errors have seldom been shown to be important in past probabilistic risk assessments. There are numerous procedures that take equipment out of service for test and maintenance, and require operator action to restore that equipment to service. For most powered equipment, the failure of these steps would result in either an annunciator or a status light indication in the control room, alerting the operators to the misposition. The instrument status lights provide clear indication, and checks during each shift and at shift changes would reveal burned out indicators. Further, most safeguards equipment receives confirmatory signals to assume the correct position if an ESFAS signalis generated. Therefore, misposition failures are not included for such equipment, per item 2)in the above guideline. 41 j

For non-powered equipment, such as manual isolation valves, failure to restore to the correct position following a test or maintenance would not be readily detectable by control room personnel. Therefore, misposition errors were included for any manual valve that would disable the functioning of systems modeled in the IPE. Ouestion 2 l The submittal does not clearly describe the method used to identify and select response and recovery-type actions for analysis. The method used should confirm that the plant procedures, design and operational practices and policies were examined and understood in order to identify potential severe accident sequences. Please provide the following: A description of the process that was used for identifying and selecting the response-a. type actions evaluated.

b. A description of the process that was used for identifying and selecting the recovery-type actions evaluated.

Response 2 a. The response-type operator actions were identified and selected through an iterative i process with the use of event sequence diagrams (ESDs). The ESDs, prepared by the event tree or system analysts, show the accident progression, in a block logic format, for the major categories ofinitiating events: large LOCA, medium LOCA, small LOCA, steam generator tube rupture, general transients (e.g., reactor trip, loss of offsite power, steam line break), and anticipated transient without scram. The ESDs display success and failure paths of critical safety functions and operator actions, and take into account (1) Engineered Safety Features (ESF) equipment which actuates automatically following reactor trip or SI signals, (2) the consequences of failure of ESF equipment, and (3) any key decision points or operator actions called for in the e;nergency operating procedures (EOPs) which significantly alter the progression of the accident. As stated previously, development of the ESDs was an iterative process. The event tree / system analyst prepared the draft ESD in collaboration vah the human reliability analyst. Talk-throughs were then held at the site with the analysts and plant operations personnel to review the ESDs and form agreement on the response-type operator actions to be selected. The ESD developed for the large LOCA initiating event is provided as an example; Table 1 identifies the symbols and notes, Table 2 lists the acronyms, and Figure I shows the large LOCA ESD. 42 l

b. The recovery analysis for the Vogtle Electric Generating Plant (VEGP) IPE was i

conducted, after the majority of the plant response tree and fault tree modeling had been completed, through an iterative process generally consisting of the following steps: reviewing quantification results to determine where contribution to core damage a frequency of dominant contributors could be reduced through credit for appropriate and reasonable actions or equipment not already in the IPE models; modeling these actions or equipment; requantifying the results; and repeating the process to address new dominant contributors. In general, operator actions called for in the VEGP emergency or aonormal procedures were considered to be expected rather than recovery actions, as long as there was a clear path through the procedures for each event being considered. Actions that could be taken from the control room (e.g., manually starting a pump that failed to start automatically, operating valves that failed to actuate automatically, and so forth), and for which the operators would receive indication as to the need for the action, were treated as anticipated responses rather than recovery actions. Such actions are generally included in the fault tree quantification for the appropriate top event. Actions for which all or most of the diagnosis and response required outside-control-room activity were generally considered as recoveries. For the recovery analysis process, the specific steps included: identifying possible recoveries in the fault tree models, plant response tree (PRT) models, support system models, or combinations of these; identifying necessary additional modeling; discussions and meetings among IPE analysts and SNC personnel familiar with VEGP and the IPE to clarify and verify the actions to be taken or equipment needed; modifications to the various models and quantification input values (including additional human reliability and success criteria analysis, where needed) to accommodate the recoveries; requantification of results; and modify / improve plant procedures, if necessary, to credit recovery actions assumed in the IPE. 43

The modeled recoveries generally take one of several forms: credit for existing systems or procedures that were not included in the initial models; j credit for procedural enhancements that were proposed by the IPE analysts or SNC l personnel, and, after review, deemed acceptable by VEGP personnel and committed to be implemented at the plant; credit for equipment modifications that were proposed by the IPE analysts or SNC personnel, and, after review, deemed acceptable by VEGP personnel and committed to be implemented at the plant; or combinations of the above. For most of the items selected, a summary description was prepared. These summary descriptions briefly describe the situation for which a recovery is needed, provide information on the operator actions and time available and any plant equipment required, reference to the HRA quantification of the modeled actions, information on available procedural guidance, and an indication as to how the recovery is to be factored into the event tree and/or fault tree models. Each of the summaries was reviewed and commented on by SNC and VEGP personnel, corrections were made, and the necessary modeling changes were made. Question 3 The submittal does not indicate whether a screening process was used to help differentiate the more important post-initiator human events. If a screening process was used, please provide the screening value(s) used and the basis for the value(s); that is, provide the rationale for how the selected screening value did not eliminate (or truncate) important human events. Also, as requested in NUREG-1335, provide the list of errors that were screened. Resoonse 3 The Vog'.le IPE did not use a screening approach as part of the human reliability analysis. As discussed in the response to HRA Question 2, the post-initiator human errors are identified as imponant to the overall plant response during the process of defining the event sequences. This process included reviews of the VEGP Emergency Operating Procedures, Abnormal Operating Procedures, and System Operating Procedures, and discussions with VEGP and SNC personnel. This resulted in the development of event sequence diagrams and the event tree models, which were also reviewed with VEGP and SNC personnel with operations and training background. 44

-.-------~.-.-- - - Ouestion 4 Although the SLIM method provides a way ofinterpolating between " anchor point" failure probabilities provided outside the SLIM method, inappropriate selections for anchor points will produce inappropriate results from the SLIM process. Limitations in the method (s) used to calculate the anchor points may " flow through" to the SLIM - derived probabilities. Please provide a detailed rational for, and description of, the selection of the human error events identified as anchor points in the submittal. Resoonse 4 The selection of the success likelihood index method (SLIM) " anchor points" operator actions was based upon accepted industry methodology. The first step in the process was to l relate the Vogtle specific success likelihood index (SLI) values to known or accepted values of error probabilities (P.) for two specific Operator Actions (OA) contained within a specific group of operator actions. This required the use of" reference" OAs that were very similar ifnot identical to the Vogtle IPE operator actions being evaluated. The methodology, which was followed, was to select specific operator actions that had been evaluated through means other than SLIM, (e.g., empirical simulation data; THERP HRA methodology) to arrive at their estimated values for P.. Following the SLIM technique, the selection of the anchor point operator actions must address two criteria. First, it must reference the psychological model that underlies the SLIM methodology. This holds that if expert ratings reflect the actual state of the defined performance shaping factors (PSFs) at the plant, then positively-rated PSFs (leading to high SLIs) indicate a plant environment that is conducive to avoiding error for their OAs. Likewise, negatively-rated PSFs (Iow SLIs) indicate an environment that is error-prone for their OAs. Second, the estimated relationship between P. and SLI for each group of operator actions must extend over the range of P. to approximate the range achieved by other methodologies. For a function relating Logw(1-P.) to SLI, this suggests the optimal slope is a positive one between those two OAs selected as the anchor points. Ideally, at one extreme of the function, the OA from a correlation group with the highest P. would match an OA that has the lowest SLI. At the other end, the OA from the same correlation group with lowest P would match an OA with the highest SLI. Thus, the selection of which specific operator actions to use as anchor points was based on: Operator actions that were very similar if not identical to the Vogtle IPE operator actions being evaluated, such as the need to open/close valves, stan/stop equipment, etc. 45

Operator actions that were modeled within the same context for which the Vogtle IPE operator actions were being evaluated, such as the same initiating event, event sequence, and timing. Operator actions that would have the similar Performance Shaping Factors (PSFs) as the Vogtle IPE operator actions being evaluated. Operator actions that were commonly modeled in industry PRA studies such that suflicient data exist to select a typical operator error probability. Operator actions with the highest or lowest SLI values within a group. If no industry data could be found or conflicting data was found, the appropriate operator actions with the next highest or lowest SLI values were used. The selection of operator action anchor points was done for four (4) specific groups of operator actions that were grouped together based on their similar PSFs profiles. Thus, four times as many reference points were used in the calculation of the Vogtle IPE SLIM operator action values as would have been the case if using one group consisting of all operator actions. When the operator actions were selected as anchor points, care was taken to ensure that the corresponding SLI values bounded the range of SLI values within the group of operator actions being considered. By following this practice a more accurate mathematical relationship can be developed that will avoid calculating erroneous operator action error probabilities. Based on the above considerations, the following operator actions were selected as anchor points for each group: Group 1 OALa Realign ECCS low pressure system for hot leg recirculation OARb Establish / realign ECCS high pressure system for cold leg recirculation Group 2 SGI Isolate faulted steam generator OABb Establish feed and bleed cooling of RCS (actuate SI) Group 3 OCIb Isolate containment - with power - auto align OSR Minimize ECCS flow following Interfacing Systems LOCA Group 4 ORT Initiate manual reactor tr p OAPa Depressurize primary side (MLOCA, SLOCA) 46

_ _.. m - __ __ __ __ >.. VOGTLE - UNITS 1 AND 2 INDIVIDUAL PLANT EXAMINATION SUBMITTAL Ouestion 5 Use of PRA-generated anchor points as SLIM anchors requires assessment of the performance shaping factors (PSFs) used in the SLIM assessment for the anchor events. It is not clear in the submittal that some Vogtle PSFs, such as complexity, would be described in the sources of the anchor points selected from other PRAs. Please provide a description of the assessment of PSFs to these " anchor point" events to show that the anchoring process was performed correctly. Resnonse 5 As discussed in the response to Vogtle IPE HRA question 4, one aspect of the selection of the operator action anchor points was to consider operator actions modeled in other Probabilistic Risk Assessment (PRA) studies that would have similar Performance Shaping Factors (PSFs) as the Vogtle IPE operator actions being evaluated. Before the operator action anchor points were selected, a general assessment was performed of the Vogtle IPE PSFs and how they would compare to the known or expected PSF profiles for the reference PRA operator actions. This general assessment or comparison can be illustrated by reviewing the Vogtle IPE PSFs and the manner in which they were considered during the selection of the reference plant operator actions as anchor points.

1. Complexity of the Operator Action (CPX) - The reference operator actions were reviewed to determine if the number of tasks, type of tasks, task sequencing, and relationships among the tasks were similar to those considered in the Vogtle IPE. For example, would the operator be required to perform similar tasks to realign the emergency core cooling low pressure injection system for hot leg recirculation (OALa) or establish / realign ECCS high pressure system for cold leg recirculation (OARb).

2. Time Factors (TIM)- The reference operator actions were reviewed to determine if the time factors were similar to those considered in the Vogtle IPE. For example, the Vogtle operator action to initiate a manual reactor trip (ORT) was defined as having a six minute time window for the operator to complete the required actions. The reference operator actions were then reviewed to make sure that the time windows for the similar operator action was comparable to the Vogtle time window.

47 = a =-o=* m e t w eeme- +.i.- eeem eg, y-g

3. Crew's Level of Knowledge, Training, and Experience (TRN) - The Vogtle IPE assumed that the Vogtle operating crew's level of knowledge, training, and experience was at least similar to if not better than that of the operating crews of the reference PRA plants. There were no indications of any negative operator performance issues that would impact or change this assumption.

4. Adequacy of Guidance Materials (PRC) - The Vogtle IPE assumed that the guidance material available to the operating staff, such as procedures, databases, job performance aids, and technical specifications were at least similar to if not better than those available to the operating crews of the reference PRA plants. This is based on the fact that the reference PRA plants are all Westinghouse NSSS plants and as such all utilize the Westinghouse Owners Group (WOG) Emergency Response Guidelines as the basis for developing their plant specific Emergency Operating Procedures. In addition, all the anchor point operator actions that were selected for the Vogtle IPE are specifically contained in the WOG Emergency Response Guidelines. Based on this information and a review of the emergency operating procedures for Vogtle and the reference PRA plants, this assumption was considered to be valid.

5. Characteristics of the Interface relevant to this task (MMI) - The reference plant operator actions were reviewed to ensure that the " interface" of the anchor point operator action, such as where the actions are to be performed (remote or local), the need to dispatch an operator to perform a specific action (i.e., trip a breaker, install a jumper, or operate a valve), was similar to the corre3ponding " interface" of the operator action being evaluated for Vogtle.

6. Previous, Subsequeat, and Concurrent Actions (ACT)- The reference plant operator actions were revir.wed to determine if the effects of other actions that are not part of the operator action heing evaluated were or were not considered. For example, in order to assess the appropriateness of the operator action to isolate the faulted steam generator (SGI), it was necessary to review portions of the reference plant event sequences in l

which this action was modeled. Modeling of events, such as a steam generator tube rupture, generally includes several operator actions, some of which are dependent on the success or failures of preceding operator actions.

7. Stress (STR) - The Vogtle IPE assumed that the level of stress experienced by the operating crew was the same for the operating crews of the reference PRA plants. This PSF considers that some aspects and levels of stress may actually be beneficial from the standpoint of PRA analysis, by bringing the crew to a higher state of alertness, j

decreasing their likelihood of committing an error. Other aspects and degrees of stress i can create a more error-likely situation. Other elements of stress may include the operators' perceptions of threat to themselves or theirjobs; physical stressors such as noise, vibration, radiation, humidity, temperature, and light levels; belief by the crew that their knowledge and understanding of the current plant status is inadequate (degree of 48 1

surprise) and that they may not have adequate resources (including time) to deal satisfactorily with the event; and the nature of expected surveillance in the event by plant management, regulatory personnel, or others. It was judged that the stress brought-on from the need to perform a particular operator action in response to an accident sequence that is similar from one plant to the next, in terms of the other PSFs (timing, training, complexity, etc.), would be the same. Question 6 It is not clear from the submittal what the bases were for calculating response-action human-error probabilities (HEPs) through the application of the seven plant-specific PSFs in the SLIh1 process. Please provide a discussion and examples of the process used to determine the appropriateness of applying these PSFs to post-initiator response-action human events. Please illustrate this discussion with Operator Action Summaries and PSF assessment suivey sheets for each of the following human errors: - OhiG - OABa and OABb - OCla - ORS - OARaLP - OAS Resnonse 6 For each Operator Action (OA), SLIh1 was used to generate a Success Likelihood Index (SLI) that provides a basis for deriving an error probability (P.). The SLI was generated through the use of expert sessions (plant operators) to evaluate the degree to which the seven performance shaping factors (PSFs) influence the probability of human error in carrying out that OA. For each OA, expert ratings of both the importance and the effects of all seven PSFs were combined mathematically to compute the SLI, which can then be transformed into a P.. Prior to conducting the SLIh1 expert sessions, the IPE analysts prepared written summaries of each operator action to be evaluated. These summaries described the operator action and the sequence in which the operator action is being modeled, identified success criteria and the available time window for performing the action, and summarized the applicable portions of the Vogtle emergency procedures that the operators would be following to accomplish the action. These written summaries were reviewed by SNC personnel with experience in Vogtle Operations. The objectives of these reviews were: to ensure that the descriptions in the IPE summaries utilized the same terminology used by plant operators and the emergency procedures; to enhance the ability of the operators to quickly recognize the scenario being described by the IPE personnel; and to make any necessary corrections to the summaries so that they included the proper emergency procedure steps and references. The summaries were revised as necessary before the expert sessions. 49

The requested Operator Action Summaries and operator evaluation sheets for the requested operators actions are provided at the conclusion of this response. The next step was, to collect data from experts about how these PSFs influence the OAs. This was done by using two Vogtle operating crews to assess the specific influences of each PSF on their own performance of each OA. Each crew consisted of a Supervisor (licensed Senior Reactor Operator (SRO)), and two licensed Operators. The data collection session was conducted by an IPE team, consisting of an HRA expert who was knowledgeable about SLIM, a PRA analyst, the IPE project leader, and an IPE liaison from the Vogtle project. The latter three were available to resolve questions concerning the way IPE actions were modeled. Since the crew members were not necessarily familiar with the ongoing IPE, they were provided with an introduction of the initiating events, the list of operator actions, and an explanation of the SLIM process. The PSF descriptions, and the manner in which the operating crews evaluated them, are as follows: PSF 1: Comolexity of the Ooerator Action This PSF looks at the number, kind, sequence, and relationships aracng elements within the task. This includes requirements for synthesizing multiple sources ofinformation: keeping track of the crew's progress through a long series of steps which may iequire coordination and communication among members of the crew, or with other plant staff outside the control room; assessing whether the resources required for this task are immediately available, or require a significant degree of preparation (e.g., assembly, alignment) before they can be brought to bear, During the sessions, for a given action, the operators tended to evaluate the number and complexity of the selected Vogtle emergency procedure steps for the current action against Vogtle procedure steps for other actions with which they also had experience. PSF 2: Adequacy of Time Factors This PSF takes into account the adequacy of time available to accomplish the action under consideration. Depending on the action and its context, adequacy of time can apply in different ways. One application of the timing PSF is: what is the window for diagnosing and starting the action, and how is this window defined? For example, the time window for some actions may be defined in the IPE in terms of minutes from the start of the event until the time an action is required; but if the operators may not be immediately aware of event initiation, their available time for taking action may be less. For other actions, the time window might be defined in terms of" compelling signals" (e.g., alarms, equipment status, and so forth), so that the timing definition may be clearer. During the sessions, the operators were provided, for each action, information from the Vogtle IPE success criteria analyses regarding the available time window for initiation 50

l and/or completion of the action. Specific timing simulations were not performed for the IPE. However, review of this information with the operators tended to result in a discussion of the IPE-defined time window boundary conditions (e.g., the amount of time between the occurrence of a steam generator tube rupture and isolation of the ruptured steam generator by the operators) relative to the operators' experience with time needed to perform the identified emergency procedure steps on the Vogtle simulator. PSF 3: Crew's Knowledce. Skills. Trainine. and Exoerience This PSF assesses what the crew brings to the event, in the form of ready-to-use knowledge and skills that are assumed to result from the combined training and experience of all members of a crew. This includes assessments of skills in communication, team training, and leadership, as well as knowledge of procedures, the reasons for them, and familiarity with the plant, its components, and the relevant controls and displays. It is also expected to l assess the degree of confidence the crew has in dealing with the event in question, which in turn may affect assessments of other factors. For example, a crew that has recently performed well in rigorous training on the event, and specifically on the operator action in question, is expected to be less likely to be negatively influenced by factors such as " stress" ) or " adequacy of time" The expert sessions were conducted with Vogtle operating crews, with similar and plant-specific training, and a similar mix of operating experience among each crew. Each crew's assessment of this PSF reflects its experience in working together in operating the plant. PSF 4 Adequacy of Guidance Materials This PSF references the quality of all guidance materials expected to be available to the crew as they perform a particular action. The guidance includes any sources that might be used in accomplishing the action being modeled, such as procedures, databases, job performance aids, technical specifications, and the like. Assessments considered both form and content of the guidance items. Are they complete, well-written, clearly formatted, with a minimum of ambiguity? Are they written at a level appropriate to the expected level of knowledge of the users? Are they consistent, complete, and up to date? The operators based their evaluation of this PSF on their familiarity with and use of the Vogtle guidance materials (e.g., normal, abnormal, and emergency procedures). PSF 5: Characteristics of the Interface This PSF assesses the quality of human engineering of both hardware and interactive software in the control room and in other locations, as well as the design of the actions themselves. Does the " interface" for the action include manual, local actions that require physically dispatching an operator to trip a breaker, install ajumper, or operate a valve? Is the task organized so that the same individual who detects a signal is also responsible for acting on it, or must this requirement be communicated? This PSF assesses the extent to which the sum ofinterface conditions help or hinder error-free accomplishment of the action. 51 . _ _ _.. _ _ _ ~. j

E The operators based their evaluation of this PSF on their familiarity with Vogtle in general, and with the Vogtle control room layout and interfaces in particuiar. Where appropriate, the operating crews factored into their evaluations the need for communications with operators in the auxiliary or turbine buildings, and other outside-control room interfaces particular to Vogtle. PSF 6 Previous. Subseauent. and Concurrent Actions This factor considered the effects of other actions that are not part of the operator action being evaluated, but may occur in close temporal, spatial, or logical proximity. Some of these actions may actually improve likelihood of success in the modeled action by leading the operator in a helpful direction. On the other hand, some " neighboring" tasks can lead operators in counterproductive directions. Of particular interest are those operator actions that may have input to the operator action being evaluated. During the sessions, the operators relied upon their experience in performing a given action on the Vogtle simulator, as well as their knowledge of Vogtle procedures, for their assessment of the impact of previous, current, and ::ubsequent additional actions. PSF 7: Stress This performance shaping factor is multidimensional. Some aspects and levels of stress may actually be beneficial from the standpoint of this analysis, by bringing the crew to a higher state of alertness, decreasing their likelihood of committing an error. Other aspects and degrees of stress can create a more error-likely situation. Elements of stress which may be taken into account include operators' perceptions of threat to themselves or theirjobs; physical stressors such as noise, vibration, radiation, humidity, temperature, and light levels; belief by the crew that they do not understand what is going on (degree of surprise) and that they may not have adequate resources (including time) to deal satisfactorily with the event; and the nature of expected surveillance during the event by plant management, regulatory personnel, or others. This was perhaps the most subjective of the PSFs, but again the operators based their assessments on their experiences at and familiarity with Vogtle. The expert sessions were conducted by providing a copy of each operator action summary to each crew member and providing them time to read it through Following this, questions, comments, improvements or corrections to the OA Summary were solicited. In a few cases, the OA Summary was modified on the spot to more accurately reflect reality for that OA at the plant prior to evaluating the OA. Once everyone had agreed on the summary for the OA, the crew was then asked to provide two evaluations for each PSF on each OA. First, as a group, they were asked to rank, on a numeric scale from 1 to 10, as shown below, the importance of each PSF relative to the others for this OA. 52

10 MAXIMUM CONCEIVABLE IMPORTANCE OF i 9 THE MOSTIMPORTANT FACTOR (S) ON 8 THIS OPERATOR ACUON i 7 6 5 SOME IMPORTANCE 4 3 2 1 O ABSOLUTELY NOIMPORTANCE Importance was defined as the weight that should be given to the efTect of this PSF on successful performance of the kind of task represented by the OA, without regard for how that OA happened to be implemented at this particular plant. A cited example was the importance of PSF 4, guidance and procedures, on a hypothetical OA that, as modeled for the IPE, requires immediate response (e.g., on the order of seconds). For successful performance of such an action, the importance of PSF 4 would be low: since there is no time to use procedures for such an action, their quality, v;hether helpful or harmful, would have little impact, or weight for this PSF on this OA. The same kind of OA could be used as a counter example for high importance on another PSF (e.g., PSF 3 - knowledge, training and experience) which would in general be expected to be important (although not necessarily most important). Discussion of PSF importance was facilitated by the SLIM analyst who also "kept score" for the group, writing the importance scores on the blackboard, and changing them as necessary, as the group arrived at its successive decisions for all seven PSFs. The final scores were recorded on a data collection form. To facilitate the initial discussion, the group was asked to first determine the one or more PSFs that were most important, and give that (those) PSF (s) a score of 10. The importance of the remaining PSFs could then be estimated relative to this conceptual " anchor" For example, another PSF viewed as half as important as the " heaviest hitter" would receive a score of 5. This consensus-building phase of the data collection served to get all members of the group thinking sensitively about the ways in which PSFs could relate to the OA in question. This had a " consciousness-raising" efTect that was a helpful lead-in to the second phase of data collection., i.e., rating the effects of PSFs on the OA under discussion. In some cases, the weightings discussion led to additional refinement of OAs, i.e., the definition of variant OAs that were judged to be significantly different enough (from those that had been pre-defined by the IPE analysts) to require a separate evaluation in terms of both weights and ratings. In 53

a very few cases, a prior distinction between two OAs (or variants of one) that had also been made by the IPE analysts, was judged to be insignificant, and the two categories would be collapsed into one for scoring purposes. Following arrival at the group consensus on the seven PSF importance weights, the experts were then asked to individually provide a numerical rating of the plant-specific effects, of the same seven PSFs, on the same OA whose PSF importance had just been determined. They performed this task as individuals, with no discussion, using a second 10-point numeric scale as shown below to define the numeric scores that they wrote onto the scoring sheet. 10 GOOD: as much help as conceivable for this action 9 8 7 [ of the error-avoiding variety g 5 neutral 4 of the error-Inducingvariety 3 2 1 0 BAD: as much hindrance as conceivable for this action Scorers were given as much time as needed to complete their answers. Following the completion of this scoring procedure, the group then moved on to the next OA, and iterated the procedure described in this section until all the OAs were evaluated. As requested, data collected through this process is provided at the conclusion of this response. An explanation of the tables which contain the data is provided below. Copies of the evaluator's score sheets for operator action OCI are also provided as an example. The calculation of the SLI is demonstrated in Figure 1. First, the calculated group average importance weights are entered as shown by the dotted-line boxes (1). These are the averages for the group of similar operator actions. Second, the group average importance weights from row (1) are normalized to 1.0, yielding the row of results in (2). Then the average effect ratings are calculated for each of the seven PSFs (3). The average effect ratings were divided by 10 to produce a value less than 1.0. (This is not a requirement of the methodology, and has no effect on the subsequent calculation of P.). For clarity, the results of these last two sets of calculations are repeated as shown in the dashed-line box (4). Each pair of weights and ratings is then multiplied to produce the set of PSF scores (5). This is the multiplication step of the formula: 1 SLI = [ w, r, 54"

Finally, the PSF scores are summed per the formula to produce a single SLI for this OA (6). i . c,* i ,m. au. ai.6 - u..... g( 7, y 7 - 7 7 y 7, e s si.e G.ou, a n.t.a.s ,e ,o ei .s F (2 b.in .,,,4 .i., ..i . in .i. m.. t______________.n.___a 0 (F,EEY.A,I.6 ,e= j nam 3 9 1,. 9 3 5, 9 se ,J. 5

.5 S.

S, 3 2 3 (3 .m .,.,.,s. . m, .m, ~.. L.._______________J - -. ~.. ( 4 k. _i >. . i.,, . i,.n, ,c ., m.. .= .n, ,,.1

u..

.m ..u .. m /s) (5) ~,,,,_ _ .>=__.m,__3 ru- ,. n, ..n, o mi. Figure 1 Tabulation for Calculating SLis Note that lines subj 1, subj 2, etc. are the ratings provided by the individual evaluators. d 55 , ~ ' ~

• _ ~ ~ ~ " ' ' ~ * * * ~ " * * *

- - - * ' - ~ * ' * ' - - - ~ ' --. - ~. -

VEGP IPE HRA OPERATOR ACTION

SUMMARY

l for Action Nr:_l 4_0L PRT Variable: OMG Action: Trio the Control Rod Drive Mechanism (CRDM) motor-aenerator (MG) sets Applicable Event Tree (s): Anticioated Transient Without Trio (ATWT)

SUMMARY

DESCRIPTION OF REQUIRED ACTION: The primary goal behind this action is to attempt to limit peak RCS pressure to below the ASME Code Level C service limit in any transient where reactor trip is a normally expected plant response, but has not occurred. This action seeks to accomplish this by reducing the heat being generated from fission in the reactor, by causing the control rods to drop into the core. The immediate objective of this action is to deenergize the supply of power from the Control Rod Drive Mechanisms' Motor / Generator (MG) sets to the CRDM rod-gripping magnets to allow the control rods to drop into the core. This action is accomplished by manually tripping the supply breakers to the buses which supply the MG sets. This action [0MG] is carried out only if the j operator action to manually trip the reactor [0RT] has failed to insert control rods into the core. i CONTEXT - ACTIONS & EVENTS Preceding: Transient has occurred for which automatic reactor trip is expected but did not occur (see ATWT initiating events in E-0). Limiting ATWT initiating event is loss of MFW/ loss of condenser vacuum with no reactor trip. Unsuccessful 0A to trip reactor [0RT] Concurrent: Verify turbine trip ano AFW actuation Subsequent: If this action is not successful: - OA to manually insert control rods [0CR] - OA to depressurize RCS (if necessary) [0AP), and to establish emergency boration [0BR]) SUCCESS / FAIL CRITERIA: Supply breakers tripped for Buse which supply CRDM MG sets 11/5/91 m

VEGP IPE HRA - OPERATOR ACTION

SUMMARY

(p. 2 of 3) for Action Nr:_J 4g_ PRT Variable: OMG Action: Trio Control Rod Drive Mechanism (CRDM) Motor-Generator (MG) sets, for event tree (s): ATWT l9000 - D o v e i n -%-:, p re cedur e_ n m APPLICABLE PROCEDURE (S): 193tt-C, FR.S-1, " Response to Nuclear Power Generation /ATWT", Rev 4. TIME WINDOW AVAILABLE TO INITIATE THIS ACTION: FRO _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ I2d'. ____Mboundary condition T0 boundary condition - ATWTa _IRQ h / JBU'm power < 40% and no Rx trip SG dryout G (ATWT PRT Tb14; ATWT SCNB p. TBO) - ATWTb TBD h / wm power > 40%, MFW available SG dryout for 5 min, and no Rx trip / (ATWT PRT Tb1 4; ATWT SCNB p. TBD) - ATWTc _THQ h / _IER'm power > 40%, no MFW, and SG dryout no Rx trip (ATWT PRT Tbl 4; ATWT SCNB p. TBD) (This is the case being modeled in event tree.) TIME WINDOW AVAILABLE TO COMPLETE THIS ACTION: FROM boundary condition T0 boundary condition 1 to 10' min per conditions cited above 6 Eve <+ mh'a Am ............ /..c=<_ 3G- &v MIN TIME WINDOW REQUIRED TO COMPLETE THIS ACTION: min. 11/5/91 57

VEGP IPE HRA - OPERATOR ACTION

SUMMARY

(p. 3 of 3) for Action Nr:.lShL,PRTVariable: OMG Action: Trio Control Rod Drive Mechanism (CRDM) Motor-Generator (MG) sets. for event tree (s): ATWT TASK ELEMENTS Subtask Step Equip't, MMI d/c Location Procedure N't%) gq m Diagnose Rod bottom Rod bottom lights ctrl rm 19 bbl-C /'6 V/S. event lights not P" 5.1-rno lit s1 -or-Reactor trip Rx trip & Bypass & bypass breaker indication breakers closed -or-Neutron flux Power Range nuclear not decre1 sing instruments I9 000 Trip CRDM MG Supply feed breakers ctrl rm 19$ki-C set bus to INB08 and INB09: T .1 supply s1.1 breaker CB INB08-01 CB INB09-01 t i e 11/5/91 58 I

f t 27.0 ONG: TRIP CROM MG SETS (OPEN NGO8 & M809 FEEDERS FORM MAIN CR) i PSF: cpx tim trn prc muni act str PSF: A B C D E F G PSF: 1 2 3 4 5 6 7 Ave. group importance weights GROUP 4 AVERAGE 3.4 8.2 8.4 6.0 8.4 5.4 8.3 l a Kormalized ave. group importance weights 0.071 0.170 0.175 0.124 0.175 0.113 0.172 = 1 ~ OMG EFFECT RATINGS N= 6 subj 1 8 7 10 10 9 7 6 f sub) 2 7 4 6 7 7 5 3 L sej 3 7 4 7 8 8 5 4 sej 4 7 5 9 9 9 4 4 I subj 5 9 1 9 7 7 8 1 sej 6 5 9 10 10 7 5 6 l {

===================================================

Mean group effect ratings 0.717 0.500 0.850 0.850 0.783 0.567 0.400 .t OMG SCORES Kormalized group importance weights 0.071 0.170 0.175 0.124 0.175 0.113 0.172 Mean group effect ratings 0.717 0.500 0.850 0.850 0.783 0.567 0.400

============================k======================

i PSF Scores 0.051 0.085 0.149 0.106 0.137 0.064 0.069 i OMG SLI: 0.660 i s r h I I i i I L i I t i e h i 59-

VEGP !PE HRA OPERATOR ACTION

SUMMARY

for Action Nr:1 PRT Variable: OAB Action: Establish bleed and feed cooline of RCS Applicable Event Tree (s): SMALL LOCA (SLOCA) SECONDARY BREAK (SSB) SG Tube Ruoture (SGTR) GENERAL TRANSIENTS IAould g d.n2.fc AT WITHOUT TRIP (ATWT) STATION BLACKOUT (590) neto a urmwa.+c. n h ul ST tu rbactics r-e.o m red. (ST Manal) C-Gitos & ) O gen <w -to Wr~e

SUMMARY

DESCRIPTION OF REQUIRED ACTION: The primary goal of this action is to ensure adequate removal of core decay heat through continued covering of the core with cooled inventory, plus removal 1 of heat that is transferred to the RCS. The intermediate goal is to establish an alternate path for removing core decay heat following loss of secondary heat sink (i.e., neither MFW nor AFW to the SGs). ~ -The immediate objective of this top event is to establish bleed and feed cooling of the RCS following loss of secondary heat sink (i.e., loss of Main Feedwater (MFW) AND Auxiliary Feedwater (AFW) AND condenser / condensate to the l SGs). This is accomplished by ipening both Pressurizer (PZR) Power Operated Relief Valves (PORVs) to provide the bleed from the RCS, in coordination with controlled High Pressure SI (i.e., either CCPs or SIPS) to provide feed to the RCS. For all above listed event trees except General Transients,-SI is assumed to have occurred. For General Transients, this action OAB also includes the alignments and setups required for starting SI. This action (all of OAB) must be accomplished before the SGs dry out in order to prevent core damage due to over temperature / pressure in the RCS. If a loss of secondary heat sink occurs and (1) wide range level in any 3 SGs is less than 25% [40% for adverse containment) with no feedwater established or (2) pressurizer pressure is 2 2335 psig due to.a loss of secondary heat sink, then the RCPs are tripped and bleed and feed is immediately initiated. Otherwise actions to establish main feedwater are performed. CONTEXT - ACTIONS & EVENTS Preceding: loss of AFW loss of condenser / condensate loss of MFW Concurrent: bleed & feed path alignment with or without prior SI signal monitor containment pressure Subsequent: PZR fills, PORY relieves to the PZR relief tank, which ruptures to containment RWST depletes, requiring shift to cold leg recire 60 110791/KG0 7

VEGP IPE HRA - OPERATOR ACTION

SUMMARY

(p. 2 of 3) forActionNr:j3_ PRT Variable: OAB Action: Establish bleed and feed coolino to RCS for event tree (s): SLOCA SGTR ATWT SSB SB0 TRANSIENTS SUCCESS / FAIL CRITERIA: alternate decay heat removal via PZR PORV(s) prior to SG dryout, balanced by inventory maintenance via HPSI APPLICABLE PROCEDURE: 19231-C(FR-H.1), Response to Loss of Secondary Heat Sink, Rev. 11. 19200-C(F-0.3), Heat Sink Status Tree, Rev. 6. TIME WINDOW AVAILABLE............................................................................ TO INITIATE THIS ACTION: FROM boundar _____________ycondition T0 boundary condition - SLOCA h / JZC m event initiation SG dryout (SLOCA PRTNB Tb1 4) - SGTR h /.2d) m event initiation SG dryout (SGTR PRTNB Tbl 4) - ATWT h/ /c? m power < 40% AND AFW not SG dryout available (ATWT PRTNB Tb1 4) ATWT h/ m power > 40% AND MGs tripped SG dryout and MFW available and AFW not available (ATWT PRTNB Tb1 4) - SSB h / J20 m event initiation (SSB PRTNB SG dryout Tb1 5) event :pouxa rwtovery - 580 h/ m niti:tica (SE PRTNB SG dryout Tb1 4 - (tbd)) - TRNSIENT h/ ~7 m MFW pump trip (GT PRTNB SG dryout Tb1 5 .......)..................... TIME WINDOW AVAILABLE TO COMPLETE THIS ACTION: FROM boundar _____________ycondition TO boundary condition /0 ym ._L *hka'ONt 0 3G.d eaf ..re..o ve....a..c.h..em MIN TIME WINDOW REQUIRED TO COMPLETE THIS ACTION: for all except TRANSIENT, model assumes HPSI is on and operator only verifies its function. This may take _.1, min. for TRANSIENT, model assumes HPSI requires manual start b i ....................................y operator. This adds __ m to time required 11079uKGo 61 m

VEGP 2PE HRA - OPERATOR ACT10N

SUMMARY

(p. 3 of 3) for Action Nr:1 PRT Variable: 0A8 Action: Establish bleed and feed coolino to RCS for event tree (s): SLOCA SGTR ATWT SSB SB0 TRANSIENTS TASK ELEMENTS Subtask Step Equip't, MMI d/c Location Proedure Recognition NR level in all 19200-C, of loss of SGs < 5%(27%) F-0.3 heat sink AND symptoms total feedwater flow to SGs < 570 gpm Recognition WR level in any 19231-C of bleed and 3 SGs < 25% s 1.0, feed (40%) with no Second initiation MFW established Caution symptoms OR PZR pressure > - 2335 psig trip all RCPs 19231-C s 1.0, Second Caution % b 8d 19231-C Verify RCS Actuate SI OPOf6 f feed path both agdvd t dr-s10.0 ,) cotd % 4x u.1 S T~ i Verify or ag-s11.0 initiate HPSI -at least 1 CCP sll.a or 1 SIP run-ning -ECCS valve s11.b alignment Establish RCS -verify power s12.a bleed path to PZR PORY block valves -verify PZR s12.b & PORY block s13.0 valves open -Open PZR PORVs s12.c -Verify PZR s13.0 PORVs open -Monitor RWST s18.0 level caution 4 62 110791/KGO

i 4.0 OA8a: ESTABLISM FEED & SLEED COOLING OF RCS (AUTO Si in progress) PSF: cpx tim trn prc meni act str PSF: A B C D E F G PSF: 1 2 3 4 5 6 7 Ave grow importance weights GROUP 2 AVERAGE 7.2 7.9 9.1 8.4 8.4 6.4 6.5 t' rmatized ave. group importance weights 0.134 0.147 0.169 0.155 0.156 0.119 0.120 1 a C,*Sa EFFECT RATING N= 6 subj 1 7 7 to 9 8 5 5 subj 2 8 5 7 4 8 3 2 subj 3 7 9 9 10 9 3 5 subj 4 6 3 8 9 8 4 3 sihj 5 5 5 8 5 5 3 2 subj 6 3 5 8 9 7 4 2 333E=3333=EEEk3333333333333333333333333333333333E333323333333E3 nean grow effect ratings 0.600 0.567 0.833 0.767 0.750 0.367 0.317 r R OA8a SCORES Eormatized group importance weights 0.134 0.147 0.169 0.155 0.156 0.119 0.120 Mean grow effect ratings 0.600 0.567 0.833 0.767 0.750 0.367 0.317 azzazsEssanssammazzazREszEsassazzsazzazRzazazzzzaz==zzazzassssa PSF Scores 0.080 0.083 0.141 0.119 0.117 0.044 0.038 i OA8a SLI: 0.622 I r i i f + 2 d f 9 L 4 a { 2 1 i I e i s 63

? T l. 6 5.0 CA8b: ESTABLISH FEED & SLEED COOLING OF RCS (marAlal SI) PSF: cpx tin trn prc suni act str i PSF: A 8 C D E F G ll PSF: 1 2 3 4 5 6 7 L i Ave. groip importance weights GROUP 2 AVERAGE 7.2 7.9 9.1 8.4 8.4 6.4 6.5 Corsalized ave, groi,importance weights 0.134 0.147 0.169 0.155 0.156 0.119 0.120 = 1 l OA8b EFFECT RATING N= 6 i subi 1 6 6 to 10 9 7 3 9 sej 2 4 5 6 3 5 3 2 subi 3 4 6 to 10 8 3 5 sej 4 5 3 8 9 8 5 3 i subi 5 1 2 9 8 9 3 1 subj 6 3 5 6 7 3 2 2 I 1 ^

================E=========================================E

Mean group effect ratings 0.383 0.450 0.850 0.783 0.700 0.383 0.267-DA8b SCORES i Normattred grote importance weights 0.134 0.147 0.169 0.155 0.156 0.119 0.120 t Mean group effect ratines 0.383 0.450 0.850 0.783 0.700 0.383 0.267 I

=EE=====================E=E===ES======EE=====E=========EE

PSF Scores 0.051 0.066 0.144 0.122 0.109 0.046 0.032 I OABb SLI: 0.570 i h d a a I 1 i l 1 r; L t 41

) VEGP IPE HRA OPERATOR ACTION

SUMMARY

for Action Nr:J 7_, PRT Variable: OCI Action: Manually isolate Containment l Applicable Event Tree (s): All Events. Station Blackout (580) Se-po.rA Sbo e vem.t s mu. P" m ~""+ """l"b !"

SUMMARY

DESCRIPTION OF REQUIRED ACTION: The primary goal of this action is to limit any offsite dose should core damage. occur as a result of the event. The immediate objective of this action is to verify containment Phase A isolation, and if isolation has NOT occurred, to manually actuate containment Phase A isolation. This is accomplished by first checking the status of CI-A MLB (indicators correct for SI), and if not correct for SI, then actuating either of two switches on the main control board. CONTEXT - ACTIONS & EVENTS Preceding: The conditions for safety injection / containment j isolation signal have been met, but containment isolation has not occurred. Concurrent: Subsequent: Verify that either the containment isolation valves close or that the appropriate indicators on CI-A MLB are lit. SUCCESS / FAIL CRITERIA: Operator sucessfully identifies failure of contain-ment isolation, and then successful manually actuates containment Phase A isolation APPLICABLE PROCEDURE: 19000- C (E-0), Reactor Trip or Safety Injection, Rev. 9. 7 - .--65

VEGP IPE HRA - OPERATOR ACTION

SUMMARY

(p. 2 of 2) for Action Nr:)7 PRT Variable: OCI Action: Manually isolate Containment Applicable Event Tree (s): All Events TIME' WINDOW AVAILABLE TO INITIATE THIS ACTION: FROM boundary condition TO boundary condition h/ m Event initiation prior to core exit T/Cs 9 1200 degF TIME WINDOW AVAILABLE TO COMPLETE THIS ACTION: FROM boundary condition TO boundary condition / 0 BOW 06/2 hn e. V-2SSz/ btfure ' y MIN TIME WINDOW REQUIRED Only the action of checking the CI-A MLB lights, TO COMPLETE THIS ACTION: then actuating one of the two containment isolation phase A switches is modeled. Total time for these actions may take 1 min. i TASK ELEMENTS Subtask Step Equip't, MMI d/c Location Procedure Isolate entmt Cntmt not CI-A MLB indicators Ctrl rm 19000-C isolated - not correct for SI; s7.0 manually actuate CTMT ISO actuate Phase A PHASE A and CTMT ventilation isolation $ 60 n e W3,, kocai / 9/cm-c Oh4 ( W/# CmAm.mW B,0lD Note: The appropriate time window is from event initiation to potential core damace, not post-core damaoe as indicated above. The time window considered durino the operator evaluation was from event initiation to potential core damage. 66 ~

=. r i I r i 32.0 OCla: MANUALLY INITIATE CONTAINNENT ISOLAil0N (S80) r PSF: cpx tim trn prc mi act str PSF: A B C D E F G ' PSF: 1 2 3 4 5 6 7 i i j 'I Qve. group importance weights GROUP 3 AVERAGE 8.0 6.9 9.5 a.6 8.0 7.5 7.5 Norsnellred ave. grow importance weights 0.143 0.123 0.170 0.154 0.143 0.134 0.134 = 1 .i [ li OCla EFFECT RAllNG N 6 subj 1 4 7 10 9 9 5 5 sub) 2 3 5 4 6 5 3 4 subi 3. 4 5 8 8 8 5 5 subj 4 3 5 7 8 7 3 3 l subj 5 2 4 8 8 7 6 3 i subj 6 5 5 8 9 6 3 4 sazzzazzzzzzzsazzazzzzazzzzzzazzsazzazzzazzz===========mazzz==z I Mean gro g effect ratings 0.350 0.517 0.750 0.800 0.700 0.417 0.400 OCla SCORES [ Normalized group importance weights 0.143 0.123 0.1 70 0.154 0.143 0.134 0.134 f Mean gro w effect ratings 0.350 0.517 0.750 0.800 0.700 0.417 0.400 i [ azzz=sas=zazzazzsazzzzazzzzazzzzzzzzzzzzzzzzzzzzazzzzzzazzzzzza PSF Scores 0.050 0.063 0.127 0.123 0.100 0.056 0.054 OCla SLI: 0.5 73 l q j i e f i I r t

H DDVEGPIPE Operator Action Evahration Session l Evaluator Opees40e i Date *1-lC fe r ForAction - fY1 Man a '1 TCoeATE 0%T ($6n ,i l OA IDENT l ' PERFORMANCE SHAPING FACTOR (PSF) l 1 2 3 4 5 6 7 l TASK TIME KNOWLEDGE. GUIDANCE & PLANT PRECEDING. STRESS OPERATOR FOR COMPLEXITY FACTORS TRANING & PROCEDURES NTERfACE: CONCURRENT. & ACT m NITATING EXPERIENCE CONTROLS & SUBSEQUE*lT t IPE NAME EVENT NDICAlmS ACTIONS to MAXIMUM conceivable importance for t*k. operator action i PSF 54PORTAh0E WEIGHT:' 59 some importance E 0" ABSOLUTELY NO IMPORTANCE DbD T ID 9 N 4 7 t0 9 I 7 N ( ft%W( kmwtr t[ s I to T GOOD: se snuch h '%a conceivable for thle actiors = PSF EFFECT RATING: ' S9 neutral E A = =.% e 1 0-BAD: se rnuch Ahdrante as cxmceivable for lhle adlon f jQ $ 6 C' N 7 10 9 i [ E 2g c= %6u 9l 1 io q q 7 r7 =B '"a '? S t Y 8 t k

Vzt VEGPIPE OperatorAction Evaluation Session Z Evaksator_ Qp rdor 2 Date Ws*/91 ForAction CXX TS M T C^'M i l OAIDENT PERFORMANCE SHAPING FACTOR (PSF) ~ { 1 2 3 4 5 6 7 TASK TIME KNOWLEDGE, gut 0ANCE & PLANT PRECEDING. STilESS OPERATOR FOR COMPLEXITY FACTORS TRANING.& PROCEDURES NTERFACE: CONCURRENT.S ACTION NITATNG EXPERIENCE CONTROLS & SUBSEQUENT IPE NAME EVENT NDICATIONS ACTIONS 3 -{ to y MAXIMUM conalvable tr9ertence los thle operator action PSF NPORTANCE WEIGHT:< 5 some importenu O L ARSOLUTELY HO NPORTANCE V f /b Q ,9" <f- ] v re.sze uv a

• • Mhm 4

44 /O 9 ff n J h 1 ?, A t0 - GOOD: ae much help ee concetveblo lor lhle actlan 'p = =- .ei PSF EFFECT RATING: 5 L neutral j = u_ ; % 1 O E BAC: se much hh&sn5 se concolvable for thle action yQ STA CLAotsT b h3 b T -!, 'O - ( 5 Tr f 5 1 + =au b 69 i

M \\ C b lkS VEGPIPE OperatorAction Evaluation Session l Evaluator _ O erv~4ar 3 Date f ForAction YU6 *' VL il4 130 Nc CO dC 0GT 2 OA IDENT PERFORMANCE SHAPING FACTOR (PSF) 1 2 3 4 5 6 7 TASK TIME KNOWLEDGE. GUIDANCE & PtANT PRECEDING. STRESS OPERATOR - FOR COMPLEXfiY FACTORS TRANING, & PROCEDURES NTERFACE: CONCURRENT & ACTION NITATNG EXPERIENCE CONTROLS & SUBSEOUENT IPE NAME EVENT NDICATK)NS ACTIONS to e MAXIMUM conceivable importance for thle operator action PSF NPORTANCE WEIGHT.< 5 some importance o= ABSOLUTELY NO IMPORTANCE INuos lin ? 6 K ib 4 Y 'l ') M Th a tA.' ~;. Q t (( N

• • k

/0 ') T '~) '] Fo u> cA. to & GOOD: as much help as conceivable for this actl.m = % = =.= _ , l PSF EFFECT RATING: 5 E= neutral A * ~.% -we I 0= BAD: es much hhdrance se conceivable for this action =u n YO Y $.f

g eo wet NN O I E

• N B

S Fr P P G S k Vow a ? is 1.. '70

()0VEGPIPE OperatorAction Evabation Session I Evahator_ Opacdoc Lt Dat;p\\% C1 1l l ForAction I'l O C-T H^N$ A $5-'A* % U .-9 OAIDENT PERFORMANCE SHAPING FACTOR (PSF) 1 2 3 4 5 6 7 TASK TIME KNOWl EDGE. GUIDANCE & Pt. ANT PRECEDING. STilESS OPERATOR FOR COMPLExtTY FACTORS TRANING. & PROCEDURES NTERFACE: CONCURRENT,& -4 ACTION NtTATN G EXPEntENCE CONTHOLS& SUBSEQUENT IPE NAME EVENT NDICATIONS ACTIONS 5 10 MAXIMUM concolvable importance for thle opetetor actiori PSF 58PORTANCE WEIGHT? 59 some knpoetence ~ ~. = ~ 0 L ABSOLUTELY NO OFORTANCE r

1. (e m 6

Y (o 9 8 t 7 i,. I' ht k fotJell 4 to 9 8 7 '7 x ' s r-

l. I,

.y 10 m GOOD: se much help es conceivable Sor thle action 's. = % au= .g 59 neutral

c. '

PSF EFFECT RATNG: 4 ~. A===- .mI 0-BAD: es much hhdrertcw as concehoble for thle action { *._ .',n tb f-tac ~ 3 5 7 8 ~7 3 _3 .7, f ..g -n N1b foM b h b b b ?O i' E 9 71 I

Y O VEGP IPE Operator Action Evakation Session l Evabator_ O ecchar s" Dal3 /2 -S ~ W p ForAction Wl l ? OA IDENT PERFORMANCE SHAPING FACTOR (PSF) t 2 3 4 5 6 7 ? TASK TBE KNOWLEDGE. GUIDANCE & PLANT PRECEDING. STTESS l OPERATOR FOR COMPLEXITY FACTORS TRANING.& PROCEDURES NTERFACE: CONCtmRENT.& ACTK)N NITATNG EXPERIENCE CONTHOLS& SUBSEOUENT NDICATIONS ACTlONS i IPE NAME EVENT ti. i I [j 10 p MAXIMUM conceivable importance lot thle operster actiort S h= comeimportance J ~ . psf REPORTANCE WEKME = O E ASSOLUTELY NO RAPORTANCE tora R S /n 9 3 A' 7 (0useL l-/ 5N /O I y y .o <O t' X Sd 7 wAs~M 4 Y Mk /0 9 y 9 7 10T GOOD: as much helpas concehrsble for thle action = % m.-- - .m l PSF EFFECT RATNG: 59 neuttat E A === =-% m I 0" BAD: as much hhdrance se conceivable for this action lQ Y W D .D k .-I </ 9 /, 5 4 4 S 5h Eae 73

VEGP IPE HRA OPERATOR ACTION

SUMMARY

for Action Nr: d PRT Variable: ORS Action: Restore systems followino loss of offsite oower/ station blackout Applicable Event Tree (s): Station Blackout (S80)

SUMMARY

DESCRIPTION OF REQUIRED ACTION: The primary goal and immediate objective of this action is to restore power to and operation of essential systems after at least 1 AC emergency bus has been energized. The operator would perform the following actions after AC power is restored: Restore DC loads Energize 480V AC switchgear Energize battery charges, instrumentation and control, emergency lighting, comunications, and battery room fans Verify NSCW operation Reset Phase A (if actuated) Verify instrument air available Start ACCW and CCW pumps Align reactor makeup system Start CCP or CCP and SIP Align for either normal charging or ECCS injection

• Start containment fan coolers

< Start RHR pump (,with SI re uired &~sM lok HCP Saa.f-Note,leakagefromtheRCPsealsdur$gthestationblackouteventcould eventually cause the pressurizer to empty and the RCS to reach saturation. As a result, SI may also be required after power is restored. CONTEXT - ACTIONS & EVENTS Preceding: Loss of all AC power Defeated autostart of safeguards equipment TD-AFW controlled to maintain SG levels DC loads minimized 1 Begin SG depressurization SI reset j AC power restored RCP seals isolated Concurrent: ) Subsequent: Cont.rol SG narrow range level and pressure Control pressurizer level and pressure Verify natural circulation, adequate shutdown margin 110791/KGD y w. --.:.~.

VEGP IPE HRA - OPERATOR ACT10N

SUMMARY

(p. 3 of 6) for Action Nr: !6 PRT Variable: ORS Action: Restore systems followino loss of offsite oower/ station blackout for event tree (s): 580 TASK ELEMENTS Subtask Step Equip't, MMI d/c Location Proedure Restore DC See E0P 19100-C, 19100-C loads Attachment A s23.0 previously shed. Align deenergized inverters, per 13431, prior to closing DC feeder breakers Verify equip. -480 V AC switchgear: s25.0 loaded on Unit 1 energized AC TRAIN A TRAIN B emergency bus 1AB04 18806 1AB05 18807 1AB15 18816 INB01 INB10 Unit 2 TRAIN A TRAIN 8 2AB04 2BB06 2AB05 28807 2AB15 2B816 2NB01 2NB10 Essential 480V AC loads: o Batter chargers o Instrumentation and control o Emergency lighting o Communications o Battery room fans. Verify NSCW - Verify valves open: s26.a operation TRAIN A TRAIN B HV-1806 HV-1807 HV-1808 HV-1809 HV-1822 HV-1823 HV-1830 HV-1831 - 2 NSCW pumps running s26.b & on each of 2 trains 19101-C s3.0 110791/KQD 76

VEGP IPE HRA - OPERATOR ACTION

SUMMARY

(p. 2 of 6) for Action Nr:_]b_ PRT Variable: ORS Action: Restore systems followino loss of offsite oower/ station blackout for event tree (s): 580 SUCCESS / FAIL CRITERIA: The operator must establish essential systems within __ minutes after AC power is restored. APPLICABLE PROCEDURES: 19100-C (ECA-0.0), Loss of All AC Power, Rev. 5 19101-C (ECA-0.1), Loss of All AC Power Recovery Without SI Required, Rev. 8 19102-C (ECA-0.2), Loss of All AC Power Recovery With SI Required, Rev. 4 TIME WINDOW AVAILABLE TO INITIATE THIS ACTION: FROM boundary condition T0 boundary condition - SB0 h/ m AC Emergency Bus Energized Potential core damage (SB0 PRT NB Tb1 4) TIME WINDOW AVAILABLE TO COMPLETE THIS ACTION: FROM boundary condition TO boundary condition 230_ minutes AC Emergency Bus Energized Potential core damage MIN TIME WINDOW REQUIRED TO COMPLETE THIS ACTION: __ min. i 4 110791/KG0 75

-

_=, _ - _ _ _ _ - _

VEGP IPE HRA - OPERATOR ACTION

SUMMARY

(p. 4 of 6) for Action Nr:__J bt PRT Variable: ORS Action: Restore systems followino loss of offsite oower/ station blackout for event tree (s): 580 TASK ELEMENTS - continued Subtask Step Equip't, MMI d/c Location Proedure Restore Phase A - If Phase A actuated 19101-C (Inst. Air) and inst. air pressure s2.0 normal, then check HV-9378 open - If Phase A actuated and inst. air pressure not normal, then start air compressor per 13710, and (when inst air pressure normal) check HV-9378 open Start an ACCW (without SI) 19101-C pump s3.b Start one ACCW (with SI req.) 19102-C & 2 CCW pumps s7.a& s7.c Align makeup (without SI) - CCP Suction valves }9101-C source from VCT: s3.C.1 LV-01128 open LV-0112C open - VCT makeup control system set for greater than RCS boron concentration and automatic control - Charging line isolation valves: HV-8105 shut HV-8106 shut - CCP normal miniflow isolation valves-open norsuru 77

i i VEGP IPE HRA - OPERATOR ACTf0N

SUMMARY

(p. 5 of 6) i for Action Nr:__J 6_ PRT Variable: ORS Action: Restore systems followino loss of offsite oower/ station blackout 1 for event tree (s): 580 TASK ELEMENTS - continued Subtask Step Equip't, MMI d/c Location Proedure Align makeup (with SI req.) - RWST level > 39% 19102-C source sl.0 (continued) - CCP suction from s3.a RWST valve-open - CCP suction from s3.b VCT valve-open - RCP seal injection s4.b isolation valves-shut Start CCP (without SI) 19101-C s3.C.2 Start CCP & (with SI req.) 19102-C SIP s2.0 & s4.C Align CCP (with SI req.) - CCP alternate s5.a flow through miniflow isolation BIT valves - open - CCP normal s5.b j miniflow isolation i valves - shut - BIT isolation s5.c valves-open - Charging line s5.d isolation valves: HV-8105 shut HV-8106 shut Start safe-(without SI) - Start CTMT fan 19101-C guards equip. coolers s3.d i (with SI req.) - Start RHR pump 19102-C - Start CTMT fan s7.b coolers s7.d 110F91/KGD 78

• F

VEGP IPE HRA - OPERATOR ACTION

SUMMARY

(p. 6 of 6) for Action Nr:__Jbt PRT Variable: ORS Action: Restore systems followino loss of offsite oower/ station blackout for event tree (s): SB0 TASK ELEMENTS - continued Subtask Step Equip't, MMI d/c Location Proedure Establish (without SI) - HC-0182 - set to 19101-C charging flow maximum seal flow s4.a HV-0182 shut - Charging line s4.b isolation valves: HV-8105 open HV-8106 open - Establish charging s4.c flow using control valves: FV-0121 HV-0182 0 110791/KGD 79

.,m A i - i a i .I 31.0 ORS: RESTORE SYSTEMS FOLLOWING LOSP (WITHOUT SI REQUIRED, St REQUIRED) i PSF: cpx tim, trn prc uni act str l PSF: A B C D E F G PSF: 1 2 3 4 5 6 7-i. s Ave. group importance weights GROUP 3 AVERAGE 8.0 6.9 9.5 8.6 8.0 7.5 7.5 e Normalized ave. group importance weights 0.143 0.123 0.1 70 0.154 0.143 0.134 0.134 = 1 L C25 EFFECT RATINGS N= 6 i subj 1 4 7 8 10 9 6 6 sub) 2 3 5 6 5 6 4 4 + sub) 3 3 4 7 9 9 4 5 ( subj 4 2 3 7 9 8 3 3 subi 5 2 2 8 7 6 6 4 i subj 6 6 6 7 9 9 5 4 3=333333==2=E===E=3333333E=3E=33333E=EE3=3:2=E===3======3E=3=33 Mean group effect ratings 0.333 0.450 0.717 0.817 0.783 0.467 0.433 7 ORS SCORES cormelized group importance weights 0.143 0.123 0.170 0.154 0.143 0.134 0.134 i Keen group effect ratings 0.333 0.450 0.717 0.817 0.783 0.467 0.433 l

===============usss================us==============

PSF Scores 0.048 0.055 0.122 0.126 0.112 0.063 0.058 1 i I C2S SLI: 0.583 t I t u h f i i ) i 80 l l

VEGP !PE HRA OPERATOR ACTION

SUMMARY

for Action Nr: k PRT Variable: 0 ara Action: Realion ECCS low oressure system for cold leo recirculation Applicable Event Tree (s): SMALL LOCA (SLOCA) MEDIUM LOCA (MLOCA) LARGE LOCA (LLOCA) SG Tube Ruoture (SGTR)

SUMMARY

DESCRIPTION OF REQUIRED ACTION: l For all of the above events, the primary goal is to provide a source of cooled water to the RCS to ensure the core remains covered and that adequate removal of decay heat continues after SI depletes the RWST. In support of that goal, the immediate objective of this action is to establish cold leg recirculation by realigning the RHR pumps to take suction from the containment sump, cool the fluid using the RHR HX to transfer energy to the CCW loop in the RHR HX, and i discharge the cooled fluid from the RHR HX into the RCS cold legs. Note that RHR HXs discharge is also opened to provide suction to the CCPs and SIPS, although for this action, success on the high-pressure part of the procedure is not modeled. The rationale for discharging RHR HXs to both low and high pressure paths to the RCS is that as pressure in the RCS drops below the low pressure recirculation shutoff value, this flow path with its larger pumping capacity will automatically begin to add inventory to the RCS. It is assumed that RHR pumps are already on, drawing suction from the RWST, and discharging either to miniflow or to the RCS cold legs. For this operator action, the containment sump level is verified to be sufficiently full, RHR pumps are verified to be running and suction is aligned from the RWST to the sump. CCW to the RHR HXs is verified (at least 2 CCW pumps rtmning per train), and the CCW pump discharge pressures and flows and NSCW cooling to the CCW heat exchangers are verified. CONTEXT - ACTIONS & EVENTS Preceding: SI has occurred: ECCS Injection occurring RHR pumps are on, injecting or on miniflow RWST level < 39 percent i 1 to 8 Containment Cooling Units removing heat 1 or 2 spray pumps drawing on RWST 1 1 Concurrent: align ECCS high pressure for cold leg recirc [0ARb) requires success in this action as a subset Subsequent: Align for hot leg recirculation at 11 hours for medium and large LOCAs 11/8/91 81

== VEGP IPE HRA - OPERATOR ACTION

SUMMARY

(p. 2 of 4) for Action Nr:_jige PRT Variable: 0 ara for event tree (s): SLOCA MLOCA LLOCA SGTR Action: Realian ECCS low oressure system for cold lea recirculation SUCCESS / FAIL CRITERIA: ECCS low pressure cold leg recirculation APPLICABLE PROCEDURES: 19010-C, E-1, " Loss of Reactor or Secondary Coolant," Revision 10. 19013-C, ES-1.3, " Transfer to Cold Leg Recirculation," Revision 7. TIME WINDOW AVAILABLE to INITIATE THIS ACTION: FROM boundary condition T0 boundary condition - LLOCA 4r h / J26/ m RWST low-low level alarm complete realignment " LOC?- with containment spray operation - MLOCA h//syG)m RWST low-low level alarm, complete realignment no containment spray operation - SLOCA & h / /;fc? m RWST low-low level alarm, complete realignment SGTR no containment spray operation l TIME WINDOW AVAILABLE TO COMPLETE THIS ACTION: FROM boundary condition TO boundary condition (as above) MIN TIME WINDOW REQUIRED TO COMPLETE THIS ACTION: 11/8/91 82 c

VEGP IPE HRA - OPERATOR ACTION

SUMMARY

(p. 3 of 4) forActionNr:ji2, PRT Variable: 0 ara for event tree (s): SLOCA MLOCA ll0CA SGTR Action: Realian ECCS low oressure system for cold leo recirculation TASK ELEMENTS Subtask Step Equip't, MMI d/c Location Predre 19010-C verify cold leg ctrl rm E-1 rs: ire power to: step 12 c.nebility RHRP suction HV 8811A/B RHR pump RHR pump A/B RHRP discharge HV 8809A/B RHR HX operable RWST < 39 % E-1 s14 & foldout page Reset SI 19013-C ES-1.3 si verify CCW two CCW pumps ES-1.3 for RHR HX per train s2.a discharge s2.b press & flow NSCW cooling 2 NSCW pumps / train s2.c to CCW HX 4 NSCT fans / train align ECCS ES-1.3 for CL recire RHR pumps running s3.a RHR HL suc HV-8701A/B s3.b shut HV-8702A/B RHRP sump suc HV-8811A/B s3.c.2 valves open RHR disch HV-8716A/B s3.c.5 valves shut close RHR HV-8812A/B s3.f RWST valve s3.h , 83

.... _._. _ _... _ _. _._ _.__ _. _ _... _ _.m VEGP IPE HRA - OPERATOR ACTION

SUMMARY

(p. 4 of 4) for Action Nr:_jiar PRT Variable: 0 ara for event tree (s): SLOCA MLOCA LLOCA SGTR Action: Realian ECCS low orassure system for cold leo recirculation TASK ELEMENTS Subtask Step Equip't, MMI d/c Location Predre 19013-C verify flow paths ctrl rm ES-1.3 for RHR pumps CNMT sump LI-764 s4.a level > Sin LI-765 s5.a [23 in] RHR pumps s4.b running s5.b RHR isolation HV 8809A/B s4.c valves open s5.c RHR HX flow FI-618A s4.d > 500 gpm FI-619A s5.d 11/8/91

8.0 OARa: ALIGN ECCS LOW PRESSURE SYSTEM FOR COLD LEG RECIRCULATION PSF: cpx tim trn prc semi act str PSF: A B C D E F G PSF: 1 2 3 4 5 6 7 Ave. group importance weights GROUP 1 AVERAGE 4.6 6.1 9.7 9.1 7.1 4.3 5.1 Cornalized ave group importance weights 0.099 0.133 0.211 0.198 0.155 0.093 0.111 = 1 C.Ra EFFECT RATING N= 6 stej 1 8 7 10 10 7 7 7 tubj 2 5 4 8 8 7 5 5 subj 3 5 5 7 9 7 5 5 stbj 4 7 7 8 9 8 5 5 sub) 5 6 6 7 8 7 5 5 subj 6 6 5 8 7 4 5 4 23=ERE=3==EEEESSEE=EEEEEEEEEEEEEE=E=EEE==E=E===E===E===2=EEEEES Mean group effect ratings 0.617 0.567 0.800 0.850 0.667 0.533 0.517 C.Ra SCORES formalized group importance weights 0.099 0.133 0.211 0.198 0.155 0.093 0.111 Mean grote effect ratings 0.617 0.567 0.800 0.850 0.667 0.533 0.517 3E3332323E23333333333333332=E=EE33E=33333322332=E=S33=E=E233333 PSF Scores 0.061 0.075 0.168 0.168 0.101 0.050 0.058 j OARS SLI: 0.684 l Y I k I i e a + 1 i b I I t l l i ? t 85' l )

VEGP IPE HRA OPERATOR ACTION

SUMMARY

for Action Nr:_I_Q. PRT Variable: 0AS Action: Establish containment sorav recirculation Applicable Event Tree (s): Laroe LOCA (LLOCA) Medium LOCA (MLOCA) Small LOCA (SLOCA) SG Tube Ruoture (SGTR) AT without Trio (ATWT) Secondary Side Break (SSB) General Transients 4 / Ma. set have.-lo esh.b hsh S rec.i ee. -r-e e 2ecc>w

SUMMARY

DESCRIPTION OF REQUIRED ACTION: hq The primary goal behind this action is to maintain containment integrity to prevent / mitigate escape of fission products to the environment. Intermediate supporting goals are to avoid breaching containment integrity through overpressurization due to hydrogen combustion or steam concentration. Other intermediate goals of this action are to provide fission product scrubbing within. containment, and to provide cooling for the containment atmosphere and control sump pH. The immediate objective of this action is to realign the spray suction from the RWST to the containment sump in time to prevent cavitation of the spray pumps. CONTEXT - ACTIONS & EVENTS Preceding: Containment spray setpoint (Hi-3 cont. pressure (21.5 psig)) reached Spray pumps running and drawing from the RWST HHSI &/or LHSI aligned for cold leg recirculation RWST Empty (9%) level alarm setpoint reached Concurrent: Subsequent: Trip spray pumps when containment pressure < 15 psig SUCCESS / FAIL CRITERIA: At least one containment spray pump must be running and aligned to take suction from the containment sump. APPLICABLE PROCEDURE (S): 19013-C, (ES-1.3) " Transfer to Cold Leg Recirculation", Rev. 7 11/5/91 86 l _J

VEGP IPE HRA - OPERATOR ACTION

SUMMARY

(p. 2 of 3) for Action Nr:_fai PRT Variable: OAS Action: Establish containment sorav recirculation for event tree (s): LLOCA MLOCA SLOCA SGTR ATWT SSB TRANSIENTS TIME WINDOW AVAILABLF, TO INITIATE THIS ACTION: FROM boundary condition TO boundary condition - LLOCA d6 h / _IRQ' m Event initiation RWST Empty level - MLOCA CL 6 h / 23 Dim Event initiation (without RWST Empty level fan coolers) - SLOCA l'O h / IHQ'm Event initiation (without RWST Empty level AFW and fan coolers) - SGTR I'6 h / _ Igg'm Event initiation (without RWST Empty level AFW and fan coolers) - ATWT l'O h /,IRQ'm Event initiation (with a RWST Empty level consequential LOCA) I "3 h / _ Igg m Event initiation (with a RWST Empty level - SSB break inside containment) I'6 h / _ Igg'm Event initiation (with a RWST Empty level - TRANS consequential LOCA) TIME WINDOW AVAILABLE TO COMPLETE THIS ACTION: FROM boundary condition TO boundary condition - ABOVE h / IBQ'm RWST Empty level alarm RWST empty LIST 10 MIN TIME WINDOW REQUIRED TO COMPLETE THIS ACTION: __ min. (check with valve close/open times) e 11/5/91 87

VEGP IPE HRA - OPERATOR ACTION

SUMMARY

(p. 3 of 3) for Action Nr: /6L PRT Variable: 0AS Action: Establish containment sorav recirculation for event tree (s): LLOCA MLOCA SLOCA SGTR ATWT SSB TRANSIENTS TASK ELEMENTS Subtask Step Equip't, MMI d/c Location Procedure Verify RWST ctrl rm 19013-C Empty level (ES-1.3) (9%) s8 Reset Cont. slo.a Spray Establish

• communication Shut spray HV-8894A closed ctrl rm slo.b add tank iso HV-88948 closed valve closed Open CTMT HV-9002A open ctrl rm s10.c spray pump HV-9003A open sump isolat.

HV-9002B open s10.f valves HV-90038 open Close CTMT HV-9017A closed slo.d spray pump HV-9017B closed slo.g RWST isolat. valves Verify PI-0972 > 7 psig s10.e continued PI-0974 > 190 psig slo.f satisfactory PI-0973 > 7 psig operation

• PI-0975 > 190 psig
• Note:

Satisfactory containment spray pump operation after isolating the spray additive tank is verified by local observation of the containment spray pump suction and discharge pressure gauges. Communication with an operator stationed locally must be established prior to realigning containment spray for recirculation. 11/5/91 88: ..=

1 i 24.0 OAS: ESTABLISH CONTAINMENT SPRAY RECIRCULATION PSF: cpx tim trn prc semi act str PSF: A B C D E F G PSF: 1 2 3 4 5 6 7 d[ Ave gro@ importance weights GROUP 1 AVERAGE 4.6 6.1 9.7 9.1 7.1 4.3 5.1 ** Corsalized ave. group leportance weights 0.099 0.133 0.211 0.198 0.155 0.093 0.111 = 1 OAS EFFECT RATINGS N= 6 ~; subj 1 10 7 10 10 10 8 6 l subj 2 8 5 8 5 7 5 4 sub) 3 8 5 8 8 9 6 5 sub) 4 10 5 9 8 9 6 5 subj 5 8 3 9 8 7 7 8 i sihj 6 9 5 8 9 10 5 4 E3333333333333E=3333333333=3333E22==233s=33E===E===333s=3s223=3 ( mean gro g effect ratings 0.883 0.500 0.867 0.800 0.867 0.617 0.533 i COS SCORES Normalized group importance weights 0.099 0.133 0.211 0.198 0.155 0.093 0.111 j Mean group effect ratings 0.883 0.500 0.867 0.800 0.867 0.617 0.533 EEEEE33332EE=SE=2=Ez=EEEESEEEE3323=3E=3EE=232sas==z=3mz==233332 . PSF Scores 0.088 0.067 0.182 0.159 0.134 0.057 0.059 OAS SLI: 0.746 4, 6 I i i r i i i f t I i

Ouestion 7 The technique for human error rate prediction (THERP) is identified in the submittal as the method used to model recoven actions and the limited number of pre-initiator human errors. However, no details are provided in the submittal as to the specific human error types, data, and PSFs that were selected to quantify these errors. For instance, no examples of THERP event trees are provided in the submittal to indicate the level ofdetail ofmodeling using THERP. Please provide a discussion and example of the process used to quantify pre-initiator and post-initiator recovey-action human error events. Please illustrate this discussion with THERP event trees and data for each of the following human errors: - 206-EX1 - CBHV-BOPD - OLP-MLB - OFCI - RIAHXB i Resnonse 7 i i Application of THERP in the Vogtle IPE included the modeling of operator actions according to the associated hardware success criteria and incorporation of recovery factors where sufficient amounts of slack time exist for the tasks. These considerations provided a refined plant-specific HRA model of Vogtle plant. THERP event trees were not used in modeling the Vogtle human errors because incorporating the slack time recovery and the different combinations for the hardware success criteria becomes j extremely cumbersome. By modeling the operator actions with the LOTUS spreadsheet program, the essence of the THERP event tree is captured along with the applications of slack time recovery and hardware success criteria. The details in modeling and quantifying the operator actions 206-EX1, CBHV-BOPD, OLP-MLB and RIAHXB are provided in the following excerpts from the Vogtle HRA notebook. Operator action OFCI is a dependent event and is included in the details on dependency evaluation provided in the response to Question 9. 3.6.2 OPERATOR ACTION: ICWXV206-EX1 RESTORE VALVE U4-206 AFTER TEST During performance of ESF Chiller Pump and Discharge Check Valves Insenice Test, the operator is required to restore valve U4-206 to full open position. The test procedure is considered to be a long list and valve U4-206 does not have control room indication for immediate detection ofits misposition. 90

The restoration of valve U4-207 is completely independent of restoration of valve U4-206. That is, the test on valve U4-206 is completed and this valve is restored, then testing and restoration ofvalve 'U4-207 is conducted. l Reference Procedure (Steel VEGP 14809-1, Rev. 6; ESF Chiller Pump and Discharge Check Valves Inservice Test (5.1.11.1] The applicable procedure steps are provided as a markup in Appendix D i Subtask (s)

1. Open ESF chiller pump discharge valve 1-1592-U4-206 to full open position.

Note (s): 1. It is assumed that an independent verification is conducted on the re-alignment of components in this test. This verification is modeled as recovery. 2. For this equipment restoration activity, commission error is not credible; therefore, only enor of omission is modeled. l 1 i b 91 Y ^.-.-. -..~.T~::-, - ~~ ~~

m. m m._,m... ._.m TABLE 3.6.2a FAILURE MODEL RESTORE VALVE U4-206 AFTER IN-SERVICE TEST 1CwXV206-EX1 N Description QNd QNo QNe QNm QNr Notes I. ACTION (with use of procedure) 1,. Failure to restore valve U-206 to open Qlo C1m Q1r (see notes 2, 4, 5) position; (14809-1; step 5.1.11.11 II. ACTION (without use of procedure) 2 Failure to restore valve U.206 to open Q2o Olm Q1r (see notes 2, 4, 5) position; 114809 1; step 5.1.11.1) Calculated Parameter Formula 01m (1-Olm) Notes 1. QNd. Initial operator response during diagnosis 2. QNo. Errors of Omission; where CNo indicates formula for multiple components 3. QNc. Errors of Commission; where CNc indicates formula for multiple components 4. QNm. Failure to use procedure; where CNm a 1-QNm i S. QNr - Unproceduralized checking; where CNr indicates formula for unproceduralized checking multiplied by procedural 12ed recovery checking or verification ) where; 'N' (in general) corresponds to the row number of the described step; except in cases where an HEP is repeated. 92 .= ;

.-- ~.. - - .a TABLE 3.6.2b DATA FOR QUANTIFICATION RESTORE VALVE U4-206 AFTER IN-SERVICE TEST 1CWXV206.EX1 Nominal Probabilities Mult Data Comment Failure Description Mean variance Factor HEP Source Q1m Use written procedures during normal opwrating condition 1.30E 02 8.80E.05 1.000 1.30E-02 8 3 Q1o Omission (use procedure with checko!!) long L. int >10 items s.80E-03 7.90E.06 1.000 3.80E-03 15 3 Q1r Checiting routine tasks checker using written materials 1,6CE-01 4.20E-02 1.000 1.60E-01 31 3 Q2o omission wnen available written procedures are not used 8.10E.02 1.00E-02 1.000 9.10E-02 18 3 C1m (1-Q1ml 9.87E-01 -- HEP is equal to Nominal Mean times Multiplicative Factor -- Data is taken from Appendix C, table C-2. Item numbers from table C-2 are quoted as source of data, commen*c 1. Due to the assumed operating crew experience. it is believed that failure to diagnose the event by not responding to.the appropriate alarm (s) is less than nominal: thus, a multiplicative factor of 0.1 is applied. 2. Commission errors are believed to be less than nominal due to operator experience and proper labeling of equipment and controls; thus, a multiplicative tcetor of 0.1 is applied. 3. Low stress level is assumed; a multiplier of 1.0 is applied, (Reference 6, Table 20-16). 4. Moderate stress level is assumed; a multiplier of 2.0 is applied, (Reference 6. Table 20-16). 5, High stress level is assumed; a multiplier at 5.0 is applied, (Reference 6, Table 20-16). 6. Unproceduraltred checking by 2 people; a multiplier of 0.1 is applied to item 33 of DATA SOURCE. 7. Step is not proceduralized: a multiplier of 2.0 is applied. 8. Slack time recover / is applied: medium dependency is applied to the HEP for unproceduralized checking; this is evaluated ass (1 + 6N) / 7, where N a 6.1E.02. Thus, a multiplier of 0.21 is applied. 9. slack time recovery is applied; high dependency is applied to the HEP for unproceduralized checking; this is evaluated ast (1 + NI / 2, where N = 0.1E-02. Thus, a multiplier of 0.54 is applied. 93

TABLE 3.6.2c QUANTIFICATION CF RESTORE VALVE U4 206 AFTER IN-SERVICE TEST ICWXV206-EX1 Index Formula Calculation Resu ....................................................................................................................l - I. ACTION (with use of procedurel 1, Q1r'Cim'tQ1o) 1.60E-01 9.87E 01 ' ( 3.80E-03 6,00E.04 II ACTION (without use of procedure) 2. Q1r*01m*(02cl 1.60E.01 1.30E-02

• ( 8.10E.02 1.68E.04 I

Total 7.69E-04 i 1 1 1 i l l i 94

V 3.6.15 OPERATOR ACTION: CBIIVAC-SBO OPEN INVERTER ROOM DOORS ON LOSS OF ALL AC During station blackout, the control building HVAC system is unavailable to cool the DC bus and inverter rooms. The operator is required to open the doors to the inverter rooms so that DC power will be available to run the turbine driven AFW pump. Success is defined as opening 4 of 4 inverter room doors within 60 minutes; the actual time to complete the actions is estimated to be about 10 minutes. Reference Procedure (Sten] VEGP 19000-C, Rev. 9; E-0 Reactor Trip or Safety injection [3] VEGP 19100-C, Rev. 9 ECA-0.0 Loss of ALL AC Power [14c] The applicable procedure steps are provided as a markup in Appendix D Subtask (s) 1. Recognize no power to AC emergency busses 2. Openinverter room doors Note (s): 1. It is assumed that the operators are trained in performing this task. 2. High stress level PSF is applied because of the station blackout accident scenario. 3. The entire operating crew (including shift supervisor and shiR technical advisor) is assumed to be present and slack time is believed to exist. Therefore, unproceduralized checking recovery is applied to all steps. 95

.. ~ .-..... -... ~.. , --..~.- . -. ~. TABLE 3.6.15a FAILURE MODEL OPEN ItNEPTER ROOH DOORS ON LOSS OF ALL AC CBHVAC-SBO N Description QNd QNo QNC QNm QNr Notes I. DIAGNOSIS 1. Failure to recognize no power to AC Q1o Q1r (see notes 2, 5) emergency busses; (19000-C. step 31 II, ACTION 2. Failure to open 1 of 4 inverter room C2o 02r (see note 2) doors; (19100-C, step 14c) Calculated 4 Parameter Formula C2o Q2o*4 Notes 1. QNd. Initial operator response during diagnosis 2, QNo - Errors of Omission; where CNo indicates formula for multiple components 3. QNc - Errors of Commission: where CNc indicates formula for multiple components 4. QNm - Failure to use procedurer where CNm = 1-QNm S. QNr - Unproceduralized checking; where CNr indicates formula for unproceduralized checking multiplied by procedurali:ed recovery checking er verification where:

• N' tin generall corresponds to the row number of the described step; except in cases where an HEP is repeated.

96

. ~. ..-._..m._ TABLE 3.6.lSb DATA FOR QUANTIFICATION OPEN ItWERTER ROOM DOORS ON LOSS OF ALL AC CBHVAC-SBO Nominal e. Probabilities Mult Data Comment Failure Description Mean variance Factor HEP Source Q1o Omission tuse procedure with checkoff) Sho rt List <=10 items 1.30E-03 8.80E-07 5.000 6.50E-03 16 5 Q1r Special short-term, one.of.a.ktnd checking with alert factors 8.10E.02 1.00E-02 0.500 4.05E-02 33 5,6 Q2o Omission (use procedure with checkoff) Short List <=10 items 1.30E-03 8.80E-07 5.000 6.50E-03 14 5 Q2r Checking routine taskoi checker using written materials 1.60E.01 4.20E-02 5.000 8.00E-01 31 5 C2o Q20*4 2.60E-02 -- HEP is equal to Nominal Mean times Multiplicative Factor -- Data is taken from Appendix C. table C-2. Item numbers from table C.2 are quoted as source of data. comments 1. Due to the assumed operating crew experience, it is believed that failure to diagnose the event by not responding to the appropriate alarmtst is less than nominal; thus, a multiplicative factor of 0.1 is applied. 2. Commission errors are believed to be less than nominal due to operator experience and proper labelling of equipment and controls; thus. a multiplicative factor of 0.1 is applied. 3. Low stress level is assumed; a multiplier of 1.0 is applied, (Reference 6. Table 20-16). 4. Moderate stress level is assumed; a multiplier of 2.0 is applied, (Reference 6, Table 20-16). 5. High stress level is assumed; a multiplier of 5.0 is applied, (Reference 6 Table 20-16). 6. Unproceduralized checking by 2 people; a multiplier of 0.1 is applied to item 33 of DATA SOURCE. 7. Step is not proceduralized: a multiplier of 2.0 is applied. 8. Slack time recovery is applied; medium dependency is applied to the HEP for unproceduralized checking; this is evaluated ass (1 + 6Ni / 7, where N 8.1E-02. Thus, a multiplier of 0.21 is applied. = 9. Slack time recovery is applied; high dependency is applied to the HEP for unproceduralized checking; this is evaluated as: t1 + N) / 2, where N 8.lE-02. Thus, a multiplier of 0.54 is applied. I i 97

TABLE 3.6.1Sc QUANTIFICATICN OF OPEN INVERTER ROOM DOORS ON LOSS OF ALL AC CBHVAC-5BO Index Formula Calculation Result I. DIACNOSIS 1. Q1r*(Q1ol 4.0!E-02

• (

6.50E-03 i 2.63E.04 i II. ACTION ( 2.60dO2 ) l 2. Q2r*(C2ol 8.00E-01 2.08E.02 i 1 Total 2.11E 02 98

3.6.7.1 OPERATOR ACTION: OLP STOP RHR PUMPS (WITHIN 30 MINUTES) DURING SLOCA OR MLOCA The operator is required to prevent operating RHR pumps on miniflow for longer than 30 minutes, during an accident, if the RCS pressure exceeds 300 psig. Stopping the RHR pumps is necessary to protect them, in cs.se there is inadequate component cooling water to the pumps or heat exchangers. The operator is also required to monitor the RCS pressure, and restart the RHR pumps if the RCS - pressure falls below 300 psig. l Success is defined as stopping both RHR pumps within 30 minutes from the accident initiation. Restarting at least 1 of 2 RHR pumps, when required, is sufficient to supply water to the RCS. The actual time to complete this task is estimated at 5 minutes. Reference Procedure ISten! VEGP 19010-C, Rev. 7, E-1 Loss of Reactor or Secondary Coolant [9a,b,c; CAUTION] The applicable procedure steps are provided as a markup in Appendix D Subtask (s) 1. Recognize RCS pressure > 300 psig 2. Reset SI 3. Stop 2 RHR pumps 4. Start RHR pumps when R.CS pressure < 300 psig ) l Note (s) l. It is assumed that the operators are trained in performing this task. i 2. High stress level PSF is applied to all steps in this event since this task is performed in the early part of the LOCA accident; stress level is believed to be moderate or low much later in the LOCAs sequences. 3. The entire operating crew (including shift supervisor and shift technical advisor) is assumed to be present and slack time is believed to exist. Therefore, unproceduralized checking recovery is applied to all steps. 99

1' TABLE 3.6.7.la FAILURE MODEL STOP RHR PUMPS (WITHIN 30 MINUTES) DURING SLOCA CR MLOCA OLP l N-Description QNd QNo-QNc QNm QNr Notes 1. -DIAGNOSIS 1. Failure to realize RCS pressure greater Olo Q1c Qlr (see notes 2, 3, 5) than 300 psig; (VEGP 19010-C4 (9a.1]) .II. ACTION 2. Failure to reset SI; Q2o Q2c Qlr (see notes 2, 3, 5) (VEGP 19010; (9bl) 3, . Failure to stop 1 of 2 RHR pumps; C3o C3e Q1r (see notes 2, 3, 5) (VEGP 19010; (9c)) 4'. IFailure to realize RCS pressure lowers to Q4o Q4c Q1r (see notes 2, 3, Si c 300 psig; (VEGP 19010-C; (CAUTION]) -5. . Failure to restart 2 of 2 RHR pumps; C5o C5c Q1r (see notes 2, 3, 5) (VEGP 19010; (CAUTION]) Calculated Parameter Formula - C3o Q3o*2 C3e Q3c'2 C5o 05o*0.15 C5c QSc*0.15 Notes 1. QNd - Initial operator response during diagnosis 2. QNo - Errors of Omission; where CNo indicates formula for multiple components 3. QNc - Errors of Commission; where CNe indicates formula for multiple components 4. QNm - Failure to use procedures where CNm = 1-QNm 5. QNr - Unproceduralized checking; where CNr indicates formula for unproceduralized checking multiplied by proceduralized recovery checking or verification i l where 'N' (in general) corresponds to the row number of the described step; except in cases t where an HEP is repeated, I s 100 i V -... -. ~. _.. -.

+ u.. -....mm. .~ .m -._~.---m..- - _ _ ~. - .mm .a_-x s-. TABLE 3.6.7.1b DATA FOR QUANTIFICATION STOP RHR PUMPS IWITHIN 30 MINUTES) DURING SLOCA OR MLOCA OLP Hominal Probabilities Mult Data Coment rallure Description Mean Variance Factor HEP Source Q1c Misread display on Digital Readout N. 4 digits) 1.20E-03 8.80E-07 0.500 6.00E-04 52 2,5 Q1o Omission (use procedure with checkoff) long List slo items 3.80E-03 7.90E-06 5.000 1.90E-02 15 5 Q1r Special short-term one-of.e-kind checking with alert factors 8.10E.02 1.00E-02 0.500 4.05E-02 33 5,6 Q2c Select wrong control from panel with clearly drawn mimic lines 1.30E-03 1.10E-05 0.500 6.50E-04 22 2,5 j Q2o omission (use procedure with checkoff) long List >10.tems 3.80E-03 7.90E.06 5.000 1.90E-02 15 5 Q3c Select wrong control f rom panel with clearly drawn mimic lines 1.30E-03 1.10E-05 0.500 6.50E-04 22 2,5 Q3o Omission tuse procedure with checkoff) long List 210 items 3.80E-03 7.90E-06 5.000 1.90E-02 15 5 Q4c Misread display on Digital Readout W. 4 digits) 1.20E-03 8.80E-07 0.500 6.00E-04 52 2,5 Q4o Quission (use procedure with checkoffl long List slo items 3.80E-03 7.90E-06. 5.000 1.90E-02 15 5 ) QSc Select wrong control from panel with clearly drawn mimic lines 1.30E-03 1.10E-05 0.500 6.50E-04 22 2,5 Q5o Onission tune procedure with checkof fl long List >10 items 3.80E-03 7.90E-06 5.000 1.90E-02 15 5 j c3o Q3o*2 3.80E.02 c)e Q)c'2 1.30E-03 c5o Q5o*0.15 2.85E-03 C5c QSc*0.15 9.75E-05 -. HEP is equal to Nominal Mean times Multiplicative Factor

• • -- Data is taken from Appendix C, table C-2.

Item numbers from table C-2 are quoted as source of data. Comments 1 Due to the assumed operating crew experience. It is believed that failure to diagnose the event by not responding to the appropriate alarmtsi is less than nominal; thus, a multiplicative factor of 0.1 is applied. I 2. Commission errors are believed to be less than nominal due to operator experience and proper labeling of equipment and controls; thus, a multiplicative factor of 0.1 is applied. 3. Low stress level is assumed; a multiplier et 1. 0 is applied, (Reference 6, Table 20-16). l i 4. Moderate stress level is assumed; a multiplier of 2.0 is applied, (Reference 6, Table 20-16). 1 l 5. high stress level is assumed; a multiplier of 5.0 is applied, (Reference 6, Table 20-16). 6. Unproceduralized checking by 2 people; a multiplier of 0.1 is applied to item 33 of DATA SOURCE. 7. Step is not proceduralized; a multiplier of 2.0 is applied. 8. Slack time recovery is applied; medium dependency is applied to the HEP for unproceduralized checking; this is evaluated as: (1 + 6N) / 7 where N : 8.1E-02. Thus, a multiplier of 0.21 is applied, 9. Slack time recovery is applied; high dependency is applied to the HEP for unproceduralized checking; this is evaluated as: (1 + N) / 2, where N a B.1E-02. Thus, a multiplier of 0.54 is applied. 101 1

m._ __m._.m TABLE 3.6.7.1c QUANTIFICATION OF STOP RHR PUMPS (WITHIN 30 MINUTES) DURING SLOCA OR MLOCA OLP Index Formula Calculation Result 1. DIAGNOSIS 1. Q1r'401o+01cl 4.05E-02 ( 1.90E-02 + 6.00E-04 1 7.94E-04 II. ACTION 2. 01r*(02c+02c) 4.05E-02 ( 1.90E.02 + 6.50E-04 1 7.96E-04 3, Q1r*(C3o+C3c) 4.05E-02 ( 3.80E-02 + 1.30E-03 1 1.59E-03 4, 21r*(Q4c+04c) 4.05E-02 1 1.90E-02 + 6.00E-04 1 7.94E-04 5. 01r*(C5o+C5c) 4.05E-02 ( 2.85E-03 + 9.75E-05 1 1.19E-04 Total 4.09E-03 l l l I 102

3.6.16 OPERATOR ACTION: 1DCIIURGXFMRIAIIXB TRANSFER 120V AC TO REGULATED TRANSFORMERS Loss of two 120V AC panels, l AYl A AND 1BYlB, causes a reactor trip and failure of power to the SSPS cabinets. - Assuming that failure of the two 120V AC panels is due to the power supplies and not the panels themselves, the operator is required to transfer the panels to the regulated transformers. Success is defined as transferring 2 of 2120V AC panels to the regulated transformers within 30 minutes; the actual time to complete the actions is estimated to be 16 minutes. Reference Procedure lSteni VEGP 18032-1, Rev. 4; Loss of 120V AC Instrument Power [A13, Cl3] VEGP 13431-1, Rev 6; 120V AC IE VitalInstmment Distribution System [4.2.1.l; 3; 4] The applicable procedure steps are prosided as a markup in Appendix D SubtaskM 1. Respond to l AY1 A & 1 AYlB panel alarms 2. Dispatch operator to perform local transfer 3. Ensure regulated transformer breaker closed 4. Open AC breaker from transformer 5. Close AC breaker from regulator transformer source Note (s): 1. It is assumed that the operators are trained in performing this task. 2. High stress level PSF is applied because of the urgency of the accident scenario. 3. The entire operating crew (including shift supervisor and shift technical advisor) is assumed to be present and slack time is believed to exist. Therefore, unproceduralized checking recovery is i applied to all steps. 103

TABLE 3.6.16a FAILURE MODEL TRANSFER 120VAC TO REGULATED TRANSFORMERS 1DCHURCXFMRIAHXB N Description QNd QNo QNc QNm QNr Notes I. DIAGNOSIS 1. Failure to tespond to 1 of 2 alarms Qld Q1r (see notes 1, 5) for failed 1AY1A & B panels II, ACTION 2. Failure to dispatch operator to transfer C2o Q1r (see notes 2, 5) 1AY1A or B; (18032-1, steps A13, C131 3. Failure to ensure Reg. Trans. bkr closed; C3o C3e Q2r (see notes 2, 3, 5) (13431-1, step 4.2.1.1) 4. Failure to open instru. dist, panel AC bkr C40 C4c Q2r (see notes 2, 3, 5) from Trans; (13431-1, step 4.2.1.3) 5. Failure to close instru. dist. panel AC bkr C50 C5c Q2r (see notes 2, 3, 5) from Reg. source; 113431-1, step 4.2.1.41 Calculated Parameter Formula C2o Q2o*2 C3o Q3o*2 C3e Q3c'2 Coo Q40'2 C4c Q4c'2 C5o 05o'2 C5c 05c'2 i Notes 1. QNd Initial operator response during diagnosis 2. QNo - Errors of Omission; where CNo indicates formula for multiple components 3. QNC - Errors of Commission; where CNe indicates tormula for multiple components 4. QNm - Failure to use procedure; where CNm = 1-QNm 5. Qr!r - Unproceduralized checking; where CNr indicates formula for unproceduralited checking multiplied by procedurall-ad recovery checking or verification where:

• N' (in v.Leral) corresponds to the row number of the described stept except in cases I

where an HEP is repeated. 104 s

--....~ - .a I TABLE 3.6.16b DATA FOR QUANTIFICATION TRANSFER 120VAC TO REGULATED TRANSFORMERS 1DCHURGXFMRIAHXB Nominal Probabilities Mult Data Comment Failure Description Mean Variance Factor HEP Source Qld Respond to 1 of N alarms with 2 annunciator alarming 1.60E-03 1.60E-05 0.500 8.00E-04 40 1,5 Q1r Special short-term, one-of-a-kind checking with alert factors 8.10E-02 1.00E-02 0.500 4.0$E-02 33 5,6 . Q1o omission tune procedure with checkoff) Short List c.10 items 1.30E-03 8.80E-07 5.000 6.50E-03 14 5 Q2r checking routine tasks: checker using written materials 1.60E-01 4.20E-02 5.000 8.00E-01 31 5 C3C Select wrong circuit breaker in a group of circuit breakers 6.20E-03 2.20E-05 0.500 3.10E-03 29 2,5 Q3o omission tuse procedure with checket t) Short List c.1U items 1.30E-03 8.80E-07 5.000 6.50E-03 14 5 Q4c select wrong circuit breaker in a group of circuit breakers 6.20E-03 2.20E-05 0.500 3.10E-03 29 2,5 Q4o cuission tuse procedure with checkof f s Short List==10 items 1.30E-03 8.80E-07 5.000 6.50E-03 14 5 Q5e Gelect wrong circuit breaker in a group of circutt breakers 6.20E-03 2.20E-05 0.500 3.10E-03 29 2,5 Q5o omission tune procedure with checkof f) Short List <=10 items 1.30E-03 8.80E-07 5.000 6.50E-03 14 5 C2o Q2o*2 1.30E-02 C3a Q30'2 1.30E-02 C3c Q3c'2 6.20E-03 C4o 940'2 1.30E-02 i c4c Q4c'2 6.20E-03 c5o 05c'2

1. 30 E-02 4

c5e Q5c'2 6.20E-03 1 1 -- HEP is equal to Nominal Mean times Multiplicative Factor Data is taken from Appendix C, table C-2. Item nurr.bers f rom table C-2 are quoted as source of data, 1 comments 1. Due to the assumed operating crew experience, it is believed that failure to diagnose the event by not responding to the appropriate alarm (s) is less than nominal; thus, a multiplicative factor of 0.1 is applied. 2. Commission errors are believed to be less than nominal due to operator experience and proper labeling of equipment and controls; thus, a multiplicative factor of 0.1 is applied. 3. Low stress level is assumed; a multiplier of 1.0 is applied, (Reference 6. Table 20-16). 4. Moderate stress level is assumed; a multiplier of 2.0 is applied, (Reference 6, Table 20-16). 5. High stress level is assumed; a multiplier of 5.0 is applied. IReference 6, Table 20-16). 6. Unproceduralized checking by 2 people; a multiplier of 0.1 is applied to item 33 of DATA SOURCE. 7. Step is not procedura11 zed; a multiplier of 2.0 is applied. 8. Slack time recovery is applied; medium dependency is applied to the HEP for unproceduralized checking; this is evaluated ast (1

• 6N) / 7, where N = 0.1E-02.

Thus, a multiplier of 0.21 is applied. 9. Slack time recovery is applied; high dependency is applied to the HEP for unproceduralized checking; this is evaluated as: 11 + Ni / 2, where H = 8.lE-02. Thus, a multiplier of 0.54 is applied. 1 105 l l 4 c --m e.=: v e--- e + er-ar p.. -.w.,-- .. ~. -., -.... -... -... - = - - - - - _ -.

TABLE 3.6.16e QUANTIFICATION OF TPANSFER 120VAC TO REGULATED TRANSFORMERS 1DCHUBGXFMRIAHXB Index Formula Calculation Result l 1 I DIAGNOSIS i 1. Olr*(C1d) 4.05E-02 ( 8.00E-04 1 3,24E-05 II. ACTION 2. 01r*(C2o) 4.05E-02 ( 1.30E-02 1 1 5.26E-04 3. Q2t*(C3o+C3cl 8.00E-01 ( 1.30E.02 + 6.20E-03 ) 1.54E-02 I 4. Q2r*(C4o.c4c) 8.00E-01 ( 1.30E-02 + 6.20E.03 ) 1.54E-02 5. 02r*(C5c+C5c) 8.00E-01 ( 1.30E-02 + 6.20E-03 ! 1.54E-02 Total 4.66E-02 t i 106

Ouestion 8 In applying PSFs the consideration of time is imponant. The submittalis not clear on how " time factors" (available time and required time) were calculated and incorporated in the analysis of the various response-and recovery-type post-initiator human events. Please provide the information requested in 8a and b below for the following human actions: - OATa - OFCI - OATb - OFC2 - OATc

a. The available time estimated for the operator action and the bases for the time chosen.

Include in your discussion how different available times were calculated for the same task but different sequences.

b. The required time estimated for the operator action and the process used to determine the time required. For example, simulator observations, walk-down inspection of procedures, operator interviews, and so on, could be used to measure or estimate the time necercy for the operator (s) to complete the action.

Response 8a. and 8b, Time windows (that is, the available time) for post-initiator human actions were generally based on event sequence timing from the IPE success criteria analyses. Times required to perform response-type actions were initially estimated by the HRA and IPE analysts, and subsequently reviewed by SNC personnel familiar with Vogtle operations. Those actions quantified using the SLIM method (e g., OATa, OATb, OATc) were then presented to the Vogtle operating crews during the SLIM expert sessions. The operators were asked to comment on the timing specified for each action assessed, and where there were any discrepancies between the listed timing and the operators' stated experience for the actions, the operators evaluated the timing performance shaping factor based on their experience and training (e.g., simulator exercises, available job performance measure information, and so forth). For the SLIM assessment, the operators evaluated the procedural steps required and i the time available to accomplish a given action, and assigned an appropriate weighting and ranking to the timing performance shaping factor; a specific time to complete was not assessed. If the operators considered the available time to be suflicient to accomplish the task, an appropriate ranking was assigned; however, if the operators considered the available time to be insuflicient, credit would not have been taken for the action as defined. Recovery-type actions were identified and defined in conjunction with the Independent Review Group reviewers and Vogtle operations personnel. The times required to perform such actions were based on input from these operations personnel using, where available, specific timing data from job performance measure (JPM) exercises. 107

For the specific actions mentioned in this question, the peninent information is as follows. Actions OATa, OATb, and OATc are response-type actions quantified using the SLIM method. These are variations of the action to terminate safety injection following different events, each involving somewhat different procedural steps and event-specific timing. The timing information was obtained from the detailed event-specific thermal / hydraulic analyses performed tojustify the Vogtle IPE success criteria. Additional information regarding the IPE success criteria analysis methodology is provided in Section 3.1.3 of the Vogtle IPE Report. Action OATa is defined as the action to terminate safety injection following a secondary side break in order to avoid overfilling the pressurizer. The time window (available time) for this action, per the Vogtle IPE success criteria analysis for secondary side break events, is the time from event initiation to the time the pressurizer would overfill, and is approximately 10 minutes. Action OATb is defined as the action to terminate safety injection in order to avoid overfilling the steam generatcr, and transfer to normal charging and letdown following a steam generator tube rupture. The available time for this action, per the Vogtle IPE success criteria analysis for steam generator tube rupture events, is the time from successful isolation of the ruptured steam generator to the time the steam generator would overfill, and is approximately 10 minutes. Action OATc is defined as the action to terminate safety injection and transfer to normal charging following a small LOCA. The available time for this action, per the Vogtle IPE success criteria analysis for small LOCA events, is the time from event initiation to the time that normal RHR can be aligned, and is approximately 3 hours. As discussed earlier, since these actions were quantified using SLIM, required action times were not defmed, but were implicitly considered by the operators in their assessment of the viability of the task and of the timing performance shaping factor. Actions OFCl and OFC2 are recovery-type actions quantified using the THERP method. These both represent local control of the turbine-driven AFW pump using the trip / throttle valve following a station blackout and loss of DC power (either upon depletion of the station batteries or following their failure due to loss of room cooling), but evaluated under two different sets ofconditions. Action OFC2 applies to the condition where the batteries become depleted. The time window (available time) for this action is 20 minutes, per the Vogtle IPE success criteria analysis for station blackout. The required time is 12 minutes, per a Vogtle Control Room Operator JPM for this action. Action OFCI is a version assumed in scenarios also involving failure of the operators to open the invener room doors, resulting in loss of DC power. Because of the possibility that indications from instrumentatio'n might not be available if equipment has failed due to loss of room cooling, the human error probability for OFCI was quantified using a high dependency relationship, OFCl = (1+0FC2)/2, Thus, it was assumed that the action could still be performed under these conditions, but that the operators might need more time and might be under more stress than would be the case if room cooling were available. This resulted in an HEP of 0.515 (i.e., verv little credit) for OFCl. 108

I Ouestion 9 4 It is not clear from the submittal how dependencies were addressed and treated in the post-initiator human reliability analysis (HRA). The performance of the operator is both dependent on the accident in progress and the past performance of the operator during j the' accident of concern. Improper treatment of these dependencies can result in the elimination of potentially dominant accident sequences and, therefore, the identification of significant events. Please provide a concise discussion and examples illustrating how dependencies were addressed and treated in the post-initiator HRA such that important accident sequences were not eliminated. The discussion should address the following: The 12 human error events modeled as dependent (listed on page 3-124 of the a. submittal) were identified as being modeled using 5 PSFs (stress in prior event, and time window, slack time, complexity, and type of procedural guidance for the second event). However, definitions and bases for these factors are not described in the submittal. P'.ase provide definitions of these factors and the basis for their use in modeling dependent events.

b. Quantification values associated with these factors are not described in the submittal.

i Please provide descriptions of how these factors were used in quantifying the 12 l dependent events. Response 9a. and 9b. The dependency evaluation covers positive dependency between events whereby failure on the first task increases the probability of failure on the second task. The evaluation does not cover negative dependency which implies that failure on the first task reduces the probability of failure on the second task; application of negative dependency produces results that may not be realistic. Dependencies are evaluated by the equations provided by THERP (NUREG/CR-1278, Tables 20-17 and 20-18). The dependency modeling is addressed as conditional probabilities based on the following set of criteria: a) Dependencies in manipulating 2 or more of the same type of component, by the same operator in the same procedure step are modeled as follows: 109

1. Failure to operate 2 of 2 controls (e.g., failure to start 2 of 2 pumps)is modeled with the second action having a low dependency of the first action. The model will reflect base human error probability (BHEP) x 0.05. However, we have applied moderate dependency which results in BHEP x 0.15.

If the operator manipulates both controls together, then complete dependency is assumed; that is, if one control is missed, the other is missed also.

2. Failure to operate 3 of 3 controls is modeled with the second action having a low dependency of the first action, and the third action having a moderate dependency on the previous actions. The model will reflect BHEP x 0.05 x 0.15.

3. Failure to operate N of N controls (N > or = 4) is modeled with the second action having a low dependency of the first action, the third action having a moderate dependency on the previous actions, and fourth and subsequent actions (each) having a high dependency on previous actions. The model will reflect BHEP x 0.05 x 0.15 x 0.5 x.. x 0.5. In general, we have assigned one high dependency value (0.5) for all founh and subsequent actions. Therefore, the joint conditional probability, for N > than 4, is evaluated by BHEP x 0.05 x 0.15 x 0.5.

4. Failure to operate hi of N controls (2 < Ni < N) is modeled by applying the appropriate dependency level (shown in 1,2 or 3 above) based on the value of hi. The binomial coeflicient of"hi out of N" shows up in this evaluation. For example, failure to operate 2 of 4 controls will reflect BHEP x 0.15 x 6. b) In selecting the critical subtasks for an operator action, each step of the applicable procedure (s) must be examined to determine its significance relative to system success. In most cases, subtasks that are recovery actions of, or redundant to, other previous subtasks are screened out because failure of those subtasks arejudged to be dependent on failure of the previous subtasks; total dependency relation between such actions is i assumed. This is particularly true in the selection of omission errors; depending on the structure of the procedure, if a step in one column of the procedure is missed, then i recovery steps provided in the alternate path will most likely be missed. i Some operator actions that involve verification of component status or system parameter are screened out because of total dependency relationship between the verification step and a previous step, or because the effects of not performing such verification could be realized in a subsequent step that is judged to be critical. In some scenarios, redundant subtasks are modeled using the dependency technique described in (a) above. An example of this is the actions in performing depressurization using the condenser (steam dumps) or using the atmospheric relief valves; the second option is modeled as being dependent on the first. I10 i m_. I

c) Dependencies between different (top) events are evaluated, based on factors such as: time window, slack time, complexity of tasks, and type of procedural guidance available. For this type of conditional probability evaluation, the analysis is performed using the event tree provided in Figure 1. The appropriate event tree path, for a given operator action, is agreed upon by the cognizant system analysts and HRA analyst. The starting point in Figure 1 is to determine the stress level of the first (or preceding) task. Iflow stress level was used for the first task, then use sheet 1 of 3; if moderate stress was used for the first task, use sheet 2; and if high stress, use sheet 3. The exercise continues with the aim of determining factors specific to the second task such as time window, slack time, complexity of the tasks (taking into account workload), and the type of procedural guidance. The end result is the deducing of the dependency level for the second task. Conditional Probabihties are then documented in Table I which summarizes and captures the factors considered in Figure i for each task. I11 l

. - -. ~ . ~.. _.. . ~... ~ FIGURE 1-. _ - - -. -.... - -. -.., r. .a..--.. stetst 6CvC. '! < el=Dow taav%f COMPLCatfY Cf tv*t or DCattenticy r02 Cr 890CCQUEAL Or r!sst 'Atg SC00hD YASE SLACE ?!"C SC0"N3 TA$E Gut DassCC LCvCL , r=, are.w n een' "CD t *.a._ t St.*Cd '!"C(5) =tGM ts15-=> 2as 'at< 00 .c

5 - a

.gc +

ws. tv 4C3

,gg, 1( t( 5 alGM IS LOW t f e.C "C S =CD t15 "CD 15 ( ?. (_ 30 ' !!"*' f

• NCC uggy S( $( 9 M[CM IU LQW tt* t ist fASE

) (LOW $totss) gy i "CD 5 L $ < 30 I CU MCD 3e e

t. < 60 CU"8tEY MCO w[GH 3( $( 5 M[GM ES LCW t t *_f WD MCD 5 1. 30 C2 LOW CSuptEX NCD

=0D CD LOW

t. > 60 StuptC

<D uc0 5L$( 30 CD

1. CD COMPLEY NCD wggm 0e5t5 MiGd I

rt< st=Dow SHEET 1 0F 3 112 _. _ _ _ _ _.. = _, _ _. _ _ _ _ _ _,. _ _ _ _ _ _ _

FIGURE 1 i sfacts wCWCL ' l =C w i = 0CPJ amount C:>*LCxtTv Or tv*C Or CCSCN0CasCT raA

r 8COCCDues4, Or ristf 'ata SCC::hD fatx SLACx 7tuC SCCONO TatX Gul:A<C LCvCL

rm. we ewn,en' "CD t f mo'. C

$. ACE *I"C(1) =tGM t *.a> tt Ja g fast 00 = LCM ". ( 15 = a t us'_ C r "C3 =tGM 0( t( 3 .tGw II LOW s f MO'.C NCO .c3 115 C5 atGH 15 ( '= <_ 35 C""*' C ' NC3 .ggu 0< $( 5 w!GH US LOW t t wtt tot fask < <etea f t tietts) T =0D 5L5( 33 CS =CD 30 ( f. <_ 60 CC wtCT NCD w[GN l 0( t( 5

• 1GM I

i f* LOW ttw'f NCD =0D $ 130 CS uCD crema EX NCD wtGH C3 LOW Te > 60 S t wtC TO wCD Si5( 30 CD MOD CCMptEY NCD wgGm 0( t( 5 MIGH to e et < vt=Dow SHEET 2 OF 3 113

---. ~. ..... -.. - -. - -.._.. ~ . - ~.. - -.. ~ - - -.. -. - _.. -. -. - - ~..., ~..... FIGURE 1 steC$1.CvCL 't=C vlN:CW A=0LNf captCxtiv 7 "8C 7 2C*CNDENCY ros y '#UCC:LanL y riest 'ASc SCOND fatu SLACE f!"C SC:",ND fASE OulCANCC LCvCL i .m..~...., ., c., i t un' f d 3,agg,..ggg3 me treat

• we.cs wn al@

(t 2 5 = a i !=s rest IU =;Cm

• . <_ l5 a.a
• "ust f u NCD

,9 3( t( 5 atGM I CS "CD T f u#'.C kCC utcn t1S .lcw 15 ( '. L 30 C0" f ' NCD .ggg 1<t<S MIGH IS ucg s t uot t 1st TASE (wicm sfacts) NCU atCM 5L$( 30 CS uCD 30 ( t. L 60 COM EY NCO wIGM ] Of 1( 3 MIGH { e L:w sto t i NCS wCD I t 130 ES uCD CatsPLEY NCD wtGM CS LOW ,...a tr e c NCD 5is( 30 CD wCD C3sPLEY NCD ugGs 0( t( s im

e..

ri<.iN o SHEET 3 0F 3 i 114

1 FIGURE 1 (continued) Notes

1. If Event Unconditional Failure Probability is less than or equal to 1.0E-02, then apply the conditional failure probability as follows a) 0.05 for low dependency; b) 0.15 for moderate dependency; and c) 0.5 for high dependency.

2. If Event Unconditional Failure Probability is greater than 1.0E-02, then evaluate conditional failure probability by the applicable equation as follows:

a) (1+19N)/20 for low dependency; b) (1+6N)/7 for moderate dependency; and c) (1+N)/2 for high dependency; Where, N is the unconditional failure probability of the dependent event. 3. Defmition of terms (used in Figure 1) are provided as follows: a) Time window - Available time to perform the required tasks before system failure occurs; b) Actual time - Estimated time to perform the required tasks; c) Slack time - " Time window" minus " Actual time"; d) Simple task - Activities consisting ofless than 10 steps, and not involving any specific operator interaction or dependency; e) Complex task - Activities consisting of 10 or more steps, and/or involving more than normal operator dependency; f) Clearly defined - Steps are such that operators do not have to shuffle between procedure procedures, and/or steps are not confusing or ambiguous. i l15 1 + ..ese e -s e er..s w = wp.e

d b. n o or CP dn. ob c o n r UP ycne dnel pe e v Dle Y R AM er M u r U d a e /e r S c alc o r le n N P CU O I T sc A it x s l/e e l U. s ir k pp I t a imm e s A o c T S c V a 1 E ra E. Y h 6 T C I 1 B I 1 t l A L n a T e u IB v tc A E A H tn s O e e m R d i n P T l e e p b I e a A D l N ia v O A IT I D N O e C maN s s e t r n t e S vE gn ide e c m er a P N e e m sa a C N e

APPENDIX Examoles of Dependency Evaluation for Vogtle II E This Appendix provides the dependency evaluation among operator actions in the Vogtle IPE. The dependency levels determined from this evaluation are summarized in Table HRA-Q9, below. Dependency evaluation is conducttd for the following events in the Vogtle HRA: a. OAC (cooldown & depressurize RCS) -- dependent on OAP (depressurize the primary side) during a SGTR event b. OAD (depressurize secondary side) -- dependent on OAI (isolate ruptured SG) during a SGTR event c. OAP (depressurize primary side) -- dependent on OAD (depressurize the secondary side) during a medium LOCA d. OAP (depressurize primary side) -- dependent on OAI (isolate ruptured SG) during a SGTR event e. OAR (establish cold leg recirculation) -- dependent on OAN (establish normal RHR) during a small LOCA f. OAS (establish CTMT spray recirculation) -- dependant on OAR (establish cold leg recirculation) during a large, medium or small LOCA, ATWS, transient, station blackout, or SGTR i g. OAT (terminate SI and transfer to normal charging and letdown)-- dependent on OAP (depressurize the primanj side) during a SGTR l h. OCR (insert control rods) -- dependent on OMG (trip MG sets) during an ATWS. i. OFC (Control of TDAFW pump) -- dependent on opening of doors during SBO j. CBHVAC-LOPD (Open inverter room doors) -- dependent on LOSP initiator 117

l ATWT Seauence One additional conditional probability evaluation is performed on a sequence of operator actions in ATWT initiating event sequence. This sequence of operator actions and their unconditional failure probabilities, derived from the SLIM methodology, are as follows: 1) ORT - 8.00E-03 (failure to initiate manual reactor trip); followed by 2) OMG - 4.40E-03 (failure to trip MG sets); followed by 3) OCR - 1.43E-02 (failure to insert control rods); followed by 4) OBR - 1.40E-02 (failure to execute emergency boration). The following dependency relationship is believed to exist among these events: a) OMG has a high dependency on ORT due to the time constraint b) OCR has a high dependency on ORT and OMG due to the time constraint c) OBR has a moderate dependency on OCR due to the actions toward the same goal. Therefore, the quantification of this sequence of events is as follows: HEP = 8.00E-03 x 5.00E-01 x 5.07E-01 x 1.55E-01 = 3.14E-04. This HEP is approximated to 3.00E-04. 118

TABLE HRA-Q9 CONDITIONAL PROBABILITY EVALUATION

SUMMARY

CASE PRECEDING EVENT DEPENDENT EVENT CHARACTERISTICS NAME NAME STRESS NAME TIMES TASKS PROCEDURE DEPENDENCY UNCOND. COND. LEVEL PROB. PROB. (Initiator) AVAILABLE ACTUAL SIMPLE / CLEAR / l COMPLEX UNCLEAR l LLOCA OAR-Moderate OAS-10 min < 2 min Simple; Clear Moderate 4.73E-04 1.50E-01 LPLL LLF 8 steps MLOCA OAD-Low OAP-20 min < 5 min Simple; Clear Low 2.00E-02 6.90E-02 MLA MLF 8 steps l MLOCA OAR-Moderate OAS-10 min < 2 min Simple; Clear Moderate 4.73E-04 1.50E-01 LPMLB MLFL 8 steps MLOCA OAR-Moderate OAS-10 min < 2 min Simple; Clear Moderate 4.73E-04 1.50E-01 HPML MLFH 8 steps SLOCA OAN-SL Moderate OAR-130 min < 5 min Complex; Unclear High 1.57E-03 5.00E-01 LPSLB > 10 steps l SLOCA OAR-Moderate OAS-10 min < 2 min Simple; Clear Moderate 4.73E-04 1.50E-01 LPSLD SLF 8 steps i SLOCA OAR-Moderate OAS-10 min < 2 min Simple; Clear Moderate 4.73E-04 1.50E-01 l HPSLB SLFH 8 steps TRANS OAR-Moderate OAS-10 min < 2 min Simple; Clear Moderate 4.73E-04 1.50E-01 j HPTR TRF 8 steps SSBO OAR-Moderate OAS-10 min < 2 min Simple; Clear Moderate 4.73 E-04 1.50E-01 HPSSO SSOF 8 steps P k i. l1 l ? 119

TABLE HRA-Q9 (Continued) CONDITIONAL PROBABILITY EVALUATION

SUMMARY

CASE PRECEDING EVENT DEPENDENT EVENT CHARACTERISTICS NAME NAME STRESS NAME TIMES TASKS PROCEDURE DEPENDENCY UNCOND. COND. l LEVEL PROB. PROB. (Initiator) AVAILABLE ACTUAL SIMPLEI CLEAR / COMPLEX UNCLEAR SSBl OAR-Moderate OAS-10 min < 2 min Simple; Clear Moderate 4.73E-04 1.50E-HPSSI SSIF 8 steps 01 ATWT OMG Moderate OCR-B 1 min < 1 min Simple; Clear High 1.43E-02 5.07E-1 step 01 ATWT OAR-Moderate OAS-10 min < 2 min Simple; Clear Moderate 4.73E-04 1.50E-HPATB ATF 8 steps 01 SGTR O Al-S G Moderate OAD-60 min 10 min Simple; Clear Low 3.97E-03 5.00E-SGN 5 steps 02 SGTR OAl-SG Moderate OAP-20 min < 5 min Simple; Clear Low 7.14E-03 5.00E-SGN 4 steps 02 I SGTR OAP-SGN Moderate OAT-10 min < 5 min Complex; Clear High 3.83E-03 5.00E-SGN > 10 steps 01 I SGTR OAP-SGI Moderate OAC-60 min 10 min Complex; Clear Moderate 8.37E-03 1.50E-SGIN > 10 steps 01 SGTR OAP-SGN Moderate OAC-60 min 10 min Complex; Clear Moderate 8.37E-03 1.50E-SGNN > 10 steps 01 SGTR OAR-Moderate OAS-10 min < 2 min Simple; Clear Moderate 4.73E-04 1.50E-3 HPSGB SGF 8 steps 01 120

TABLE HRA-Q9 (Continued) CONDITIONAL PROBABILITY EVALUATION

SUMMARY

CASE PRECEDING EVENT DEPENDENT EVENT CHARACTERISTICS NAME NAME STRESS NAME TIMES TASKS PROCEDURE DEPENDENCY UNCOND. COND. LEVEL PROB. PROB. l (Initiator) f AVAILABLE ACTUAL SIMPLE / CLEARI COMPLEX UNCLEAR SBO N/A High OFC 20 min 12 min Complex; Unclear High 2.93E-02 S.15E-01 LOSP N/A High CBHVAC-60 min 10 min Simple; Unclear Moderate 7.33E-02 2.06E-01 i ] LOPD 1 step ATWT N/A High ORT; ~ 10 min - 5 min Simple Clear High / See: 3.00E-04 OMG; moderate ATWT OCR; Sequence OBR Section in Appendix I i 4 l 121

Ouestion 10 The submittal provides no detailed discussion of HRA performed for post-core damage operator actions reported in the summary descriptions of the dominant sequences. In particular, sequences 2, 8,10,11,15,18,19 and 20 identify that " operator action is credited for isolation of cenain containment penetrations." However, very limited information is provided as to how this action was modeled using HRA methods. Therefore, please supply the following: Discuss the process used to identify and select this operator action for inclusion in the a. model. For example, the process may include review of operations procedures, discussion with operators or other plant support personnel on interpretation of procedures, on expected emergency response team activities, and so on. Include the steps taken to assure that selection of post-core damage recovery actions was based on careful examination of plant conditions, procedures, and practices.

b. The process used to quantify the human error probabilities of post-core damage human events was reported as SLIM. SLIM involves the assessment of plant-specific PSF information as a basis for interpolating between " anchor point" human error probabilities. Please explain how anchor points were selected for post-core damage human error probabilities and how the selection and evaluation of PSFs for the post-core damage actions were made.

c. How were dependencies addressed and treated in the post-core damage HRA? The performance of the operator is both dependent on the

ident ir progress and the past performance of the operator during the accident sequence of concern. Improper treatment of these dependencies can result in the elimination of potentially dominant Level 2 sequences and, therefore, the identification of significant events. Please provide a discussion, with examples illustrating how dependencies were addressed and treated such that important Level 2 sequences were not eliminated. If the IPE did not address such dependencies in the quantification, please justify this omission.

Resoonse 10 The Vogtle IPE did not include post-core damage operator actions. Only those actions that the operating crew would perform prior to core damage were included in the IPE model. Moreover, only those actions for which written procedures exist were specifically modeled. The operator action, OCI-Manually Isolate Containment, which was the source of this question, would be performed by the operators prior to core damage. This operator action is specifically identified in the Vogtle Emergency Operating Procedures, E-0 Reactor Trip or Safety Injection (Procedure No.19000, Revision 9), Step 7. The Vogtle Emergency 122

Operating Procedures are structured such that the operators are required to verify Containment Isolation Phase A has occurred following either manual or automatic Safety Injection which would proceed any accident sequence that would result in core damage. If Containment Isolation Phase A did not occur, the operators are instructed to manually actuate Phase A Containment Isolation which is the action specifically modeled by the Vogtle IPE. The operator action, OCI-Manually Isolate Containment, is not modeled as a post-core damage operator action. Although this operator action would be addressed very early in any core damage accident sequence as discussed above, it was purposely placed at the end of the Plant Response Trees (PRTs) for several reasons. First, the operator action to manually initiate Containment Phase A Isolation is not a core damage mitigation feature and therefore has no impact or influence on the out-come of the accident sequences in terms of preventing or mitigating core damage. Second, by placing this operator action at the end of the accident sequence, the PRT structures are simplified by not having to address this operator action for success sequences. Third, placing this operator action at the end of the PRTs provides for an orderly sequencing of only the core damage mitigation features which aides in the understanding and use of the PRT models. Lastly and most importantly, this operator action was specifically included to aid in the determination of the resulting core damage category assigned to each core damage accident sequence. This provides an important link between the Level 1 Plant Analysis and the Level 2 Containment Analysis. Since the Vogtle IPE did not include post-core damage operator actions, responses to parts a, b, and c are not applicable. 123

t VOGTLE - UNITS 1 AND 2 INDIVIDUAL PLANT EXAMINATION SUBMITTAL BACK-END QUESTIONS Ouestion 1 The Vogtle Units I and 2 IPE back-end results in the submittal showed that steam l generator tube rupture (SGTR) would lead to more than 10 percent release of volatiles with a frequency of 1.56E-6 per reactor year However, you have defined four SGTR functional sequences, SGE02BH, SGLIIBH, SGL20BH, and SGE158BH, that fall below the i reporting criteria and differ mainly by the core and containment cooling status defined in l Table 3.1-4, page 3-30. Because the containment cooling status is generally unimportant for SGTR sequences, please justify your position on not combining these sequences into one functional sequence. Response 1 The process of establishing a plant damage state encompassed the assignment of a designator reflecting the ECCS status as well as that for the containment heat removal. This designator was applied to all the PRT end states independent of the initiating eveut. This facilitated a consistent approach in establishing the link between Level I and Level II. The plant damage states then become the Level II functional sequences. Functional sequences are screened to form bins used for sequence selection in the source term analysis, this process is delineated in Section 4.7.2 of the submittal. The process recognized that the steam generator tube rupture cases were not dependent upon the ECCS injection or the status of containment heat removal. The four damage states or functional sequences SGE02BH, SGLilBH, SGL20BH and SGE15BH were combined as a single source term bin (ref. Table 4.7-3). Thus, although the process did not begin with the combination of these sequences into a single functional sequence, the process followed did combine them, thereby precluding their elimination due to screening on frequency. Question 2 In using the back-end screening criteria, the submittal has not listed the sequences that met the screening Criterion 3 ("any functional sequence that has a core damage frequency greater than or equal to IE-6 per reactor year and that leads to containment failure which can result in a radioactive release magnitude greater than or equal to the PWR-4 release category of WASH-1400") because this criterion was bounded by Criterion 1 ("any functional sequence that contributes lE-6 or more per reactor year to the core damage frequency (CDF)")(page 31 o the submittal). However, because of the potential risk importance, please identify whether any sequence met Criterion 3. If a sequence did meet criterion 3, describe the sequence and its contribution to predicted radionuclide releases. 124 ..~ - -,

Response 2 Sequences which meet criterion 3 have a frequency greater than IE-06 and a release greater than that specified in WASH-1400 as PWR-4. All functional sequences with a frequency greater than the specified cutotT frequency were identified through criterion 1. Releases meeting the PWR-4 results are equated to a volatile fission product release greater than 10%. Referring to Table 4.7-4, these would be release categories J, M, V and W (the other release categories in Table 4.7-4 exceeding 10% volatiles and not included in the above listing did not involve containment failure. These were cases of either a bypass or impairment). Assignment of release categories to the source term bins is contained in Table 4.7-7. A review of this table indicates that there are no bins with the release categories listed above, thus there are no sequences which resulted in a release of greater than that of PWR-4 with a frequency of IE-06, no sequences satisfied criterion 3. Ouestion 3 In response to the request from the Internal Review Group (IRG) to provide the technical basis for selection of 2-inch screening criterion for addressing containment isolation failures in the Vogtle IPE, Table 5.3-1, page 5-16 of the submittal, notes the following: A systematic review of the Vogtle containment penetrations concluded that there are no penetrations which connect directly to the containment atmosphere, penetrate the containment boundary, and are less than 2 inches in diameter that constitute potential isolation failures. What was the basic used for identifying " potential isolation failures?" What would be the release over 48 hours from a 2-inch containment isolation failure? Response 3 j Potential containment isolation failures as referred to in Table 5.3-1 are based upon the configuration of the line penetrating containment. A potential containment isolation failure would meet the following criteria:

1) The line must connect directly to the containment atmosphere, and

2) Penetrate the containment and end outside containment, (several smalllines loop out of containment through a sampling type device and return without being exposed to conditions outside containment), and

3) Remain normally open during plant operation, and

4) Receive an automatic signal to close and isolate.

I25 l I

A two inch line meeting these criteria would constitute a potential containment isolation failure. The review process for two inch lines is summarized in the submittal sub-section titled Containment Isolation Failure (under section 4.4.3 Failure Modes). It is stated that eight penetrations from Table 6.2.4-1 of the FSAR were identified which connect directly to containment atmosphere. Six are closed to the environment outside containment and the remaining two are isolated during normal plant operation. Hence, the conclusion noted above and on page 5-16 of the submittal, that there are no potential isolation failures of two inch diameter or less containment penetration lines. The release for a two inch line would be dependent upon the accident and timing of events. A sensitivity case for a failure to isolate was analyzed for a three inch line. These results are summarized in Table 4.7-12 of the submittal as sequence ll-N13. The three inch failure released 4.3% of the volatile fission products compared to 2.8% for the 8 inch line (base case). A two inch isolation failure would be comparable to that for the three inch line and the results would not necessitate a change in release category. Mo'deling of the line losses (not included in our analysis) would act to further reduce the predicted release. Question 4 As noted in Section 4.4.2, page 4-15 of the submittal, a 14.3-percent concentration of hydrogen for the Vogtle containment was calculated by assuming 100-percent oxidation of all zirconium and the lower core plate. Using a procedure of Sherman and Berman, you concluded that failure of the Vogtle containment as a result of hydrogen detonation was very unlikely. This conclusion is based on the condition that no obstacles exist in the path of the expanding unburned gases. However, obstacles in the path would cause detonation at lower concentrations thus increasing the likelihood of containment failure. Please describe whether, or how, you considered obstacles in the containment before arriving at such a conclusion. Resoonse 4 Deflagration to detonation transitions (DDT) were considered separately for the Vogtle annular, lower, and upper compartments in FAI/91-72, "Vogtle Electric Generating Plant Units I and 2 Phenomenological Evaluation Summary on the Probability and Consequences of Deflagration and Detonation of Hydrogen in Support of the Individual Plant Examination." All three containment regions were analyzed based on their geometric i configurations according to the methodology of Sherman and Berman. Additionally, since the lower and annular compartments were considered as channels with transverse venting, they were also assessed according to their mixture reactivity. 126

--u.e A The mixture reactivity assessment utilized scaling of detonation cell widths between the FLAME facility (small scale) and the reactor geometry. Results presented in FAI/91-72 indicate that the necessary detonation cell width is larger than the physical boundaries of either the annular or lower compartment. For instance, the minimum channel size required at the reactor scale to accelerate a flame to DDT given a 14.3% hydrogen concentration is 360 ft x 480 ft This compares to the annular and lower compartment dimensions between the 171 -9 and 213 elevations of 21 x 40 and 23 x 41, respectively. Based on the scaling assessment, there is no potential for DDT in the lower and annular compartments of the Vogtle containment. The Sherman and Berman methodology provides a procedure, based on engineering judgement, to estimate the potential for DDT. The procedure assumes that the potential for l DDT can be evaluated based on the mixture intrinsic flammability (detonation cell width) and type of geomety. Five classes of mixture sensitivity are defined ranging from class 1, most detonable, to class 5, least detonable. The mixture class can be readily assigned given a hydrogen mole fraction. Five geometry classes are also defined, ranging from 1, very favorable to DDT and featuring large geometries with obstacles and partial containment, to class 5 veg unfavorable to DDT and featuring large scale and complete unconfinement. The combination of mixture class and geometry class leads to a matrix of result classes which qualitatively describe the DDT potential. The result class matrix, taken from FAI/91-72 is shown in Table 4-1, below. Table 4-1 Matrix of Result Classes MIXTURE CL AS S Geometric Class 1 2 3 4 5 hiost Least Detonable Detonable 1 (Very favorable to DDT) 1 1 2 3 4 2 (Favorable to DDT) 1 2 3 4 5 3 (Neutral to DDT) 2 3 3 4 5 4 (Unfavorable to DDT) 3 4 4 5 5 5 (Very unfavorable to DDT) 4 5 5 5 5 l 127 m m

Result Class Description Result Class 1. DDT is highly likely. Result Class 2. DDT is likely. Result Class 3. DDT may occur. Result Class 4. DDT is possible but unlikely. i Result Class 5. DDT is highly unlikely to impossible. Based on a hydrogen molar concentration of 14.3%, the mixture class for any of the containment regions was selected as class 4: detonation unlikely. Based on containment walkdowns and a review of plant drawings, the lower and annular compartments were assigned geometric class 4: geometries unfavorable to flame acceleration Examples are large volumes with hardly any obstacles and a large amount of venting transverse to the flame path. DDT will usually not occur in a class 4 geometry. Both the annular and the lower compartment can be considered as channels with transverse venting due to extensive grating which allows good communication with the upper compartment. Similarly, upward flame propagation in both compartments will also be " vented" sideward because of the ring shape of the compartments. According the Table 4-1, a mixture class of 4 and a geometry class of 4 lead to a result class of 5: DDT is highly unlikely to impossible. Due to its large open volume, the upper compartment was considered an unconfmed geometry at large scale (geometric class 5) which is very unfavorable to flame acceleration. The combination of mixture class 4 and geometric class 5 again leads to result class 5: DDT is highly unlikely to impossible. Since the Sherman and Berman procedure is subjective, the sensitivity of the results to engineering judgement can be investigated by assigning each containment compartment a more conservative geometry class. That is, suppose that the lower and annular compartments are designated as geometric class 3: geometries that yield moderate flame acceleration, but are neutral to DDT. An example of this geometry is a large tube without obstacles. The result class changes to class 4: DDT is possible but unlikely. However, when this sensitivity result is considered in conjunction with the mixture reactivity assessment presented above, it is still sound to conclude that DDT is a highly unlikely event. 1 128

If the upper compartment geometry class changes from 5 to 4, the result class remains class 5: DDT is highly unlikely to impossible. In summary, the conclusion that DDT is highly unlikely is based both on an independent scaling assessment for the lower and annular compartments, and on the qualitative procedure of Sherman and Berman. Inputs for these assessments are derived from containment walkdowns and review of plant drawings. Finally, it has been shown above that there is suflicient margin in the analysis to account for the subjective nature of the procedure. Ouestion 5 You have assumed that only 2 percent of the entrained core debris would make it past the 90-degree turn from the instrument tunnel to the annual compartment (a debris mass of 2,800 lbs) (Section 4.4.2, page 4-16 o the submittal). This appears to be a relatively small fraction of melt participating in a direct containment heating (DCH). You have based this assumption in part on the special feature of the Vogtle cavity and instrument tunnel that enhances melt de-entrainment. Please provide the basis for assuming a value of 2 percent, including the role of the 90-degree turn from the instrument tunnel. Response 5 FAI/91-122, "Vogtle Electric Generating Plant Units I and 2 Phenomenological Evaluation Summary on Direct Containment Heating in Support of the Individual Plant Examination," provides the basis for determining that only 2% of the entrained debris mass would exit the reactor cavity instrument tunnel and reach the annular compartment. The technical basis is as follows. Sandia National Laboratory [ Walker,1987] developed a model for estimating the likelihood of debris particles not deflecting with the flow due to a change in flow direction, thus impacting structural boundaries of the flow path. The model was developed for the Zion seal table and instmment tunnel structure where the steam and debris escaping from the cavity makes a 90 degree turn to escape into the lower compartment. An analogous equation was used to describe de-entrainment of debris particles as gas makes a 90 turn to exit the Vogtle reactor cavity. The Zion and Vogtle cavity configurations are compared in Figure 5-1. The results of this plant-specific calculation indicate that only 2% of the entrained debris mass will reach the annular compartment. 129

Whereas the model of Walker accounts for a single 90 turn, core debris leaving the Vogtle reactor vessel will have to make two 90 turns before exiting the instrument tunnel to the annular compartment (see Figure 5-1). Also, at Vogtle, there is a concrete platform which extends part way across the instrument tunnel, forming a " lip" which further enhances debris de-entrainment. Thus, the 2% figure obtained from the Walker model is considered to be conservative.

Reference:

Walker, J. V.,1987, " Reactor Safety Research Semi-Annual Repon," NUREG/CR-5039, S AND87-2411. i 130 ..y.. ., -, +..,

Vogtle Cavity Configuration L - M: - n l'..l.

e: -s E s t j

a 4 ( '.e A :-seai ras e S t a t n g - f; E.f. g.3 W 's ur , s. c ( JL 5 4eaClor I.i { vessei hj

k.,....,,.

N

?^s*

,.l< p

n't E Ihi'

-e u a.. 2., .. >dc .Mc.9E

rF.C i

0

~f '.G. Q r .c 4 EM M E .) j i E I k I s...., a Zion Cavity Configuration seai Taoie y T

!.l

~ r. 3eoris Ei E nit Aeart:- vesse. Iaj h's. :. h, 3 ~G ~'-y,. > [i.is;. T/.1.91, c g.

' f. - ' ),

.:P 'B.( : T *. < (LWb"-3 t.'.;3.,9

• 'd

.1;..Bl.e'U..i.., :,

2.... g j

= 'i h.!. ~- h aa a ai s

• ..... n................ -ai.

si........... oi... Figure 5-1 Comparison of Vogtle and Zion cavity configuration. 131

Ouestion 6 i What was the amount of core material that was assumed to be released from the failed j vessel for each of the sequences analyzed? Describe the sensitivity analysis performed on the impact of the quantity of core material released. In particular, what is the impact of releasing 100 percent of the core material on containment performance and containment failure? Response 6 The amount of core material released from the failed vessel for each analyzed sequence is assumed to be identical and equal to 100% of the total core inventory (fuel, cladding, support and internal structures) of 350,000 lbm. Detailed MAAP results are contained in FAI/92-58, "Vogtle Electric Generating Plant Source Term Notebook," Vol. 3. Thus, the impact on containment due to 100% release is implicit in the analyzed source term sequences. No additional sensitivity sequences were necessary, nor performed, to quantify the effect of complete core release on containment performance. I i 132 L _}}