Text

Individual Plant Exam Insight Support Rept for NUREG-1150 Plants
	ML20094C741
Person / Time
Site:	Peach Bottom
Issue date:	08/04/1995
From:	Dingman S, Forester J, Staple B; SANDIA NATIONAL LABORATORIES
To:	; NRC
Shared Package
ML20094C670	List: ML20094C741;
References
	CON-FIN-W-6188, RTR-NUREG-1150 NUDOCS 9511020331
	Download: ML20094C741 (81)
	v • d • e

- - - . . _ .___. _ - ___ _. .

. . l l

l l

Peach Bottom Atomic Power Station Individual Plant Examination Insight Support Report for NUREG 1150 Plants NRC JCN W6188, Task 9 l

Bevan D. Staple Susan E. Dingman John A. Forester ,

i Sandia National Laboratories Risk Assessment and Systems Modeling Department August 4,1995 ,

4 Attachment 9511020331 951025 7 DR ADOCK 0500 A

D This page intentionally left blank L

k i

=

ii A

. - .- . . . -~ .. . - - _ . - _ . - - - . . -- . . _ . _ _ _ _ _ _ _ _ . _

s Acknowledgments The authors would like to thank Erasmia Lois fx her comments on a preliminary version of this report, which improved the technical content of the report. The authors would also like to thank Ellen Walroth for her assistance in preparing the report and Ruth Haas for providing technical editing.

4 i e 4

l

)

l iii A

6 This page intentionally left blank IV A

4 . .

4 Table of Contents Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iii Li st of Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii 4

Acron y m s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x E. EXEC UTIVE S UMMARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 E.1 Plant Characterization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 E.2 Licensee lPE Process . . . . . . . . . . . . . .......................... 1 E.3 lPE Analysis ............................................... 2 E.3.1 Front-End Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 E.3.2 Human Reliability Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 E.3.3 Back-End Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 E.4 Generic issues and Containment Performance Improvements . . . . . . . . . . 6 E.5 Vulnerabilities and Plant improvements . . . . . . . . . . . . . .......... . 7 E.6 Observations . . . . . . . . . . . . . . . . . . . ........ ... ........... .7 1

1. I NTR O D U CTI O N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 1.1 Review Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 9 1.2 Plant Characterization . . . . . . . . . . . . . . . . . . . . . .............. .9

2. TE C H N I C AL R EVI EW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 I 2.1 Licensee IPE Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 2.1.1 Completeness and Methodology - . . . . . . . . . . . . . . . . . . , . . . . . . 11 2.1.2 Multiunit Effects and As-Built, As-Operated Status . . . . . . . . . . . . 12 2.1.3 Licensee Participation and Peer Review . . . . ............... 13 2.2 Front End Technical Review . . . . . . . . . . . . . .................... 14 2.2.1 Accident Sequence Delineation and System Analysis . . . . . . . . . - 14 2.2.1.1 Initiating Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 2.2.1.2 Event Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 2.2.1.3 System Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 2.2.1.4 System Dependencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 2.2.2 Quantitative Process . . . . . . . . . . . . . . . . .. .... ....... 29 2.2.2.1 Quantification of Accident Sequence Frequencies . .... 29 2.2.2.2 Point Estimates and Uncertainty / Sensitivity Analyses . . . 30 2.2.2.3 Use of Plant-Specific Data . . . . . . . . . . . .. ... . .. 30 2.2.2.4 Use of Generic Data ....... ..................... 31 2.2.2.5 Common-Cause Quantification . . . . . . . . . . . . . . . . . . . 32 2.2.3 Interface lssues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 2.2.3.1 Front-End and Back-End interfaces . . . . . . . . . . . . . . . . . 33 2.2.3.2 Human Factors Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . 34 2.2.4 Internal Flooding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 2.2.4.1 Internal Flood Methodology . . . . . . . . . . . . . . . . . . . . . . . . . 34 2.2.4.2 Internal Flooding Results . . . . ........... ..... ... 34 v

A

_ _ . _ _ _ _ _ _ _ _ ___ _. _. ~ _ _ _ _ _ _ _ _ _ .. . _ _ . .

2.2.5 Core Damage Sequence Results . . . . . . . . . . . . . . . . . . . . . . . . . . 36 l l 2.2.5.1 Dominant Core Damage Sequences . . . . . . . . . . . . . . . . 36 l

2.3 Human Reliability Analysis Technical Review . . . . . . . . . . . . . . . . . ... 38 i 2.3.1 Pre-Initiator Human Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 i j 2.3.1.1 Pre-Initiator Human Actions Considered . . . . . . . . . . . . . . . 38 i 2.3.1.2 Process for Identification and Selection of Pre-Initiator .

Human Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

) 2.3.1.3 Screening and Quantification Process for Pre-Initiator

Human Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 i

2.3.2 Post-Initiator Human Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

2.3.2.1 Types of Post-Initiator Human Actions Considered . . . . . . 40 2.3.2.2 Process for identification and Selection of Post-Initiator i H uman Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 2.3.2.3 Screening Process for Post-Initiator Response Actions . . . 41 ;

2.3.2.4 Quantification of Post-Initiator Human Actions . . . . . . . . . . 41 2.3.2.4.1 Consideration of Timing ................,.. 42 2.3.2.4.2 Other Performance Shaping Factors Considered . 43 2.3.2.4.3 Quantification of Recovery Actions . . . . . . . . . . . 43 2.3.2.4.4 Consideration of Dependencies . . . . . . . . . . . . . . 44 2.3.2.4.5 Treatment of Operator Actions in the Internal Flooding Analysis . . . . . . . . . . . . . . . . . . . . . . 45 2.3.2.4.6 Sequences Screened Out Due to Credit for Recovery Actions . . . . . . . . . . . . . . . . . . . . . . . 45 2.3.2.4.7 Treatment of Operator Actions in the Level 2 Analysis . . . . . . . . . . . . . . . . . . . . . . . . , 46 2.3.2.51mportant Human Actions . . . . . . . . . . . . . . . . . . . . . . . . . . 46 2.4 Back End Technical Review ........................ ......... 48 2.4.1 Containment Analysis / Characterization . . . . . . . . . . . . . . . . . . . . . 48 2.4.1.1 Sequences with Significant Probabilities . . . . . . . . . . . . . . . 48 2.4.1.2 Failure Modes and Timing . . . . . . . . . . . . . . . . . . . . . . . . . . 48 2.4.1.3 Containment Isolation Failure . . . . . . . . . . . . . . . . . . . . . . . 55 2.4.1.4 System / Human Responses . . . . . . . . . . . . . . . . . . . . . . . . . . 55 2.4.1.5 Radionuclide Release Characterization . . . . . . . . . . . . 55 2.4.2 Accident Progression and Containment Performance Analysis . . . 58 2.4.2.1 Severe Accident Progression . . . . . . . . . . . . . . . . . . . . . . . 58 2.4.2.2 Dominant Contributors: Consistency with IPE Insights . . . . 59 2.4.2.3 Characterization of Containment Performance . . . . . . . . . 61 2.4.2.4 Impact on Equipment Behavior . . . . . . . . . . . . . . . . . . . . . 62 2.4.2.5 Uncertainty and Sensitivity Analyses . . . . . . . . . . . . .... 62 2.5 DHR, Other GSI/USIs and CPI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 2.5.1 Evaluation of Decay Heat Removal . . . . . . . . . . . . . . . . . . . . . . 63 2.5.1.1 Examination of DHR . . . . . . . . . . . . . . . . . . . . . . . . . 63 2.5.1.2 Diverse Means of DHR . . . . . . . ...... ........... 63 2.5.1.3 Unique Features of DHR . . . . . . . . . . . . . . . . . . . . . . . . . . 63 2.5.1.4 D H R Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 2.5.2 Other GSI/USIs Addressed in the Submittal . . . . . . . . . . . . . . . . . 64 2.5.3 Responses to CPI Program Recommendations . . . . . . . . . . . . . . 64 vi A

2.6 Vulnerabilities and Plant Improvements . . . . . . . . . . . . . . . . . . . . . . . 65 2.6.1 Vulnerability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 2.6.2 Proposed improvements and Modifications . . . . . . . . . . . . . . . . . . 65 2.6.3 IP E ln sights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS . . . . . . . . . . . . . . . . . 66

4. DATA S U MMARY S H E ETS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 REF E RE N C E S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 vii A

l l

List of Tables E.3.1-1 Comparison of the Peach Bottom IPE and NUREG/CR-4550 General Accident Class Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.2.1.1-1 Comparison of the Peach Bottom IPE and NUREG/CR-4550 l Initiating Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 2.2.1.1-2 Comparison of the Peach Bottom IPE and NUREG/CR-4550 Success C riteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 2.2.1.2-1 Comparison of the Peach Bottom IPE and NUREG/CR-4550 Event Tree Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 2.2.2.3-1 Comparison of Plant-Specific Data from the Peach Bottom IPE and NUREG/CR-4550 . . . . . . . . . ............ ............... 31 2.2.2.4-1 Comparison of Generic Data from the Peach Bottom IPE and N U REG /C R-4550 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ....... 32 l 2.2.2.5-1 Comparison of Common Cause Events from the Peach Bottom IPE .

and NUREG/CR-4550 . . . . . . . . . . . . . . . . . . . . . . . . . . . . ....... 33 ,

l 2.2.3.2-1 Human Interaction Comparison (Selected) . . . . . . . . . . . . . . . . . . . . . . 35 2.2.5.1.-2 Comparison of the Peach Bottom IPE and NUREG/CR-4550 General Accident Type Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 2.4.1.2-1. Summary of Treatment of Challenges in the Peach Bottom Containment Safety Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 2.4.1.2-2 Timing, Size, and Location for Postulated Containment Failure Modes . . 52 2.4.1.1-3 Containment Failure Sizes Considered in the IPE .~.1d NUREG-1150 . . . 53 2.4.1.1-4 Summary of NUREG-1150 and IPE Failure Location and Type Assessment . . . . . . . . . .............. ........... .. ....... 54 2.4.1.5-1 Definition of IPE Release Magnitudes . . . . . . . . . . . . . . . . . . . . . . . . . . 56 2.4.1.5-2 Comparison of IPE and NUREGICR-4551 Releases . . . . . . . . . . . . . . . . 57 2.4.2.2-1 Containment Failure as a Percentage of CDF: Peach Bottom Results

. Compared with Peach Bottom NUREG/CR-4551 Results and with other IPE Results for Plants with Mark i Containments . . . . . . . . . . . . . . . . . . 60 2.4.2.3-1 Comparison of IPE and NUREG/CR-4551 Containment Performance . . . 61 viii 1

A l

)

) .

i Acronyms

AC Alternating current

- ADS Automatic Depressurization system ASEP Accident Sequence Evaluation Program ATWS Anticipated transient without scram

BNL Brookhaven National Laboratory BWR Boiling water reactor CDF Core damage frequency j CPI Containment Performance improvement i CRD Control rod drive

! CS Containment spray DC Direct current

. DHR Decay heat removal

EDG Emergency diesel generator EOP Emergency Operating Procedures

EPG Emergency Procedure Guidelines

EPRI Electric Power Research Institute i FSAR Final safety analysis report

GSI Generic safety issue HEP Human error probability HPCI High-pressure coolant injection HPSW High-pressure service water HRA Human reliability analysis IPE Individual plant examination ISLOCA interfacing systems loss-of-coolant accident LOCA Loss-of-coolant accident LOOP Loss of offsite power LOSP Loss of offsite power LPCI Low-pressure coolant injection LPCS Low-pressure core spray MSlV Main steam isolation valve NRC Nuclear Regulatory Commission PCS Power Uonversion system PDS Plant damage states PRA Probabilistic risk analysis PSF Performance shaping factor RCIC Reactor core isolation cooling RHR Residual heat removal RMIEP Risk Methods Integration and Evaluation Program RPV Reactor pressure vessel i SAIC Science Applications Intemational Corporation I S00 Station blackout l SDC Shutdown cooling l SLC Standby liquid control i SNL Sandia National Laboratories l SPC Suppression pool cooling '

ix i

I

^

l

l SRV Safety relief valves TER Technical evaluation report j UFSAR Updated final safety analysis report USI Unresolved safety issue i

4

)

y 4

4 k

i I j

i a

l i

X A

l

! E. EXECUTIVE

SUMMARY

) This report describes a review of the Peach Bottom Atomic Power Station Individual

Plant Examination (IPE) submittal by Sandia National Laboratories (SNL). The purpose l of the review was to evaluate the completeness of the licensee's IPE submittal relative

to what was requested in Generic Letter 88-20 and to evaluate the reasonableness of l the results, findings, and conclusions in the licensee's submittal. Because the IPE

submittal being reviewed is for a plant that has already been analyzed by the Nuclear

! Regulatory Commission (NRC)'in the,NUREG-1150 study, the major objective of this

review was a comparison between the results of the IPE submittal and the results of the NUREG-1150 study as documented in NUREG/CR-4550 Vol. 4, Rev.1 and NUREG/CR-4551 Vol. 4, Rev.1. With this objective in mind, the reader should understand that the material presented will differ from other technical evaluation reports performed for other plant submittals.

This report summarizes the results of the comparison between the front-end, human reliability analysis (HRA), and back-end portions of the IPE and NUREG-1150 analyses of the Peach Bottom Atomic Power Station. The comparisons are based on information contained in the IPE submittal [ Generic Letter 88-20] and the detailed documentation of the front-end [NUREG/CR-4550] and back-end (NUREG/CR-4551] analyses of Peach Bottom performed for the NUREG-1150 study.

E.1 Plant Characterization The Peach Bottom Atomic Power Station is a General Electric BWR/4 reactor with a Mark I containment. The primary containment consists of the traditional inverteet light bulb steel drywell and steel torus wetwell design with a suppression pool of water typical of the Mark i design. The secondary containment consists of the reactor building, which surrounds the primary containment and contains refueling equipment and spent fuel storage facilities, Peach Bottom has all of the typical BWR/4 Mark I systems and features. Additional features are listed below.

Uniaue Peach Bottom Features

. Four diesel generaturs with the flexibility of cross-tieing buses.

Residual heat removal and high-pressure service water cross-tieing capability.

E.2 Licensee IPE Process The technique used for the level 1 PRA was a small event tree /large fault tree technique. This is clearly described in the submittal. Internal initiating events and internal flooding were considered. Event trees were developed for all classes of initiating events. System descriptions were provided and the development of component-level system fault trees was discussed, intersystem dependencies were discussed in the system descriptions and a table of system dependencies was provided.

Data for quantification of the models were;provided, including common cause data. The 1

A

application of the' technique for modeling intemal flooding was described in the i submittal. The techniques used for performing importance analyses were not clearly described in the submittal. However, these were clarified in a follow-up conversation with the utility as being risk reduction measures. Overall, the methodology used in the front-end analysis is consistent with that requested in Generic Letter 88-20.

The HRA process for the Peach Bottom IPE addressed both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions l

. (performed as part of the response to an accident). Pre-initiator actions considered included both miscalibrations and restoration faults. Post-initiator actions included both l response-type and recovery-type actions. Procedure reviews, discussions with operations and training staff, and observations of simulator training sessions helped ensure that the IPE represented the as-built, as-operated plant. The primary HRA '

technique was the Electric Power Research Institute (EPRI) method described in EPRI NP 6560-L (EPRI NP-6560-L) . In addition, two other methods were used for !

comparison to ensure that the derived human error probabilities (HEP) were realistic and representative. Plant-specific performance shaping factors and dependencies were -

apparently considered to some degree, but no explicit examples of the HEP quantification process were provided. Human errors were identified as important contributors in accident sequences leading to core damage, and human performance-related enhancements were identified, particularly in regard to the incorporation of Revision 4 of the BWR Owners Group Emergency Procedure Guidelines.

Specific differences between the IPE and the Peach Bottom NUREG/CR-4550 PRA

[NUREG/CR-4550] process are discussed in Section E.3.2 for pre- and post-initiator human actions.

The methodology used to perform the back-end (i.e., Level 2) analysis is consistent with the guidance provided in GL $8-20 and NUREG-1335. The Level 2 portion of the Peach Bottom IPE was p6 normed using containment event trees that were quantified using functional fault trees. Separate event trees were constructed for each accident class. The Level 1 and Level 2 event trees were directly linked; however, the Level 1 results were grouped into plant damage states for presentation of results. Also, the structure and quantification of the Level 2 event trees was based on evaluations for the functional plant damage states (accident classes), rather than separate phenomenological evaluations for each sequence.

E.3 IPE Analysis E.3.1 Front-End Analysis A review of the front-end of analysis of the Peach Bottom IPE submittal reveals that it is essentially complete with respect to the type of information and level of detail requested in Generic Letter 88-20. In addition, the review did not identify any significant problems or errors in the front end. It should be noted that the IPE included a thorough identification and evaluation of plant-specific initiating events, and a detailed flooding analysis.

2 A

! As a part of the review, the front-end analysis of the IPE submittal and NUREG/CR-4 4550 were compared. The dominant accident class contribution to core damage

frequency (CDF) is shown in Table E.3.1-1 for both the Peach Bottom IPE and

NUREGICR-4550.

I Table E.3.1-1

Comparison of the Peach Bottom IPE and NUREG/CR-4550 General Accident Class Results i Accident Type Mean CDF % of Total Mean CDF ,

I Peach NUREG/CR 4550 Peach NUREG/CR 4550 Bottom IPE Bottom IPE Loss of Offsite 1.37E 6 8.5E-8 24.8 1.9 Power Station Blackout 4.79E-7 2.1E-6 8.7 48.9 ATWS 1.44E-6 1.0E-6 26 42.2 Transients 1.50E 6 1.4E-7 27.1 3.1 LOCA 5.95E-7 2.7E-7 10.8 5.8 Special Initiators

-intomal Flooding 1.47E-7 Screened out 2.6 Screened out (negligible (negligible contributor) contributor)

-Loss of DC Bus <1 E-8 <1 E-8 <0.5% <0.5%

-Loss of AC Bus <1 E-8 <1 E-8 <0.5% <0.5%

Total 5.53E-6 4.5E-6 100 100 Significant PRA findings on the front-end review are as follows:

. The mean CDF estimate from intemal events, including flooding, for Peach Bottom is 5.53E 6/yr. This frequency is comparable to the mean value af 4.%8/yr for the NUREG/CR-4550 analysis of Peach Bottom and is well below the genvic safety goal of 1E-4/yr.

Station blackout (8.7% or 4.79E-7/yr ) is not a dominant contributor to CDF in the IPE submittal compared with the results from the NUREG/CR-4550 analysis of Peach Bottom (49.9% or 2.1E-6/yr ). On the other hand, loss of offsite power (24.8% or 1.37E-6/yr ) , excluding blackouts, is a dominant contributor to CDF in the submittal compared with the results from the NUREG/CR-4550 analysis of Peach Bottom (1.9% or 8.5E-8/yr ). These differences between the two studies are not unexpected given that there are differences in the models (e.g., the ability to cross-tie EDGs existed in the IPE submittal but not in NUREG/CR-4550) and data (as discussed in Sections 2.2.2.3 through 2.2.2.5) used in both studies. It is also 3

A

j

, possible that sequences that were labeled as station blackout (SBO) in one analysis were labeled LOSP transients in the other analysis. In light of these differences and the fact that the total frequency core damage from loss of offsite power and blackout sequences is about the same for both studies, the result appears reasonable.

Transients are a more dominant contributor to CDF (27.1% or 1.5E-6/yr ) in the submittal than in the NUREG/CR-4550 analysis of Peach Bottom (3.1% or 1.4E-7/yr) because these sequences were deemed to fall below 1E-8/yr in NUREG/CR-4550.

. LOCAs are more than twice as important in the IPE (10.8% or 5.95E-7/yr) as in NUREG/CR-4550 (5.8% or 2.7E-7/yr). The differences are due to the higher initiating event frequencies used in the IPE than in NUREG/CR-4550. In addition, vessel rupture, which contributes a CDF of 9.0E-8/yr to the IPE results, was only qualitatively assessed and eliminated from further analysis in NUREG/CR-4550.

Overall, the licensee's treatment of core damage sequences is complete with respect to the information requested in NUREG-1335, and in light of the comparison with NUREG/CR-4550, appears reasonable.

E.3.2 Human Reliability Analysis While the HRA review of the Peach Bottom IPE submittal did not identify any significant problems or errors, the following points were noted:

. The submittal indicates that IPE-related work was primarily performed within the utility, with contractor support in specialized areas. One specialized area noted ,

was the reevaluation of certain human errors based on incorporation of Revision 4 of the EPGs. While reviews of the documentation indicate that a viable process was in place for confirming that the HRA portions of the IPE represent the as-built, as-operated plant, it appears that credit was taken for some aspects of the Revision 4 procedures even though training had not yet been completed, e.g., the loss of offsite power (LOOP) procedure. In addition, no specific mention was made of any HRA-related walkdowns and no mention was made of any discussions with appropriate personnel regarding pre-initiator human actions. Nevertheless, appropriate procedures apparently were reviewed and interviews and observations of training simulations for post-initiating events did occur.

. Essentially all potential pre-initiator restoration faults were completely screened out in the IPE. NUREG/CR-4550 found that failure to restore the standby liquid control (SLC) system after testing was an important event for ATWS sequences and therefore it could be argued that the event should have been explicitly modeled in the IPE. However, total core damage frequency from anticipated transient without scram (ATWS) sequences is about the same for both studies.

4 A

~ . . _ _ . _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ . . _ _ _ _ _ _ . _ _ _ _ _ _ _ _ _ _ _ _ _ . . _ _ _ _ _ .

. . The treatment of post-initiator events appeared to be reasonably complete in l scope and both response-type and recovery-type actions were included. The numerical screening value used for post-initiator actions was iower than the value ;

traditionally used to ensure that significant human events are not eliminated. l However, a low cutoff frequency was used. While the HRA methods described as !

being used to quantify the post-initiator actions appeared viable, the main weakness of the post-initiator HRA was the lack oi &ny examples or documentation that demonstrated the actual quantification process for response or recovery actions.

E.3.3 Back-End Analysis The back-end portion of the IPE submittal provided the information requested in the IPE Submittal Guidance. Significant PRA findings on the back-end portion of the IPE submittal are as follows:

Cases with no containment failure represented 46% of the CDF. In NUREG/CR- )

4551, cases with no containment failure were much lower,18%. The difference )

appears to be the result of two factors. First, the IPE credited the results of NRC-sponsored work that was completed after NUREG/CR-4551 that indicated a lower probability of drywell liner melt-through than had been used for NUREG/CR-4551.

Second, the IPE has a smaller contribution from ATWS sequences, and so a lower ,

percentage of cases with containment failure / venting before core damage. '

Consistent with the difference in cases with no containment failure, the IPE submittal reported a lower relative contribution to CDF from early failures (28%),

and a higher relative contribution from late failures (26%).

The most frequent release category in the IPE was a low-low release (less than 0.1% Csl release) with an early release (0 - 6 hr). The most frequent release category from NUREG/CR-4551 was high release (greater than 1 % Csl release) with an intermediate release (6 - 24 hr). This difference is consistent with the differences in containment performance discussed above.

After the release categories were further grouped, the highest frequency releases were found to be those with little/no release or low risk impact (versus moderate or high release). The differences obsented in the equivalent NUREG/CR-4551 results appear to be due to the different containment performance results discussed above.

5 l

A i . _ _ - - ___

i . .

} E.4 Generic issues and Containment Performance improvements l In accordance with the resolution of USl A45, the licensee specifically examined the j decay heat removal (DHR) function for vulnerabilities. The licensee used both quantitative design objectives from the NRC staff and qualitative insights from past A-45 studies as input for the analysis of the adequacy of DHR. In the submittal, the licensee concluded that no vulnerabilities associated with DHR exist, since the total CDF from a loss of DHR was below the screening criteria in NUREG-1289. No plant modifications

! were judged to be cost beneficial. The utility's diverse means of DHR were identified '

and their benefits explored. These include the main condenser and feedwater systems, the high- and low-pressure emergency core coolant system (ECCS) with containment

cooling, the four modes of residual heat removal (RHR) at shutdown, the torus cooling,

and the high-pressure service water system. The unique features at Peach Bottom that j

directly affect the ability to provide Dh3 include a wetwell hard-pipe vent for i

< containment heat removal and four shared emergency diesel generators with cross-tie i j capabilities that allow for DHR during certain loss of offsite power events. I I

in the IPE submittal, the licensee indicated that it has chosen not to evaluate for closure ,

4 the other unresolved safety issues (USis) and generic safety issues (GSis) that remain l open for Peach Bottom at present.

1 l'

The IPE addressed the recommendations for plants with Mark l containments from the Containment Performance Improvement (CPI) Program, as summarized below-

Alternate Water Suoolv for Drvwell Sorav/ Vessel Iniection: The submittal indicated that Peach Bottom already has alternative injection / spray capability because it (1) has the capability to inject high-pressure service water through the RHR system, and although the system is ac-dependent, it has the capability of cross-tieing; and (2) it has procedures for using fire water for vessel injection through the RHR system.

e Enhanced Reactor Pressure Vessel (RPV) Deoressurization System Reliability:

The submittal discusses the DC and nitrogen dependencies of the safety relief valves, but the design does not appear exceptional relative to other BWR Mark I plants. No commitments were made toward the CPI objective of enhanced reliability in station blackout.

Emeroency Procedures and Trainina: As recommended by the CPI program, Peach Bottom has implemented Revision 4 of the BWR Owners Group Emergency Procedures Guidelines and is in the process of training the operators.

Torus Hard-Pioe Vent: The IPE submittal indicated that Peach Bottom is committed to installing the hard-pipe vent during the fall of 1992. This vent is in addition to the smaller hard-pipe vent from the torus that was modeled in the NUREG-1150 analysis.

6 A

E.5 Vulnerabilities and Plant improvements i

j in Section 3.4.2 of the IPE submittal, the licensee defined vulnerability as any failure 4

mode, single failure, or combination of a small number of failures not used to create a

support state (such as diesel failure in the LOSP event tree) that disproportionately contributes to the overall CDF. The submittal states that even though no quantitative

limits were placed on the contribution to CDF, a qualitative evaluation identified no

vulnerabilities. ,

! l

Based on insights from the front-end anal/sis, the licensee identified one plant

kmprovement: an enhancement to the f.OSo procedure (SE-11) which includes detailed

[ instructions to cross-tie emergency electrical buses and recognizes interunit interactions

! to improve the responses necessary for the safe shutdown of both Peach Bottom units during a LOSP. This procedure was schedulad for implementation in December 1992; it j

was credited in the submittal, but the impact of the plant improvement in terms of the change in CDF was not discussed.

E.6 Observations A review of the front-end of analysis of the Peach Bottom IPE submittal reveals that it is essentially complete with respect to the type of information and level of detail requested in Generic Letter 88-20. In addition, the review did not identify any significant problems or errors in the front end. It should be noted that the IPE included a thorough identification and evaluation of plant-specific initiating events, and a detailed flooding analysis.

A comparison of the front-end analysis of the IPE submittal and NUREGICR-4550 reveals some differences between the results, particularly for loss of offsite power and i station blackout sequences. However, the differences between the two studies were not unexpected given that there were differences in the success criteria, models (e.g.,

the ability to cross-tie emergency diesel generators (EDGs) existed in the IPE submittal ,

but not in NUREG/CR-4550), and data ( to be discussed in Sections 2.2.2.1 and 2.2.2.3 )

through 2.2.2.5) used in both studies.

Overall, the review of the front end analysis of the Peach Bottom IPE submittal reveals i that it is essentially complete with respect to the type of information and level of detail l requested in Geaene Letter 88-20 and, in light of the comparison with NUREG/CR- l 4550, appears reesonable. !

The HRA review of toe Peach Bottom IPE submittal did not identify any significant problems or errors. A viable approach was used in performing the HRA and only relatively minor differences were found between the IPE and NUREG/CR-4550. The most important weaknestes of the IPE HRA ine:uded complete screening of all pre-initiator restoration faults sad a lack of any examples or documentation that demonstrated the actual quentification process for post-initiator response or recovery actions.

7 A

1 I

No significant problems or errors were identified in the back-end analysis. There were differences between the IPE and NUREG/CR-4551 results, but those differences are rious sequenus to e CDF and the IPE's ;

use of re rre t a al se for he d i i

I i

I l

q i

i 1

i i

i l

1 8

I l

t A

. _ _ _ . _ . _ . _ . _ _ _ --_-.____ _ _~_________- - _ ________

l . .

1. INTRODUCTION 1.1 Review Process This technical evaluation report (TER) documents the results of a review of the Peach

, Bottom Atomic Power Station Individual Plant Examination (IPE) submittal by Sandia

! National Laboratories (SNL). The purpose of the review was to evaluate the completeness of the licensee's IPE submittal relative to what was requested in Generic l Letter 88-20 and to evaluate the reasonableness of the results, findings, and

conclusions in the licensee's submittal. Because the IPE submittal being reviewed is for a plant that has already been analyzed by the Nuclear Regulatory Commission (NRC) in the NUREG-1150 study, the major objective of this review was a comparison between the results of the IPE submittal and the results of the NUREG-1150 study as documented in NUREG/CR-4550 Vol. 4, Rev.1 and NUREG/CR-4551 Vol. 6, Rev.1.

With this objective in mind, the reader should understand that the material presented will differ from other TERs performed for other plant submittals.

This report summarizes the results of the comparison between the front-end, human reliability analysis (HRA), and back-end portions of the IPE and NUREG-1150 analyses of the Peach Bottom Atomic Power Station. Section 2 of the TER summarizes SNL's review, briefly describes the Peach Bottom submittal, and compares the results with the NUREG-1150 Peach Bottom results. Section 2 also outlines the insights gained, plant improvements identified, and utility commitments made as a result of the IPE. Section 3 presents SNL's overall observations and conclusions. Section 4 contains IPE data summary sheets for the Level 1, human reliability analysis, and Level 2 analyses.

1.2 Plant Characterization The Peach Bottom Atomic Power Station is located in southeastern Pennsylvania, it is about 38 miles northeast of Baltimore, Maryland, and 63 miles southwest of Philadelphia, Pennsylvania.

Peach Bottom consists of two General Electric Company designed BWR-4 plants with Mark I containments (units 2 and 3). Each unit's rated thermal power is 3293 MWth, with an electrical output of 1065 MWe, important safety systems include:

e turbine-driven, high-pressure coolant injection (HPCI) system o turbine-driven reactor core isolation cooling (RCIC) system o automatic depressurization system (ADS) e motor-driven core spray system o low-pressure coolant injection (LPCI) mode of residual heat removal (RHR) system 9

A

1

The primary containment consists of the traditional inverted light bulb steel drywell and steel torus wetwell design with a suppression pool of water typical of the Mark I design.

l The secondary containment consists of the reactor building, which surrounds the primary containment and contains refueling equipment and spent fuel storage facilities.

Section 1.2 of the IPE submittal lists plant-specific design and operating features that tend to lower the core damage frequency (CDF) and radionuclide releases. These

, features are:

e Four 100% capacity RHR pumps and heat exchangers e Four diesel generators with the flexibility of cross-tieing buses e RHR and high-pressure service water (HPSW) cross-tie capabilities I l

e Drywell and pedestal can be flooded to a depth of 2.5 ft before spillover into torus I e Drywell floor is the same elevation as the pedestal e Diverse sources of water for cooling and injection ,

o main steam isolation valve (MSIV) closure at Level 1 l e High head condensate pumos e anticipated transient without scram (ATWS) prevention and mitigation measures j e Emergency operating procedures are based on Revision 4 of the BWR Owners ;

Group Emergency Procedures Guidelines '

i 10 A

. - . - . - - - - . . . - . - _ . . - ~ - -_____- ____- __

i i

2. TECHNICAL REVIEW l

l 2.1 Licensee IPE Process 2.1.1 Completeness and Methodology i The Peach Bottom IPE submittal (Submittal) contains a Level 1 (front-end) probabilistic i risk assessment (PRA), a human reliability analysis and a Level 2 (back-end) PRA. A l review of the _ submittal reveals that it is essentially complete with respect to the type of

{ information and level of detail requested in NUREG-1335 [NUREGICR-1335).

l The Level 1 and 2 analyses were based on the current Unit 2 design. The screening of j accident sequences and the evaluation of the decay heat removal functions were done i in accordance with Generic Letter 88-20. The IPE submittal included a section (Section j- 8) that provided a comparison between the IPE submittal and the NUREG-1150 l analysis of Peach Bottom.

i i' The Peach Bottom IPE submittal documents and describes the techniques used to j address each of the three major technical areas: the front-end systems analysis, the j back-end containment performance analysis, and the HRA. A review of the 1 methodology employed in the front-end portion of the submittal indicates that the I technique used for the level 1 PRA was a small event tree /large fault tree technique.

This is clearly described in the submittal. Internal initiating events and internal flooding were evnsidered. Event trees were developed for all classes of initiating events.

System descriptions were provided and the development of component-level system fault trees were discussed. Intersystem dependencies were discussed in the system descriptions and a table of system dependencies was provided. Data for quantification of the models were provided, including common cause data. The application of the technique for modeling internal flooding was described in the submittal. However, the i techniques used for performing importance analyses were not clearly described in the submittal. Overall, the methodology used in the front-end analysis is consistent with that requested in Generic Letter 88-20.

The HRA process addressed both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response to an accident). Pre-initiator actions that were considered included both miscalibrations and restoration faults. However, a relatively low screening value (nonconservative) was assigned to miscalibrations and essentially all restoration faults were completely screened out on the basis of a set of criteria used to determine the potential for recovery of restoration faults. Post-initiator actions included both response-type and recovery-type actions. The primary HRA technique was the EPRI method described in EPRI NP-6560-L (a proprietary document) (EPRI NP-6560-L]. In addition, two other methods were used for comparison to ensure the obtained HEP values were realistic and representative. One method was the RMIEP [NUREG/CR-4834] Simulator Data approach, and the ciher was the " Analytic Models for Operator Response During Accidents Approach." In the latter case, apparently three HEP models were developed by the IPE HRA analysts for events occurring during three time periods of an accident.

11 A

1

.. . l l

1 l

The HEP values used in these models were " derived from Swain, plus selected alternative methods." Plant-specific performance shaping factors and dependencies were apparently considered to some degree, but no explicit examples of the HEP

! quantification process were provided. Human errors were identified as important i contributors in accident sequences leading to core damage and human performance-related enhancements were identified, particularly in regard to the incorporation of Revision 4 of the BWR Owners Group Emergency Procedure Guidelines. Licensee staff i apparently participated in the HRA process, but no specific mention of the associated 1 personnel was found. Procedure reviews, discussions with operations and training staff, l and observations of simulator training sessions helped ensure that the IPE represented j the as-built, as-operated plant. While independent reviews of the IPE were apparently l performed by in-house staff and contractors to help ensure the appropriate use of i techniques, no specific information regarding reviews of the HRA was provided.

f The methodology used to perform the Level 2 analysis is consistent with the guidance j provided in GL 88-20 and NUREG-1335. The Level 2 portion of the Peach Bottom IPE j .was performed using containment event trees that were quantified using functional fault

trees. Separate event trees were constructed for each accident class. The -

i quantification was performed using the REBECA computer program. The Level 1 and Level 2 event trees were directly linked; however, the Level 1 results were grouped into j plant damage states for presentation of results. Also, the structure and quantification of e the Level 2 event trees was based on evaluations for the functional plant damage states !

l (accident classes), rather than separate phenomenological evaluations for each l sequence.

3 I 2.1.2 Multiunit Effects and As-Built, As Operated Status l The Peach Bottom IPE is based on the Unit 2 plant design, using the description in the

updated final safety analysis report (FSAR). The IPE submittal indicates that the results I were also confirmed to be representative of Unit 3 (Section 2.2 of submittal).

j Components and systems shared between the units were explicitly modeled in the j systems event and fault trees. In addition, it was assumed in the submittal that both

j. units were operating at full power when evaluating the response of Unit 2 to initiating l events. For a loss of offsite power (LOSP), Units 2 and 3 place simultaneous demands 4 on the shared systems (i.e., a simultaneous dual unit LOSP). For all other initiating l events at Unit 2, it was assumed that Unit 3 continued to operate at full power. Dual i unit core damage frequency was not calculated.

l j To ensure that the IPE represents the as-built and as-operated plant, at the start of the

! IPE process, a document control database was instituted to ensure that updates in plant initiators, drawings (and modifications), and procedures were correctly incorporated j into every facet of the IPE model. Major documentation used in the model includes the

] updated final safety analysis report (UFSAR), plant procedures, technical specification,

, operator training lesson plans, and maintenance history information. As a result, the s IPE models reflect freeze dates of December 1990 for initiators, February 1992 for j drawings (modifications as of December 1991), and February 1992 for procedures.

l This is indicated in Section 2.4.1 of the IPE submittal. In addition, the IPE was reviewed i

) 12 A

l by plant personnel from outside the PRA group to identify deviations from the as-buP t, ,

as-operated design.

In regard to the HRA, credit was apparently taken for procedure improvements based on Revision 4 of the BWR Owners Group Emergency Procedure Guidelines, even ,

though training on particular aspects of the procedure was still in progress. The '

changes to the LOOP procedure were specifically mentioneo. As noted above, procedure reviews (particularly with regard to the review of procedures relevant to screening pre-initiator restoration faults), discussions with operations and training staff, and observations of simulator training sessions helped ensure that the IPE represented the as-built, as-operated plant. However, while the IPE notes that plant walkdowns -

were conducted, there was no discussion of any HRA-related issues being addressed or HRA-related information being obtained. Overall, the submittal indicates that the licensee took steps to provide reasonable assurance that the HRA-related aspects of the IPE model represented the as-built, as-operated plant.

Section 2.4.2 of the submittal states that a plant familiarization walkdown for observing plant-specific features that could affect severe accident progression and potential internal flooding was performed by utility personnel and contractors involved in the IPE

model development. No further details of the team makeup were given in the submittal.

2.1.3 Licensee Participation and Peer Review Section 5.1 of the submittal indicates that utility staff participated in different aspects of the IPE process. The Level 1 portion of the IPE was developed by a four-person group !

of the utility's Reliability and Risk Assessment branch. Contractor support was provided I by Halliburton NUS in specialized areas such as the reevaluation of common cause failure rates. The Level 2 portion of the IPE was done by a contractor, ERIN Engineering and Research, and the progress reviewed by utility personnel. Supporting MAAP calculations were also performed by utility personnel. Overall, about 70% of the Level 1 work and 30% of the Level 2 work was performed by utility personnel. The remainder was done by contractors.

The submittal indicates that a viable two-step process of review was employed to ensure the accuracy of the analytic techniques applied. In the first step, an ongoing review of the IPE was conducted by key plant personnel in the Nuclear Engineering and Operation divisions with support from unsultants at ERIN Engineering Research, SAIC, and NUS during the IPE's development. The submittal did not indicate if the people from these organizations were different from those that developed the IPE. In the second step, reviews of the final IPE draft were conducted by independent utility personnel and their contractors. The focus of the reviews was to ensure that the IPE methodology and models reflected accurate information and were suitable for submittal.

This included reviews of the system and event tree modeling, the assumptions, and quantification results. The submittal states that the findings of the review teams were incorporated in the IPE, but the nature and results of these findings were not specified in the submittal. Section 5.3 of the submittal also states that the licensee intends to maintain the Peach Bottom PRA as a living document.

13 A

l i

2.2 Front End Technical Review l

l This section documents the review of both accident sequence delineation and l evaluation of system performance and system dependencies provided in the submittal. j 2.2.1 Accident Sequence Delineation and System Analysis l I

The methodology used in the front-end analysis of Peach Bottom IPE is the small event '

tree /large fault tree approach, similar to that described in NUREGICR-2300

[NUREG/CR-2300). This approach is consistent with the methods for examination identified in Generic Letter 88-20. The process used to delineate the accident sequences includes identification of initiating events and associated success criteria, development of event trees, and binning accident sequences based on back-end characteristics.

2.2.1.1 Initiating Events The process used to identify initiating events is described in Section 3.1.1.2. of the IPE submittal. The process considered both generic and plant-specific events. The initiating events were grouped as transients, loss-of-coolant accidents and special initiators. First, an initiallist of transients was taken from NUREG/CR4862

[NUREGICR-3862]. Next, the transients were grouped based on the initial effect on normal plant systems; in particular, the availability of the main condenser as a heat sink and the availability of feedwater. These groups were largely equivalent to those used in the NUREG/CR-4550 analysis of Peach Bottom. A list of all plant specific transients i and their frequencies is given in Table 3.1.1-2 of the submittal. Six categories of LOCAs were considered in the submittal. A list of all plant-specific and generic LOCA events and their frequencies is given in Table 3.1.1-3 of the submittal. All plant-specific and generic special initiators and their frequencies are listed in Table 3.1.1-4 of the submittal.

A comparison of the initiating event frequencies used in the IPE submittal and those in the NUREGICR-4550 analysis of Peach is shown in Table 2.2.1.1-1. These results show that generally the IPE transient event frequencies are comparable to those from NUREG/CR-4550. The LOSP event frequency is different because updated grid information through 1990 was used to calculate the IPE LOSP frequency. The IPE frequency for a transient involving loss of feedwater is more than four times larger than the NUREG/CR-4550 value. The larger IPE value is also due to the use updated data based on Peach Bottom operating experience through 1990.

The results show large differences in the IPE LOCA frequencies (four times to an order of magnitude) compared with those from NUREG/CR-4550. The differences were attributed to the fact that the IPE used large values from the Limerick PRA [NUREG/CR-1068) while NUREG/CR-4550 used smalier values from WASH-1400 [ WASH-1400).

Overall, the licensee's treatment of initiating events in the submittal is complete with respect to the information requested in the Generic Letter 88-20 and, in light of the 14 A

comparison with NUREG/CR-4550, the initiating event frequencies appear to be reasonable.

Table 2.2.1.1-1 Comparison of the Peach Bottom IPE and NUREGICR 4550 Initiating Events initiating Event Peach Bottom IPE NUREG/CR-4550 Event Event Frequency Frequency Transients Loss of offsite power" 0.059 0.079 l

Transient with PCS 0.061 0.05 unavailable" Transient with PCS initially 2.02 2.5 I available*

Transient involving loss of 0.265 0.06 feedwater*

Inadvertent open relief valve

0.17 0.19 1

Manual shutdown" 4.54 Not modeled l LOCAs i

i Large LOCA* 4.1E-4 1.0E-4 !

Medium LOCA* 2.0E-3 3.0E-4 Small LOCA* 1.0E-2 3.0E-3 Small-small LOCA not modeled 3.0E-2 Interfacing system LOCA" 7.3E-7 <1 E-8 Vessel rupture

1.0E-7 Not modeled LOCA outside containment" 8.4E-7 Not modeled SpecialInitiators Loss of 4kV DC bus

2.6E-3 5.0E-3 Loss of 4kV DC bus

2.6E-3 5.0E-3 Internal flooding

Location dependent as Screened out as negligible Section 3.3.8 of the contributor IPE submittal. 1

Generic initiating event frequencies used.

" Plant-specific initiating event frequencies used.

15 A

l 4

i i

i

~ Success Criteria 1

To determine success criteria, the licensee utilized the Peach Bottom updated final

{ safety analysis report along with previous evaluations from other technical sources.

These success criteria are discussed in Section 3.1.1.5 of the IPE submittal and listed in i i Table 3.1.1.5 of the same section. I i

I A comparison of the success criteria (i.e., inventory control and decay heat removal) for I i each initiating event modeled in the IPE submittal and tnose modeled in the i NUREG/CR-4550 analysis of Peach Bottom is shown in Table 2.2.1.1-2. The table

! shows that the systems providing inventory control functions in both studies are

generally comparable. The major differences in success criteria between the two l studies are as follows:

l.' (a) for transients and small LOCAs, only two safety relief valves (SRVs) are needed for pressure release in the submittal while 3 SRVs were needed in NUREGICR-

4550, (b) for transients, the high-pressure service water (HPSW) system could be used to inject water into the core in NUREG/CR-4550 while this option is not used for ;

inventory control in the submittal, and 1

(c) for the medium LOCA, high-pressure coolant injection (HPCI) and control rod drive !

(CRD) are used in conjunction to provide inventory control in the IPE submittal while only HPCI is required in NUREG/CR-4550. ;

Given that there are eleven SRVs, there is not a large difference in the probability of failing two versus failing three. Even considering the other differences, overall, the l licensee's treatment of the success criteria, based on a comparison of the two studies, f appears to be reasonable. l l

4 i

l i

i 1

16 i

A

t Table 2.2.1.1-2 Cc aparison of % Peach Bottom IPE and NUREGICR 4550 Success Criteria .

Initiator inventory Control Decay Heat Removal Peach Bottom IPE NUREGICR-4550 Peach Bottom IPE NUREGICR-4550 Loss of offsite HPCI HPCI 1 of 4 RHR pumps 1 of 4 RHR pumps power or or with associated heat with associated heat .

RCIC RCIC exchanger (SPC and exchanger (SPC, CS, !

1 Feedwater pump 1 Feedwater pump SDC modes) and and SDC modes) and 4 or or associated HPSW associated HPSW j

~

CRD (enhanced) CRD (enhanced) or or or or containment venting containment venting 2 SRVs and 1 3 SRVs and 1 or or !

, g condensate pump condensate pump PCS PCS

. or or i' 2 SRVs and 1 or 4 3 SRVs and 1 of 4 LPCIpumps LPCI or or 2 SRVs and 1 o f 2 3 SRVs and 1 of 2 any i LPCS loops LPCS loops or 3 SRVs and 1 HPSW t

(injection mode) l i

17

Initiator inventory Control Decay Heat Removal Peach Bottom IPE NUREGICR-4550 Peach Bottom IPE NUREGICR-4550 Transient with HPCI HPCI 1 of 4 RHR pumps 1 of 4 RHR pumps PCS or or with associated heat with associated heat unavailable RCIC RCIC exchanger (SPC and exchanger (SPC, CS, 1 Feedwater pump 1 Feedwater pump SDC modes) and and SDC modes) and or or asweiated HPSW associated HPSW CRD (enhanced) CRD (enhanced) or or or cr containment venting containment venting .

2 SRVs and 1 3 SRVs and 1 or or condensate pump condensate pump PCS PCS or or 2 SRVs and 1 or4 3 SRVs and 1 of 4 g LPCIpumps LPCI or or 2 SRVs and 1 o f 2 3 SRVs and 1 of 2 any LPCS loops LPCS loops or 3 SRVs and 1 HPSW (injection mode)

[

18 ,

m.. L a sa. 4 .G- _..w + -Mk 4 6b +4s. w. -*.~4 > a .,A4 .a1 4 m aL 4 _m A

t initiator -

inventory Control Decay Heat Removal Peach Bottom IPE NUREG/CR-4550 Peach Bottom IPE NUREGICR 4550 ;

Transient with HPCI HPCI 1 of 4 RHR pumps 1 of 4 RHR pumps PCS initially or or with associated heat with associated heat l available RCIC RCIC exchanger (SPC and exchanger (SPC, CS, 1 Feedwater pump 1 Feedwater pump SDC modes) and and SDC modes) and ;

or or associated HPSW associated HPSW CRD (enhanced) CRD (enhanced) or or :

or or containment venting containment venting ,

2 SRVs and 1 3 SRVs and 1 or or l condensate pump condensate pump PCS PCS !

w w 2 SRVs and 1 or 4 3 SRVs and 1 of 4 !

k LPCI pumps LPCI t i

or or 2 SRVs and 1 o f 2 3 SRVs and 1 of 2 any LPCS loops LPCS loops or 3 SRVs and 1 HPSW (injection mode) l j

i i

19

- . - - - . - . . ~ ..

~

Initiator Inventory Control Decay Heat Removal Peach Bottom IPE NUREGICR-4550 Peach Bottom IPE NUREGICR 4550 Transient HPCI HPCI 1 of 4 RHR pumps 1 of 4 RHR pumps involving loss or or with associated heat with associated heat of feedwater RCIC RCIC exchanger (SPC and exchanger (SPC, CS, 1 Feedwater pump 1 Feedwater pump SDC modes) and and SDC modes) and or or associated HPSW associated HPSW CRD (enhanced) CRD (enhanced) or or or or containment venting - containment venting 2 SRVs and 1 3 SRVs and 1 or or condensate pump condensate pump PCS PCS or or 2 SRVs and 1 or 4 3 SRVs and 1 of 4 g LPCIpumps LPCI or or -

2 SRVs and 1 o f 2 3 SRVs and 1 of 2 any LPCS loops LPCS loops ,

or 3 SRVs and 1 HPSW (injection mode) i i

1 20 6

initiator inventory Control Decay Heat Removal Peach Bottom IPE NUREGICR-4550 Peach Bottom IPE NUREGICR-4550 j Transient with HPCI and CRD HPCI 1 of 4 RHR pumps 1 of 4 RHR pumps 1 stuck-open or or with associated heat with associated heat relief valve HPCI and 1 of 4 LPCI RCIC exchanger (SPC and exchanger (SPC and pumps 1 Feedwater pump SDC modes) and CS modes) and or or associated HPSW associated HPSW HPCI and 1 of 4 LPCS 3 SRVs and 1 .or or pumps condensate pump containment venting containment venting or or or or HPCI and 1 condensate 3 SRVs and 1 of 4 PCS PCS pump LPCI or or g RCIC and CRD 3 SRVs and 1 of 2 any or LPCS loops RCIC and 1 of 4 LPCI or pumps 3 SRVs and 1 HPSW -

or (injection mode) ,

RCIC and 1 of 4 LPCS pumps or RCIC and condensate or 1 Feedwater and condensate pump ,

or 1 SRV and 1 condensate pump i 1 SRVs and 1 of 4 :

LPCIpumps !

or 21 4

[

' i Initiator inventory Control Decay Heat Removal Peach Bottom IPE NUREG/CR-4550 Peach Bottom IPE NUREGiCR-4550 >

Transient with HPCI and CRD HPCI 1 of 4 RHR pumps 1 of 4 RHR pumps 2 stuck-open or or with associated heat with associated heat relief valve HPCI and 1 of 4 LPCI 3 SRVs and 1 HPSW exchanger (SPC and exchanger (SPC and i pumps (injection mode) SDC modes) and CS modes) and +

or or associated HPSW associated HPSW HPCI and 1 of 4 LPCS 3 SRVs and 1 of 4 or or pumps LPCI containment venting containment venting or or or '

HPCI and 1 condensate 3 SRVs and 1 of 2 any PCS pump LPCS loops or g RCIC and CRD or l RCIC and 1 of 4 LPCI pumps or RCIC and 1 of 4 LPCS pumps i or -

RCIC and condensate

, or t 1 Feedwater and condensate pump or I 1 condensate pemp or 1 of 4 LPCIpumps or 1 of 4 LPCS pumps 22

l Initiator inventory Control Decay Heat Removal Peach Bottoin IPE NUREG/CR-4550 Peach Bottom IPE NUREGICR 4550 Transient with 1 of 4 LPCI Pumps 1 of 4 LPCI Pumps 1 of 4 RHR pumps 1 of 4 RHR pumps 3 stuck-open or or with associated heat with associated heat relief valve any 2 LPCS pumps any 2 LPCS pumps exchanger (SPC exchanger (SPC and modes) and CS modes) and associated HPSW associated HPSW or or containment venting containment venting 1 ,

23

i -

l Initiator inventory Control Decay Heat Removal Peach Bottom IPE NUREG/CR-4550 Peach Bottom IPE NUREGCR-4550 i inadve. tent HPCI and CRD HPCI 1 of 4 RHR pumps 1 of 4 RHR pumps l open relief or or with associated heat with assocated heat valve HPCI and 1 of 4 LPCI RCIC exchanger (SPC and exchanger (SPC, CS, pumps 1 Feedwater pump SDC modes) and and SDC modes) and or or associated HPSW associated HPSW HPCI and 1 of 4 LPCS CRD (enhanced) or or

, pumps or containment venting containment venting or 3 SRVs and 1 or or HPCI and 1 condensate condensate pump PCS PCS pump or or 3 SRVs and 1 of 4 g RCIC and CRD LPCI or or RCIC and 1 of 4 LPCI 3 SRVs and 1 of 2 any pumps LPCS loops or or RCIC and 1 of 4 LPCS 3 SRVs and 1 HPSW pumps (injection mode) or RCIC and condensate or 1 Feedwater and 1 condensate pump or 1 SRV and 1 condensate pump or 1 SRVs and 1 of 4 LPCI pumps or l

24

_-___ .-_____.____.--__-_______________m._

Initiator inventory Control Decay Heat Removal Peach Bottom IPE NUREG/CR-4550 Peach Bottom IPE NUREG/CR-4550 Large LOCA 1 of 4 LPCI Pumps 1 of 4 LPCI Pumps 1 of 4 RHR pumps 1 of 4 RHR pumps or or with associated heat with associated heat any 2 LPCS pumps any 2 LPCS pumps exchanger (SPC exchanger (SPC and modes) and CS modes) and associated HPSW associated HPSW or or containment venting containment venting Medium LOCA HPCI and CRD HPCI 1 of 4 RHR pumps 1 of 4 RHR pumps or or with associated heat with associated heat HPCI and 1 of 4 LPCI 3 SRVs and 1 HPSW ^ exchanger (SPC exchanger (SPC and pumps or modes) and CS modes) and A or -

associated HPSW associated HPSW HPCI and 1 of 2 LPCS I or or or loops 3 SRVs and 1 of 4 containment venting containment venting or LPCI 2 SRVs and 1 or 4 or LPCIpumps 3 SRVs and 1 of 2 any ,

or LPCS loops 2 SRVs and 1 of 2 LPCS loops 25 i

l

Initiator inventory Control Decay Heat Removal Peach Bottom IPE NUREGICR-4550 Peach Bottom IPE NUREGICR 4550 Small LOCA HPCI HPCI 1 of 4 RHR pumps 1 of 4 RHR pumps or or with associated heat with associated heat RCIC RCIC exchanger (SPC exchanger (SPC and 1 Feedwater pump 1 Feedwater pump modes) and CS modes) and ,

or or associated HPSW associated HPSW 2 SRVs and 1 3 SRVs and 1 or or condensate pump condensate pump containment venting containment venting or or or l 2 SRVs and 1 or 4 3 SRVs and 1 of 4 PCS LPCI pumps LPCI or or g 2 SRVs and 1 o f 2 3 SRVs and 1 of 2 any LPCS loops LPCS loops or 3 SRVs and 1 HPSW (injection mode) ,

f i

26

_. ._ _ _ _ _ . ~ _ . _ _ _ _. _ ._ _ _ _ _ _. _ .. _ ._ _ .

2.2.1.2 Event Trees In the IPE submittal, systematic event trees were developed for each initiator . The event trees for transients and LOCAs were discussed in Section 3.1.2 (Figures 3.1.2.1.5.1 through 3.1.2.2.3) of the IPE submittal. The event trees for special transients were discussed in Section 3.1.3 (Figures 3.1.3.1.1a through 3.1.3.3.2) of the IPE submittal.

A comparison of the event trees for each initiator modeled in the IPE submittal and -

NUREG/CR-4550 analysis of Peach Bottom is shown in Table 2.2.1.2-1. Differences in the event trees in the two studies were not unexpected given that there were differene'es in the success criteria and the modeling approach, and that plant information available to the licensee during the IPE process was more current than that in NUREG/CR-4550.

Overall, the licensee's treatment of the event trees in the submittal is complete with

) respect to the information requested in Generic Letter 88-20 and, in light of the comparison with NUREGICR-4550, it appears to be reasonable.

Table 2.2.1.2-1 Comparison of the Peach Bottom IPE and NUREG/CR-4550 Event Tree Models .

Initiator Peach BottomiPE Event Tree NUREG/CR4550 Event Tree Model Model An enhanced LOSP procedure This LOSP procedure did not exist (SE-11) to manipulate electrical when NUREG/CR-4550 was l Ioads and cross-6e em*rgency developed and so was not modeled in i electrical buses was modeled. the LOSP event tree. I Recovery actions of offsite power Recovery actions of offsite power and and emergency diesels were emergency dieselswere modeled at modeled as top eventsin the the cut set levelin NUREG/CR-4550.

LOSP eventtreesin the iPE submittal.

Transient with PCS Success or failure of offsite power Success or failure of offsite power unavailable was not modeled as a top event was modeled as a top eventin the in the transient tree. transient tree.

Foodwaterinjection was modeled Feedwaterinjection was modeled as as a top eventin the transient a part of the power conversion system event tree. top event in the transient event tree.

Foodwater and power conversion Feedwater and power conversion system recovery for heat removal system recovery for heat removalwas was modeled as a top eventin not modeled as e top eventin the the transient event tree. transient event tree. )

Transients with PCS Comparisons the same as for Comparisons the same as for initially available transient with PCS unavailable. transient with PCS unavailable.

27 A

i 4

i initiator Peach BottomiPE Event Tree NUREG/CR 4880 Event Tree Model Model

[ Transients with PCS Comparisons the same as for Comparisons the same as for

{ unavailable transientwith PCS unavailable. transient with PCS unavailable.

$ inadvertent open relief Comparisons the same as for Comparisons the same as for

{ valve transient with PCS unavailable, trenaientwith PCS uneveilable.

s.

i Loos of 4 kV AC and DC Comparisons the same as for Comparisons the some as for i bus transient with PCS unavailable, transient with PCS unavailable.

! Manual shutdown No comperison Not modeled 1

i Large LOCA Success or failure of offsito power Success or failure of offsite power i was not modeled as a top e ent, was modeled as a top event.

I

! Vapor suppression was modeed Eliminated from the large LOCA tree j as a top event. as relatively improbable.

l

Success or failure of the Success or failure of the condensate condensate system for core system for core cooling was modeled.

coolmg was not modeled.

l-

! Medium LOCA Success or failure of offsite power Success or failure of offalle power

. was not modeled as a top event. was modeled as a top event.

f-

,' Vapor suppression was modeled Eliminated from the large LOCA tree i es top event. as relatively improbable.

i The CRD system was modeled Not modeled j as a source of high-pressure p injection to supplement HPCI.

Success or failure of the Success or failure of the condeneste 3 condensate system for core system for core cooling was modeled.

cooling was not modeled.

Small LOCA Success or failure of offsite power Success or failure of offsite power was not modeled as a top event. was modeled as a top event.

l l Vapor suppression was modeled Eliminated from the large LOCA tree as a top event. as relatively improbable.

l Success or failure of the Success or failure of the condensate condensate system for core system for core coolmg was modeled

'. cooling was not modeled.

4 Small-small LOCA Not modeled No comparison made 1

Interfacing system LOCA No comparison Screened as <1E-8 l

Vessel rupture No comparison made Not modeled

. LOCA outside No comparison made Not modeled containment s

j 28

2.2.1.3 System Analysis System descriptions are included in Section 3.2 of the submittal. The systems in the IPE submittal are similar to those modeled in the NUREG/CR-4550 study of Peach Bottom. However, the feedwater system was modeled as a fault tree in the submittal but simply given a data value in NUREG/CR 4550. Fault trees were developed for each system described in Section 3.2 down to the component level; however, they were not provided as part of the submittal.

Overall, the licensee's system analysis is complete with respect to the information requested in NUREG-1335 and, in light of the comparison with NUREG/CR-4550, appears reasonable. .

2.2.1.4 System Dependencies Dependencies are discussed in Section 3.2.3.1 of the submittal. Table 3.2.3-1 of the same section summarizes the dependencies among the systems. The submittal addressed dependencies on instrumentation, instrument air, service water, turbine building cooling water, reactor building cooling water, and emergency AC and DC power. The dependencies in the IPE submittal are similar to those modeled in the NUREG/CR-4550 study of Peach Bottom.

Overall, the licensee's treatment of dependencies is complete with respect to the information requested in NUREG-1335 and, in light of the comparison with NUREG/CR-4550, appears reasonable.

2.2.2 Quantitative Process This section summarizes the process by which the submittal quantified core damage sequences, including performance point estimates and uncertainty / sensitivity analyses, the use of plant-specific and generic data, and the quantification of common cause events.

2.2.2.1 Quantification of Accident Sequence Frequencies The methodology used in the front-end analysis of the Peach Bottom IPE is the small event tree /large fault tree approach, similar to that described in NUREG/CR-2300.

Support systems were modeled in the fault trees and fault tree linking was used to account for dependencies. Systemic event trees were used in the submittal.

The NUPRA computer code was used to link the system fault trees, create minimal cut sets and quantify sequence frequencies The analysis used cutoff frequencies (whether cut set or sequence was not stated) ranging from 1E-9 to 1E-11 to ensure that dominant contributors to risk were captured. This is contained in Section 2.3.2 of the submittal.

The sequence cutoff frequency used in the NUREG/CR-4550 analysis of Peach Bottom was 1E-8.

29 i

l 44

2.2.2.2 Point Estimates and Uncertainty / Sensitivity Analyses Section 3.3 of the submittal states that the accident sequence quantification process :

utilized mean values for initiating event frequencies and fault tree event probabilities. I Mean values are reported for the total CDF. An uncertainty analysis was performed in )

Section 3.4.1.4 of the submittal and the results are shown graphically in Figure 3.4.1-1.

The submittal indicated that an importance analysis (risk reduction) was performed to determine the most important hardware and operator actions. These are presented in Sections 3.4.1.2 and 3.4.1.3 for the hardware and the operator actions, respectively.

An additional sensitivity analysis of nondominant accident sequences was performed by increasing the human error probabilities less than 0.1 to 1.0. The results are presented - !

in Section 3.4.1.3 of the submittal.

2.2.2.3 Use of Plant-Specific Data As requested by NUREG-1335, the use of plant-specific data from plant experience was ;

addressed in Section 3.3.2 of the submittal. Section 3.3.2.1 states that the only !

component for which plant-specific failure data were readily available was the diesel generators. Plant-specific data were also available to determine the maintenance unavailability for diesel generators, RCIC, HPIC, and LPCI systems, and the initiating event frequency for some initiators such as a LOSP.

Table 2.2.2.3-1 shows a comparison of the mean failure probabilities of five events for which plant-specific data were available for the IPE submittal and their corresponding '

probabilities from the NUREG/CR-4550 analysis of Peach Bottom. These events were i selected either because of their importance, as defined in Section 3.4.1.2 of the !

submittal (the first two events), or the large differences (greater than a factor of 4) that exist between the values from the two studies. The table shows that the event probabilities from the submittal are comparable to, or larger than, those from NUREG/CR-4550. These differences between the two studies are not unexpected given that the plant-specific information available to the licensee during the IPE process was more current than that in NURE0;CR-4550.

Overall, the licensee's treatment of plant-specific data is complete with respect to the information requested in NUREG-1335,' and in light of the comparison with NUREG/CR-4550, appears reasonable.

30 A

Table 2.2.2.3-1 Comparison of Plant-Specific Data from the Peach Bottom IPE l and NUREG/CR 4550 Events Peach BottomIPE NUREG/CR 45s0

, Failure Probability Failure Probability

. ImportantIPE Emergency dieselgenerator E4 2.18E-2 1.6E-2 Submittal fails to run hardware failure events Emergency diesel generator E1 2.18E-2 1.6E-2 fails to run Maintenance Emergency diesel generator out 3.01 E-2 6.0E-3 I Events for maintenance LPCI out for maintenance 2.00E-2 2.0E-3 3

High pressure service water out 2.02E-2 2.0E-3 for maintenance 4

2.2.2.4 Use of Generic Data As requested by NUREG-1335, the use of generic data was addressed in Section 3.3.1 of the submittal. Generic data were derived from a variety of sources listed in Table ;

3.3.1-1 of the submittal. l Table 2.2.2.4-1 shows a comparison of the mean failure probabilities of 9 selected generic events from the IPE submittal and their corresponding' event probabilities from NUREG/CR-4550. These events were selected either because of their importance, as defined in Section 3.4.1.2 of the submittal (the first 4 events), or the large differences (greater than a factor of 4) that exist between the values from the two studies.

The information shows that in many cases the event probabilities from the submittal are l comparable or larger than those from NUREG/CR-4550. These differences between j the two studies are not unexpected given that, in many cases, the event probabilities used in both studies were derived from different data sources. For example, the event probabilities used in NUREG/CR-4550 were derived mainly from ASEP generic data, although data from WASH-1400 and other sources were also used. On the other hand, probabilities in the IPE submittal were derived from a variety of generic sources, where predetermined guidelines were used to select the most appropriate source.

! Overall, the licensee's treatment of generic data is complete with respect to the information requested in NUREG-1335, and in light of the comparison with NUREG/CR-4550, appears reasonable.

31 l

A

. e i

Table 2.2.2.4-1 Comparison of Generic Data from the Peach Bottom IPE and NUREG/CR-4550 Events Peach Bottom IPE NUREG/CR-4550 Failure Probability Failure Probability important IPE HPCI turbine fails to start 4.96E-2 3.0E 2 Submittal hardware failure events RCIC turbine fails to start 4.96E 2 3.0E-2 '

HPCI turbine fails to run 3.87E-2 5.0E-2 RCIC turbine fails to run 3.87E-2 5.0E-2 Miscellaneous Air-operated valves fail to 1.81 E-2 1.0E-3 event open Motor-operated valves fail 1.18E-2 3.0E-3 i to open Power permissive 1.16E-2 1E-3 i sensors fail LPCI actuation circuitry 1.25E-4 1.6E-3 I fails Battery charger fails 9.4E-5 8.0E-6 2.2.2.5 Common Cause Quantification As requested by NUREG-1335, common cause was addressed in Section 3.3.4 of the submittal. For the common cause failure of batteries, values were adopted from the NUREG/CR-4550 analysis of Peach Bottom. For diesel generators, the licensee used the Basic Parameter Model framework described in NUREG/CR-4780 [NUREG/CR-4780). For other components, the beta factor method was used to calculate the common cause failure probabilities. The common cause probabilities for various systems are listed in Tables 3.3.4-1 and 3.3.4-2 of the submittal.

Table 2.2.2.5-1 shows a comparison of the mean failure probabilities of 3 selected common-cause events from the IPE submittal and their corresponding event probabilities from the NUREG/CR-4550 analysis of Peach Bottom. These events were 2

selected because of the large differences (greater than a factor of 4) that exist between the values from the two studies.

The information shows that in many cases the common cause probabilities from the submittal are comparable or larger than those from NUREG/CR-4550. These 32 i I

I A

i i

i differences between the two studies are not unexpected given that the common cause

! probabilities were calculated using different methods and data.

Overall, the licensee's treatment of common cause is complete with respect to the information requested in NUREG-1335 and, in light of the comparison with NUREG/CR-4550, appears reasonable.

Table 2.2.2.5-1 Comparison of Common Cause Events from the Peach Bottom IPE and NUREG/CR 4550 Events Peach Bottom IPE NUREG/CR 4550 Failure Probability Failure Probability Common cause failure of 4.18E-4 7.8E-5 emergency service water pumps Common Common cause failure of 1.18E-3 1.5E-4 cause residual heat removal heat events suppression pool cooling valves Common cause failure of the 4.4E-6 2.9E-5 high-pressure service water pumps 2.2.3 Interfaceissues i This section summarizes the interface between the front-end and back-end analyses and the interface between the front-end and human factors analyses.

2.2.3.1 Front End and Back End interfaces in the IPE submittal's front-end analysis, accident sequences were postulated that lead to core damage and potentially challenge the containment. The Level 1 and 2 interface was addressed through a binning process into plant damage states (PDSs) where accident sequences similar in both their impact on the containment and their potential for release of radioactive material were grouped into five accident sequence classes.

The condition of the pressure vessel and the containment at the time of core damage was noted for each class. These classes were further discriminated so that the potential for system recovery could be identified. The PDSs are described in Tables -

3.1.5-1 and 3.1.5-2. of the submittal. It was noted in Section 3.1.5 of the submittal that the binning process was primarily done to display the Level 1 end states because the cut sets generated for each Level 1 end state were transferred into Level 2 analysis.

33 A

4 t

i 2.2.3.2 Human Factors interfaces i

With the exception of minor limitations arising from the IPE's treatment of pre-initiator i restoration faults (see Section 2.3.1.3), modeling of the human actions in the event and 4 fault trees appeared appropriate and complete. All of the human actions modeled in the i' IPE (including 'r ecovery actions) and their corresponding HEPs were presented in a 4 table in the report. The values assigned to the various human actions were reasonable i and generally consistent with the values used in NUREG/CR-4550. A comparison of the

HEPs for selected human actions from the IPE and NUREG/CR-4550 is presented in

} Table 2.2.3.21. The table is a duplicate of one presented in the IPE.

i l 2.2.4 Internal Flooding i This section contains a summary of the internal flooding methodology and results.

i 2.2.4.1 Internal Flood Methodology l

{ As requested by NUREG-1335, an internal flooding analysis was done and discussed in i Section 3.3.8 of the submittal. In the analysis, the licensee first performed walkdowns

) of the plant along with reviews of plant drawings to determine flood sources, flood 4

boundaries and possible flood propagation pathways. Next, the safe shutdown

[ equipment list was used to identify critical equipment susceptible to flooding. Flood j scenatios were then developed based on the flood sources and their impact on critical j equipment either by accumulation or direct contact (i.e., sprays or drips). The core i damage frequency of each flood scenario was then evaluated using generic flood i~ initiating event frequencies and equipment failure probabilities in conjunction with the f modified IPE submittal's event and fault trees. Next the scenarios' core damage frequencies were compared with established CDF screening criteria (1% of the total l

CDF). Those scenarios that fell below the 1% criteria were noted and not further l analyzed. Those that fell above the criteria were examined in more detail by j- considering potential drainage systems or operator actions to terminate the flood and

their frequencies determined. Finally, the frequencies of all the scenarios were summed j= to determine the total.

I 2.2.4.2 Internal Flooding Results 4 The results of the flooding analysis are summarized in Table 3.3.8-4 of the submittal.

Fifteen flood-significant zones contribute a total induced CDF of 1.47E-7/yr. Of this, l four flood areas with a CDF above 1E-8/yr were identified in the reactor building, the diesel generator building, the turbine building, and the circulating water pump structure.

Because it occurred with low frequency, internal flooding was screened from the Peach Bottom NUREG/CR-4550 analysis. Therefore, no comparisons were made with the IPE L results.

! Overall, the licensee's detailed analysis of internal flooding is adequate with respect to i the information requested in NUREG-1335 and the results appear reasonable.

4 i

l A

l l

Table 2.2.3.2-1 Human Interaction Comparison (Selected) l Peach Bottom IPE NUREG/CR-4550 Human interaction Failure Failure Probability Probability Pro-Accident Miscalibration of DW 1.87E4 2.66E-4 Pressure Sensors Miscalibration of Reactor 1.87E4 1.33E4 Level Sensors l

Miscalibration of Reactor 1.87E4 5.32E4 Pressure Sensors l l

Post-Accident ;

i Operator Fails to Manually 1.8E-3 1.0E-2 l Depressurize Reactor l Operator Fails to Align 1.0E-6 1.0E-5 RHR Cooling Mode Failure of the Operator to 0.5 0,9 Align the Emergency Heat Sink Operator Fails to Vent (Manipulative) 1.25E-2 0.5 (screening Operator Fails to Override Shroud Level Permissive Operator Falls to Initiate SLC MSIV Closure 0.26 2.E-2 Turbine Trip 2.1E-3 Operator Fails to Manually 1.2SE-2 0.5 (screening)

Transfer HPCl/RCIC Suction Operator Falls to Control 0.1 0,1 HPCl/RCIC at Level 8 Operator Fails to Back up 1.2SE 2 0.5 (screening)

Low-Pressure System Actuation 35 A

2.2.5 Core Damage Sequence Results This section summarizes the dominant core damage sequences reported in the submittal and includes the contribution of accident types to the total CDF and the dominant events leading to core damage.

2.2.5.1 Dominant Core Damage Sequences Section 3.4 of the submittal summarizes the CDF results. The submittal utilized systemic event trees in the front-end analysis, but applied the functional sequence screening criterion of 1E-6/yr. However, because the individual sequence frequencies fell below 1E-6/yr, only the greater than 5% (of total CDF) criterion was applied. Using this criterion, the licensee calculated the total mean CDF from internal events, including flooding, to be 5.53E-6 per reactor year. This frequency is comparable to the mean value of 4.5E-6/yr for the NUREG/CR-4550 analysis of Peach Bottom. The dominant accident sequences ( all sequences >1% of the total CDF are reported) are discussed in Section 3.4.1.1 of the submittal. These sequences contribute more than 83% of the total CDF.

The total and percent CDF by accident types are reported in Table 3.4.1-1 of the submittal. These results show that'the mean CDF estimate from intemal events, including flooding, for Peach Bottom is 5.53E-6/yr. This frequency is comparable to the mean value of 4.5E-6/yr for the NUREG/CR-4550 analysis of Peach Bottom and is well below the generic safety goal of 1E-4/yr.

A comparison of these results with those from the NUREG/CR-4550 analysis of Peach Bottom is shown in Table 2.2.5.1-2.

l These results show that while the total CDFs for both studies are comparable, there are some differences in CDF and percent CDF contribution of individual accident types for the two studies. These differences are as follows:

. Station blackout (8.7% or 4.79E-7/yr ) is not a dominant contributor to CDF in the IPE submittal compared with the results from the NUREG/CR-4550 analysis of Peat Bottom (49.9% or 2.1E-6/yr). On the other liand, loss of offsite power (24.8%

or 1.37E 6/yr), excluding blackouts, is a dominant contributor to CDF in the submittal compared with the results from the NUREG/CR-4550 analysis of Peach Bottom (1.9% or 8.5E-8/yr ). These differences between the two studies are not unexpected given that there are differences in the models (e.g., the ability to cross-tie EDGs existed in the IPE submittal but not in NUREG/CR-4550) and data (as previously discussed in Sections 2.2.2.3 through 2.2.2.5) used in both studies. It is also possible that sequences that were labeled as SBO in one analysis were labeled LOSP transients in the other analysis, in light of these differences and the fact that the total frequency core damage from loss of offsite power and blackout sequences is about the same for both studies, the result appears reasonable.

36 A

l Table 2.2.5.1.-2 i Comparison of the Peach Bottom IPE and j NUREG/CR-4550 General Accident Type Results i

j Accident Type Mean CDF % of Total Mean CDF Peach NUREG/CR4550 Peach N'JREG/CR-4550 j Bottom IPE Bottom IPE 3 Loss of Offsite 1.37E4 8.5E-8 24.8 1.9 l Power

! Station Blackout 4.79E 7 2.1E-6 8.7 48.9 ATWS 1.44E-6 1.9E-6 26 42.2 l

\

j Transients 1.50E-6 1.4E-7 27.1 3.1 f LOCA 5.95E 7 2.7E-7 10.8 5.8 l Special Initiators

-Intemal Flooding 1.47E-7 Screened out 2.6 Screened out (negligible (negligible

! contributor) contributor) ,

j -Loss of DC Bus <1 E-8 <1 E-8 <0.5% <0.5% l j -Loss of AC Bus <1 E-8 <1 E-8 <0.5% <0.5%

Total 5.53E-6 4.5E-6 100 100 i

i

Transients are a dominant contributor to CDF (27.1% or 1.5E-6/yr ) in the submittal compared with the NUREG/CR 4550 analysis of Peach Bottom (3.1% or 1.4E-7/yr).

The results are different because these sequences were deemed to fall below 1 E-8/yr in NUREG/CR-4550.

. LOCAs are more than twice as important in the IPE (10,8% or 5.95E-7/yr) as they are in NUREGICR-4550 (5.8% or 2.7E-7/yr). The differences are due to the higher initiating event frequencies used in the IPE compared with those used in NUREG/CR-4550. In addition, vessel rupture, which contributes a CDF of 9.0E-8/yr to the IPE results, was only qualitatively accessed and eliminated from further analysis in NUREG/CR-4550.

The submittal reported the ten most important hardware failures, in terms of risk reduction, in Section 3.4.1.2.

HPCI turbine fails to start or run

RCIC turbine fails to start or run

. LPCI injection valve common mode failure

+ Emergency diesel generator E4 fails to run 37

. A

l i

i

Emergency diesel generator E1 fails to run I

Failure of emergency service water air-operated valve

.

HPCI pump discharge valve fails to open j

HPCI pump minimum flow valve failure

HPCI steam supply valves fail to open l l

Emergency service water air-operated valve to diesel E1 fails to open

These failures associated with HPCI, RCIC, and in particular the diesels, reflect the fact that the dominant sequences were associated with a LOSP or transients at high i pressure with a failure to depressurize.

i l Overall, the licensee's treatment of core damage sequences is complete with respect to I i the information requested in NUREG-1335 and, in light of the comparison with

NUREG/CR-4550, appears reasonable.

2.3 Human Reliability Analysis Technical Review i 2.3.1 Pre-Initiator Human Actions

- i l 2.3.1.1 Pre-Initiator Human Actions Considered 1

i i The Peach Bottom IPE considered both of the traditional classes of pre-initiator human actions: failures to restore systems after test, maintenance, or surveillance activities and j instrument miscalibrations. Failures to restore were restricted to actions which would ,

leave systems misaligned. Actions that would lead to the maintained component being i

j. unavailable, even though retumed to the correct configuration, were assumed to already be included in the component failure data. While both classes of pre-initiating events were considered, all " usual" restoration faults were screened out on the basis of a set

, logical criteria, which will be discussed below. The only restoration events modeled j were related to potential precursors for ISLOCAs. Miscalibration events were incorporated into the fault trees and screening HEPs were assigned.

i NUREG/CR-4550 also considered both classes of pre-initiator actions and modeled them in the fault trees. However, NUREG/CR-4550 differed from the IPE in that a detailed quantification (no screening) was performed on all identified actions, including restoration events and miscalibrations. ISLOCA events were dismissed on the basis of quantitative and qualitative arguments in NUREG/CR-4550.

2.3.1.2 Process foridentification and Selection of Pre-Initiator Human Actions According to the Peach Bottom IPE, the identification and classification of operator actions was based on guidance from SHARP [EPRI NP-3583) and on information from reviews of test procedures, maintenance procedures, emergency operating procedures, incident reports, and other PRA studies, e.g., NUREG/CR-4550. Information in the IPE also indicates that administrative controls, procedure implementation practices, and reporting practices were also considered. However, little data were provided in the submittal regarding how the relevant information was obtained. For example, it was not 38 A

e explicitly stated (apparently) that appropriate plant personnel were consulted to help interpret and verify written information and AGiual plant practices. Nevertheless, SHARP suggests that these types of activities should take place and the IPE indicates SHARP was used as a guide. Thus, it appears that relevant sources were examined to aid in the identification of human actions and that factors which could influence the probability of human error in pre-initiator actions were considered.

1 4

NUREG/CR-4550 indicates that a similar process was used to identify and select the j pre-initiator human actions. Most of the relevant description appears in the plant familiarization and system analysis sections (as opposed to the HRA section), and appropriate discussions with plant personnel were apparently conducted. Descriptions of the pre-accident quantification methodology in Appendix C of NUREG/CR-4550 also indicate that information relevant to factors which could influence the probability of human error were considered.

2.3.1.3 Screening and Quantification Process for Pre-Initiator Human Actions 4

As noted above, restoration faults were screened out on the basis of a set logical criteria. The criteria were based on evaluation of factors that would influence the likelihood that restoration errors would be recovered. Factors evaluated included the existence of control room indications and regular panel checks, post-maintenance tests, I double verifications, and administrative controls. While the screening criteria were reasonable and most pre-initiator HRA methods give credit for similar factors, the resulting final HEP values from most HRA methods are generally in the 1E-3 to 1E-4 range. Thus, even though the Peach Bottom IPE argues that restoration fault probabilities are generally insignificant relative to component failure probabilities, the total exclusion of these events from quantification may have eliminated the opportunity to identify particularly important system restorations, it is noteworthy that NUREG/CR-4550 found the failure to restore the standby liquid control (SLC) after test to be the

most important human action in terms of risk reduction.

Regarding miscalibration events, it was asserted in the IPE that a conservative screening value was adopted for miscalibration of a group of like sensor / transmitters and that a gross miscalibration across different groups of sensors was assessed to be negligible. The screening value apparently assigned to the indicated groups was 1.87E-

4. It was unclear how this value was derived, but the value is comparable to the HEPs calculated for similar events in NUREG/CR-4550. In addition, the set of miscalibration events identified in the IPE was reasonable and similar to those used in NUREG/CR-4 4550.

As noted above, in NUREG/CR-4550, no screening of pre-initiator events was conducted. All such events were subjected to detailed quantification using the guidance provided in the Accident Sequence Evaluation Program Human Reliability Analysis procedure (ASEP HRA) (NUREG/CR-4772] . Approximately 49 restoration events, for 11 different systems, were modeled and quantified in NUREG/CR-4550.

39 A

)

l

. 1

2.3.2 Post-Initiator Human Actions l 2.3.2.1 Types of Post-Initiator Human Actions Considered Post-initiator human actions are those required in response to initiating events or related system failures. Although different labels are often applied, there are two important types of post-initiator human actions that are usually addressed in PRAs: response actions and recovery actions. Response actions are generally distinguished from recovery actions in that response actions are usually explicitly directed by amergency l operating procedures (EOPs). Altematively, recovery actions are usually performed in order to recover a specific system in time to prevent undesired consequences.

, Recovery actions may entail going beyond written procedures or using systems in relatively unusual ways. The Peach Bottom IPE included both response type and i recovery type post-initiator human actions. i A review of the list of " post-initiating event actions" suggested that the IPE only took l credit for actions specified in plant procedures. According to the submittal, response I type actions (Type CP in their labeling scheme) appeared as either headings in the event trees or as basic events in the system or functional fault trees. The recovery actions noted above were " addressed at the accident sequence cut set level or were incorporated in the appropriate locations in the fault trees with their failure." The IPE l also states that " recovery actions were identified after the initial sequence l quantification."

i Similarly, NUREG/CR-4550 states that "with few exceptions," only those actions specified in the plant procedures were considered. The exceptions were never explicitly discussed and the only event identified which might have fallen in this category was an l operator action to close XV503 after back leakage occurs to normal service water from ;

the emergency service water system. Apparently neither PRA took credit for recovery of I failures caused by hardware faults or maintenance outages or for extraordinary actions.

2.3.2.2 Process for Identification and Selection of Post-Initiator Human Actions The submittal asserts that the response type human action events were identified from "a thorough review of the instructions and guidance provided by the Transient Response Implementation Plan (TRIP) procedures in response to specific scenarios that result from abnormal plant states." The TRIP procedures are the plants' emergency operating procedures. The " method for the review of the procedures and the ;

incorporation of their impact in the logic models" was apparently the basis for EPRI's l SHARP Enhancement Project. The discussion in the IPE indicates that the response type operator actions were identified as an integral part of the sequence delineation and ,

systems analysis and that scenario-specific factors were considered in determining the i relevant human actions. To ensure that the resulting models accurately reflected the I plant procedures, discussions were held with training and operations staff and some plant simulator training exercises were observed.

40 A

1 l

i i

! The process used to identify and select human actions in NUREG/CR-4550 did not

, appear to be functionally different than that performed for the IPE. A systematic

! approach, based at least in part on the ASEP HRA procedure [NUREG/CR 4772], was implemented and apparently appropriate discussions with plant personnel were held.

l There was no indication that any simulator exercises were ob?erved for NUREG/CR-4550. However, a special HRA analysis of ATWS sequences was performed by BNL and it was stated that a visit to the training simulator facility occurred and that instructors were interviewed and trainees were observed. It was also stated that a walkthrough of the ATWS sequence using a control board mock-up and the Peach Bottom TRIP procedure was conducted. ,

1 2.3.2.3 Screening Process for Post-Initiator Response Actions !

1 In the Peach Bottom IPE, a screening value of 1.25E-2 was apparently used for some ,

post-initiator response actions during initial quantification. This value is significantly j lower (by a factor of 40) than the 0.5 value that is normally used to ensure that -

significant human events are not eliminated and that significant accident sequences were not truncated. The IPE did state that the 1.25E-2 value was used for events representing failures to manually backup initiation, given that automatic initiation failed, when it was felt that there was enough time for the operators to respond. When there was not enough time, no credit was given, it was not clear how human actions other -

than those related to responding to failed automatic initiations were treated during screening. The IPE notes that their HRA screening value was lower than the 0.5 that was used for the NUREG PRA, but that it had little consequence because the quantification cutoff frequencies were lower for the IPE. The submittal reports the cutoff frequency to be 1.0E-10 to 1.0E-11. Given the lower HRA screening value, the cutoff frequency would need to be at least 2.5E-10 to be comparable to the 1.0E-8 used for the NUREG. On the basis of a sensitivity study, the IPE also states that 75% of the sequences below 1% CDF did not rise above the screening criteria when the HEPs were increased to 1.0. While the IPE submittal did not state what percentage the remaining 25% of the sequences contributed to the total CDF, it did report which sequences containing operator or recovery actions with a value less than 0.1 could meet the "5% screening criteria"if the failure probabilities of the actions were increased to 1.0. Thirty-two such sequences were described.

While it appeared that appropriate discussions with plant personnel and the examination of relevant procedures took place prior to the screening analysis, as they should have been, the submittal documentation was not explicit in this regard. It was noted that several human actions included in the " scoping analysis" were revisited to derive realistic human error probabilities based on implementation of Revision 4 of the BWR Owners Group Emergency Procedure Guidelines Whether the implementation of Revision 4 affected which human actions were modeled in the IPE was unclear.

2.3.2.4 Quantification of Post-Initiator Human Actions The quantification of post-initiator human errors apparently follows the approach outlined in EPRI NP-6560-L (EPRI NP-6560-L). However, the submittal states that 41 A

j l i

! because "no one approach to quantification has received universal acceptance," they

used three different approaches and compared among them. The three approaches

included the EPRI NP-6560-L approach, the RMIEP (NUREGICR-4834] Simulator Data approach, and the " Analytic Models for Operator Response During Accidents Approach." In the latter case, apparently three HEP models were developed for events

! occurring during three time periods of an accident. The time periods were: 0 to 30 min,

! 30 min to 10 hr, and more than 10 hr. The HEP values used in these models were

, " derived from Swain, plus selected alternative methods." No useful additional l information was provided on this approach. While the IPE submittal provides a l reasonable, but cursory, description of the EPRI and RMIEP methods, no examples of i actual HEP calculations were given. In addition, no examples of comparisons among i the results of the different methods were given. The submittal notes that each of the three approaches was used for " selected human actions and compared," but that )

" generally the EPRI results were used as the basis for the quantification of human reliability." The list of human actions and their HEPs did not indicate which method was used to derive a given value. While the EPRI and RMIEP methods will apparently, if applied correctly, produce reasonable and consistent estimates of human error probabilities, the absence of any explicit examples makes it impossible to determine whether the methods were applied adequately. '

In contrast, the Peach Bottom NUREG/CR-4550 used the ASEP HRA procedure to l quantify (non-ATWS) response type post-initiator human actions, and the calculations of many HEPs were adequately documented in NUREG/CR-4550. As noted earlier, a separate HRA for the ATWS sequences was performed for NUREG/CR-4550 by .

Brookhaven National Laboratory (BNL). Apparently a combination of HRA methods was used to quantify the ATWS related human actions, including the OAT /TRC approach (NUREG/CR-3010) and SLIM-MAUD (NUREG/CR-3518] in conjunction with base HEP information obtained from a computerized database (NUREG/CR-4103).

2.3.2.4.1 Consideration of Timina The Peach Bottom IPE used several sources to determine the time available to recognize the need for a required action and to perform it. The sources used for estimating the available time window included: (1) accident sequence chronologies from MAAP calculations, (2) BWR Owners Group analyses and data, (3) actuarial data, and (4) published PRA studies. The IPE submittal reflected an awareness of the need to appropriately consider the available time window to diagnose and conduct the needed action, and the EPRI method requires that an estimate of " crew median response time" for particular actions be obtained. Apparently, estimates of such response times were based on " generic estimates" and on discussions with punt staff. It was stated that specific timing for each action was not recorded during d.mulator runs. In addition, no indication was given that any actual time measurements were conducted for actions occurring outside the control room. Alternatively, it could not be determined conclusively that any credit was actually taken for actions outside the control room, other than the recovery actions which were quantified separately and are discussed below.

42 A

Regarding NUREG/CR-4550, the ASEP HRA procedure requires explicit consideration of the available time window for an action (based on thermal-hydraulic calculations) and the time needed to accomplish the action. The failure probability for a particular action is based in part on the remaining time available to diagnose the action. The ASEP method provides guidance for determining the time needed to carry out actions and includes the use of actual time measurements for actions outside the control room. The approach to timing used in NUREG/CR-4550 was also documented in the NUREG/CR-4550 internal events methodology document (NUREG/CR-4550, Vol.1). Documentation of HEP

, calculations in NUREG/CR-4550 shows explicit consideration of time. The BNL A1WS analysis also documented explicit consideration of timing.

2.3.2.4.2 Other Performance Shaoino Factors Considered The discussion of the consideration of performance shaping factors (PSFs) in determining HEPs in the IPE submittal was brief, but the EPRI-NP-6560-L [EPRl-NP-6560-L) method does (in principle) consider relevant performance shaping factors in the process of determining HEPs. The approach first categorizes human actions according to their " cue-response structure " The goal is to understand what causes the operator to perform a function and what constitutes success and failure for the action. It is stated that the categorization allows construction of appropriate models for quantification and interpretation of data to estimate parameters for those quantification models. The approach then considers several potential outcomes for an action and considers performance shaping factors that could influence the likelihood of the different outcomes. While some traditional PSFs such as quality of EOPs, training, plant interface difficulties, potentially confusing indications, etc. are mentioned, there is no explicit discussion of how these factors get applied. It appears that the intent is to

, modify " generic" estimates of the likelihood of pctential outcomes according to plant-specific factors. However, no examples of this process were provided and it is impossible to determine from the submittal to what extent PSFs were considered. As noted above, no explicit examples of calculations were provided.

NUREG/CR-4550 provided adequate examples of the application of the PSFs evaluated as part of the ASEP HRA procedure. The ASEP HRA methodology has specific

approaches for addressing PSFs and some of them may be unique to the approach. For example, ASEP categorizes actions according to whether they are " step-by-step" or

" dynamic" and allows for adjustments in diagnosis HEPs as a function of the number of abnormal events, degree of training, and adequacy of procedures. Thus, it appears that the quantification approaches used in the IPE and in NUREG/CR-4550 may have considered at least some different PSFs.

2.3.2.4.3 Quantification of Recovery Actions The IPE submittal states that the values for recovery actions were derived from NUREG/CR-4550, but that in some cases correction factors were applied to the recovery of offsite power values in order to take credit for a nearby hydroelectric power source. A correction factor of 14/19 was apparently derived on the basis of information from EPRI NP-6560-L.

43

o .

l The actions listed in the IPE's table of " recovery" actions were similar to those in NUREG/CR-4550, but some differences did exist. The differences included the following:

. The IPE did not include actions for recovery of DC hardware, whereas NUREG/CR-4550 did.

The IPE listed a smaller and different set of recovery times for offsite power and diesel generators than did NUREGICR-4550. The IPE used 1, 2 , 4 , and 10-hr recovery times for both recovery of offsite power and recovery of diesel generators (DGs). NUREG/CR-4550 used 13 recovery times for offsite power, ranging from 15 min to 18 hr, and six recovery times for DGs, ranging from 3 to 16 hr, in addition, the IPE had three conditional probabilities for recovery of offsite power in 10 hr, given it was not recovered in 1, 2, or 4 hr. The failure probabilities for comparable events in the IPE and NUREG/CR-4550 did not differ drastically. For example, even with the correction factor noted above, the value for recovering offsite power within 4 hr was 4.9E-2 in the IPE. The value for recovery after 5 hr in NUREG/CR-4550 was 4.8E-2.

The IPE included several events for short-term failure to recover feedwater under different conditions, such as loss of condenser vacuum and turbine trip. Separate recovery of feedwater events was apparently not explicitly modeled in NUREGICR-4550. NUREG/CR-4550 did document the modeling of one event for recovery of power conversion system (PCS) (which included feedwater) within 13 hr, while the IPE did not explicitly model a recovery of PCS.

Other than what was noted above, the IPE submittal failed to provide any discussion regarding the selection of recovery events or their timing. Thus, the reasons for the differences between the two PRAs could not be determined. Furthermore, since l NUREG/CR-4550 did not model separate recovery of feedwater events, it is unclear I how the related failure probabilities for these events were determined in the IPE. It is possible that the EPRI NP-6560-L methodology or ono of the other post-accident methods described was used for quantifying the recovery of feedwater events.

2.3.2.4.4 Consideration of Deoendencies The Peach Bottom IPE discusses two types of dependencies that were addressed for I the response type post-initiator human actions: (1) time dependence and (2) cognitive dependence. Time dependence is concemed with the fact that the time needed to i perform an action influences the time available to recognize that a problem has occurred and to diagnose the need for an action. This type of dependence was considered in the IPE and is discussed in more detail in the section on timing above, l Another aspect of time dependence is that when sequential actions are considered, the time to complete one action will affect the time available to complete another. Similarly, the sooner one action is performed, the slower or quicker the condition of the plant changes. The IPE states that to handle these types of effects, they did what is usually done in a PRA, which is "to make conservative assumptions with respect to accident 44 A

sequence definition." One aspect of this approach is apparently to let the timing of the first action initially minimize the time window for subsequent actions. The cues for later actions are used as new time origins.

The second type of dependence, cognitive dependence, considers the possibility that different patterns of successes and failures in a scenario may influence operator response. This factor is addressed by essentially deriving different HEPs as function of the different conditions. Cognitive dependence is also relevar:' 'vhen the need for several different functions can be derived from the same diagnosis. For example, the !

need for RHR and venting can be derived from the same diagnosis, i.e., recognition of l the need to remove containment heat. Thus, in some cases, diagnoses for functionally !

different actions can be assumed to be completely dependent. Apparently this type of l dependence, i.e., dependencies among multiple actions, was addrossed in the IPE. I Although cognitive dependence was not addressed in demil in the Peach Bottom NUREG, dependencies among multiple human actions were treated at the cut set level after screening. In addition, it was stated that a cut-off value of 1E-4 was used for multiple dependent events unless justification for a lower value could be provided.

. 2.3.2.4.5 Treatment of Ooerator Actions in the Internal Floodina Analvsis The human contribution to flooding induced events was apparently assumed to be contained in the genetic frequencies. While the potential for operator recovery of a flooding situation was apparently considered (i.e., realize a flood was occurring and alleviate the problem), no discussion was provided for how probabilities for recovery were obtained or for how they were modeled. The human actions and their HEPs that were already contained in the event and fault trees used in the flooding quantification process, e.g., loss of feedwater, were apparently assumed to be the same regardless of the fact that flooding was related to the initiating event.

Flooding sequences were screened out in the NUREG/CR-4550.

2.3.2.4.6 Seauences Screened Out Due to Credit for Recoverv Actions As discussed above, a sensitivity analysis was performed in the IPE submittal to ascertain which sequences would have met the 5% screening criteria if operator and recovery actions with values less than 0.1 were set to 1.0. Thirty-two sequences, representing a variety of initiators, met this criteria and are presented in Section 3.4.1.3 of the submittal. In general, the HEPs assigned to the operator actions in these sequences were greater than 1E-3. Two exceptions were the values for aligning torus cooling within 20 hr and recovering RHR within approximately 1 hr, which were 1E 6 and 1E-4, respectively. Most of the actions contained in these sequences also appeared in the submittal's list of important human actions.

45 A

o .

i l

2.3.2.4.7 Treatment of Ooerator Actions in the Level 2 Analysis Approximately 18 operator actions were incorporated in the Level 2 analysis. They were confined to actions that were directed by the EOPs. It was stated that the Level 2 quantification method for operator actions was a screening technique. A review of the list of Level 2 operator actions (Table 4.6.21 in the IPE submittal) revealed that the HEP values ranged from 1.0 for a couple of actions to 1E-4, with most of the values in the 1E-1 to 1E-2 range, i

7The Peach Bottom NUREG/CR-4551 Level 2 analysis apparently did consider human actions. This was inferred from the list of questions asked for the accident progression event trees that were presented in NUREG/CR-4551. However, there was no separate discussion of human actions or HRA-related issues in NUREG/CR-4551. Neither a list of the human actions nor the HEPs used for them could be found. At one place in NUREG/CR-4551, it was stated that human actions were quantified using HRA techniques.

2.3.2.5 Important Human Actions The following operator actions were identified as being important in the PE submittal:

Operator action to depressurize the reactor to the condensate injection pressure.

. Operator action for manual depressurization after inhibiting ADS, with and without offsite power.

+ Operator action to recover offsite power.

Operator action to cross-tie emergency power sources to buses.

5

Failure to recover feedwater in the short term.

Failure to initiate standby liquid control (SLC) during an MSIV closure.

3

. Operator action to recover a diesel generator,

Operator action to initiate SLC during a turbine trip ATWS with a stuck open valve.

. Operator action to vent given RHR hardware failure.

Operator action to inhibit ADS, with high-pressure injection unavailable during ATWS.

Since neither the percentage contribution to CDF of the events nor their risk achievement worth was provided, it is impossible to determine how important the actions were or their importance relative to hardware failures.

The top two events in the list are related to manually depressurizing the vessel. The submittal notes that the dominant transient events in the IPE include the failure to depressurize after an ADS inhibit and that while these types of sequences also appeared in NUREG/CR-4550, they were not quantified because they were estimated to fall below 1E-8. Thus, there is a higher contribution to CDF of transient induced accident sequences in the IPE than in NUREG/CR-4550. The HEP values used for the failure to depressurize in the IPE and NUREGICR-4550 are presented with values for other comparable events in Table 2.2.3.2-1 (in an earlier section of this report). As can be seen in the table, the difference between the HEPs for failure to depressurize 4

46 s

A

__ _ _ ..__ _._ _ .____._ _ _ _ _ ___ _ _ _ _ ___ _ _______. l j . ,

i 1

approaches an order of magnitude, with the IPE using a lower failure probability. Thus

' some other mechanism must be present to cause the sequences to be important in the IPE.

l Another important human action was the failure to cross-tie emergency power sources to buses in 10 hr. Credit was apparently not taken for this event in NUREG/CR-4550, but it was found to be an important event in LOOP sequences in the IPE. Credit for this event was apparently derived from an enhancement of the loss of offsite power procedure based on Revision 4 of the Boiling Water Reactor Owners' Group (BWROG)

EPGs.

While several of the important human actions noted in the IPE submittal were related to ATWS sequences, the IPE notes that differences between the IPE and NUREGICR-4550 associated with the ATWS contribution appear to result from detail of modeling ,

and credit for operator actions. The IPE found that ATWS sequences contributed less to l total CDF than did NUREG/CR-4550, but it should be noted that the total CDF for ATWS sequences were comparable between the two. One difference in modeling was that NUREG/CR-4550 modeled a failure to restore SLC after maintenance and this was i

an important event in NUREG/CR-4550. As noted earlier, the IPE systematically l l dismissed all restoration faults as unlikely. In addition, the failure to initiate SLC in a l l turbine trip ATWS had an HEP an order of magnitude less than the value used in .

I NUREG/CR-4550 (see Table 2.2.3.2-1). However, the value for inhibiting ADS was significantly lower in NUREG/CR-4550 (1.0E-5) than those used in the IPE (ranging from 4,4E-2 to 1.2E-3). Finally, NUREG/CR-4550 did not model water level control for successful shutdown after boron injection, in the IPE, the failure to control level with HPCI available was an important contributor to ATWS sequences. The IPE also states that changes resulting from implementation of Revision 4 of the BWROGs EPGs may have contributed. The exact changes were not described.

- Several other differences in the importance measure results between the IPE and NUREG/CR-4550 were interesting and include the following:

The IPE found that the operator failure to vent was an important contributor, while NUREG/CR-4550 did not.

NUREG/CR-4550 found that miscalibration of reactor pressure sensors was important to both risk increase and risk reduction. Even though the HEPs for these events were comparable (see Table 2.2.3.2-1), this event was not listed as important in the IPE submittal.

A recovery action to recover feedwater in the short term was apparently important in the IPE, but was not explicitly modeled in NUREG/CR-4550. NUREG/CR-4550 modeled recovery of PCS and while the event was not listed as important, several sequences were eliminated after the recovery action was applied.

l 47 A

- - ... . - - . . _ _ . - - - - - - _ _ - _ _ . ~, - .

2.4 Back End Technical Review 2.4.1 Containment Analysis / Characterization 2.4.1.1 Sequences with Significant Probabilities For the Peach Bottom IPE, all of the Level 1 sequences except floods were carried through to the Level 2 analysis, with Level 1 and Level 2 event trees directly linked. The omitted flood sequences were found to contribute only about 2% of the plant CDF in bounding estimates. ,

in NUREG/CR-4550 PRA, all of the cut sets from sequences that ns.d frequencies above 1 E-8 were grouped into plant damage states. These plant damage states were then propagated through the Level 2 analysis.

2.4.1.2 Failure Modes and Timing The Peach Bottom IPE submittal included a discussion of potential containment challenges and failure modes in Section 4.4. The discussion was complete and addressed challenges identified in the general design criteria of the Standard Review Plan, past industry or NRC studies (e.g., IDCOR and NUREG-1150), and past BWR PRAs (e.g., NUREG-1150, Snoreham PRA). The submittal addressed the items in the manner indicated in Table 2.4.1.2-1, which is a reproduction of Table 4.4.1-3 from the IPE submittal.

In determining the Peach Bottom containment ultimate capacity, the steel containment i structure, coniainment hatches, hatch seals, penetrations, and isolation valves were l considered. The static capacity was evaluated for low temperatures (below 500'F), '

intermediate temperatures (between 500*F and 900*F), and high temperatures (above 900'F), and the dynamic capacity was evaluated for energetic events accompanying vessel breach as well as situations with high suppression pool temperatures and high SRV discharge flow rates.

Static Ultimate Caoacity A curve of the static ultimate capacity of containment at different drywell temperatures was developed for the Peach Bottom IPE, based on assessments for the three temperature ranges indicated above. The IPE used a lower containment capacity in the intermediate temperature range than in the low temperature range to reflect seal failures in the drywell. Above 900*F, the IPE assumed the drywell would fail if there was any appreciable pressure load. This approach is similar to the NUREG/CR-4551 approach of using different failure probability distributions for cool and hot gases, and in addition considering late drywell failures from high drywell temperatures. The IPE failure pressures for the lowest two temperature ranges were about 10 psig lower than the mean NUREG/CR-4551 values.

48

. e Table 2.4.1.21 Summary of Treatment of Challenges in the Peach Bottom Containment Safety Study

)

Postulated Containment Challenges Disposition l Containment Ir inal Conditioon

1. Containment isolation Failure included in Level 2 analysis; Treatment assumes inerting has substantial benefitin assuring isolation Seouence Deoendent Failure Modes

2. Interfacing System LOCA Included in Level 1 evaluation

3. RPV Rupture Overpressure included in Level 1 evaluation

4. Pipe Whip / Stream Jet Impingement Dismissed based on low probability

5. ATWS-Overpressure included in Level 1 evaluation TW - Overpressure

6. Vapor Suppression Failure included in Level 1 evaluation (Suppression Pool Bypass)

7. Containment Implosion Due to Drywell Low probability due to Mark I structural capability, Sprays and EPG procedural guidance, and vacuum breakers

8. ContainmentVenting and Combustible included in Level 2 analysis Gas Vents l

l 1

49 l

1 I

i f

A

g F

i Postulated Containment Challenges Disposition l-

! Phenomenoloaical Fauure Modes Addressed in Level 2 CET

9. DirectContainmentHeating included although low probabuity

{ 10. Hydrogen Effects:

1 I -

Quantity of H, Produced in-Vessel Range of values examined 1

l - H2+ 0 Deflagration Effacts Conditional probability of deflagration included Introduction of O, None considered possible except operation 4

deinerted l -

RPV Blowdown Failure + H, Causes Calculated not to cause containment failure at i containment failure Peach Bottom

11. in-vessel Steam Explosions included in Level 2 analysis l 12. Ex-Vessel Steam Explosions included in Level 2 analysis i i

! 13. Structural Failure Due to RPV Collapse '

included in high temperature

and Tear Out of Penetration included pedestal / skirt failures

14. Containment Sump Line Failure Not applicable to Peach Bottom by design i.

i ~

15. Direct Contact of Molten Material with included in Level 2 analysis Steel Shell i 16. DW Head Seal Performance at Elevated included as a po'.ential early leak path (6 to 24 hr)

Temperature (High Temp Failure) '

l i 17. Containment Overpressure due to Decay included in Level 2 analysis l Heat

18. Non-Condensable Gas Generation (Core included (range of modeling assumptions Concrete Attack) examined) ig. Reactivity insertion during Core Melt includedin Level 2 analysis Progression

20. N,Overpressurization During Accident Domessed based on low pcobability

21. Direct Impingement included in Level 2 analysis 50 A

N1

. 4 i

, The IPE submittal indicates that the curve of containment capacity at different drywell

temperatures was superimposed on the transient containment pressure / temperature j signatures for the i.evel 2 sequences to determine if containment failure would occur, and the containment conditions at the time of failure (for use in determining the p probability of failures in various locations). In NUREG/CR-4551, containment loads for

!: various scenarios were assessed in the event trees, and compared against sampled j failure pressures to determine if failure occurred. Through a sampled random variable, a failure location was assigned.

The general approaches used in the IPE and NUREG/CR-4551 are about the same for i- . average values. However, NUREG/CR-4551 included an uncertainty evaluation which I would tend to give higher containment failure probabilities for equivalent mean values of j containment loads and containment failure pressures. It is not expected that these 4

differences would have a large impact on the results of the two analyses.

Dynamic Ultimate Caoacity l The IPE considered failures from dynamic loads. For sequences with large energetic i failure at vessel breach (e.g., steam explosions), the drywell is assumed to fail. For i unmitigated ATWS scenarios, failure is assumed to occur in the wetwell airspace l because of dynamic loads on the hot suppression pool.

l NUREG/CR-4551 also modeled these phenomena. The conditional failure probabilities j were low, however. The IPE results also appear to be low.

4 o

Other Failure Modes The IPE considered the possibility of drywell liner melt-through, and used results from j NRC-sponsored research that was completed after the NUREG/CR-4551 study to

quantify cases with a flooded drywell floor. That drywell liner melt-through analysis i indicated a much lower probability of failure than was used in NUREG/CR-4551. This i

difference has a large impact on containment failure probability and failure mode (see Section 2.4.2.3). C,ases without water were treated as leading to drywell failure in the IPE, whereas in NUREG/CR-4551, the probability of failure was high, but less than 1.

Failure Location and Timina The timing, size, and location of containment failure were dependent on the particular challenge causing containment to fail. Table 4.4.1-4 of the Peach Bottom IPE submittal lists this information for each containment challenge included in the IPE. The IPE table is reproduced below as Table 2.4.1.2-2.

51 A

4 1.'

Table 2.4.1.2-2 Timing, Size, and Location for

{ Postulated Containment Failure Modes Postulated Containment Challenge Timing Size Location" a

i Sequence Deoendent Failure Modes 1

. ATWS Without Mitigation Early . Large DW, WW

. . RPV Rupture Large Enough to Cause Early Large DW Containment Failure

!- . TW-Overpressure Late Small, Large DW, WW j . Vapor Suppression Failure 4 LOCA Early Large DW

. N2 Overpressurization Intermediate Small, Large DW, WW*

4

. Combustible Gas Vent Early Large WW

. Containmentimplosion Due to DW Early Large DW Spray initiation 4

. Containment Overpressure Vent Late Small WW Phenomenological Failure Modes

Non-Condensable Gas Generation Intermediate Small, Large DW, WW

. Direct Containment Heating Early Large DW

. DW Temperature Rise Intermediate Small, Large DW

. Steam Explosions Early Large DW

. Hydrogen Explosions Early Large WW, DW*

. Structural Failure due to Penetration intermediate Large DW Tear out

. VesselThrust Forces Early Large DW Containmentinitial Conditions

. Containmentisolation Failure Early Large DW

- Containment Leakage Early/ Late Small WW

Always treated as a drywell failure in the simplified CET evaluation.

"WW = Wetwell, DW = Drywell.

52 A

l Table 4.4.2-1 of the Peach Bottom IPE submittal gives the range of contair. ment failure sizes considered in the IPE, as well as the point estimates that were c::rsd to characterize each range, The IPE is reproduced below as Table 2.4.1.1-3, with a column added for the NUREG/CR-4551 values.

Table 2.4.1.1-3 Containment Failure Sizes Considered in the IPE and NUREG-1150 l

l IPE l Modeled NUREG/CR-4551 NUREG/CR-4551 IPECategory IPE Range Value Category Modeled Value !

Negligible < 3.14 in2 0 (intact) 2 Small 3.14 in' - 1 ft: 27 in i.eak O.1 ft'(14 in )

Large > 1 ft' 2 ft' Repture 1 ft' The IPE small and large categories correspond to the NUREG/CR-4551 leak and rupture categories. The IPE negligible break size was determined as the size that would be expected to increase risk by less than 5%. The IPE large break size was chosen to be midway between the NUREG/CR-45.51 value and the value used in IDCOR analyses. The small break size range is intermediate between the negligible and large breaks, and was characterized by a break size at about the transition point where containment will not depressurize for most accidents. The factor of two difference in characteristic break sizes between the IPE and NUREG/CR-4551 would not be expected to have a large impact on the results.

Tables 4.4.3-1 through 4.4.3-3 of the IPE submittal give the probability of failure occurring at various containment locations and sizes for the three temperature ranges considered in the containment failure analysis for gradual overpressurization failures.

Also shown are the NUREG/CR-4551 values. Those tNee tables are combined into Table 2.4.1.1-4. For each of the temperature ranger, ti;9 IPE has higher probabilities of the more conservative failure locations / sizes (drywell failur es and wetwell failures above the water line, ruptures) relative to NUREG/CR-4551.

53 A

- - - . .. . . . . . .. .. - - . - - = . . . - - - - - - . . - . . ... .

1 A l Table 2.4.1.14 I Summary of NUREG-1150 and IPE Failure Location and Type Assessment I Containment Failure Typo Conditional Failure Probability NUREG-1150' IPE' High Temperature Case (2 900*F)

Drywell Head Leak 0.5 Rupture 0.5 l

Drywell Upper Leak 0.5 ,

Rupture 0.5 Intermediate Temperatures (700*F for IPE)

Drywell Head Leak 0.4 0.7 Rupture 0.12 0.2 Wetwell Above Leak 0,3 0.1 Water Line Rupture Low Temperature Case (s 500*F)

Drywell Head Leak 0.25 0.19 Rupture 0.05 Drpell Upper ~ Leak O.06 Bcdy Rupture 0.04 Wetwell Above Leak 0.15 0.3 Water Line Rupture 0.25 0.3 Wetwell Below Leak O.001 Rupture 0.35 0.06

' Failure assessments were at the following pressures:

high temperature - 36 psig for NUREG-1150 and 0 psig for IPE intermediate temperature - 112 psig for NUREG-1150 and 60 psig for IPE low temperature - 147 psig for NUREG-1150 and 140 psig for IPE.

54 A

< l l 2.4.1.3 Containment isolation Failure l

(

Containment isolation is addressed in the Peach Bottom IPE' submittal, but it is argued that there is high confidence that the containment will be isolated because Peach

, Bottom is required to be inerted. This statement (and the reported results) indicates -

l that containment isolation failure is negligible for Peach Bottom. This is consistent with the NUREG/CR-4551 Peach Bottom analysis, which also considered containment i

isolation failure to be negligible.

2.4.1.4 System / Human Responses See Section 2.3.2.4.7 for a discussion of the operator actions treated in the Level 2 l analysis. I 2.4.1.5 Radionuclide Release Characterization The Peach Bottom radionuclide release characterization is discussed in Section 4.7 of the IPE submittal. The general approach was to use existing calculations and engineering judgment to directly categorize the sequences from the containment event trees into release categories that were characterized by the magnitude and timing of the release. In NUREG/CR-4551, a parametric expression was used to develop source terms, representing the release of radioactive material from the fuel and core debris and its subsequent transport through the containment to the environment. The parametric source terms were gcuped into partitions with similar consequence potential, and then the consequences for each partition were calculated. Consistent with the IPE guidelines, Peach Bottom did not perform a full Level 3 analysis, and so it is not possible to compare the consequence results from the two studies. Since the focus of NUREG/CR-4551 was on a full Level 3 evaluation, release categories were not calculated. However, for comparison, the NUREG/CR-4551 results were categorized into the Peach Bottom release categories as discussed below. First, though, the IPE release categories and the approach to map sequences into the release categories are discussed.

In the Peach Bottom IPE, the sequences from the containment event trees were grouped into radionuclide release categories, based on timing and magratude of release. Three timing categories are considered: early (0 - 6 hr), inter.nediate (6 - 24 hr), and late (a 24 hr). These times are all relative to accident initiatio 1. The accident timing for each of the sequences from the containment was determine i by subjectiva estimates guided by MAAP calculations and other previous analyses.

Five categories are considered for the magnitude of the release:

High - potential to cause early fatalities

Moderate - potential to cause near-term health effects

Low - potentiel for latent health effects 55 A

5

Low-Low - undectable or minor health effects j e Negligible - less than or equal to the containment design base leakage.

Results from previous IDCOR studies, PRAs, and NRC studies containing detailed consequenos modeling were used to determine the release magnitude for the sequences from the IPE containment event trees. To cover all of the release paths identified in the IPE, the results of multiple studies had to be combined because no single study spanned the range of release paths. The results of the various studies were mapped into release magnitude categories based on the Csl release fraction, which was considered an approximate measure of the whole-body population dose.

The mapping is summarized in Table 2.4.1.5-1.

l Table 2.4.1.5-1 Definition of IPE Release Magnitudes Release Csl Release Magnitude Fraction High > 10% i Moderate 1 -10%

Low 0.1-1%

Low-Low <0.1%

Negligible < 0.1 %

The variables found to have the largest impact on the release magnitude in the analyses that formed the basis for the IPE were containment failure mode, water availability, and reactor building effectiveness. Therefore, the majority of the sequences were mapped into release categories based on these variables. Several exceptions were considered, however, for cases such as energetic events that failed containment at vessel breach or bypass accompanying containment flooding. Adjustments (increases or decreases) to category severity were made to handle these exceptions.

The frequency of each release category in the Peach Bottom IPE is presented in Table 2.4.1.5-2, which is a reproduction of Table 4.6.3-1 from the IPE submittal. To allow comparison with the NUREG-1150 results, approximate equivalent release categories were formed by combining source term groups using the definitions of release magnitude and timing from the IPE submittal. NUREG/CR-4551 included separate releases for the species Cs and I, but did not track Csl (which is used in the IPE to define release categories), so the approximate release categories for NUREG/CR-4551 were based on I releases, rather than Csl. The frequencies of these NUREG/CR-4551 56 A

release categories are also presented in Table 2.4.1.5-2. The table lists contributions from each release category as well as for groupings of release categories according to expected risk impact. The values from the IPE and NUREG/CR-4551 are in reasonable agreement, except that NUREG/CR-4551 has a higher proportion of high-impact releases relative to negligible releases, whereas the IPE has a higher proportion of the negligible releases. This is consistent with the containment failure results, in which the j IPE had fewer early containment failures because of the treatment of drywell liner melt- !

through and the lower relative contribution of ATWS sequences (see Section 2.4.2.3). j Table 2.41.5-2 Comparison of IPE and NUREG/CR-4551 Releases Rolesse Frequency (1/yr) Redlonuchde Rolesee Reisees Frequency (1/yr)

Reissee End State i

_ Charactertantion* IPE NUREG/CR-4661 Magnitudefriming** IPE NUREG/CR-4661 Little or No Reisese 2.51 E4 3.67E-7 Negugeble 2.51E4 3.67E 7 LUL 4.61 E-9 LUl 2.83E4 6.94E 7 LUE 9.94E 7 R 2.16E4 1.17E4 UL 2.77E 7 M/L 7.57E-7 UI 5.03E4 3.29E-7 UE 4.62E4 1.51 E-7 M/1 1.27E 7 5.77E 7 Moderate Reisese 5.40E 7 6.46E-7 M/E 4.22E-7 2.60E-7 H,1. 8.56E4 High Reisees 1.86E-7 1.96E4 H/l 4.4E4 1.61E4 H/E 5.66E4 3.44E-7

Questative desenption beoed on comtuning indicated reisees ca:egones in fourth column.

- Reisees Magnitude: LL very low, L km, M moderate, H high Reisees Timing: E earty,1 intermedete, L late.

57 A

d 2.4.2 Accident Progression and Containment Performance Analysis 2.4.2.1 Severe Accident Progression The Peach Bottom IPE utilized containment event trees (CETs) to probabilistically i

model the progression of the accident following the onset of core damage. The CET is .I represented by a main CET supported by functional fault trees describing the failure I modes for each CET node.- Three basic CETs structures were used: sequences with containment initially intact and initial loss of coolant makeup, sequences with containment failure before core melt (failure of containment heat removal or ATWS), ,

and sequences with containment bypass. The quantification was performed using the l REBECA computer program. The following top events were considered in the CETs: l 1

e Containment isolation

Operator depressurizes RPV i e Core melt progression arrested in-vessel l

Combustible gas venting l

Early containment failure

Steel shellintact

Coolant injection for temperature control of molten debris

Containment flood e Containment heat removal (RHR, venting) l e Suppression pool not bypassed e Containment breach size (leakage, overpressure failures)

Coolant inventory makeup

Location of containment breach (drywell, wetwell airspace)

Reactor building effectiveness.

The Peach Bottom CET was quantified through a combination of MAAP analyses and separate evaluations of selected issues. MAAP 3.08, revision 7.01 was used to estimate the primary and secondary containment response, accident timing, and source terms for most of the accident progression. For phenomena not treated in MAAP or phenomena that were identified as being of concem to NRC, separate evaluations were performed based on industry and/or NRC studies. Section 4.2 of the IPE submittal includes a discussion of the important issues regarding severe accident progression in BWR3/ Mark I plants, and indicates whether each is treated through MAAP calculations or some other analysis.

The NUREG/CR-4551 Level 2 event trees were considerably more detailed than the Peach Bottom CETs. However, without the IPE fault trees, it is not possible to determine how the overall IPE analysis (including the fault trees) compares with NUREG/CR-4551, By considering the top events listed above and the discussion of phenomenological issues, it appears that both analyses consider the same events with the following exceptions. The IPE addresses containment flooding and the accompanying potential for containment bypass, and NUREG/CR-4551 does not; the IPE considers a small possibility for burns occurring in a deinerted containment and NUREG-1150 does not; and it is unclear whether the IPE considered SRV reclosure 58 A

i j-l and subsequent vessel repressurization resulting from high drywell pressures j (inoperability because of DC failure is considered in the IPE).

i i The IPE considers the full range of phenomena that are expected to be important for i containment failure and radionuclide release characterization. However, the IPE l submittal does not provide the quantification for all of the events in the event trees / fault trees. Because of this, it is not possible to directly determine if the quantification is reasonable for all events, but the quantification for important events can be assessed indirectly by comparing the IPE results with the NUREG/CR-4551 results. As discussed i in Section 2.4.2.3 of this report, the IPE and NUREG/CR-4551 results are comparable,

, except for differences in the treatment of drywell liner melt-through and differences due

[ to the relative contributions of Level 1 sequences. The treatment of liner melt-through in l

} the IPE apperrs reasonable, and so it can be inferred that there are no significant unexplained differences in the quantification of the phenomena between the IPE and j NUREG/CR-4551.

I j 2.4.2.2 Dominant Contributors: Consistency with IPE Insights

Table 2.4.2.2-1 shows a comparison of the dominant contributors to the Peach Bottom j containment failure with those contributors identified for the Fitzpatrick, Oyster Creek,_

j Browns Ferry, Duane Arnold, Dresden, and Cooper IPEs, as well as the NUREG/CR- -

l 4551 results for Peach Bottom.

a l There is considerable variability indicated for both the CDFs for the plants and the

} relative contribution for most of the containment failure modes. Peach Bottom's plant i CDF, contribution from early containment failure, and contribution from late containment l failure all fall toward the middle of the relatively wide ranges for the other studies that

are compared in the table. The contribution of Peach Bottom bypass sequences is 1 small, which is consistent with the bulk of the other studies. The contribution from cases without vessel breach was not available from the Peach Bottom IPE submittal.

However, comparing the combined results from the various studies of intact containments and no vessel breach, it can be seen that the Peach Bottom IPE results fall toward the high end of the range spanned by the other studies for these more benign outcomes.

NUREG/CR-4551 has a high proportion of early containment failures relative to the IPE.

This appears to be prede,minantly due to two factors: differences in modeling of drywell liner melt-through, and differences in the relative contribution of the Level 1 sequences.

These factors are discussed further in the following section.

59 A

6 i

Table 2.4.2.2-1 Containment Failure as a Percentage of CDF: Peach Bottom Results Compared with Peach Bottom NUREG/CR-4551 Results and with other IPE Results for Plants with Mark l Containments ;

Fitzpatrick Oyster Creek Browns Ferry Duane Dresden Cooper Peach Bottorn / Peach Bottom IPE IPE IPE Arnold IPE IPE IPE NUREG/CR- IPE 4551 CDF (per year) 1.9E4 32E-6 4.8E-5 7.8E4 1.8E-5 7.1E-5 4.3E4 5.4E4" i Early Failure 60% 16% 46 % 47% 3% 36 % 67% 28%

Bypass na* 7% na 0 0 0 <1% 0.1% ,

Late Failure 26 % 26 % 26 % 32 % 86 % 31 % 5% 26 %

intact 3% 0 3% 21% 11 % 33% 18% 46 % -

No Vessel 11 % 51 % 25% na na na 10% na :

Breach l

na - Not available. [

" The Peach Bottom CDF,incluoing internal floodmg, is 5.53E-6. The Peach Bottom Level 2 did not include floodmg sequences, so the Level 2 ;

CDF is 5.40E4.

i

?

i i

i

4 . ,

1 t

l l 2.4.2.3 Characterization of Containment Performance The ultimate strength of containment and the phenomena considered as mechanisms for containment failure were discussed in Section 2.4.1.2 of this report. The containment performance results from the IPE are compared with NUREG/CR-4551 in this section. When comparing results, it is important to note that some differences in containment performance results would be expected because the two studies had different relative contributions of core damage sequences. The containment performance varies somewhat for different sequence types; when important, the effects l of these differences are noted in the following discussion.

The conditional containment failure assessments from the IPE and from NUREG-1150 are shown in Table 2.4.2.3-1. The results from the iPE are based on information provided in Section 4.6.4.3 of the submittal.

l l

Table 2.4.2.31 l Comparison of IPE and NUREG/CR-4551 Containment Performance l

% of CDF IPE NUREG/CR-4551*

Drywell Liner Melt-through 19.3% 42.1 %

Other Containment Failure 20.3% 17.8%

Containment Vented 14 % 17.5%

No Containment Failure 46.4 % 22.7 %

Note that in this breakdown,' cases without vessel breach are not separated out, and so the percentages for containment vented and no containment failures are different from Table 2.4.2.2-1.

NUREG/CR-4551 predicted higher probabilities of early containment failure for Peach Bottom than did the IPE, while the IPE predicted a higher proportion of cases without containment failure. The IPE submittal indicates that this is due to differences in the liner melt-through quantification. As noted in Section 2.4.1.1, Peach Bottom used updated, less conservative probabilities for liner melt-through for cases with a flooded drywell; however, this does not appear to fully explain the differences in results. A sensitivity study was performed for NUREG/CR-4551 in which liner melt-through was not modeled. The results of that sensitivity study indicated that containment failure was not significantly affected by the change because other modes of containment failure (which were precluded by the liner melt-through failures in the base case) partially replaced the liner melt-through failures, rather than proceeding to no containment failure. For example, drywell overpressure and pedestal failure partially replaced 61

, A

s drywell liner melt-through for station blackout scenarios, and early containment failures j from overpressurization before core damage in ATWS scenarios were not eliminated by the removal of the liner melt-through failure mechanism. NUREG/CR-4551 had a higher proportion of ATWS sequences than the IPE, so the impact of reducing the probability of drywell liner melt-through was not as large for NUREG/CR-4551 as it was for the IPE, That is, the differences in containment failure results are due to both differences in L modeling drywell liner melt-through and the differences in the accidents contributing to core damage.

2.4.2.4 Impact on Equipment Behavior Equipment survivability during severe accidents was addressed in Section 4.6.2.1 of the IPE submittal for components whose success was credited in the IPE. Exposure to temperature, pressure, aerosol loading, radiation, and moisture was considered. The submittal indicates that applicable studies (primarily NRC-sponsored) were reviewed, and then engineering judgment was used to make assessments of operability in these adverse environments. The submittal indicated that most components located in the reactor building would be expected to survive the harsh environment.

2.4.2.5 Uncertainty and Sensitivity Analyses The Level 2 analysis for the Peach Bottom IPE did not include an uncertainty analysis, but several sensitivity studies were performed to address issues that could affect the viability of accident management strategies. In addition, qualitative discussions of the impact of uncertain phenomena on accident progression were included for phenomena that were not examined through sensitivity studies. Sensitivity studies were performed both for the deterministic analyses (e.g., MAAP) that formed the basis for quantification, and for the actual probabilistic analysis.

For the deterministic sensitivity studies, PECo considered both MAAP results and the results of NRC-sponsored studies. The sensitivities discussed in Section 4.6.5.2 of the IPE submittal are:

Hydrogen production and combustion e Core relocation characteristics e Mode of reactor vessel melt-through

Long-term disposition of core debris e Revaporization of deposited fission products

Reactor building decontamination factor.

62 A

. s Sensitivity studies were performed for the following items to investigate the impact of changing their probabilities. The results were discussed in Section 4.6.5.3 of the IPE submittal.

e Induced failure of the reactor coolant boundary (stuck-open relief valve) e Mode of vessel failure e Fuel-coolant interactions e Direct containment heating -

Early containment failure from liner melt-through.

2.5 DHR, Other GSI/USis and CPI l l

This section summarizes the evaluation of decay heat removal provided in the IPE j submittal. Other GSl/USis, if addressed in the submittal, were also reviewed.

i 2.5.1 Evaluation of Decay Heat Removal 2.5.1.1 Examination of DHR in accordance with the resolution of USl A-45 (NUREG/CR-1289], the licensee specifically examined the DHR function for vulnerabilities. This is contained in Section 3.4.3 of the IPE submittal. The licensee used both quantitative design objectives from the NRC staff and qualitative insights from past A-45 studies as input for the analysis of the adequacy of DHR.

l 2.G.1.2 Diverse Means of DHR The utility's diverse means of DHR were identified and their benefits explored in Section 3.4.3.1 of the IPE submittal. These include the main condenser and feedwater systems, l the high- and low-pressure ECCS with containment cooling, the four modes of residual heat removal at shutdown, the torus cooling, and the high-pressure service water system.

2.5.1.3 Unique Features of DHR The unique features at Peach Bottom that directly affect the ability to provide DHR include a wetwell hard-pipe vent for containment heat removal and four shared emergency diesel generators with cross-tie capabilities that allow for DHR during certain loss of offsite power events. These features significantly reduce the CDF contribution of scenarios involving a loss of DHR.

63 A

l . .

i !

1 j 2.5.1.4 DHR Results l The evaluations indicate that about 7% of the total CDF is due to a loss of containment

, heat removal while 55% of the total CDF was attributed to the loss of inventory, 1 Therefore, about 62% of the total CDF (3.0E-6) is due to DHR failures. In the submittal, l

the licensee concluded that no vulnerabilities associated with DHR exist since the total

CDF from a loss of DHR was below the screening criteria in NUREG-1289. No plant modifications were judged to be cost beneficial.

l Overall, the licensee's examination and evaluation of DHR is complete with respect to the information requested in NUREG-1335, and the results of the evaluation appear l reasonable.

i 2.5.2 Other GSl/USis Addressed in the Submittal i in the IPE submittal, the licensee indicated that it has chosen not to evaluate, for l

! closure, the other USis and GSis that remain open for Peach Bottom at present.

2.5.3 Responses to CPI Program Recommendations The IPE addressed the recommendations for plants with Mark l containments from the .

Containment Performance Improvement (CPI) Program, as summarized below:

e Alternate Water Sucolv for Drvwell SoravNessel Iniection: The submittal !

indicated that Peach Bottom already has alternative injection / spray capability because it (1) has the capability to inject high-pressure service water through the ,

RHR system , and although the system is ac-dependent, it has the capability of !

cross-tising; and (2) it has procedures for using fire water for vessel injection through the RHR system.

Enhanced Reactor Pressure Vessel (RPV) Deoressurization System Reliability; i The submittal discusses the DC and nitrogen dependencies of the safety relief valves, but the design does not appear exceptional relative to other BWR Mark I plants. No commitments were made toward the CPI objective of enhanced reliability in station blackout.

e Emeraency Procedures and Training: As recommended by the cpl program, Peach Bottom has implemented Revision 4 of the BWR Owners Group I Emergency Procedures Guidelines and is in the process of training the operators. j e Torus Hard-Pioe Vent: The IPE submittal indicated that Peach Bottom is committed to installing the hard-pipe vent during the fall of 1992. This new vent is larger than the older hard-pipe vent from the torus that was modeled in NUREG-1150.

64 A

l The IPE has addressed the relevant recommendations of the CPI Program, and has partially satisfied the recommendations.

l 2.6 Vulnerabilities and Plant improvements This section summarizes the vulnerability evaluation, the proposed plant improvements and modifications, and insights provided in the iPE submittal.

2.6.1 Vulnerability l

In Section 3.4.2 of the IPE submittal, the licensee defined vulnerability as any failure mode, single failure, or combination of a small number of failures not used to create a i support state (sud1 as diesel failure in the LOSP event tree) that disproportionately l contributes to the overall CDF. The submittal states that even though no quantitative limits were placed on the contribution to CDF, a qualitative evaluation identified no '

vulnerabilities. !

2.6.2 Proposed improvements and Modifications i Plant improvements and modifications were discussed in Section 6.0 of the submittal. l l

Based on insights from the front-end analysis, the licensee identified one plant improvement: an enhancement to the LOSP procedure (SE-11) which includes detailed instructions to cross-tie emergency electrical buses and recognizes interunit interactions to improve the responses necessary for the safe shutdown of both Peach Bottom units during a LOSP. This procedure is scheduled for implementation in December 1992.

This procedure was credited in the submittal but the impact of the plant improvement in . 1 terms of the change in CDF was not discussed.

l 2.6.3 IPE Insights Section 6.2 of the IPE submittal discusses the IPE insights and potential plant improvements. All insights discussed in that section formed the basis for the potential plant improvements provided in the section. Since Section 2.6.2 of this report presents these IPE insights, they are not repeated here.

65 A 1

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS A review of the front-end of analysis of the Peach Bottom IPE submittal reveals that it is

. essentially complete with respect to the type of information and level of detail requested in Generic Letter 88-20. In addition, the review did not identify any significant problems or errors in the front end. It should be noted that the IPE included a thorough identification and evaluation of plant-specific initiating events, and a detailed flooding analysis.

j A comparison of the front-end analysis of the IPE submittal and NUREG/CR-4550 reveals some differences between the results, particularly for loss of offsite power and station blackout sequence. However, the differences between the two studies were not i unexpected given that there were differences in the success criteria, models (e.g., the ability to cross-tie EDGs existed in the IPE submittal but not in NUREG/CR-4550), and

data (as previously discussed in Sections 2.2.2.1 and 2.2.2.3 through 2.2.2.5) used in both studies.

Overall, the review of the front-end analysis of the Peach Bottom IPE submittal reveals that it is essentially complete with respect to the type of information and level of detail requested in Generic Letter 88-20.and, in light of the comparison with NUREG/CR-4550, appears reasonable.

The HRA review of the Peach Bottom IPE submittal did not identify any significant problems or errors. A viable approach was used in performing the HRA and only relatively minor differences were found between the IPE and NUREG/CR-4550. The most important weaknesses of the IPE HRA included complete screening of all pre-initiator restoration faults and a lack of any examples or documentation that demonstrated the actual quantification process for post-initiator response or recovery actions.

No significant problems or errors were identified in the back-end analysis. Differences were observed between the IPE and NUREG/CR-4551 results, but they are primarily due to the relative contribution of various sequences to the CDF, and the IPE's use of more current analyses for the drywell liner melt-through issue.

66 A

. e l l

4. DATA

SUMMARY

SHEETS

a The mean total core damage frequency (CDF) : 5.53x104 per reactor-year. i e Initiating events contributing to the total CDF are:

Initiator ContributiQn O Loss of Offsite Power 33.5 %

a Transient with PCS Unavailable 13.6%

a Transient with PCS Initially Available 20.8 %

a Transient involving Loss of Feedwater 10.3%

a 'Large LOCA 5.4%

0 Loss of Condenser Vacuum 4.8%

a Inadvertent Open Relief Valve 3.6%

a Medium LOCA 2.8%

a Internal Flooding 2.6%

a Vessel Rupture 1.8% i a Others 0.8% l e Classes of accident sequences contributing to the total CDF are:

Seouences Contribution a Loss of Inventory Makeup with Reactor at High Pressure 43.4%

0 Failure to insert Negative Reactivity with Reactor at High Pressure 17.7%

a Loss of Offsite Power and Loss of Makeup 9.0%

a Loss of Containment Heat Removal and No Venting Capability 7.4%

a Loss of Makeup induced by ATWS 6.1%

0 Medium or Large LOCA for Which the Reactor is at Low Pressure 5.3%

a Small or Medium LOCA for Which There is No Depressurization 2.5%

0 Common Mode Failure of Front-Line Systems with the Reactor at High Pressure 2.4%

a Others 6.2%

67 A

e Major operator actions to prevent core damage or containment failure:

a Failure to depressurize the reactor to the condensate injection pressure.

a Failure to manually depressurize after inhibiting ADS, with and without offsite power.

a Failure to recover offsite power in 10 hr.

O Failure to cross-tie emergency power sources to buses in 10 hr.

O Failure to recover feedwater in the short term.

O Failure to initiate SLC during an MSIV closure.

a Failure to recover a diesel generator in 10 hr.

O Failure to initiate SLC during a turbine trip ATWS with a stuck-open valve. -

a Operator fails to vent given RHR hardware. I a Operator fails to inhibit ADS, with high-pressure injection unavailable during l ATWS.

e Conditional containment failure probability given core damage:

Containment Failure Locations a Drywell Liner 19%

a Other Failure 20%

a Bypass 0.1%

a Vented 14%

a intact 46 %

Containment Failure Timinos a Early 28%

o Late 26 %

o Bypass 0.1%

a Intact 46 %

e Significant PRA findings Design or operational features having the most significant impact in reducing the CDF are:

a Four emergency diesel generators with the flexibility of cross-tising buses.

O Recovery of offsite power.

O Residual heat removal and high-pressure service water cross-tieing capability.

68 A

. s a Potentialimprovements under evaluation a The licensee identified one plant improvement: an enhancement to the LOSP procedure which includes detailed instructions to cross-tie emergency electrical buses and recognizes interunit interactions to improve the respontes necessary for the safe shutdown of both Peach Bottom units during a LOSP. This procedure is scheduled for implementation in December 1992. This procedure was credited in the submittal but the impact of the plant improvement in terms of the change in CDF was not discussed.

e important plant hardware and plant characteristics:

a Four diesel generators with the flexibility of cross-tieing buses.

O Residual heat removal and high-pressure service water cross-tieing capability.

O Four 100% capacity residual heat removal pumps and heat exchangers, o High-head condensate pumps.

O MSIV closure at Level 1.

O Diverse sources of water for cooling and injecting.

(Information has been taken from the Peach Bottom IPE and has not been validated by the NRC staff.)

69 A

w REFERENCES i l

[ Generic Letter 88-20] U.S. Nuclear Regulatory Commission, " Individual Plant Exnmination of Severe Accident Vulnerabilities - 10 CFR

part," Generic Letter No. 88-20, November 1988.

I

[ Submittal] Philadelphia Electric Company, " Individual Plant Examination: Peach Bottom Atomic Power Station Units 2 &

3," August 1992.

(NUREG/CR-1335] U.S. Nuclear Regulatory Commission, " Individual Plant

! Examination: Submittal Guidance," NUREG-1335, August l 1989.

(NUREG/CR-4550j A. M. Kolaczkowski et al., " Analysis of Core Damage Frequency: Peach Bottom Unit 2 Internal Events,"

NUREG/CR-4550, Vol. 4, August 1989.

(WASH-1400] U.S. Nuclear Regulatory Commission, " Reactor Safety i Study: An Assossment of Accident Risks in U.S. Commercial l Nuclear Plants," WASH-1400,1975 (NUREG/CR-2300] U.S. Nuclear Regulatory Commission, "PRA Procedure Guide - A Guide to the Performance of PRA at Nuclear Power Plants," NUREG/CR-2300, January 1983.

(NUREG/CR-1068] U.S. Nuclear Regulatory Commission, " Review Insights on the Probabilistic Risk Assessment for Limerick Generating Station," NUREG-1068, August 1983.

[NUREG/CR-3862] D. P. Mackowiak, et al., " Development of Transient initiating Event Frequencies for Use in Probabilistic Risk Assessments," NUREG/CR-3862, May 1985.

(NUREG/CR-4780] A. Mosleh, et al., " Procedure for Testing Common Cause Failures in Safety and Reliability Studies," NUREG/CR-4780, January 1988.

(NUREGICR-1289] U.S. Nuclear Regulatory Commission, " Regulatory /Backfit Analysis: Unresolved Safety issue A-45, Shutdown Decay Heat Removal and Requirements," NUREG-1289, September 1988.

[EPRI NL-6560-L] A.J. Spurgin, P.Moieni, and G. W. Parry, A Human Reliability Analysis Approach Using Measurements forIndividualPlant F_xaminations, EPRI NP-6560-L, Palo Alto, CA Electric Power Research Institute,1989.

70 A

. v (NUREGICR-4772) A.D. Swain, Accident Sequence Evaluation Program Human Reliability Analysis Procedure, NUREGICR-4772, U.S.

Nuclear Regulatory Commission, Washington, D.C.,

February,1987.

(NUREGICR-3010] R.E. Hall, J. R. Fragola, & J. Wreathall, Post-Event Human i Decision Errors: Operator Action Tree / Time Reliability i Correlation, NUREGICR-3010, Upton, NY: Brookhaven l National Laboratory, November,1982.

(NUREGICR-3518) D.E. Embrey, et al. Slim-Maud: An Approach to Assessing .

Human Error Probabilities Using Structured Expert l Judgment, Vol.1-2, NUREGICR-3518, U.S. Nuclear l Regulatory Commission, Washington, D.C., March 1984.

[NUREGICR-4103] J.N. O'Brien and C.M. Spettel,."Uses of Human Reliability 1

Analysis PRA Results to Resolve Personnel Peribrmance Issues That Could Affect Safety, NUREGICR-4103, U.S.

, Nuclear Regulatory Commission, Washington, D.C., October 1985.

I

[EPRI-3583) G.W. Hannaman and A.J. Spurgin, Systematic Human

< Action Reliability Procedure (SHARP), EPRl-3583, Palo Alto, CA: Electric Power Research Institute,1984.

(NUREGICR-4550, Vol.i] D. M. Ericson Jr., et al., Analysis of Core Damage Frequency: Intemal Events Methodology, NUREGICR-4550, j Vol.1, Rev.1, U.S. Nuclear Regulatory Commission, Washington, D.C., January,1990.

[NUREGICR-4834] L.M. Weston, D.W. Whitehead, and N.L. Graves, Recovery Actions in PRA lbr the Risk Methods Integration and ^

Evaluation Program (RMIEP), Vol.1: Development of the Data-Based Method, NUREGICR-4834I1 of 2, SAND 87-0179, Sandia National Laboratories, Albuquerque, N.M.,

June 1987.

71 4

1 A

ML20094C741

Text

SUMMARY

SUMMARY

Navigation menu

Search