Text

App a, Technical Evaluation Rept on IPE Front End Analysis
	ML20100C909
Person / Time
Site:	Nine Mile Point
Issue date:	08/31/1995
From:	Darby J, Sciacca F, Thomas W; SCIENCE & ENGINEERING ASSOCIATES, INC.
To:	; NRC
Shared Package
ML17059B097	List: ML20100C909; ML20100D240; ML20100D247;
References
	CON-NRC-04-91-066, CON-NRC-4-91-66 SEA-92-553-030, SEA-92-553-030-A:3, SEA-92-553-30, SEA-92-553-30-A:3, NUDOCS 9602010287
	Download: ML20100C909 (52)
	v • d • e

SEA-92-553-030-A:3 August 31,1995 Nine Mile Point 1 Technical Evaluation Report on the Individual Plant Examination Front End Analysis ,

NRC-04-91-066, Task 30 !

John L. Darby, Analyst Willard R. Thomas, Editor Frank W. Sciacca, Editor I

Science and Engineering Associates, Inc.

Prepared for the Nuclear Regulatory Commission h o2O\O2E D }37g 9 M S

TABLE OF CONTENTS E. Executive Su m ma ry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 E.1 Plant Characterization . . . . . . ..... ...................... 1 E.2 Licensee's lPE Process . . . . . ... ....................... 2 E.3 Front-End Analysis . . . . . . . . ........................... 2 E.4 Generic issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 E.5 Vulnerabilities and Plant Improvements . . . . . . . . . . . . . . . . . . . . . . . 5 E.6 0bservations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

1. I NTRO D U CTI ON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 1.1 Review Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 1.2 Plant Characterization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

2. TEC H N I CAL R EVI EW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 2.1 Licensee's lPE Process . . ............................... 9 2.1.1 Comoleteness and Methodoloav . . . . . . . . . . . . . . . . . . . . . . 9 2.1.2 Multi-Unit Effects and As-Built. As-Operated Status . . . . . . . . 9 2.1.3 Licensee Participation and Peer Review . . . . . . . . . . . . . . . . 10 2.2 Accident Sequence Delineation and System Analysis . . . . . . . . . . . . . 11 2.2.1 lnitiatina Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 2.2.2 Event Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 2.2.3 Systems Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 2.2.4 System Dependencies . . . . . . . . . . . ................. 21 2.3 Q uantitative Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 2.3.1 Quantification of Accident Seauence Freauencies . . . . . . . . . 22 2.3.2 Point Estimates and Uncertaintv/ Sensitivity Analyses . . . . . . . 23 2.3.3 Use of Plant-Soecific Data . . . . . . . . . . . . . . . . . . . . . . . . . . 23 2.3.4 Use of Generic Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 2.3.5 Common-Cause Quantification . . . . . . . . . . . . . . . . . . . . . . . 27 2.4 Interface issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 2.4.1 Front-End and Back-End Interfaces . . . . . . . . . . . . . ..... 29 2.4.2 Human Factors Interfaces . . ....................... 30 2.5 Evaluation of Decay Heat Removal and Other Safety issues . . . . . . . . 31 2.5.1 Examination of DHR . . . . . . . . . . . . . . . .............. 31 2.5.2 Diverse Means of DHR . ..................... .... 31 2.5.3 Uniaue Features of DHR . . . . . . .......... ......... 31 2.5.4 Other GSI/USis Addressed in the Submittal . . . . . . . . . . . . . . 32 2.6 Internal Flooding . . . . . . . . . . . . . . . ................. ..... 32 2.6.1 Internal Floodina Methodoloav . . . . . . . . . . . . . . . . . . . . . . . 32 2.6.2 Internal Floodina Results . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 2.7 Core Damage Sequence Results . . . . . . .................... 34 2.7.1 Dominant Core Damaae Seauences . . . ... . . .... 34 l

iii

2.7.2 Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 2.7.3 Proposed Improvements and Modifications . . . . . . . . . . . . . . 38

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS . . . . . . . . . . . . . . . . 40

4. DATA S U M MARY S H EETS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 REFERENCES ................................................ 44 l

l iV

l l

i i

I LIST OF FIGURES ;

1 Figure 2-1. Comparison of Data for Recovery of Offsite Power . . . . . . . . . . . . . 26 l Figure 2-2. Core Damage Frequency by Class of Accident . . . . . . . . . . . . . . . . 35 1

l l

1 1

1 l

i l

l l

l 1

I

)

l l V i

1 :

i 1 l

UST OF TABLES f Table 2-1. Plant Specific Component Failure Data . . . . . . . . . . . . . . . . . . . . . . 24 Table 2-2. DG Recovery Data from NUREG-1032 . . . . . . ............... 25 Table 2-3. Comparison of Common Cause Failure Factors for 2-of-2 C omponents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Table 2-4. Top 6 Core Damage Sequences . . . . . . . . . . . . . . . . . . . ....... 37

)

l I

J s

Vi

E. Executive Summary This report summarizes the results of our review of the front-end portion of the Individual Plant Examination (IPE) for Nine Mile Point 1. This review is based on information contained in the IPE submittal along with the licensee's responses to Requests for Additional Information (RAI).

E.1 Plant Characterization The Nine Mile Point 1 plant is co-located with the Nine Mile 2 plant, but shares few

. systems with unit 2, because the two plants are different vintage Boiling Water Reactors (BWR). The plant is located on the southeast shore of Lake Ontario in New York, seven miles northeast of Oswego, New York. Nine Mile Point 1 is a BWR 2 with a Mark I containment. General Electric was the Nuclear Steam System Supplier (NSSS); the utility, Niagara Mohawk Power Corporation, was the architect engineer (AE) and Stone and Webster was the constructor. The Unit achieved commercial operation in December 1969. The rated power is 1850 megawatts thermal (MWt) and 620 megawatts electric (MWe) net.

Design features at Nine Mile Point 1 that impact the core damage frequency (CDF) are as follows:

Emeroency (isolation) condensers (ECs) The ECs require no electrical power to provide for core cooling, and this tends to decrease CDF. Per design, the ECs alone provide no makeup to the vessel and thus excessive leakage or unisolated seal Loss of Coolant Accidents (LOCAs) cannot be mitigated with the ECs; this tends to increase the CDF.

Hardened containment vent The hardened containment vent decreases the CDF by providing a backup to loss of containment cooling whereby continued support of core cooling systems can be provided.

Eloht-hour batterv lifetime The 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months battery lifetime tends to decrease CDF, since it is relatively long compared to battery lifetimes at some other BWRs, thereby allowing for increased likelihood of recovery of offsite power.

Diesel driven firewater The availability of diesel driven firewater tends to lower the CDF since this source can be used to provide makeup to the ECs and to inject to the vessel via the feedwater piping.

Ability to power control rod drive (CRD) oumos off 1E oower The ability to power the CRD pumps with the diesel generators (DGs) tends to decrease the !

CDF since this provides an additional source of makeup to the vessel even if j offsite power is lost. j 1

l

l 1

l E.2 Licensee's IPE Process The IPE is a level 2 probabilistic risk assessment (PRA). The licensee initiated work on a PRA for Nine Mile Point 1 in response to the Generic Letter 88-20. They modeled the plant as of January,1993. No pending improvements were credited in the IPE model.

Five full-time engineers from the utility were assigned to the IPE effort. As-needed support was provided from in-line utility organizations, including: operations, nuclear technology, safety analysis, systems engineering, reactor engineering, training, electrical design, fuels, and design basis reconstitution. Consultants from the following organizations were utilized: General Physics, Fauske and Associates, GKA, Haliburton NUS, and EQE.

Three types of walkdowns were performed for the IPE. The first walkdown was a week in duration, performed during shutdown, and focused on the primary containment and equipment within primary containment. The second walkdown was performed at power, and it focused on the reactor building. The third walkdown was a collection of individual walkdowns, performed as necessary in support of modeling of individual systems and in support of the model for internal flooding.

Major documentation used in the IPE included: the Updated Final Safety Analysis Report (UFSAR), procedures, drawings, design basis documents, equipment qualification reports, Licensee Event Reports (LERs), in service test results, and maintenance work reports.

Numerous PRAs were reviewed during the preparation of the IPE for Nine Mile Point 1, especially the IPE for Nine Mile Point 2.

The submittal states that: " continued application of IPE is a priority for NMPC". So far, the IPE has been used by the utility for developing an emergency diesel generator reliability program, supporting operator training, and enhancing operating procedures.

E.3 Front-End Analysis The methodology chosen for the Nine Mile Point 1 IPE front-end analysis was a Level l PRA; the large event tree /small fault tree technique with support state modeling was used and quantification was performed with the RISKMAN computer code.

i The IPE quantified 23 initiating events: 7 LOCAs,8 plant specific support system l failures, and 8 generic transients. The IPE developed 4 large, systemic event trees for frontline systems, to model the plant response to each initiating event. Two large support state event trees were developed.

2

Loss of heating, ventilating and air conditioning (HVAC) was considered to not be an important initiating event. Loss of instrument air was modeled as an initiating event.

The criterion used for inadequate core cooling was temperature in excess of 2500 F peak core temperature.

Success criteria were developed based on thermal hydraulic analyses, mostly with Modular Accident Analysis Program (MAAP) calculations, the UFSAR, and engineering judgement.

The IPE used plant specific data from 1984 through 1992, for selected components.

Generic data were updated with plant specific data for the selected components and for test and maintenance unavailabilities.

The IPE modeled support system dependencies in two large support system fault trees. The fault trees were solved for each core damage sequence by quantifying the frontline event tree sequences conditional on the support states specified by the support state event trees. Tables of inter-system dependencies were included in the submittal. No HVAC systems were considered required. Instrument air was modeled.

The Multiple Greek Letter (MGL) method was used to model common cause failure, and the Pickard, Lowe and Garrick (PL&G) generic common cause failure database was used to quantify common cause failures. Common cause failures were modeled within systems.

The internal flooding analysis was performed in the following manner. Potential flood sources were identified using information on the plant layout combined with a review of industry flooding experience. A plant walkdown was performed to collect additional information, such as the relative locations of equipment in flood zones. Flood propagation was evaluated to determine the extent of equipment damage from flooding events. Flood scenarios were then conservatively quantified using industry data without credit for operator intervention. For those scenarios surviving this conservative analysis, more detailed analyses were performed, including operator intervention. The general transient event tree was used to evaluate core damage from floods that did not in-and-of-themselves directly cause core damage; this evaluation addressed core damage from a flood initiating event with its resultant failure of equipment, combined with subsequent random failures of equipment.

The model for internal flooding does not consider spray induced failure of equipment.

The submittal states that an internal flooding analysis performed by the utility in 1972, and reviewed by the NRC in 1974, concluded that vital equipment is adequately protected from spray and splashing failures by the use of drip-proof motors or shields.

1 3

- - - - . J

The total CDF from internal initiating events is 5.5E-6/ year. Internal flooding was screened from quantification for the CDF, based on semi-quantitative evaluations of flood scenarios.

Initiating events that contribute the most to CDF, and their percent contribution, are as follows:

Loss of Offsite Power leading to Station Blackout 63%

Medium LOCA in Water Line 7%

Loss of Instrument Air 7%

Small LOCA in Water Line 4%

Reactor Scram initiating Events with 3% i anticipated transient without scram (ATWS) l A more detailed listing of the CDF by initiating event is provided in Section 2.7.1 of l this report.

The CDF grouped by class of accident is as follows:

Station Blackout 64 %

Loss of injection 19%

10% l ATWS '

Loss of DHR 6%. I Based on contributions to the CDF, the following systems are most important, listed in decreasing order:

Emergency AC Power Emergency DC Power Relief Valves Reclosing Diesel Firewater injection to Vessel.

Based on contributions to CDF, the following operator actions are most important, listed in decreasing order. ;

AC power recovery ,

load shedding DG under LOCA conditions l depressurization preventing EC isolation and EC recovery after isolation calibration of core spray injection permissive feedwater control given loss of instrument air DC load shedding given station blackout alignment of torus cooling mcvje of containment spray.

4

- . . - . - . ~ . . - . . - - - _ _ - - _ - - - - - . _ _ _ _ - . _ - . - . _ _

i i

)

i' e

Each front end core damage accident sequence was linked directly to the level 2

' i containment tree, so binning of core damage sequences into Plant Damage States (PDSs) was not required. However, the submittal does provide a binning classification for core damage sequences to facilitate the assessment of results, '

i These bins are referred to as Core Damage End States, and are tabulated in the j submittal.

r Based on our review, the following modeling assumptions are somewhat unique and can have a significant impact on the overall CDF:

(a) assignment of 0.05 for the probability of a seal LOCA with loss of cooling to the recirculation pump seals (b) the assumption that no HVAC or ventilation systems are required l (c) the assumption that the core spray pumps, rated for 140 deg. F, can survive up to over 300 deg. F with a 0.5 probability. l 1

All of thesa assumptions tend to lower the CDF. The first assumption makes a seal LOCA relatively unlikely. The second assumption means that all HVAC and ventilation systems can fail and not impact the ability to prevent core damage. The third assumption decreases the likelihood of loss of core cooling given loss of containment heat removal. ;

i E.4 Generic issues The IPE specifically addressed loss of Decay Heat Removal (DHR). The IPE considers DHR to be the final heat sink. The contribution of loss of DHR to the CDF is 6%. This relatively low contribution is due to the variety of methods available to provide DHR at Nine Mile Point 1, including:

power conversion system emergency condensers containment spray system shutdown cooling system containment venting.

No vulnerabilities associated with loss of DHR were identified by the IPE.

The submittal addresses three NRC questions from Generic Letter 91-06 related to l resolution of GI A-30, " Adequacy of Safety Related DC Power Supplies".) The licensee requests that GL 91-06 be resolved based on the IPE submittal.

E.5 Vulnerabilities and Plant Improvements 5

The licensee does not define vulnerability. The submittal concludes: "With regard to t core damage frequency, there are no unusual or unique contributors to core damage that suggest a plant specific vulnerability."

The submittal discusses improvements judged to have the most potential benefit for reducing risk. These potential improvements are as follows.

Load shedding of non-1E battery loads so the non-1E battery system can be used for supply of DC power after the 1E batteries fail at 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months during station blackout Use of a portable battery charger improved calibration of low vessel pressure emergency core cooling system (ECCS) permissive sensors Use of plant specific data exclusively for failure of a relief valve to reclose instead of generic data updated with plant specific data, since failure to reciose has never happened at the plant Providing capability to locally operate certain air operated valves (AOVs) following loss of instrument air.

The licensee stated that none of the potential improvements have been incorporated into the plant. The licensee stated that given the low risk as quantified in the IPE, consideration of these improvements has not been a high priority . These improvements may be initiated in conjunction with some related effort, such as accident management.

E.6 Observations The licensee appears to have analyzed the design and operations of Nine Mile Point 1 to discover instances of particular vulnerability to core damage. It also appears that the licensee has: developed an overall appreciation of severe accident behavior; gained an understanding of the most likely severe accidents at Nine Mile Point 1; gained a quantitative understanding of the overall frequency of core damage; and implemented changes to the plant to help prevent and mitigate severe accidents.

Strengths of the IPE are as follows. The treatment of plant specific initiating events is comprehensive compared with some other IPE/PRA studies. The consideration of leakage from the vessel as affecting the ability to cool the core is notable, especially since Nine Mile Point 1 has emergency condensers which remove decay heat without providing makeup to the vessel. The treatment of recirculation pump seal LOCAs is by far the most comprehensive for any BWR IPE that we have reviewed to date.

6

One possible shortcoming of the IPE is as follows. The IPE assumes that the core spray pumps, rated for 140 deg. F, can survive up to over 300 deg. F with a 0.5 probability, based on engineering judgement.

Significant level-one IPE findings are as follows:

i e station blackout dominates the CDF

leakage from the vessel impacts CDF

loss of DHR, defined as the final heat sink, contributes relatively little to CDF.

Station blackout is a major contributor to the CDF; the top two sequences involve station blackout with loss of primary inventory. The ECs do not provide makeup to the primary, and leakage from all sources, including recirculation pump seals, is an important contributor to the CDF. Loss of DHR contributes relatively little to the CDF l due to the variety of options available for core cooling during shutdown.

1 l

i l

t l

, . - - . . --- =_ ._--..-. -. _-..-- _- -.-.._- - ----- . - _.-

1. INTRODUCTION 1.1 Review Process l l

This report summarizes the results of our review of the front-end portion of the IPE for Nine Mile Point 1. This review is based on information contained in the IPE submittal along with the licensee's responses to RAl. [lPE] [lPE Responses]

1.2 Plant Characterization The Nine Mile Point i plant is co-located with the Nine Mile 7 plant, but shares few systems with unit 2, because the two pients are different vintage Boiling Water Reactors (BWR). The plant is located on the southeast shore of Lake Ontario in New York, seven miles northeast of Oswego, New York. Nine Mile Point 1 is a BWR 2 with a Mark I containment. General Electric was the Nuclear Steam System Supplier (NSSS); the utility, Niagara Mohawk Power Corporation, was the Architect Engineer (AE) and Stone and Webster was the constructor. The Unit achieved commercial operation in December 1969. The rated power is 1850 MWt and 620 MWe net.

The design features at Nine Mile Point 1 that directly impact the core damage frequency (CDF) are as follows:

Emeroency (isolation) condensers (EC) The ECs require no electrical power to provide for core cooling, and this tends to decrease CDF. However, the ECs alone provide no makeup to the vessel and thus excessive leakage or unisolated seal Loss of Coolant Accidents (LOCAs) cannot be mitigated with the ECs; this tends to increase the CDF.

Hardened containment vent The hardened containment vent decreases the CDF by providing a backup to loss of containment cooling whereby continued support of core cooling systems can be provided.

Eiaht-hour batterv i;Mme The 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months battery lifetime tends to decrease CDF, since it is relatively long compared to battery lifetimes at some other BWRs, thereby allowing for increased likelihood of recovery of offsite power.

Diesel driven firewster The availability of diesel driven firewater tends to lower the CDF since this source can be used to provide makeup to the ECs and to inject to the vessel via the feedwater piping.

i e Ability to power control rod drive (CRD) oumos off 1E oower The ability to l power the CRD pumps with the diesel generators (DGs) tends to decrease the l CDF since this provides an additional source of makeup to the vessel even if l offsite power is lost. l

\

8 )

i

_ - ,r-

\

2. TECHNICAL REVIEW 2.1 Licensee's IPE Process We reviewed the process used by the licensee with respect to: completeness and methodology; multi-unit effects and as-built, as-operated status; and licensee participation and peer review.

2.1.1 Completeness and Methodoloav. :

The submittal contains the information requested by Generic Letter 88-20 and j NUREG 1335. No obvious omissions were noted. [NUREG 1335][GL 88-20] j The Nine Mile Point 1 IPE is a level 2 PRA. The front-end portion of the IPE is a level l PRA, which is a method that is addressed in Generic Letter 88-20. The specific technique used for the level i PRA was a large event tree /small fault tree :

technique, and it was clearly described in the submittal. l I

The submittal described the details of the technique. Internal initiating events and internal flooding were considered. Event trees were developed for all classes of 1

initiating events. The development of component level system fault trees was summarized, and system descriptions were provided. Support systems were ;

modeled with event trees used to establish support state conditions for quantification 1 of the frontline event trees. Inter-system dependencies were discussed in the system descriptions and a table of system dependencies was provided. Data for !

quantification of the models were provided, including common cause and recovery l data. The application of the technique for modeling internal flooding was described in !

the submittal. No results of uncertainty analyses or sensitivity analyses are provided l in the submittal, although the submittal implies that these analyses may have been performed importance analyses were performed, and results therefrom are provided in the submittal.

The licensee initiated work on a PRA for Nine Mile Point 1 to fulfill the requests of Generic Letter 88-20. [lPE submittal, Section 1.1) 2.1.2 Multi-Unit Effects and As-Built. As-Operated Status.

Although Nine Point i shares its site with Nine Mile Point 2, there is almost no sharing of systems except for offsite power, and for the ability to use firewater from Unit 2 at Unit 1. A separate IPE was performed for Unit 2.

The submittal states that three types of walkdowns were performed for the IPE. [lPE submittal, Section 1.2) The first walkdown was a week in duration, performed during shutdown, and focused on the primary containment and equipment within primary containment. The second walkdown was performed at power, and it focused on the 9

1 1

i-1 l reactor building. The third walkdown was a collection of individual walkdowns, j performed as necessary in support of modeling of individual systems and in support of the model for internal flooding.

Major documentation used in the IPE included: the UFSAR, procedures, drawings, design basis documents, equipment qualification repcrts, LERs, in-service test results, and maintenance work reports. [lPE submittal, Section 2.4.1]

The submittal states that many PRAs were reviewed during the preparation of the IPE for Nine Mile Point 1, especially the IPE for Nine Mile Point 2. [lPE submittal, Section 2.4.2] Some of the PRAs reviewed were as follows: [lPE submittal, Section 8]

Brunswick PRA Shoreham PRA Limerick PRA Reactor Safety Study [ WASH-1400]

Seabrook PRA.

The IPE did not select a specific freeze date. [lPE Responses] information was tollected as needed throughout the project- from 3/91 through 1/g3. The IPE did not credit any pending changes to the plant in the model.

2.1.3 Licensee Particioation and Peer Review.

Five full-time engineers from the utility were assigned to the IPE effort. [lPE submittal, Section 5.1] As- needed support was provided from in-line utility organizations, i including: operations, nuclear technology, safety analysis, systems engineering, l reactor engineering, training, electrical design, fuels, and design basis reconstitution.

Consultants from the following organizations were utilized: General Physics, Fauske j l

and Associates, GKA, Haliburton NUS, and EQE.

The submittal states that: " continued application of IPE is a priority for NMPC". [lPE submittal, page 2-3] So far, the IPE has been used by the utility for developing an emergency diesel generator reliability program, supporting operator training, and enhancing operating procedures.

The submittal states that independent in-house reviews were performed throughout the study. [lPE submittal, Section 2.1) As individual IPE packages were prepared, thsy were reviewed by: Quality Assurance (QA), independent Safety Engineering Group (ISEG), engineering, operations, maintenance, training, and systems engineering. However, there is no indication that the independent reviews were performed by personnel with PRA expertise to provide an overall review of the IPE.

The final IPE package was reviewed by licensing and management. More information on the review efforts is provided in Section 5 2 of the submittal.

10

2.2 Accident Sequence Delineation and System Analysis This section of the report documents our review of both the accident sequence delineation and the evaluation of system performance and system dependencies provided in the submittal.

2.2.1 initiatina Events.

The IPE used the following process to identify initiating events: [lPE submittal, Section 2.3]

review of generic BWR experience a review of other PRAs

review of the plant operating history

failure modes and effects analysis (FMEA) for plant specific initiating events.

The initiating events were quantified as follows. [lPE submittal, Section 3.1.1.1)

Anticipated transient initiating events were quantified based on plant specific historical data. Internal (to containment ) LOCA events were quantified with generic date from other PRAs. External (to containment) LOCA events were quantified with plant specific analyses. Plant specific support system initiating events were quantified with plant specific fault tree models, except for events involving loss of instrument air and loss of the ultimate heat sink, which were quantified based on plant operating history.

Plant specific initiating events were systematically identified by a FMEA applied to systems. [lPE submittal, Section 3.1.1.2.3 ) Table 3.1.1-5 of the submittal summarizes the resuits of the FMEA analysis for the identification of plant specific initiating events. The 23 initiating events analyzed in the IPE, categorized into three initiating event groups, are as follows; [lPE submittal, Table 3.1.1-1)

LOCAs Large LOCA in a water line Large LOCA in a steam line Medium LOCA in a water line Medium LOCA in a steam line Small LOCA in a water line Small LOCA in a steam line Interfacing systems LOCAs Transients Reactor scram Turbine trip Main steam isolation valve (MSIV) closure Partial MSIV closure Loss of condenser 11

i 4

i Totalloss of feedwater l Partial loss of feedwater i Inadvertent opening of safety / relief valve

! Plant Specific Initiating Events Loss of offsite power l

Loss of operating service water

! Loss reactor building closed loop cooling water (RBCLC)

! Loss of turbine building closed loop cooling water (TBCLC)

! Loss of instrument air i Loss of AC power board 102 -

[ Loss of AC power board 103

~

Loss of lake intake.

Loss of HVAC was not modeled as an initiating event. Based on the analysis of the HVAC systems as summarized in Section 3.2.1.23 of the submittal, the licensee concluded that loss of HVAC has limited impact. This is due to the plant design, specifically: room sizes, equipment sizes, and heat loads. [lPE Responses] The licensee stated that loss of control room cooling does not lead to excessive control room temperatures. [lPE Responses] The iPE model assumed that loss of control room cooling is included in the SCRAM initiating event.

Loss of a DC battery board does not cause plant trip and therefore was not modeled as an initiating event. [lPE Responses]

The IPE includes " loss of lake intake" as an initiating event. This event is loss of the screen house intake water supply, which fails all heat removal capability except that utilizing the isolation condensers . [lPE submittal, Section 3.1.1.2.3] This event has happened once in 23 operating years, and this occurrence was used to quantify the frequency of this initiating event.

The submittal provides a discussion of the identification of interfacing systems LOCAs. [lPE submittal, Section 3.1.1.3.2.2] The licensee concludes that the core spray system is of most potential significance for an interfacing systems LOCA, and assigns an initiating event frequency of 9.2E-6/yr for an interfacing systems LOCA.

This frequency does not include the conditional probability the core spray system components exposed to pressures greater than design pressure fail catastrophically.

As indicated in Table 3.1.3-1 of the submittal, the probability the core spray components fail catastrophically under exposure to RCS pressure is 1E-4. Therefore, the likelihood of an interfacing systems LOCA that results in significant leakage is small.

Table 3.1.1-1 of the submittal provides point estimate frequencies for the initiating events modeled in the IPE. These frequencies are comparable to values used in typical IPE/PRAs, with two possible exceptions.

12

The submittal states that recirculation pump seal LOCAs as initiating events, considering the capability to isolate the seal LOCAs, are bounded by the small LOCA initiating event frequency, which is 4E-3/yr for a small LOCA in a water bearing line.

[lPE submittal, Section 3.2.1.28-1] [lPE submittal, Table 3.1.1-1] Other PRAs have considered a recirculation pump seal LOCA initiating event as a small-small LOCA and assigned it a higher frequency than that for a small LOCA. For example, the NUREG/CR 4550 study for Peach Bottom used a frequency of 3E-2/yr for the recirculation pump seal LOCA initiating event, and the Browns Ferry IPE used a frequency of 2E-2/yr for the seal LOCA initiating event. [NUREG/CR 4550, Peach Bottom Table 4.3-3] [ Browns Feny IPE submittal, Table 3.1.1-1] The licensee notes that the Nine Mile Point i small LOCA model does not address the ability to isolate the LOCA; a seal LOCA can be isolated. The NUREG/CR 4550 analysis for Peach Bottom explicitly considered isolation of the seal LOCA. Therefore, the inclusion of a seal LOCA in the unisolable small LOCA category for Nine Mile Point 1 has minor impact on the overall results. [lPE Responses]

The IPE uses a frequency of 2E-2/yr for spurious opening of a relief valve. This is low in comparison to values used in other IPEs/PRAs for this event. The NUREG/CR 4550 study for Peach Bottom used 0.19/yr, the Browns Ferry IPE used 0.04/yr, the NUREG/CR 4550 study for Grand Gulf used 0.14/yr, and the Cooper IPE used 0.09/yr. [NUREG/CR 4550, Peach Bottom, Table 4.3-1] [ Browns Ferry IPE submittal, Table 3.1.1-1] [NUREG/CR 4550, Grand Gulf, Table 4.3-1] [ Cooper IPE submittal, Table 3.1.1-14] Furthermore, Nine Mile Point i uses electromatic relief valves; other plants using electromatic relief valves have experienced problems with these valves.

The Quad Cities plant uses electromatic relief valves; the Quad Cities IPE used a frequency of 0.1/yr for spurious opening of a relief valve. [ Quad Cities, IPE Responses]

The frequency assigned to loss of offsite power is 0.05/yr, based on plant data. [lPE submittal, page 3.1.1-8] This plant specific value is lower than a typical generic value. Based on generic data, the frequency of loss of offsite power is estimated to be 0.15/yr. [lPE submittal, page 3.1.1-7]

2.2.2 Event Trees.

Each accident initiating event was included in an appropriate class of initiating events, and each class of initiating events was modeled with an event tree. The following large, frontline event trees were developed: [lPE submittal, Section 3.1.2]

transients and small LOCAs AM/S i station blackout l medium and large LOCAs.

13 i

i

l. Two large support system event trees were developed, these being: [lPE submittal, i Section 3.1.4]

.l electrical and actuation support systems event tree mechanical support systems event tree.

l A special event tree was developed for interfacing systems LOCAs. [lPE submittal, j Section 3.1.3] The event trees are systemic rather than functional in nature. The i mission time used was 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . [lPE submittal, Section 3.1.1.4.1) i.

! The success criteria for no core damage is that the peak core temperature remains l below 2500 F. [lPE submittal, Section 3.1.1.4.1] Nine Mile Point 1 does not use jet j pumps and the recirculation lines are piped to the vessel such that 2/3 of the core cannot be maintained covered following a large LOCA, thus, collapsed water level is j not as meaningful a measure for long term core cooling at Nine Mile Point 1 as it is i for BWR plants with jet pumps. ,

1 1

N submittal provides a table of success criteria, with numerous explanatory !

iootnotes, for the various types of accidents . [lPE submittal, Table 3.1.1.8a] These !

l success criteria were developed based on: generic information, plant specific analysis j particularly with the MAAP code, and engineering judgement. [lPE submittal, Section j 3.1.1.4.2] l l

It is notable that this IPE modeled seal LOCAs as a result of loss of seal cooling l

i during transient accident sequences. This IPE is only the second BWR IPE that we ,

l have reviewed to date that has clearly addressed recirculation pump seal LOCAs due !

to failure of seal cooling; this is of special interest at BWRs using isolation j condensers instead of reactor core isolation cooling (RCIC), such as Nine Mile Point l

1. l

,r The success criteria for depressurization with relief valves to allow the use of low l

j pressure cooling systems, specifically core spray or injection with firewater, specify j that 2 valves are sufficient if they are opened by operator action when measured level is at the top of the active fuel. [lPE submittal, Table 3.1.1.8a] NUREG/CR-4550 l for Peach Bottom required 3 safety relief valves (SRVs) for successful

depressurization. [NUREG/CR 4550 Peach Bottom, Table 4.3.4) The licensee j discussed the basis for assuming that 2 SRVs can provide successful j depressurization. [lPE Responses) MAAP calculations were used to show that 2 i

SRVs are sufficient. Also, generic calculations in NEDO-24708A indicated that 2

! SRVs are adequate.

The licensee also provided information addressing the capability of injection with the j firewater system during depressurization with 2 SRVs. [lPE Responses) A calculation indicated that firewater can provide 510 gpm at 130 psid. MAAP calculations 4

E I

14 i

indicated that firewater can be used for core cooling with 2 SRVs providing depressurization.

The success criteria take credit for CRD to provide core cooling. [lPE submittal, Table 3.1.1-8a) The submittal states that one CRD pump at 110 gpm can provide core cooling after 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . [lPE submittal, Page 1.1-2) We performed a calculation to check this statement; our results support the submittal statement. The submittal states that 220 gpm of injection from CRD can provide core cooling immediately after plant shutdown. However, the IPE did not take credit for the use of both CRD pumps to provide 220 gpm of core cooling and thereby mitigate a transient immediately after

. trip, due to lack of an assessment of the total flow from 2 CRD pumps. [lPE submittal, Table 3.1.1.8a footnote 11) Our calculations indicate that 220 gpm from CRD can provide core cooling immediately after plant trip.

The success criteria state that a large LOCA can be mitigated with 1 core spray pump. [lPE submittal, Table 3.1.1.8a] The table of success criteria does not specify whether or not a core spray topping pump is also required; but, the system description for the core spray system states that both one core spray pump and one core spray topping pump are required. [lPE submittal, page 3.2.1.15-1) The UFSAR states that one core spray pump and one core spray topping pump together can mitigate a large LOCA. [UFSAR, page XV-81a and Tables XV-9A and XV-10]

The success criteria for containment heat removal with containment spray, require 1 containment spray pump,1 containment spray heat exchanger, and 1 raw water cooling pump for cooling the containment spray heat exchanger. [lPE submittal, Table 3.1.1.8a] This agrees with the UFSAR criteria for containment cooling. [UFSAR, pages XV-169b and XV-169e] If containment cooling with the containment spray system is lost, the success criteria credit the use of shutdown cooling or containment venting for containment heat removal / pressure control. At Nine Mile Point 1, the shutdown cooling system is totally distinct from the containment spray system, utilizing distinct core cooling pumps and heat exchangers, and using service water for a heat sink instead of containment spray raw water.

The IPE credits operator action to vent containment if normal containment heat removal is lost. [lPE submittal, page 3.1.2.1-19] The venting takes place before the drywell pressure limit is reached, at 43.4 psia. [lPE submittal, Section 3.2.1.20.2) If venting is successful, the IPE assumes that core cooling with external sources of water can be continued or initiated, but that recirculation from the suppression pool with the core spray system fails after venting due to loss of adequate net positive suction head available (NPSHA). [lPE submittal, page 3.1.2.4-6]

The submittal states that without normal containment cooling, the procedures cM 'or all injection to containment to be terminated when the drywell pressure limit is reached. [lPE submittal, Section 3.2.1.25.1) This condition is reached if the containment has not been vented. In this situation, only core cooling with 15

I recirculation from the suppression pool with the core spray system is used. The i temperature of the suppression pool can reach 312 F before containment fails on !

overpressure, and the core spray pumps are rated at 140 F. (Section 3.1.1.4.1 of the submittal states that at low temperature, the vent line bellows in the suppression pool wetwell airspace fail at about 65 psig; the saturation pressure at 312 F is about 80 psia which equates to 65 psig.) The IPE assigns a probability of 0.5 for the core ,

spray pumps surviving and continuing to cool the core until containment failure. After ;

containment failure, the core spray pumps are assumed to fail due to loss of l adequate NPSHA. [lPE submittal, Section 3.1.2.1) If the core spray pumps fail prior i to containment failure, the submittal states that MAAP calculations indicate that I containment failure prior to core damage is likely, and the IPE assigns a value of 0.2 i for the probability that core damage occurs prior to containment failure. [lPE submittal, Section 3.2.1.25.1] If containment fails before core damage, the IPE .

credits operator action to cool the core with extemal sources, in particular: CRD, feedwater, containment spray raw water crosstied to inject via core spray, and firewater crosstied to inject through feedwater. [lPE submittal, Section 3.2.1.25.2)

The submittal states the failure of external cooling sources following containment failure due to environmental qualification (EQ) effects is not likely, and a discussion of equipment locations and EQ effects is provided. [lPE submittal, Section 3.2.1.25.2) j The IPE assigns a human error failure probability of 0.1 to loss of extemalinjection j following containment failure, and states that this human error dominates over EQ related failures.

The submittal provides a discussion of how high suppression pool water temperature can result in failure of the core spray pumps, with loss of normal containment heat removal and no containment venting. [lPE submittal, Section 3.2.1.25.1) Engineering judgement was used to assign a 50% probability that the pumps, with a design temperature of 140 F, can survive up to 312 F. [lPE Responses) As previously discussed, the IPE assumes that even if core spray fails prior to containment failure, there is an 80% probability that containment failure will precede core damage. Thus, with core spray available, the probability that core damage occurs prior to containment failure is 0.5 x 0.2 = 0.1. [lPE submittal, page 3.2.1.25-3] The licensee provided information on the impact of these assumptions (about the core cooling / containment cooling interface) on the CDF. [lPE Responses) If the probability of failure of the core spray pumps without containment cooling is increased from 0.5 to 1.0, the CDF increases by 2%. If core damage is assumed to always occur prior to containment failure, the CDF increases by 16%.

The table of success criteria credits the use of containment spray raw water for core cooling in response to a large LOCA in a water bearing line, and credits the use of either raw water or firewater for core cooling in response to a large LOCA in a steam bearing line. [lPE submittal, Table 3.1.1.8a] These cooling options require operator actions, to either inject containment spray raw water into the core spray lines, or to inject firewater into the feedwater lines. The use of firewater for injection requires 1 installation of a spool piece of p! ping. [lPE submittal, page 3.2.1.4-2) Firewater is not i 16

credited for the water LOCA since it injects via feedwater into the downcomer and would be lost out the break. It is unlikely that operator actions to implement core cooling with either of these options can be performed quickly enough to prevent core

. damage following a large LOCA. Blowdown occurs quickly following the large LOCA, and cooling with ECCS must be initiated in a matter of tens of seconds to prevent core damage of uncovered fuel. The large LOCA event tree recognizes this, and does not credit the use of firewater or containment spray raw water unless core spray operates initially. [IPE submittal, page 3.1.2.4-1)

The model for successful mitigation of an ATWS requires that operators inhibit ADS and inject with the liquid poison system. (IPE submittal, Section 3.1.2.2) i The model for station blackout uses a battery lifetime of 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months , with load shedding, i and considers recovery of offsite power and recovery of failed diesel generators. (IPE !

i submittal, Section 3.1.2.3) Battery power is needed for station blackout events that are accompanied by leakage of coolant from the reactor system such as due to ,

recirculation pump seal failure. For such sequences, battery power is needed to maintain the relief valves open to depressurize the reactor coolant system which, in tum, allows for use of firewater system for low pressure injection makeup. On loss of DC power for such sequences, the relief valves are assumed to reclose, allowing the reactor system to repressurize, rendering low pressure injection ineffective. Operatdr actions to shed DC loads are required for the batteries to last for 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months . If load shedding is successfully completed by 15 minutes, the batteries last for 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months ; if load shedding is successfully completed after 15 minutes but before 30 minutes, the batteries will last for 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . If DC load shedding is not accomplished by 30 minutes, the batteries fail at 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months . If offsite power is not recovered prior to battery depletion, the model assumes that it cannot be recovered and that a DG cannot be started, due to loss of DC control power.

The success criteria for station blackout state that if vessel leakage is less than 25 gpm, then one train of emergency condensers (two condensers per train) with shell makeup (makeup to the secondary sides of the condensers) can provide for core cooling throughout the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months mission time. [lPE submittal, Table 3.1.1.8a and Footnote #8 to Table 3.1.1.8a] This success criteria does not distinguish between shell makeup with the gravity makeup tanks, and long term makeup with condensate or firewater; however, in the discussion of the station blackout event tree, the submittal clarifies the distinction between gravity makeup and long term makeup and discusses the times to core damage with various combinations of makeup failures.

[IPE submittal, page 3.1.2.3.6]

The success criteria state that for a stuck open relief valve, if one train of emergency condensers without makeup is available, then depressurization to allow use of low pressure core cooling systems is not required. [IPE submittal, Table 3.1.1.8a] That is, the submittal states that 1 train of emergency condensers without gravity makeup provides core cooling long enough so that when lost, one open relief valve can 17

4 maintain pressure sufficiently low to allow use of low pressure core cooling systems,

such as: core spray, firewater, and condensate. We compared the energy relieved

! from one open relief valve at low pressure to the decay heat at the time cooling with

the emergency condensers would be lost; based on this comparison, we agree with j this success criteria used in the IPE.

?

l 2.2.3 Systems Analysis.

i l System descriptions are included in Section 3.2.1 of the submittal. We found these l system descriptions to be informative, and the system schematics to be helpful. Of l' i special note is the system description for the recirculation pump seals.

l l

l Our comments on the systems descriptions are as follows.

l l The system description for AC power discusses the need for operator action to shed I j loads off the DGs following a DBA, to prevent overloading the DGs. [lPE submittal, l j Section 3.2.1.2) For example, a containment spray pump needs to be unloaded j when containment spray raw water cooling pumps are loaded. [lPE submittal, Section

! 3.2.1.2.11] The normal supply of offsite power to the 102 and 103 emergency buses i is from the station reserve transformers; thus, no transfer of offsite power after plant

! trip is required.

i The system description for firewater states that two pumps are available, one l

electrical and one diesel. Each pump can provide 2500 gpm at 125 psig; evidenti/ ,

the pressure is the pump discharge pressure. Firewater from Unit 2 can be cro'sstied to supply Unit 1. To use firewater for core cooling via injection into the feedwater system, a spool piece of piping must be installed.

The service water system consists of 2 normal pumps and 2 emergency pumps. The normal pumps cool the RBCLC system and the TBCLC system; the emergency pumps only cool the RBCLC system. The emergency service water pumps can be powered off the 1E electrical buses. The source of service water is the screenhouse.

There was one event in the history of the plant in which lake water to the screenhouse was lost. As previously discussed in this report, loss of intake water was modeled as an initiating event in the IPE.

The system description for the containment spray system discusses the use of the system for containment cooling by either spray or torus cooling. Operation of the containment spray raw water pumps fu cooling the containment spray heat exchangers requires manual operator actions. Operator action can also be used to align two of the four containment spray raw water pumps for injection into the vessel '

via the core spray system piping.

18

.a .u. --.us- .a,a+.we.. s~ w.,m,_-

.e -- - . - - - :

P The RBCLC system cools the following components: recirculation pumps and seals, two instrument air compressors, motor driven feedwater pumps, feedwater booster pumps, and the shutdown cooling system pumps and heat exchangers.

The TBCLC system cools the following components: one instrument air compressor, the service air compressor, and the shaft driven feedwater pump.

The submittal states that the nitrogen system was found to be unimportant and was .

not modeled. Air is, required for opening the outboard MSIVs and for venting containment. The table of system dependencies lists nitrogen as a support system for containment venting. presumably as a backup for instrument air. [lPE submittal, Table 3.2.3.2)

The system description for feedwater and condensate discusses the use of the motor driven feedwater pumps as a non-safety grade HPCI system; these pumps require offsite power. One of the motor driven feedwater pumps is operating at power and ,

the other is in standby. A larger feedwater pump, directly driven off the main turbine ;

shaft, is also operating at power.

The system description for the Main Steam System discusses the ' safety and relief valves, and the MSIVs. The inboard MSIVs are motor operated and fail-as-is; the ;

outboard MSlVs are air operated and fail closed. Six electromatic relief valves on the main steam lines are provided; these valves are distinct from the safety valves, require DC motive power to open, and do not require air to open as do combination i safety relief valves used at many BWRs. There are 16 safety valves connected j directly to the vessel head. 1 The system description for the emergency condensers describes the two trains of condensers, each consisting of two condensers, and the gravity-driven secondary makeup tanks, which require operator action to throttle makeup supply. Long term makeup to the secondary shell side of the emergency condensers requires operator action to use the condensate transfer system or the firewater system. At power, the two motor operated isolation valves (one DC and one AC) in each of the two steam lines from the vessel to the emergency condensers are open. At power, each of the two water return lines from the emergency condensers to the reactor vessel are !

isolated by both a normally closed fail open air operated valve and a check valve.

The system description for the core spray system describes the need for a core spray topping pump to support operation of each of the four core spray pumps. The use of the containment spray raw water crosstie into core spray piping for injection to the vessel is also described.

The system description for CRD describes the makeup flow paths to the vessel, both through the CRD seals and into the 3 inch line connected directly to the vessel. One of the two CRD pumps is normally operating. The majority of the injection is through 19

1 l

3-4 j the CRD seals. At power, about 44 gpm is injected through the CRD seals, and

another 12 gpm is injected into the 3 inch line. After reactor scram, with all control

rods fully inserted, about 103 gpm is injected through the CRD seals, and another 9 :

gpm is injected into the 3 inch line. Thus, after reactor scram, evidently about 110 gpm of CRD is provided to the vessel without the need for operator action to increase

CRD flow. With loss of instrument air, air operated valves in the CRD system fail open. [lPE submittal, Section 3.2.1.16-12] The system description and the modeling l<

of CRD in the event trees, imply that operator action is not required to increase CRD l flow to the vessel to 110 gpm following reactor trip.

The submittal describes the shutdown cooling system. This system is distinct from f the containment spray system. It consists of three trains, each with a shutdown l cooling pump and a shutdown cooling heat exchanger. The supplies to the pumps j are headered to pull from one recirculation loop suction line, and the returns from the

heat exchangers are headered to inject into one recirculation loop discharge line.

The system can be used to cool the core when vessel conditions are below 120 psig j and 350 F. The shutdown cooling system heat exchangers are cooled by the RBCLC system. The shutdown cooling system pumps can be powered by 1E buses. [lPE j submittal, Table 3.2.3.2]

t

! The submittal provides a system description of the containment venting system.

j Containment can be vented from eitNr the drywell or from the torus airspace, j j Venting from the torus airspace is prSrred since this provides for scrubbing of i j fission products by the suppression pool water. Procedures direct operators to vent

' containment before the drywell pressure limit of 43.4 psig is reached. Instrument air >

l is required for operation of the vent. The submittal states that the vent is hardened.

i [lPE submittal, Section 1.2)

The system description for the liquid poison system states that operator action to

inject 30 gpm with one of two pumps is needed to mitigate an ATWS accident scenario. [lPE, Table 3.1.2.2-1] The operator has between 7 minutes and longer than

one hour to initiate SLC, depending on the specifics of the accident scenario. The j liquid poison system pumps can be powered by 1E buses.

e i The submittal provides a system description of the recirculation pump seals and

! cooling for the seals. [lPE submittal, Section 3.2.1.28] If the seals fail as a result of loss of seal cooling, the maximum leakage is expected to be 60 gpm per pump, due j to the presence of a breakdown bushing in the seal design. Thus, the maximum

expected loss from all five recirculation pumps is 300 gpm. Seal cooling is provided

! by the RBCLC water system, and is not isolated on containment isolation. [lPE

! submittal, Pages 3.2.1.22-10 and 3.2.1.22-19] At some BWRs, CRD can also be 1

used to cool the recirc pump seals.

! The submittal describes results of tests performed on the seal cartridge. [lPE l submittal, Section 3.2.1.28] Based on these tests, the IPE assigns a probability of 4

j 20 j

1

)

I 0.05 to the probability that a significant seal LOCA develops with . loss of cooling to the recirculation pump seals. It is important to note that the potential significance of seal LOCAs is associated with scenarios when core cooling is provided by the emergency condensers with no makeup, and during this state cooling of vessel water using the condensers substantially lowers vessel water pressure and temperature, resulting in less stress on the seals. [lPE submittal, Figure 3.2.1.28-4]

A significant recirculation pump seal LOCA is defined as total leakage greater than 45 gpm, after one hour [lPE submittal, Page 3.1.2.3-4)

The IPE modeled a recirculation pump seal LOCA as a possibility during both general transient events and during station blackout. Following a seal LOCA, makeup to the i vessel is required. [lPE Responses) l The submittal includes a discussion HVAC systems, and discusses the need for ;

HVAC to support frontline systems. [lPE submittal, Section 3.2.1-23] Ventilation for 1 the following areas was discussed: ;

Reactor Building Battery Rooms and Battery Board Rooms Diesel Generator Rooms '

Emergency Switchgear Rooms Control Room and Auxiliary Control Room Screenhouse Turbine Building. l The submittal states that none of these ventilation systems are required to support operation of equipment. The licensee stated that loss of HVAC is not of item of significance, based on caiculations of temperatures resulting from loss of HVAC. [lPE Responses)

The submittal states that the ventilation system for the diesel generator rooms is not needed because the roll doors are normally partially opened during hot weather to provide maximum cooling when the DGs are operating. The doors are closed when the outside temperature drops below 50 F, but that the doors automatically open once the room temperature reaches 80 F and then the doors remain open. [lPE Responses]

2.2.4 System Dependencies.

The submittal provided tables that indicate the dependencies of frontline systems on support systems and support systems on support systems. [lPE submittal, Tables 3.2.3-2 and 3.2.3-1] Also, the submittal provided a table of the dependencies of actuation systems on sensors. [lPE submittal, Table 3.2.3-3) 21

Important asymmetries in train-level system dependencies were indicated in the submittal, such as differences in sources of cooling water for different air compressors and associated aftercoolers. The following types of dependencies were considered: shared component, instrumentation and control, isolation, motive power, direct equipment cooling, area HVAC (screened cut), operator actions, and environmental and phenomenological effects. Our specific comments on the dependency tables follow.

The dependency tables appear complete and are accompanied with numerous I I

informative footnotes.

The system dependency tables indicate that the following pumps are self cooled: core spray, containment spray, CRD, and firewater. The system dependency tables indicate that the following pumps require the indicated external cooling: condensate and feedwater pumps require RBCLC, and feedwater pump 13 also requires TBCLC; and, shutdown cooling system pumps require RBCLC (at the upper temperature limit of operation only). ,

.We have a one minor comment related to the dependency tables. The tables list nitrogen as a support system, yet the system description for nitrogen states that this system was not modeled.

2.3 Quantitative Process This section of the report summarizes our review of the process by which the IPE quantified core damage accident sequences. it also summarizes our review of the data base, including consideraton given te plant-specific data, in the IPE. The uncertainty and/or sensitivity a.1alyses that were performed, if any, were reviewed.

2.3.1 Quantification of Accident Secuence Freauencies.

The Nine Mile Point i IPE used the large event tree /small fault tree technique with ,

support states for quantifying core damage. The event trees were systemic. The RISKMAN computer software was used to quantify the fault trees and the event sequences. [lPE submittal, Section 2.3]

Table 3.4.1-2 of the submittal indicates that a truncation value of 1E-11 was used for quantification of all initiating events.

Recovery actions were modeled in the event trees. [lPE submittal, Section 3.2.1.26]

The following recovery actions were considered:

OGR Recovery of offsite power within one hour OSP Recovery of offsite power at either 2,4, or 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months conditional on the probability that offsite power was not recovered in the first hour

! 22 i

4

..-7 .-- ~ .

i EDG Recovery of a DG REC Recovery of a method to remove heat from containment late in an accident.

The event REC considers a number of actions, depending on the preceding failures in the accident sequence, such as: recovery of intake water, recovery of instrument air, and recovery of service water.

2.3.2 Point Estimates and Uncertgintv/ Sensitivity Analyses.

Mean values were used for point estimate failure frequencies and probabilities. A 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months mission time for mitigation of aq accident was used.

l The submittal implies that an uncertainty analysis was performed using Monte-Carlo l techniques; [lPE submittal, Page 2-3) however, no details of an uncertainty analysis j are provided in the submittal. The submittal implies that sensitivity analyses were :

performed; [lPE submittal, page 2-3) however, no details of any sensitivity analyses !

are provided in the submittal. I importance analyses were performed and the results of these analyses are provided in the submittal. Event tree top event and split fraction importance measures are tabulated in the submittal [lPE submittal, Tables 3.4.2.1 through 3.4.2.-5) Results are tabulated for: fractional contribution to CDF, risk achievement worth, and risk reduction worth.

2.3.3 Use of Plant-Soecific Data.

The entire plant operating history, except for the first year, was used to quantify ,

appropriate initiating events. [lPE submittal, Section 3.1.1.2]. Because of changes to procedures, plant modifications, and equipment aging, only more recent plant specific data were used to quantify failures of mitigating system components. [lPE submittal, ,

Section 3.3.2) To quantify failures of standby components to operate on demand, plant specific data from 1988 through 1992 were used. To quantify failures of operating components, plant maintenance history data from 1984 through 1991 were '

used. Data from Unit 2 were not used, since the two units are different vintage BWR designs.

Generic data were Bayesian updated with plant specific data, for both hardware failures and maintenance unavailabilities.

The components for which plant specific data were developed are tabulated in Tables 3.3.2.1 and 3.3.2.2 of the submittal.

We performed a spot check of these tables to see if the following components were modeled with pkant specific data: diesel generators, ECCS pumps, service water 23 i

, . __ _.-_____________a

pumps, motor operated valves (MOVs), AOVs, relief valves, firewater pumps, and circuit breakers. All of these components are listed in the tables except for core spray pumps, containment spray pumps, containment spray raw water pumps, and service water pumps; data for a " general" low pressure centrifugal pump were used for these pumps based on grouping of plant specific data. [lPE Responses)

Table 2-1 of this report compares the plant specific data mean values for selected components from Table 3.3.2-3 of the submittal to values typically used in IPE/PRA l studies, using the NUREG/CR 4550 data for Peach Bottom for comparison.

[NUREG/CR 4550, Peach Bottom) (The data in the submittal is the Bayesian updated data.)

Table 2-1. Plant Specific Component Failure Data Component and Nine Mile Point NUREG/ CR 4550 Failure Mode Value ")d') Value o>a2) Peach Bottom Submittal Table 3.3.2-3 Table 4.9-1 Diesel Generator 2.0E-2/D 3.0E-3/D Fail to Start Diesel Generator 1.0E-3/H (First Hour) 2.0E-3/H Fail to Run 3.0E-3/H (After First Hour)

Core Spray Pump 1.2E-3/D(*) 3.0E-3/D l

Fail to Start Core Spray Pump 4.7E-5/H(' 3.0E-5/H Fail to Run MOV 3.6E-3/D 3.0E-3/D

Fail to Change State (Open/Close)

AOV 1.7E-3/D 1.0E-3/D l Fail to Change State (Open/Close) l Relief valve fails to open on 8.2E-3/D 1.0E-2")

demand Open valve fails to reclose 3.2E-3/D 9.6E-2/D l

i I

i (1) D is per demand; these values are probabilities.

(2) H is per hour; these values are frequencies.

24

(3) Submittal only provides data for centrifugal pumps in general, not for these specific pumps.

(4) Data from NUREG/CR-4550 Generic Data [NUREG/CR-4550, Methodology)

Based on the data in Table 2-1 of this report, the plant specific component failure data are comparable to values used in typical IPE/PRAs.

The IPE calculated plant specific values for recovery of offsite power. [lPE submittal, Section 3.2.1.26.2) We compared this data to that used in a recent PRA. [Surry Shutdown PRA) Figure 2-1 summarizes our comparison. Based on this comparison, the data used for recovery of offsite power in the Nine Mile Point 1 IPE are comparable to that used in tvpical IPE/PRAs. !

i 2.3.4 !)se of Generic Data.

The generic data used for component failures are listed in Table 3.3.1-1 of the submittal. The source of the generic data is primarily the PL&G data base, but the following sources were also used for selected components: the NUCLARR data base of NUREG/CR-4639, the NSAC PRA for Peach Bottom Unit 2, and IEEE STD-500.

The generic data are comparable to generic data used in most PRA/IPEs. !

l The IPE used data from NUREG-1032 to calculate recovery factors for failed diesel generators. [lPE submittal, Section 3.2.1.26.2) The IPE calculated recovery factors ,

for DGs based on a few discrete data points provided in NUREG-1032. Table 2-2 of this r.eport provides the point estimate data from NUREG-1032 as summarized in the submittal.

Table 2-2. DG Recovery Data from NUREG-1032 i

Time Cumulative Probability Cumulative Probability 1 (hours) of Failure to Recover of Failure to Recover 1 of 2 DGs 1 of 1 DGs 0 1.0 1.0 4 0.50 -

8 - - 0.5 '

30 <0.10 -

70 <0.10 We fitted this sparse data using the' Interpolating Polynomial' function in Mathematica, and compared it to the data points used for recovery provided in the table on page 3.2.1.26-4 of the submittal. [Mathematica] Based on this comparison.

25

the data used in the IPE from a fit of sparse data in NUREG-1032 are comparable to that used in typical IPE/PRAs.

l 1

26

Figure 2-1. Comparison of Data for Recovery of Offsite Power l

l

{

i 27

2.3.5 Common-Cause Quantification.

The method used to model common cause failures was reviewed, and the process by which classes of components were selected for consideration for common cause failures was reviewed.

The submittal states that the method used to model and quantify common cause failure was the Multiple Greek Letter method (MGL), and that the source of data for common cause failures was the PL&G generic common cause database. [lPE submittal, Section 3.3.4)

The submittal states that the identification of systems and components to model for common cause failure was based on NUREG/CR-4780. The IPE considered common cause failures within systems for identical components. Common cause passive failures were neglected.

Table 3.3.4-1 of the submittal tabulates the groups of components by system considered for common cause failure. This list includes such components as circuit breakers, relays, air compressors, and safety / relief valves in addition to the expected components such as diesel generators, pumps, and valves. This list of components selected for consideration is consistent with that used in other IPE/PRA analyses.

Common cause failures across systems were screened from consideration; this is the typical practice used in PRA, except that many BWR IPEs model common cause failure of RCIC and HPCI turbine driven pumps. Nine Mile Point 1 has no RCIC system and HPCI is part of the condensate /feedwater system and does not use steam driven pumps. Therefore, this potential inter-system common cause failure considered for many BWRs is not applicable to Nine Mile Point 1.

Table 3.3.4-2 of the submittal lists the mean common cause failure data MGL factors for the components for which common cause failure was considered. We performed a spot check of this data, as summarized in Table 2-3 of this report.

The common cause values are generally comparable to those used in typical IPE/PRAs, except possibly for the DG fail to start beta factor and the SRV failure beta factor. The licensee provided information about these two cases. The DG combined common cause failure likelihood for failure to start and failure to run results in a model consistent with that used in the Oyster Creek IPE. Also, the CDF for Nine Mile Point 1 is not significantly affected by common cause failure of the DGs. A sensitivity ,

analysis was performed indicating that the CDF is relatively insensitive to common cause failure of the SRVs. [lPE Responses] l 28 1

1 Table 2-3. Comparison of Common Cause Failure Factors for 2-of-2 Components Corrponent Nine Mile Point 1 Beta Factor value from Source Indcated in Submittal Table 3.3.4-2 Footnote i Dese. Genetor 0.001 (fail to start) 0.04 "'

0.01 (fail to run) 0.006 ") (fail to start) ;

0.03 ")(fail to run) 8 0.038 )(fail to start) 0.004 ") (fail to start) 0.02 "3 (fail to run)

MOV 0.07 0.05 m 0.09 * ") ,

0.05 ") l 0.098) i 0.07 ") i RHR Pump

0.07 (fail to start)* 0.1 " A m 0.01 (fail to run)") 0.2 ")

l 0.1 ") (fail to start) 0.02 ") (fail to run) 0.2")

0.06 ") (fail to start) 0.008 ") (fail to run)

Safety /Relef Valve 0.01(fail to open on 0.1")

demand) 0.2 )

0.3 "' ") (fail to epen on pressure) 0.1 "k ") (fail ta open on signal) 0.2") (fail to ooen)

High Head Pump 0.2 "' *

Core Spray Pump

0.07 (fail to start)

0.2 **)

0.01 (fail to run) *) 0.2 ") (fail to start) 0.02 ") (fail to run) 0.1 ") (fail to start) 0.009 ") (fail to run)

Servce Water Pump

0.07 (fail to start)* 0.03 "' *

j 0.01 (fail to run)") 0.1 ")(fail to start) 0.02 ") (fail to run) l Circuit Breaker 0.07 0.2

for 480 V and higher 0.07 ") for less than 480 V 0.07 ")

l (1) NUREG/GR 4550 Peach tiottom, Table 4.9-1 (2) NUREG/CR 4550 Grand Gulf. Table 4.9-29 (3) NRC IPE Review Guidance, Rev.1,- November 1993 i

(4) PLG Generic Data in Brown Ferry IPE Submittal Table 3.3.410 (5) The Nine Mile Point 1 Submittal only provides factors for a general low pressure centrifugal pump, not for these specific pumps. These factors are the corrected ones provided by the licensee. [lPE Responses] 1 (6) NUREG/CR 4550 Methodology Document (7) PLG Generic Data in Fermi IPE submittal Table 3.3-8.

29

2.4 Interface issues This section of the report summarizes our review of the interfaces between the front-end and back-end analyses, and the interfaces between the front-end and human factors analyses. The focus of the review was on significant interfaces that affect the ability to prevent core damage.

2.4.1 Front-End and Back-End Interfaces.

The success criteria for containment heat removal with containment spray require 1 containment spray pump,1 containment spray heat exchanger, and 1 raw water cooling pump for cooling the containment spray heat exchanger. [lPE submittal, Table 3.1.1.8a) This agrees with the UFSAR criteria for containment cooling. [UFSAR, pages XV-169b and XV-169e] If containment cooling with the containment spray system is lost, the success criteria credit the use of shutdown cooling or containment venting for containment heat removal / pressure control. At Nine Mile Point 1, the shutdown cooling system is totally distinct from the containment spray system, utilizing distinct core cooling pumps and heat exchangers, and using service water for a heat sink instead of containment spray raw water. ,

The IPE credits operator action to vent containment if normal containment heat removal is lost. [lPE submittal, page 3.1.2.1-19] The venting takes place before the drywell pressure limit is reached, at 43.4 psia. [lPE submittal, Section 3.2.1.20.2) If venting is successful, the IPE assumes that core cooling with extemal sources of water.can be continued or initiated, but that recirculation from the containment sump with the core spray system fails after venting due to loss of adequate NPSHA. [lPE submittal, page 3.1.2.4-6]

The submittal states that without normal containment cooling, the procedures call for all injection to containment to be terminated when the drywell pressure limit is reached. [lPE submittal, Section 3.2.1.25.1] This condition is reached if the containment has not been vented, in this situation, only core cooling with recirculation from the suppression pool with the core spray system is used. The temperature of the suppression pool can reach 312 F before containment fails on overpressure, and the core spray pumps are rated at 140 F. (Section 3.1.1.4.1 of the submittal states that at low temperature, the vent line bellows in the suppression pool wetwell airspace fail at about 65 psig; the saturation pressure at 312 F is about 80 psia which equates to 65 psig.) The IPE assigns a probability of 0.5 for the core spray pumps surviving and continuing to cool the core up until containment failure.

After containment failure, the core spray pumps are assumed to fail due to loss of adequate NPSHA. [lPE submittal, Section 3.1.2.1] If the core spray pumps fail prior to containment failure, the submittal states that MAAP calculations indicate that containment failure prior to core damage is likely, and the IPE assigns a value of 0.2 for the probability that core demage occurs prior to containment failure. [lPE submittal, Section 3.2.1.25.1] If containment fails before core damage, the IPE 30

a

! credits operator action to cool the core with external sources, in particular: CRD, i feedwater, containment spray raw water crosstied to inject via core spray, and j firewater crosstied to inject through feedwater. [lPE submittal, Section 3.2.1.25.2)

The submittal states the failure of external cooling sources following containment j failure due to EQ effects is not likely, and a discussion of equipment locations and i EQ effects is provided. [lPE submittal, Section 3.2.1.25.2) The IPE assigns a human

, error failure probability of 0.1 to loss of extemal injection following containment l failure, and states that this human error dominates over EQ related failures.

l The submittal provides a discussion of how high suppression pool water temperature

can result in failure of the core spray pumps, with loss of normal containment heat removal and no containment venting. [lPE submittal, Section 3.2.1.25.1] Engineering judgement was used to assign a 50% probability that the pumps, with a design temperature of 140 F, can survive up to 312 F. As previously discussed, the IPE assumes that even if core spray fails prior to containment failure, there is an 80%

probability that containment failure will precede core damage. Thus, with core spray available, the probability that core damage occurs prior to containment failure is 0.5 x 0.2 = 0.1. [lPE submittal, page 3.2.1.25-3]

Containment isolation does not result in isolation of cooling to either the recirculation pump motors or to the recirculation pump seals.

Each front end core damage accident sequence was linked directly to the level 2 containment tree, so binning of core damage sequences into Plant Damage States (PDS) was not required. [lPE submittal, Section 3.1.5] However, the submittal does provide a binning classification for core damage sequences to facilitate the assessment of results. These bins are referred to as Core Damage End States, and are tabulated in Table 3.1.5-1 of the submittal.

2.4.2 Human Factors Interfaces.

Based on the front-end review, the following operator actions were noted for possible consideration in the review of the human factors aspects of the IPE:

e action to shed loads off DGs durirg LOCAs e action to depressurize during transients with loss of high pressure makeup

action to inhibit ADS during ATWS

action to initiate injection with the. liquid poison system during an ATWS

action to provide containment coo:ing

action to vent containment

action to control makeup from gravity tanks to emergency condensers e action to provide long term makeup to emergency condensers e action to inject to vessel with firewater via feedwater piping

action to inject to vessel with containment spray raw water pumps via core spray piping 31

action to shed DC loads during station blackout

recovery of failed DGs.

It appears that all of these actions are in procedures.

2.5 Evaluation of Decay Heat Removal and Other Safety issues This section of the report summarizes our review of the evaluation of Decay Heat Removal (DHR) provided in the submittal. Other GSI/USIs, if they were addressed in the submittal, were also reviewed. ,

I 2.5.1 Examination of DHR. 1 l

Section 3.4.3 of the submittal discusses DHR. The IPE considers DHR to be the final )

heat sink, and does not include direct loss of core cooling in the definition of loss of DHR. The contribution of loss of DHR to the CDF is 6%. This relatively low _

contribution is due to the variety of methods available to provide DHR at Nine Mile l Point 1, as discussed in Section 2.7.1 of this report.

]

The licensee performed an importance analysis for loss of DHR. The results of this analysis indicate that operator error is the dominant factor associated with loss of DHR.

No vulnerabilities associated with DHR were found as a recult of the IPE.

2.5.2 Diverse Means of DHR.

The IPE evaluated the diverse means for DHR, including:

power conversion system emergency condensers containment spray system shutdown cooling system containment venting. J l

The IPE addressed and summarized the means for DHR, using the definition of DHR as the final heat sink.

2.5.3 Unioue Features of DHR Design features at Nine Mile Point 1 that impact the CDF from loss of DHR are as follows:

Emeroency (isolation) condensers (ECs) The ECs require no electrical power to provide for core cooling, and this tends to decrease CDF. However, the 32

l I

ECs alone provide no makeup to the vessel and thus excessive leakage or unisolated seal Loss of Coolant Accidents (LOCAs) cannot be mitigated with the ECs; this tends to increase the CDF.

Hardened containment vent The hardened containment vent decreases the CDF by providing a backup to loss of containment cooling whereby continued !

support of core cooling systems can be provided. l l

8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months batterv lifetime The 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months battery lifetime tends to decrease CDF, since it is relatively long compared to battery lifetimes at some other BWRs, thereby allowing for increased likelihood of recovery of offsite power.

Diesel driven firewater The availability of diesel driven firewater tends to lower j the CDF since this source can be used to provide makeup to the ECs and to inject to the vessel via the feedwater piping.

Ability to oower control rod drive (CRD) oumos off 1E power The ability to I power the CRD pumps with the diesel generators (DGs) tends to decrease the l CDF since this provides an additional source of makeup to the vessel even if l offsite power is lost.

2.5.4 Other GSI/USls Addressed in the Submittal.

The submittal addresses three NRC questions from Generic Letter 91-06 related to resolution of Gl A-30, " Adequacy of Safety Related DC Power Supplies". [lPE submittal, Section 3.4.4.1] The licensee requests that GL 91-06 be resolved based l on the IPE submittal. (IPE submittal, Section 7.0] Review of the adequacy of the l response to these questions is deferred to NRC staff evaluating GI A-30.

No other GSI/USIs are addressed in the submittal. )

i 2.6 Internal Flooding l This section of the report summarizes our reviews of the process used to model internal flooding and of the results of the analysis of internal flooding.

2.6.1 Internal Floodino Methodoloav.

The following process was used to address internal flooding. [lPE submittal, Section 3.3.8]

Potential flood sources were identified using information on the plant layout combined with a review of industry flooding experience. A plant walkdown was performed to collect additional information, such as the relative locations of equipment in flood zones. Flood propagation was evaluated to determine the extent of equipment 33

damage from flooding events. Flood scenarios were then conservatively quantifici using industry data without credit for operator intervention. For those scenarios surviving this conservative analysis, more detailed analyses were performed, including operator intervention. The general transient event tree was used to evaluate core damage from floods that did not in-and-of-themselves directly cause core damage; this evaluation addressed core damage from a flood initiating event with its resultant failure of equipment, combined with subsequent random failures of equipment.

The model for intemal flooding does.not consider spray induced failure of equipment.

[IPE submittal, Section 3.3.8.3.3) The submittal states that an intemal flooding analysis performed by the utility in 1972, and reviewed by the NRC in 1974, concluded that vital equipment is adequately protected from spray and splashing failures by the use of drip-proof motors or shields.

2.6.2 Internal Floodina Results.

The following major flood sources were evaluated: [lPE submittal, Section 3.3.8.3.1]

(1) Systems connected to Lake Ontario

- fire water system )

- service water

- circulating water (2) Condensate Storage Tanks (3) Suppression Pool (4) RBCLC System (5) TBCLC System.

Also, the following flood sources were evaluated:

(6) Containment spray raw water (7) Diesel generator cooling water (8) Emergency condenser makeup water tanks l (9) Makeup domineralized water tank.

Sources (6) through (9) were assessed to be insignificant compared to flooding from the circulating and service water system.

Nineteen flooding scenarios are summarized in the submittal. [IPE submittal, Table 3.3.8-1) Of these 19 scenarios, all were screened from further consideration but one, based on a specific evaluation of each flood scenario as summarized in Table 3.3.8-1 of the submittal. Section 3.3.8.3.2 of the submittal provides a description of this one flooding sequence. The initiating event for this sequence is a rupture of the suppression pool torus or the ECCS suction lines, and is assigned a frequency of 1.1E-4/yr. The submittal states that the worst situation resulting from this flood is 34

1 f

j flooding of ECCS equipment in all four corner rooms, but that numerous systems j remain available for injecting to the vessel, for depressurizing the vessel, and for ,

i cooling containment. Based on the number of systems available, this event was

screened from quantification for core damage.

2.7 Core Damage Sequence Results i

j This section of the report reviews the dominant core damage sequences reported in i the submittal. The reporting of core damage sequences- whether systemic or

) functional- is reviewed for consistency with the screening criteria of NUREG 1335.

The definition of vulnerability provided in the submittal is reviewed. Vulnerabilities, ,

4 enhancements, and plant hardware and procedural modifications, as reported in the j submittal, are reviewed.

! 2.7.1 Dominant Core Damaae Seauences.

! The IPE utilized systemic event trees, and reported results using the screening I criteria from NUREG 1335 for both functional and systemic sequences. [lPE j submittal, Section 3.4.1] Sequences were grouped into core damage end states, j where the end states are defined based on safety functions lost. Thus, the reporting i of the results by end states is a reporting by function. The top 100 core damage systemic sequences from the event trees are also reported in Table 3.4.1-1 of the I submittal.

The total CDF from internal initiating events is 5.5E-6/yr. Intemal flooding was

! screened from quantification for core damage. Figure 2-2 summarizes core damage l by accident class.

The loss of DHR class of accident refers to sequences in which the final heat sink is lost. The relatively low contribution of loss of DHR to core damage at Nine Mile Point i 1 is due to the following attributes. If the power conversion system is unavailable, core cooling can be provided with the emergency condensers which do not require containment cooling for support. Containment can be cooled with any 1 of four containment spray pumps, each with its own heat exchanger. The shutdown cooling system is totally distinct from the containment spray system, even in terms of cooling water for heat exchangers, and it can be used to cool the core without support from any other containment cooling system. Finally, Nine Mile Point 1 has a hardened vent installed which can be used if all other required means of cooling containment are lost, to preserve the ability to cool the core with numerous systems, including:

feedwater, CRD, firewater crosstie to feedwater, and containment spray raw water crosstie to core spray. The only negative feature associated with containment cooling at Nine Mile Point 1, is that if the containment is vented or fails by overpressure, cooling of the core using the core spray system in recirculation from the containment sump is lost due to loss of NPSH margin.

35

Figure 2-2. Core Damage Frequency by Class of Accident 4

2 4

36

__ _ _ . _ _ _ . _ _ _ . _ _ _ . _ _ ~ _ _ _ _ _ _ _ . _ . __

i l ,

ATWS is a relatively high contributor to core damage at Nine Mile Point 1 cor0 pared i to some other BWRs. The ATWS model requires inhibition of ADS to mitigate an j ATWS; other BWRs have credited level control during an ATWS when ADS is r ot inhibited and high capacity low pressure ECCS systems actuate.

Station blackout is the dominant class of accident. Nine Mile Point 1 has two DGs,

! but no station blackout DG or other onsite AC power systems such as combustion l gas turbine powered generators. Nine Mile Point 1 has no turbine driven pumps that 4 can inject to the core. The only injection systems that do not require AC power are

the emergency condensers and diesel driven firewater, and during station blackout, i the emergency condensers require diesel driven firewater for long term secondary ;

makeup. Also, during station blackout a seal LOCA can develop due to loss of seal

cooling, and the emergency condensers alone cannot mitigate a seal LOCA' j sequence since they provide no makeup to the vessel. The battery lifetime is 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months )

with successful load shedding, which is a relatively long lifetime compared to other i i BWRs.

l Loss of injection core damage sequences are dominated by two types of scenarios.

l In the first type of scenario, high pressure cooling is lost and operators fail to depressurize. In the second type of scenario, a LOCA occurs which requires core spray for core cooling, but core spray fails.

)

Initiating events which contribute at least 1% to CDF, and their percentage contribution to CDF are as follows:'

Loss of Offsite Power leading to Station Blackout 63%

Medium LOCA in Water Line 7%

Loss of Instrument Air 7%

Small LOCA in Water Line 4% l Reactor Scram initiating Events with ATWS 3%

Turbine Trip with ATWS 2%

Loss of Offsite Power without Station Blackout 2%

Large LOCA in Water Line 2%

Loss of Lake intake 2%

Loss of RBCLC 1%

The top six core damage sequences are summarized in Table 2-4 of this report.

'The reporting of initiating event CDF contributors in the submittal is limited to those inrtiating events that individually contribute at least 1% to the total CDF. As a group, this set of initiating events represents 93% of the total CDF. The remaining 7% of the CDF appears to be associated with initiating events that individually contribute less than 1% to the total CDF.

37

.- -. - - .-- -. - -. -. _ - _ ~ - - - - - - - - - - - -.

l l

l Table 2-4. Top 6 Core Damage Sequences l

l Initiating Dominant Subsequent Failures in Sequence Percent CDF for internal l Event CDF For Total Sequence l Loss of Offsite Loss of Both DGs, Failure to Recover Offsite Power in 8 17%

l Power Hours, Failure to Recover either DG in 8 Hours, Inability l

to Cool Core with ECs alone due to Leakage from Vessel

Loss of DC Power to Maintain Relief Valves Open, Loss of Ability to Use Firewster to inject to Vessel due to Repressunzation of Primary when Relief Valves Close Loss of Offsite Battery Board for Division 1E Power Fails, DG 2 Fails, 11 %

Power Offsite Power and DG 2 Not Recovered in 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months , i Inability to Cool Core with ECs alone due to Leakage from l Vessel *, Loss of DC Power to Maintain Relief Valves l Open, Loss of Ability to Use Firewster to inject to Vessel )

! due to Repressurization of Primary when Relief Valves l Close l Loss of initiating Event Disables: Power Conversion System, 5.1%

Instrument Air Torus Cooling, and Containment Venting; MSIVs Close i Resulting in isolation of ECs due to Water Entering EC l Steam Lines from Feedwater Supply to Vessel; Feedwater l Lost due to Operator. Error or Equipment failure; CRD Not l Considered for Core Cooling unless ECs Operate for i Hour; Operators Fail to Depressurize Resulting in Loss of

All injection

! Medium LOCA Failure of Core Spray Resulting in inadequate Core 4.0%

in Water Line Cooling Loss of Offsite Recirculation Pump Seal LOCA Develops thus ECs alone 2.4%

i Power Cannot Cool Core due to Loss of Vessel Inventory; I Operators Fail to Load Shed DGs as Required following LOCA, leading to Station Blackout; Offsite Power Not l Recovered in 8 Hours; Batteries Fail after 8 Hours; Loss l of DC Power to Maintain Relief Valves Open; Loss of ;

j Ability to Use Firewater to inject to Vessel due to

Repressurization of Primary when Relief Valves Close i _

l Loss of Offsite Relief Valve Sticks Open; Operators Fail to Load Shed 2.2%

l Power DGs as Required, following LOCA leading to Station l Blackout; Offsite Power Not Recovered in 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months ; Batteries Fail after 8 Hours; Loss of DC Power to Maintain Relief Valves Open; Loss of Ability to Use Firewater to inject to Vessel due to Repressurization of Primary when Relief Valves Close (a) These sequences result in core damage due to leakage from the primary with loss of makeup.

d Based on contributions to the CDF, the following systems are most important, listed

in decreasing order: (IPE submittal, Section 3.4.2.3]

38

Emergency AC Power Emergency DC Power Relief Valves Reclosing Diesel Firewater injection to Vessel.

Based on contributions to CDF, the following operator actions are most important, listed in decreasing order: [lPE submittal, Section 3.4.2.5)

AC power recovery ,

load shedding DG under LOCA conditions depressurization preventing EC isolation and EC recovery after isolation calibration of core spray injection permissive feedwater control given loss of instrument air DC load shedding given station blackout alignment of torus cooling mode of containment spray.

l 2.7.2 Vulnerabilities. I l

Section 3.4.2 of the submittal addresses vulnerabilities. The submittal does not- !

define vulnerability. The submittal concludes: "With regard to core damage frequency, there are no unusual or unique contributors to core damage that suggest a l plant specific vulnerability." l 2.7.3 Proposed Improvements and Modifications.

Section 6.2 of the submittal discusses improvements judged to have the most potential benefit for reducing risk. These potential improvements are as follows.

Load shedding of non-1E battery loads so the non-1E battery system can be used for supply of DC power after the 1E batteries fail at 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months during station blackout Use of a portable battery charger improved calibration of low vessel pressure ECCS permissive sensors Use of plant specific data exclusively for failure of a relief valve to reclose instead of generic data updated with plant specific data, since failure to reclose has never happened at the plant Providing capability to locally operate certain AOVs following loss of instrument air.

39

l l

l Section 6.3 of the submittal provides additional insights that require more research to validate their cost benefit.

I The submittal states that the insights with the most potential for plant improvement may be considered in future plant decision making. [lPE submittal, Section 6.2]

The licensee states that none of the potential improvements have been incorporated into the plant. [lPE Responses] The licensee states that given the low risk as j quantified in the IPE, consideration of these improvements has not been a high I priority. These improvements may be initiated in conjunction with some related effort, such as accident management.

The licensee states that the IPE model included the prior plant response to meet the station blackout rule. [lPE Responses] No changes, independent of the prior response to meet the station blackout rule, were noted in the IPE as leading to significant risk reduction for station blackout.

1 40

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS This section of the report provides our overall evaluation of the quality of the front-end portion of the IPE based on this review. Strengths and shortcomings of the IPE are summarized. Important assumptions of the model are summarized. Major insights from the IPE are presented.

Strengths of the IPE are as follows. The treatment of plant specific initiating events is comprehensive compared with some other IPE/PRA studies. The consideration of leakage from the vessel as affecting the ability to cool the core is notable, especially since Nine Mile Point 1 has emergency condensers which remove decay heat without providing makeup to the vessel. The treatment of recirculation pump seal LOCAs is by far the most comprehensive for any BWR IPE that we have reviewed to date.

One possible shortcoming of the IPE is as follows. The IPE assumes that the core spray pumps, rated for 140 deg. F, can survive.up to over 300 deg. F with a 0.5 probability, baaed on engineering judgement.

Based on our review, the following modeling assumptions have an impact on the overall CDF:

(a) assignment of 0.05 for the probability of a seal LOCA with loss of cooling to the recirculation pump seals (b) the assumption that no HVAC or ventilation systetts are required (c) the assumption that the core spray pumps, rated for 140 deg. F, can survive up to over 300 deg. F with a 0.5 probability.

All of these assumptions tend to lower the CDF. The first assumption make a seal l LOCA relatively unlikely. The second assumption means that all HVAC and ventilation systems can fail and not impact the ability to prevent core damage. The third assumption decreases the likelihood of loss of core cooling given loss of containment heat removal.

Significant level-one IPE findings are as follows:

station blackout dominates the CDF e leakage from the vessel impacts CDF e loss of DHR, defined as the final heat sink, contributes relatively little to CDF.

Station blackout is a major contributor to the CDF; the top two sequences involve station blackout with loss of primary inventory. The ECs do not provide makeup to the primary and leakage from the vessel with no makeup is an important contributor to the CDF. Loss of DHR contributes relatively little to the CDF due to the variety of options available for core cooling during shutdown.

1 41 i

l

4. DATA

SUMMARY

SHEETS This section of the report provides a summary of information from our review.

Overall CDF The total CDF from internal initiating events is 5.5E-6/ year. Internal flooding was screened from quantification for CDF.

Dominant Initiatina Events Contributina to CDF Initiating events that contribute the most to CDF, and their percent contribution, are l as follows:

Loss of Offsite Power leading to Station Blackout 63 %

l Medium LOCA in Water Line .

7%

Loss of instrument Air 7%

Small LOCA in Water Line 4%

Reactor Scram initiating Events with ATWS 3%

Turbine Trip with ATWS 2%

Loss of Offsite Power without Station Blackout 2%

Large LOCA in Water Line 2%

! Loss of Lake intake 2%

I Loss of RBCLC 1%

l l Dominant Hardware Failures and Operator Errors Contributina to CDF l

Based on contributions to the CDF, the following systems are most important, listed l

in decreasing order:

l Emergency AC Power '

i Emergency DC Power l Relief Valves Reclosing l Diesel Firewater injection to Vessel.

Based on contributions to CDF, the following operator actions are most important, listed in decreasing order: ,

AC power recovery load shedding DG under LOCA conditions depressurization preventing EC isolation and EC recovery after isolation calibration of core spray injection permissive feedwater control given loss of instrument air DC load shedding given station blackout 42 l

. . _ . .-=- _.- - -._. _ - - . . - - . . _ _ . . .

4 i

{ alignment of torus cooling mode of containment spray.

! Dominant Accident Classes Contributina to CDF The submittal summarizes the contribution to overall CDF by accident category, as ;

) follows: 1 1

Station Blackout 64 %

l Loss of injection ig%

j

ATWS 10%

j Loss of DHR 6%.

i Desian Characteristics lmoortant for CDF

}

Design features at Nine Mile Point 1 that impact the Core Damage Frequency (CDF) j from loss of DHR are as follows

Emeroency (isolation) condensers (EC) The ECs require no electrical power to provide for core cooling, and this tends to decrease CDF. However, the ECs alone provide no makeup to the vessel and thus excessive leakage or ,

unisolated seal Loss of Coolant Accidents (LOCA) cannot be mitigated with the !

ECs; this tends to increase the CDF.

Hardened containment vent The hardened containment vent decreases the CDF by providing a backup to loss of containment cooling whereby continued support of core cooling systems can be provided.

Eiaht-hour batterv lifetime The 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months battery lifetime tends to decrease CDF, since it is relatively long compared to battery lifetimes at some other BWRs, thereby allowing for increased likelihood of recovery of offsite power.

Diesel driven firewater The availability of diesel driven firewater tends to lower the CDF since this source can be used to provide makeup to the ECs and to inject to the vessel via the feedwater piping.

Ability to power Control Rod Drive (CRD) oumos off 1E oower The ability to power the CRD pumps with the Diesel Generators (DG) tends to decrease the CDF since this provides an additional source of makeup to the vessel even if offsite power is lost.

Modifications The following potential improvements were noted based on insights from the IPE:

43

i Load shedding of non-1E battery loads so the non-1E battery system can be used for supply of DC power after the 1E batteries fail at 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months during station

! blackout Use of a portable battery charger Improved calibration of low vessel pressure ECCS permissive sensors Use of plant specific data exclusively for failure of a relief valve to reclose

. instead of generic data updated with plant specific data, since failure to reclose has never happened at the plant 4

Providing capability to locally operate certain AOVs following loss of instrument air.

The submittal states that the insights with the most potential for plant improvement may be considered in future plant decision making.

Other USI/GSIs Addressed The submittal addresses three NRC questions from Generic Letter 91-06 related to i resolution of Gl A-30, " Adequacy of Safety Related DC Power Supplies". [lPE .

submittal, Section 3.4.4.1) The licensee requests that GL 91-06 be resolved based on the IPE submittal. [lPE submittal, Section 7.0)

Sionificant PRA Findinas i

Significant level-one IPE findings are as follows.

l

station blackout dominates the CDF

leakage from the vessel impacts CDF e loss of DHR, defined as the final heat sink, contributes relatively little to CDF.

l Station blackout is a major contributor to the CDF; the top two sequences involve station blackout with loss of primary inventory. The ECs do not provide makeup to

~

the primary and leakage from the vessel with no makeup is an important contributor to the CDF. Loss of DHR contributes relatively little to the CDF due to the variety of options available for core cooling during shutdown.

l l

l

I 44 l l

l

REFERENCES i

[GL 88-20] " Individual Plant Examination For Severe ,

Accident Vulnerabilities - 10 CFR 50.54 (f)",

Generic Letter 88.20, U.S. Nuclear Regulatory Commission, November 23,1988.

[NUREG-1335] " Individual Plant Examination Submittal Guidance", NUREG-1335, U. S. Nuclear Regulatory Commission, August 1989.

[lPE] Nine Mile Point 1 IPE Submittal, July 27, 1993

[lPE Responses] " Request for Additional Information Regarding )

Individual Plant Examination (IPE) for Nine Mile Point Nuclear Station Unit No.1", letter from C.D. rery, Niagara Mohawk Power Corporation, to U.S. NRC, June 26,1995, NMPIL 0957.

[UFSAR) Updated Final Safety Analysis Report for Nine Mile Point 1

[ Tech Specs] Technical Specifications for Nine Mile Point 1 l

[Mathematica] Wolfram, Steven A., Mathematica. A System i for Doino Mathematics by Computer. Second Edition, Addison Wesley,1991. (Version 2.2.2)

[SRP, Decay Heat] NRC Standard Review Plan, NUREG 0800, Branch Technical Position ASB 9-2, " Residual Decay Heat Energy for Light Water Reactors for Long Term Core Cooling", Rev 2, July 1981.

[NUREG/CR 4550, Surry] NUREG/CR- 4550, Vol 3, Rev 1, Part 1, Analysis of Core Damage: Surry, Unit 1 Internal Events, April 1990.

[NUREGICR 4550, Peach Bottom 1 NUREG/CR- 4550, Vol 4, Rev 1, Part 1, Analysis of Core Damage Frequency: Peach Bottom, Unit 2 Intemal Events, August 1989 45

i i

I ,

j [NUREG/CR 4550, Methodology) NUREG/CR-4550, Vol 1 Rev 1, Analysis of I Core Damage Frequency: Internal Events Methodology s

i [ Grand Gulf Shutdown PRA) NUREG/CR-6143, Evaluation of Potential Severe Accidents During Low Power and Shutdown Operations at Grand Gulf, Unit 1, June 1994.

j

! [Surry Shutdown PRA) NUREG/CR-6144, Evaluation of Potential Severe i Accidents During Low Power and Shutdown la Operations at Surry, Unit 1, June 1994.

a

[ Browns Ferry IPE) IPE Submittal for Browns Ferry l l !

[ Fermi IPE) iPE Submittal for Fermi j !

[ Quad Cities IPE) IPE Submittal for Quad Cities l l

[ Cooper IPE) IPE Submittal for Cooper l

! [ North Anna IPE) IPE Submittal for North Anna

[ Quad Cities TER) SEA Draft TER for Quad Cities IPE Submittal l

i

[ Quad Cities DET) Diagnostic Evaluation for Quad Cities Station

[ WASH 1400) Reactor Safety Study,1975 l

l 4

46

ML20100C909

Text

SUMMARY

Navigation menu

Search