ML20100F061
| ML20100F061 | |
| Person / Time | |
|---|---|
| Site: | Vermont Yankee  |
| Issue date: | 11/30/1995 |
| From: | Darby J, Sciacca F, Thomas W SCIENCE & ENGINEERING ASSOCIATES, INC., VERMONT YANKEE NUCLEAR POWER CORP. |
| To: | NRC COMMISSION (OCM) |
| Shared Package | |
| ML20100F049 | List: |
| References | |
| CON-NRC-04-91-066, CON-NRC-4-91-66 SEA-92-553-032, SEA-92-553-32, SEA-95-553-032-A:3, SEA-95-553-32-A:3, NUDOCS 9602200069 | |
| Download: ML20100F061 (48) | |
Text
. . . _ - , .
1 APPENDIX A VERMONT YANKEE NUCLEAR POWER STATION INDIVIDUAL PLANT EXAMINATION I
I TECHNICAL EVALUATION REPORT (FRONT-END) !
i I
l l
i t 1 9602200069 960209 PDR ADOCK 05000271
,f-,. . . .PDR
9 SEA-92-553 032-A:3 November 30,1995 Vermont Yankee Technical Evaluation Report on the Individual Plant Examination -
Front End Analysis NRC-04-91-066, Task 32 John L. Darby Frank. W. Sciacca Willard R. Thomas Science and Engineering Associates, Inc. l l
Prepared for the Nuclear Regulatory Commission
1 TABLE OF CONTENTS E. Executive S u mmary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 E.1 Plant Characterization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 E.2 Licensee's lPE Process ................................. 2 E.3 Front-End Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 E .4 G ene ric i s s ue s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 E.5 Vulnerabilities and Plant Improvements . . . . . . . . . . . . . . . . . . . . . . . 6 E.6 Ob se rvation s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
- 1. I N TR O D U CTI O N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 1.1 Review Proce ss . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 1.2 Plant Characterization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
- 2. TEC H N IC AL REVI EW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 l 2.1 Licensee's IPE Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 l 2.1.1 Comoleteness and Methodoloov . . . . . . . . . . . . . . . . . . . . . . 10 2.1.2 Multi-Unit Effects and As-Built. As-Ooarated Status . . . . . . . . 10 1 2.1.3 Licensee Particioation and Peer Review . . . . . . . . . . . . . . . . 11 2.2 Accident Sequence Delineation and System Analysis . . . . . . . . . . . . . 12 .
2.2.1 initiatino Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 l 2.2.2 Event Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 2.2.3 Systems Analvsis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
~
2.2.4 System Denendencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 1 2.3 Quantitative Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 2.3.1 Quantification of Accident Seouence Frecuencies . . . . . . . . . 25 2.3.2 Point Estimates and Uncertaintv/ Sensitivity Analvses . . . . . . . 25 2.3.3 Use of Plant-Soecific Data . . . . . . . . . . . . . . . . . . . . . . . . . . 25 2.3.4 U se of Gene ric Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 2.3.5 Common-Cause Quantification . . . . . . . . . . . . . . . . . . . . . . . 26 2.4 Inte rface iss ues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 2.4.1 Front-End and Back-End Interfaces ................... 28 2.4.2 Human Factors Interfaces .......................... 28 2.5 Evaluation of Decay Heat Removal and Other Safety lasues . . . . . . . . 29 i 2.5.1 Examination of DHR .............................. 29 ;
2.5.2 Diverse Means of DHR ............................ 30 l' 2.5.3 Unlous Features of DH R . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 2.5.4 Other GSI/USIs Addressed in the Submittal . . . . . . . . . . . . . . 31 2.6 Inte mal Flooding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 2.7 Core Damage Sequence Results . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 1 2.7.1 Dominant Core Damaos Seouences . . . . . . . . . . . . . . . . . . . 31 2.7.2 Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 2.7.3 Pronosed Imorovements and h . fiications . . . . . . . . . . . . . . 35 11
4
- 3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS ............... 37
- 4. D ATA S U M M ARY S H E ETS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 REFERENCES................................................ 42 lii i
1 4'
l UST OF TABLES !
Table 2-1. Loss of Offsite Power Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 '
Table 2-2. Plant Specific Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Table 2-3. Common Cause Factors for 2-of-2 Components . . . . . . . . . . . . . . . . 27 l Table 2-4. Accident Classes and Their Contribution to Core Damage F re q u e n cy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Table 2-5. Initiating Events and Their Contribution to Core Damage Frequency . 33 Table 2-6. Top Five Core Damage Sequences . . . . . . . . . . . . . . . . . . . . . . . . . 33 i
l iv
41
'l E. Executive Summary This report summarizes the results of our review of the front-end portion of the Individual Plant Examination (IPE) for the Vermont Yankee. This review is based on information contained in the IPE submittal [lPE Submittal) along with the licensee's responses [RAI Responses] to a request for additional information (RAl).
E.1 Plant Characterization Vermont Yankee is a single unit site located in Vermont. The plant is a Bolling Water Reactor (BWR) 4 reactor with a Mark I containment. General Electric (GE) was the Nuclear Steam System Supplier (NSSS); Ebasco was the architect / engineer (AE).
The unit achieved commercial operation in 1972. Rated power for the unit is 1,593 megawatts thermal (MWt) and 504 net megawatts electric (MWe). Similar units in operation are Duane Amold and Cooper.
Design features at Vermont Yankee that impact the core damage frequency (CDF) relative to other BWR 4 plants are as follows:
. Power tie line from Vernon hydroelectric station that can oower either 1E bus The power line from the hydroelectric plant provides an altemate power supply for the 1E buses if offsite power and the Diesel Generators (DG) are lost. This tie line is independent of the normal off-site electrical grid. This feature tends to lower the CDF from station blackout.
. Ability to use diesel driven firewater for inlection to the vessel The ability to use the diesel driven firewater pump in conjunction with the John Deere DG, allows for long term mitigation of station blackout accident scenarios. This feature tends to lower the CDF from station blackout.
. Presence of John Deere DG This small DG can be used to provide power for .
opening injection valves and maintaining SRVs open to allow core cooling with low pressure firewater injection. This feature tends to lower the CDF from I station blackout.
. Passive. hardened torus vent The passive torus vent provides a capability to support operation of attemate injection' systems for core cooling if containment cooling systems fall. This tends to lower the CDF from accidents associated with loss of containment cooling systems.
. Altamate coolina mode for backuo to service water The altemate cooling mode provides for a gravity driven backup supply of water for DG cooling and for '
Residual Heat Removal Service Water (RHRSW) suction if the service water 1
1<
l l
system is lost. This tends to lower the CDF associated with loss of service water. ,
l
. Four hour batterv lifetime The four battery lifetime is relatively short and this tends to increase the CDF from station blackout since it restricts the time l available to recover offsite power. l E.2 Licensee's IPE Process The IPE is a level 2 Probabilistic Risk Assessment (PRA). The freeze date for the IPE model was December 1,1993. The model considered one change to the plant scheduled for completion after the freeze date, that being a modification to increase the diversity of the Altemate Rod Insertion / Reactor Protection Trip (ARl/RPT) trip units.
Utility personnel were heavily involved in all aspects of the IPE effort. The IPE was performed by the Yankee Atomic Electric Company (YAEC) under the direction of Vermont Yankee. Support was provided by contractors, ERIN and GKA, and from an independent consultant l l
The IPE team members performed a walkdown of t'he reactor building. This walkdown I focused on the generel arrangement of equipment modeled in the IPE. Other walkdowns were done to specifically support deterministic assessments of room cooling requirements.
Other IPE/PRA studies and related information reviewed were: the Reactor Safety l Study, NUREG/CR 4550 studies, PRA studies for Shoreham and Limerick, and l
lDCOR Methodology information. {
1 All aspects of the analysis received a review by qualified in-house personnel who were l not directly involved in the aspects of the analysis that they reviewed. System fault ;
trees were reviewed by in-house experts from systems engineering, electrical engineering, mechanical engineering, l&C engineering, and operations, during system l review meetings. High level review of all aspects of the analysis was performed by a consultant from ERIN engineering. Review comments were resolved as the work progressed; all comments involving potential errors or deficiencies were resolved to ;
the satisfaction of the reviewers. l The submittal does not indicate whether or not the licensee intends to maintain a
'living" PRA.
E.3 Front-End Analysis The methodology chosen for the Vermont Yankee IPE front-end analysis was a Level l PRA; the large event tree /small fault tree technique was used and quantification was performed with RISKMAN software.
2
i The IPE quantified 15 initiating events: 5 Loss of Coolant Accidents (LOCAs),5 plant specific support system failures, and 5 generic transients The IPE developed large systemic event trees for both frontline and support systems, to model the plant response to initiating events. Initiating events were quantified using plant specific data and industry data for frequent events, data from previous PRAs for infrequent events, and component failure data for plant specific initiating events.
Loss of instrument air as an initiating event was modeled as being included in closure of MSIVs as an initiating event. Loss of heating, ventilating, and air conditioning (HVAC) was not considered to be an initiating event. -
System level success criteria were based on generic IDCOR information supplemented by plant-specific Modular Accident Analysis Program (MAAP) analyses.
Core damage was assumed to occur when the reactor water level is less than 1/3 core height and decreasing.
Support system dependencies were modeled in electrical and auxiliary systems support state event trees. Tables of inter-system dependencies were not provided, although the system descriptions addressed such dependencies The IPE primarily used plant specific data to Bayesian update generic data for hardware failures. Testing / maintenance unavailabilities were quantified with generic
- data.
The Multiple Greek Letter (MGL) method was used to model common cause failures.
Cnmmon cause failures were modeled within systems; however, common cause failure between the High Pressure Core injection (HPCI) and Reactor Core Isolation Cooling (RCIC) turbine driven pumps were considered. The Pickard, Lowe, and Garrick (PLG) generic data base was used to quantify common cause failures, and the data were consistent with generic data used in most IPE/PRAs.
Analysis of intemal flooding was deferred to the IPEEE with the consent of the NRC.
The total CDF from intemal initiating events is 4.3E-6/ year . The licensee reported core damage sequences consistent with the reporting criteria of NUREG 1335. The top 100 systemic core damage sequences were reported. These top 100 sequences constituted 84% of the total CDF.
The initiating events that contribute most to the CDF and their percent contribution are listed below:'
Loss of offsite power (LOSP) 20%
' A complete list of initiating event CDF contributors is provided in Table 2-5 of this report. l l
3
t ATWS (all types) 20%
Loss of feed and MSIV closure 12%
Loss of DC bus 2 11 %
Loss of DC bus 1 10%
Transient 8%
Loss of AC bus 3 5%
Loss of AC bus 4 5%
Major classes of accidents contributing to the total CDF, and their percent contribution are as follows:8 IA 34%
IBL 14%
IVA 13%
ID 9%
llA 7%
IVL 6%
These accident classes are defined as follows:
lA transient with loss of high pressure injection and failure to depressurize IBL station blackout with HPCl/RCIC lost late due to DC battery depletion IVA ATWS with containment failure ID transient with loss of low pressure injection llA transient with loss of all containment heat removal; core damage caused by containment failure IVL A1WS with overpressure.
The results indicate that a transient with loss of all high pressure injection and failure to depressurize is the dominant class of accident for overall CDF.
A station blackout condition is associated with the second most dominant class. As a group, the station blackout accident classes appear to represent 20% of the total CDF.
The contribution of station blackout is less than that at many other plants due to the following reasons: the presence of the power line from the hydroelectric station that can power a 1E bus, the ability to use diesel driven firewater supplemented with power from the John Deere DG for long term injection, four tie lines to different points in the electrical grid, and the fact that the IPE did not model weather-related loss of offsite power. We estimate that the CDF from station blackout would increase by about 36% ;
had weather-related loss of offsite power been considered.
I 1
'A complete list of CDF contributors by accident class is provided in Table 2-4 of this report.
4 I
i ATWS sequences associated with containment failure are the third most important class. The IPE does not credit the ability to mitigate an ATWS with loss of the main condenser unless the operators inhibit ADS; other IPEs have credited control of low pressure injection to mitigate an ATWS if ADS is not inhibited. However, if the main condenser is available, the 105% turbine bypass capability means that the ATWS can -
be mitigated without opening SRVs and discharging to the suppression pool.
The fourth most important class of accidents is a transient with loss of all high and low pressure injection. The fifth most important class is loss of core cooling due to c6ntainment failure, and the sixth most important class is ATWS with vessel overpressure failure.
The submittal does not discuss dominant failures contributing to overall core damage, but from the dominant sequences and tables of systems-levelimportant component failures it can be deduced that dominant failures include: failure of the RCIC pump to start, failure of the RCIC pump to run, RCIC out for test and maintenance, failure of the HPCI pump to start, failure of the HPCI pump to run, and HPCI out for test and maintenance. Dominant human errors contributing to CDF include: operator failure to depressurize, and operator failure to restore SRVs and nitrogen supply after test and maintenance.
Plant damage states were not used to bin level 1 core damage sequences for subsequent level 2 analyses; instead, the RISKMAN software directly linked the level 1 event trees to the containment event tree.
E.4 Generic issues The submittal specifically addressed loss of Decay Heat Removal (DHR) only in terms of loss of the final heat sink. The submittal contains a description of the contributors to loss of DHR for the restrictive definition of DHR used in the evaluation of DHR; loss of containment heat removal contributes about 10% to the overall CDF. The submittal 1 addresses two aspects related to DHR, these being: support systems for DHR, and l human errors and recovery actions associated with loss of DHR. The submittal states that the two major systems for containment heat removal are: the main condenser and the RHR system. The submittal tabulates the support systems required for these main cooling systems. The submittal also discusses the unique capabilities for supporting containment heat removal at Vermont Yankee.
No vulnerabilities associated with loss of DHR were identified by the IPE.
No other USI/GSis were addressed in the IPE.
5
S E.5 Vulnerabilities and Plant improvements NRC proposed safety goals were used to identify vulnerabilities, namely:
core damage frequency > 1E-4/ year, and large Release Frequency > 1E-6/ year.
Based on these criteria, the IPE identified no vulnerabilities.
No plant hardware modifications were identified as a result of the IPE. Thirteen enhancements to procedures.were identified based on the front-end portion of the IPE.
Of these enhancements, ten are stated to have been implemented in the plant procedures and/or training and the remaining three were dropped based on the ;
evaluations performed.
One of the potential enhancements deals with maximizing CRD makeup. The dominant accident class is IA, a transient with loss of feedwater followed by failure of HPCI and RCIC and failure to depressurize. The IPE model does not credit makeup with both CRD pumps. It is possible that if both CRD pumps are used, CRD can i
provide a backup high pressure cooling option immediately after reactor trip. Other BWR IPEs have credited this option.
E.6 Observations The licensee appears to have analyzed the design and operations of Vermont Yankee i to discover instances of particular vulnerability to core damage. It also appears that i the licensee has: developed an overall appreciation of severe accident behavior; )
gained an understanding of the most likely severe accidents at Vermont Yankee; l gained a quantitative understanding of the overall frequency of core damage; and implemented changes to the plant to help prevent and mitigate severe accidents.
l Strengths of the IPE are as follows. The evaluation and identification of plant-specific initiating events is more thorough than corresponding analyses in some other IPE/PRA studies. Also, the licensee's involvement in the IPE process was more substantial than in some other IPE/PRA studies.
No particular shortcomings of the IPE were identified.
Significant findings on the front-end portion of the IPE are as follows:
- transients involving loss of feedwater with subsequent failure of RCIC and HPCI and failure to depressurize dominate the overall CDF
= station blackout is less of a contributor to overall CDF than at other similar plants due to the power tie line from the hydroelectric station and due to the i 1
6
i ability to provide for long term injection with diesel driven firewater using the John Deere DG to open injection valve; e,nd to maintain the SRVs open; also, the IPE deferred consideration of weather related loss of offsite power to the IPEEE
- hVAC support is only required for the DG rooms
- = core cooling can be maintained without containment cooling if containment venting is successful and is controlled; no credit was taken for core cooling without containment venting, after containment failure.
The estimated core damage frequency for Vermont Yankee,4.3E-06/ year, is fairly low but is in the range of CDF estimates for other BWR 3 and 4 designs. This low CDF estimate for Vermont Yankee is due to important plant features such as the power tie line from the hydroelectric station and the ability to provide for long term injection with diesel driven firewater. In addition, the low CDF for Vermont Yankee is affected somewhat by the fact that the IPE scope was more limited than that for most plants in that weather-related LOSP was not considered, nor was internal flooding. The licensee intends to include these aspects in the IPEEE for Vermont Yankee.
Consideration of weather-related LOSP could potentially increase the station blackout CDF by about 36%, or the total CDF by about 7%. Most IPEs have found that intemal '
flooding is not a significant contributor to CDF.
7
f 1l i
i :
- 1. INTRODUCTION ,
- 1.1 Review Process i i
j This report summarizes the results of our review of the front-end portion of the j Individual Plant Examination (IPE) for the Vermont Yankee. This review is based on J information contained in the IPE submittal (IPE Submittal)'along with the licensee's
! responses [RAI Responses) to a request for additional information (RAI).
i l 1.2 Plant Charactertration . ,
- Vermont Yankee is a single unit site located in Vermont. The plant is a Boiling Water l Reactor (BWR) 4 reactor with a Mark I containment. General Electric (GE) was the j Nuclear Steam System Supplier (NSSS); Ebasco was the AE. The unit achieved
- commercial operation in 1972. Rated power for the unit is 1593 MWt and 504 MWe
! (net). Similar units in operation are: Duane Amold and Cooper.
l Design features at Vermont Yankee that impact the. core damage frequency (CDF) !
relative to other BWR 4 plants are as follows: i l . Power tie line from Vemon hydroelectric station that can oower either 1E bus.
i The power line from the hydroelectric plant provides an altamate power supply i 3 for the 1E buses if offsite power and the Diesel Generators (DG) are lost. This
! feature tends to lower the CDF from station blackout.
I Ability to use diesel driven firewater for iniection to the vessel. The ability to l use the diesel driven firewater pump in conjunction with the John Deere DG,
! allows for long term mitigation of station blackout accident scenarios. This
- feature tends to lower the CDF from station blackout.
l . Presence of John Deere DG. This small DG can be used to provide power for l opening injection valves and maintaining SRVs open to allow core cooling with
! low pressure firewater injection. This feature tends to lower the CDF from j station blackout.
! . Passive. hardened torus vent. The passive torus vent provides a capability to i support operation of attemate injection systems for core cooling if containment
- cooling systems fall. This tends to lower the CDF from accidents associated j with loss of containment cooling systems.
l
- . Altamate coolina mode for backuo to service water. The attemate cooling
- mode provides for a gravity driven backup supply of water for DG cooling and j for Residual Heat Removal Service Water (RHRSW) suction if the service water j system is lost. This tends to lower the CDF associated with loss of service water.
1
) 8 1
1
. Four hour batterv lifetime. The four battery lifetime is relatively short and this l tends to increase the CDF from station blackout since it restricts the time available to recover offsite power.
I i
l i
9
i
- 2. TECHNICAL REVIEW ,
2.1 Licensee's IPE Process The process used by the licensee was reviewed with respect to: completeness and methodology; multi-unit effects and as built, as operated status; and licensee participation and peer review.
2.1.1 Comoleteness and Methodoloov.
The completeness of the submittal was reviewed with respect to the type of information and level of detail requested in NUREG 1335. The submittal does not provide a global dependency matrix. Also, the utility has (with NRC concurrence) deferred consideration of intemal flooding to the IPEEE. [lPE submittal, Section 1.3)
No other obvious omissions were noted.
l The front-end portion of the IPE is a level i PRA. The specific technique used for the level l PRA was a large event tree /small fault tree technique with support systems modeled in event trees, and it was clearly described in the submittal.
The submittal described the details of the technique. The split fraction logic and event l tree linking utilized in the large event trees were discussed. The component level i system fault trees and system descriptions were provided. Inter-system dependencies 1 were described in the system descriptions, although no system dependency tables )
were provided. Data for quantification of the models were provided, including common :
cause and recovery data. The submittal does not address uncertainty. Sensitivity and importance analyses are not included in the submittal.
l The PRA upon which the IPE is based was initiated in response to Generic Letter 88- l 20; however, a Containment Safety Study that used PRA techniques was performed in l 1986 and it led to numerous plant modifications prior to the performance of the IPE. ;
[lPE submittal, Section 1.2]
)
j 2.1.2 Multi-Unit Effects and As-Built. As-Onerated Status.
! Vermont Yankee is a single unit site; therefore, multi-unit considerations do not apply j to this plant. l The IPE team members performed a walkdown of the reactor building. [lPE submittal, j Section 2.4) This walkdown focused on the general arrangement of equipment
- modeled in the IPE. Other walkdowns were done to specifically support deterministic
- assessments of room cooling requirements. ;
- i
~
Major documentation used in the IPE included: the UFSAR, technical specifications, i systems information, equipment specifications, LERs, and procedures. [lPE submittal, j 10
1 Section 2.4] Other IPE/PRA studies and related information reviewed were: the Reactor Safety Study, NUREG/CR 4550 studies, PRA studies for Shoreham and Limerick, and IDCOR Methodology information.
The freeze date for the IPE model was December 1,1993. [lPE submittal, Section 2.4.1] One modification scheduled for installation after the freeze date was considered in the IPE model, that being a modification to increase the diversity of ARl/RPT trip units.
Several modifications had been made prior to the performance of the IPE as a result of the Containment Safety Study of 1986, the most notable of these being: [lPE submittal, Section 1.2]
(a) ability to provide injection to the vessel with diesel driven firewater lined up to the RHR/LPCI system and to open required MOVs using power from a 175 KW John Deere DG, during station blackout (b) ability to provide DC control power to the SRVs from the John Deere DG to maintain them open to maintain low vessel pressure over the long term, during station blackout (c) incorporation of Revision 4 of the BWROG EPGs.
Also, a hard-piped torus vent has been iristalled to provide backup mitigation capability if containment cooling is lost. [lPE submittal, Section 1.2]
2.1.3 Licensee Particination and Peer Review.
The Vermont Yankee IPE was performed by staff of the Yankee Atomic Electric Company (YAEC), under the direction of Vermont Yankee. [lPE submittal, Section 2.2]
A principal engineer at Vermont Yankee directed the IPE effort. Two YAEC staff members were assigned full-time to the IPE, and a number of YAEC staff members were assigned part time to the IPE. Consultants from the following organizations were used for selected activities in the front-end portion of the IPE: one independent consultant, ERIN, and GKA.
It is evident from the submittal that utility personnel were heavily involved in the IPE for Vermont Yankee. The plant-specific treatment of reference line breaks, LOCAs outside of containment, ISLOCAs, loss of drywell cooling, and loss of HVAC indicate considerable involvement of knowledgeable utility staff in the IPE.
Section 5.2 of the submittal summarizes the review process. All aspects of the analysis received a review by qualified in house personnel who were not directly involved in the aspects of the analysis that they reviewed. System fault trees were reviewed by in-house experts from systems engineering, electrical engineering, mechanical engineering, l&C engineering, and operations, during system review meetings. High level review of all aspects of the analysis was performed by a 11
i l
consultant from ERIN engineering. Review comments were resolved as the work progressed; all comments involving potential errors or deficiencies were resolved to '
the satisfaction of the reviewers.
1 We could find no discussion in the submittal of any utility plans to maintain a "living" PRA.
2.2 Accident Sequence Delineation and System Analysis l
This section of the report documents our review of both the accident sequence delineation and the evaluation of system performance and system dependencies provided in the submittal.
2.2.1 Initiatina Events.
Initiating events were defined as events for which a reactor scram should occur; events requiring controlled reactor shutdown were not considered as initiating events. ,
[lPE submittal, Section 3.1.1) This is the typical definition used for initiating events for l PRAs of nuclear power plants operating at power. l Initiating events were identified by a review of the plant operating history, Updated Final Safety Analysis Report (UFSAR) analyses, and other BWR PRAs. [lPE submittal, Section 3.1.1) initiating events were categorized into the following four classes:
general transients LOCAs ATWS*
plant-specific events.
The general transient initiating events were grouped into the following types:
plant trip with feedwater and condenser available, MSIV closure with feedwater available, MSIV closure with loss of feedwater, and loss of offsite power.
Vermont Yankee has motor-driven feedwater pumps, so closure of MSIVs does not i render feedwater unavailable.
All the general transient initiating events, except for Loss of Offsite Pow;st (LOSP),
were quantified with plant-specific data from 1974 through 1988; data lhr 1988 were not available when the quantification of initiating events was performt d. !as"%iont
- An ATWS event is a combination of a true initiating event followed by failure to scram.
12 l
}
1 1) l plant specific data were available to quantify LOSP. The submittal listed all events that caused scram of the reactor, with the reactor above 25% power, none of which ,
were due to LOSP. [lPE submittal, Table 3.1.1.2) That Vermont Yankee has not J experienced an at-power LOSP is at least partially due to the fact that the plant has four main feeder lines to various points on the electrical grid. [lPE Submittal, Section 3.2.19] The frequency for LOSP was calculated using generic information from NUREG 1032.
The IPE does not consider weather-related LOSP. [lPE submittal, page 3.1.1-2] The submittal states that weather related LOSP is suitable for analysis as part of the -
]
IPEEE. This exclusion of weather-related LOSP results in a slightly lower frequency. ,
for LOSP; more importantly, it results in a higher likelihood for recovery of offsite i power, since weather-related losses require the most time to recover from. Other IPEs have included weather-related LOSP in the IPE. The exclusion of weather-related LOSP from the Vermont Yankee IPE results in a lower CDF from LOSP than would be calculated if the effect had been considered.
The frequencies assigned to LOSP in the IPE from. plant-centered and grid-centered events, respectively, are 0.087/ year and 0.018/ year, yielding an overall frequency of i 0.1/ year. [lPE submittal, Page 3.1.1-2] These values are generic values from Table A- !
l 1 of NUREG 1032. The submittal states that a plant-specific evaluation yielded frequencies for LOSP due to severe weather and extremely severe weather, respectively, of 9 CE-3/ year and 7.2E-4/ year; these losses are not included in the IPE. ;
Table A-1 of NUREG 1032 provides a generic vaiue of 0.009/ year for loss of offsite j power due to weather.' Exclusion of weather-related losses has a smallimpact on the ,
frequency of LOSP in that the total frequency without these events is reduced by only l about 10%; however, it can have a significant impact'on the ability to recover from LOSP, as subsequently discussed in this report.
LOCAs inside and outside of containment were evaluated. [lPE submittal, Section j 3.1.1.2] LOCAs inside containment were divided into small, medium, and large ranges, and were quantified with values from the Reactor Safety Study. The submittal does not provide the size ranges for small, medium, and large LOCAs. LOCA sizes were defined in terms of mitigating system requirements. The Vermont Yankee IPE 1 drew on generic information for establishing LOCA system success criteria [RAI responses, p. 5). For example, the Vermont Yankee IPE treats a stuck open SRV as l a medium steam LOCA, while other IPEs for similar plants have treated it as a small i LOCA that can be mitigated with RCIC. [lPE submittal, Page 3.1.1-12]
The IPE did not specifically discuss a recirculation pump seal LOCA as an initiating )
event, but the small LOCA category can include such an event. The frequency for a j small LOCA in the IPE is 1E-2/ year. [lPE submittal, Table 3.1.1.1] Other IPEs have 1 used a frequency of 3E-2/ year, explicitly for a seal LOCA initiating event. [NUREG/CR )
4550, Peach Bottom) 13
i i
The IPE included an analysis of HELB LOCAs outside containment with failure to isolate, and interfacing systems LOCAs in low pressure rated piping.
The IPE performed an evaluation of plant-specific transient initiating events, and the submittal documents the process by which such events were evaluated and retained for analysis. The following events were specifically analyzed as plant-specific initiating ,
events:
Loss of 125 V DC Bus 1 Loss of 125 V DC Bus 2 )
Loss of 4160 V AC Bus 3 Loss of 4160 V AC Bus 4 i Loss of Service Water. )
The following events were considered and not specifically modeled, as they are bounded in impact and frequency by other initiating events considered in the analysis:
loss of RBCCW, loss of TBCCW, loss of drywell cooling, loss of instrument air, loss of containment nitrogen, and vessel level reference line breaks. The RBCCW and TBCCW systems are cooled by service water, and failures in these systems were assumed to be bounded by loss of service water. [lPE submittal, p. 3.1.1-9] Loss of drywell cooling was evaluated and found to result in an orderly plant shutdown rather than a plant trip, and was not considered further as an initiating event. Loss of instrument air would result in an MSIV closure transient with loss of feedwater. In addition, the Diesel Fuel Oil Makeup System would also be impacted, but could be recovered by operator actions. Loss of instrument air was assumed to be similar to the MSIV closure transient with loss of feedwater. Loss of containment nitrogen would result in an MSIV closure transient. However, since nitrogen can be provided by three div,erse and separate sources, the loss of containment nitrogen was considered to be very unlikely and was not treated as a separate initiating event. The vessel level i reference line breaks were evaluated and found to be equivalent to small LOCAs.
The point estimate frequencies assigned to the initiating events are comparable to i data typically used in other IPE/PRA studies, except possibly for one event. [lPE i submittal, Table 3.1.1.1) The frequency assigned to the initiating event, inadvertent opening of an SRV, designated lORV, is 5.6E-3/ year, which is substantially less than 1 the frequency used in other studies. For example: the Peach Bottom PRA used 0.19/ year; and the Grand Gulf PRA used 0.14/ year. [NUREG/CR 4550, Peach Bottom]
[NUREG/CR 4550, Grand Gulf) The Vermont Yankee IPE submittal presented the basis for the frequency of this IORV initiating event. [lPE submittal, Section 3.2.27)
This basis included an assessment of the number of SRV opening events, the likelihood that an SRV will stick open, and the probability that the SRV will not reclose ,
during the depressurization process. The IPE used the PLG generic data base for conditional probability of an individual SRV failing to reclose once opened. In addition, the IPE took credit for historical data [NUREG/CR-0901] showing that stuck-open SRVs are likely to reclose when the pressure drops below 200 psig. [lPE submittal, 14
1 Section 3.2.27] Thus, the Vermont Yankee IPE assessment of IORV frequency appears to be more optimistic than that used in other IPEs/PRAs. As an initiating event, IORV contributes about 3% to the total CDF. [RAI, Responses, p.14] A less '
optimistic assessment of IORV frequency would raise the CDF contribution of this event and would also increase the overall CDF. For example, if an IORV frequency of 0.* 9/ year were used rather than 5.6E-03/ year, the overall CDF would potentially .
Increase by a factor of 2.
The frequency of an interfacing systems LOCA,2.3E-7/ year, accounts for best- ,
estimate probabilities for failure of piping exposed to beyond design pressure. Credit was taken for the ultimate strength of the affected piping, which can lower the frequency by a factor of 100 or more compared to assuming failure at the design pressure. The IPE used data from a NUREG prepared by Brookhaven National Laboratory for these best-estimate probabilities. [lPE submittal, page 3.2.36-8]
The frequency of a break outside containment,1.5E-6/ year, includes both the break ,
and failure to isolate the break. [lPE submittal, Page 3.1.1-21]
2.2.2 Event Trees.
Each accident initiating event was included in an appropriate class of initiating events, and each class of initiating events was modeled with an event tree. The following large, frontline event trees were developed: [lPE submittal, Section 3.1.2)
Large LOCA Medium LOCA Small LOCA Transient ATWS.
Two special event trees were developed: [lPE submittal, Section 3.1.3]
Interfacing Systems LOCAs LOCA outside containment.
Two large support system event trees were developed, these being: [lPE submittal, Section 3.1.4]
electrical systems event tree, and auxiliary systems event tree.
Core damage was assumed to occur when the reactor water level is less than 1/3 core height and decreasing. The licensee states that peak fuel temperatures are expected to exceed 1,500 deg. F under these conditions. [p. 2 of RAI Responses]
15
_ _ _ _._ . - - _ _ --~
4i The submittal states that system level success criteria were based on generic IDCOR information supplemented by plant-specific MAAP analyses. [lPE submittal, Section 3.1.2] The submittal does not tabulate system success criteria by type of accident.
System success criteria were provided in the event tree descriptions and in the systems descriptions, so we were able to discern the success criteria for accident l types. The following two system level success criteria were difficult to pull out of the i submittal: (1) credit for the use of the CRD system to mitigate transient accident sequences, and (2) the specific systems credited for attemate injection with external l water sources to provide core cooling following venting of containment.
The submittal does provide a summary discussion of event tree sequences, specifically indicating which ones lead to core damage. This is a major strength of the submittal which significantly helped our review. PRAs that use the large event tree methodology typically do not specify the sequence end states (success or core damage) on the event trees. (Small event tree PRAs typically do specify the end states on the event trees.) The large event trees may include branches that were l assumed to fall in actual quantification; for example, the Vermont Yankee model includes a branch for altemate injection (AI) after failure of containment heat removal systems and failure of venting, but the event was assumed failed with a probability of 1.0 during quantification because no credit was given to core cooling following loss of containment heat removal and loss of containment venting.
Another strength of the IPE was the segregation of small LOCAs and transient events into different event trees. This greatly facilitated understanding of the event sequences. Typically, IPEs that use the large event tree methodology combine transients and small LOCAs into the same event tree and it is difficult to check how j the different aspects of these events were considered in the sequences.
If containment cooling systems fall, the IPE credits venting of containment and altamate injection to maintain core cooling. The requirements for successful altemate injection (Al) are accident specific. For example, for a large LOCA, Al includes cooling of RHR seal coolers with RBCCW or the altemate cooling system and operator action to stop venting prior to loss of adequate NPSH margin for LPCI and core spray pumps; attemate injection with extemal sources as firewater is not credited. [lPE submittal, Page 3.1.2-4] For a small LOCA, Al credits use of condensate and feedwater, and for a transient, Al also credits firewater crosstle to inject to the core via the RHR/LPSI system. [lPE submittal, pages 3.1.2-12 and 3.1.2-14]
The discussions of the event tree sequences for LOCAs and transients explicitly state that no credit was taken for attemate injection to maintain core cooling with loss of containment cooling systems and failure of containment venting. Other IPEs for similar plants have credited the ability of selected systems to provide for core cooling after containment failure from overpressure. Although not explicitly stated, the submittal discussions suggest that RHR pump seal failure is assumed to occur for cases where containment cooling falls and the RHR pump seals are exposed to high 16 l
)
I 4 temperature suppression pool water. Such failures result in failures of alternate injection since its flow path to the reactor includes the RHR pumps.
The small LOCA event tree credits HPCI or RCIC as capable of mitigating the accident over the entire 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission time. Both of these systems use steam driven pumps that can provide injection down to 150 psig steam supply pressure, according to the system descriptions in the submittal. The NUREG/CR 4550 model for Peach Bottom also credited steam driven HPCI or RCIC as being available for the entire mission time following a small break LOCA. [NUREG/CR 4550 Peach Bottom, Figure 4.4-3] The Vermont Yankee IPE success criteria for LOCAs are stated to be taken from NUREG/CR 4550 and from reactor vendor documentation (NEDO 24708A).
[RAI Responses, p. 6)
The small LOCA event tree credits HPCI or RCIC with loss of containment cooling systems but success of containment venting, as sufficient to mitigate the accident until containment is vented, after which alternate injection is required. [IPE submittal, Figure 3.1.2-3, Expanded Sequences # 4 and # 11] The submittal states that the pressure for venting containment is 59*3 psig, and that RCIC automatically trips on high turbine backpressure at 25 psig. [IPE submittal, Pages 3.2.9-1 and 3.2.4-1] MAAP calculations performed for Vermont Yankee indicated that, for the scenarios of interest, alternate injection will not be needed until about 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> since core cooling with HPCI or RCIC is estimated to be adequate up until that time. [RAI Responses, p. 7]
The transient event tree assumes that DC power is available for 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for operation of HPCI or RCIC during station blackout prior to battery depletion. Long term core cooling with the firewater crosstie is credited only if HPCI or RCIC operate for 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, due to the time required to establish the crosstle. The system description for the firewater crosstie indicates that to use the crosstie during station blackout, power from the 175 KW John Deere DG must be provided to open MOVs to implement injection with the crosstle. [lPE submittal, Page 3.2.23-1] Also, as discussed in Section 1.2 of the submittal, DC control power to maintain the SRVs open must be supplied from this DG, to maintain low vessel pressure to allow for injection with firewater.
The transient event tree considers the inability to maintain the SRVs open over the long term due to loss of nitrogen supply and leakage from accumulators. (IPE submittal, Page 3.2.1-17] For sequences in which low pressure injection is lost due to loss of nitrogen supply to maintain the SRVs open, the IPE credits use of CRD and/or Condensate Transfer at high pressure. The SRV accumulators will maintain the SRVs open for a few hours following loss of nitrogen supply, and CRD or Condensate Transfer systems can provide sufficient makeup for the decay heat levels at that time.
(IPE submittal, p. 3.1.2-8]
The ATWS event tree assumes that if the main condenser is not available, core damage occurs if the operator falls to inhibit ADS or if boration with SLC is not successful.
17 i
I j
__-- - -- ~^ ~ ~ ~
l The event tree for an ISLOCA models both a small LOCA and a large LOCA. The model assumes that HPCI can be used to mitigate a small LOCA early in the accident, but that EQ effects prevent long term use of HPCI. Two options for mitigating an interfacing systems LOCA are credited: (1) isolation of the break, and (2) external injection with the firewater crosstie over the long term after suppression pool inventory cannot be maintained. The IPE model requires that the vessel be depressurized, if the break is small, for isolation to be possible, due to the DP limits of the isolation valves. [lPE submittal, Page,3.1.3-4) Consideration of the ability of the isolation valves to close under flow conditions indicates that careful plant-specific attention was paid to modeling interfacing systems LOCAs. .
The event tree for a HELB LOCA outside containment that is not isolated requires ,
depressurization if the break is small, short term use of either LPCI or core spray, and long term cooling using injection with the firewater crosstle, or with the condensate system if the break is not in a feedwater line.
Two support system event trees were developed: an electrical system support tree and an auxiliary systems support tree. The electric.al systems support event tree considers the ability to power either one, but not both, of the 1E 4160 V AC trains with a dedicated tieline from the Vernon hydroelectric station. This unique arrangement allows for powering a 1E bus if offsite power is lost, without using the onsite DGs.
The auxiliary systems support event tree model includes the following support systems: service water, RHRSW, TBCCW, RBCCW, instrument air, containment nitrogen, and l&C systems.
The auxiliary systems support event tree considers recovery of offsite power within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. [lPE submittal, Page 3.1.4-9] The IPE assigns a probability of 0.088 for non-recovery of offsite power within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. [lPE submittal, Pago 3.1.4-10] This value is based on data from NUREG 1032 for recovery of offsite power for plant-centered and grid-related losses of offsite power. As discussed in Section 2.2.1 of this report, the IPE does not model weather-related LOSP events. The 0.088 probability is calculated by weighing the probabilities for plant-centered and grid related losses. The probability for not recovering offsite power by 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> due to a plant-centered loss is based on data in Figure A.3 of NUREG 1032 for the 13 offsite power group; it should be noted that the 13 group has a significantly higher probability for non-recovery than the other 2 groups. The probability for not recovering offsite power by 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> due to a grid-related loss is 0.01 based on data in Figure A.5 of NUREG 1032, assuming normal recovery.
The impact of not considering weather loss of offsite power can have a significant impact on the calculation of CDF due to station blackout, since weather-related losses require the most time for which to restore offsite power. For example, NSAC-147 Implies that, in general, the probability of non-recovery at 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is about 0.15 and about 90% of this value is due to weather-related losses. [NSAC-147, Figure 2-1] The 18
1l relative importance of plant-centered loss of offsite power is plant specific, as it is affected by the design features for supply of offsite power. For example, Figure A.3 of NUREG 1032 shows that the probability for non-recovery of offsite power by 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> due to a plant-centered loss can differ by a factor of 10 depending on the plant group (11,12, or 13). To estimate the impact of not considering weather-related loss of offsite power in the Vermont Yankee IPE, we used data from NUREG 1032. Figure A.8 of NUREG 1032 indicates that the probability for non-recovery of offsite power by 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> due to severe weather loss of power is 0.43. Table 2-1 summarizes data used in the IPE to address loss of offsite power and recovery ~ of offsite power, and data we us'ad to estimate the impact of including weather-related losses of offsite power.
The data in Table 2-1 Indicates that if the IPE had considered weather-related loss of offsite power, the CDF from station blackout would increase by about 36%,
considering the increase in both the initiating event frequency and the increase in the probability of non-recovery of offsite power within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. That is, the frequency of LOSP events increases by about 8% and the probability of non-recovery in 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> increases by 26%, giving an overall increase of 36% in SBO-related CDF. It should be noted that the increase is smaller than perhaps expected. This is because the IPE used data from NUREG 1032 for non-recovery of offsite power following plant-centered loss for the 13 design group. This group has a significantly higher probability for non-recovery than the other two groups; for a plant in the 11 design group, not modeling weather-related loss of offsite power would result in a significantly greater fractional reduction in the CDF due to station blackout.
Table 2-1. Loss of Offsite Power Data Category of Loss Frequency
- Probability of Non-Recovery 1/ year within 4 Hours Plant Centered 0.087 0.08*
Grid Related 0.018 0.1' Weather Related 0.009 0.43' Total in IPE 0.105 0.088* l (excluding weather loss) i Total (including weather loss) 0.114 0.111*
From NUREG 1032 table A.1
- From NUREG 1032 Figure A.3 Group 13 From NUREG 1032 Figure A.5 with normal recovery
- From NUREG 1032 Figure A.8 with normal recovery Weighted by frequencies for categories of losses considered Most PRAs that model intamal initiating events include weather-related losses of offsite power; the Vermont Yankee IPE does not.
l 19 ,
1
2.2.3 Svstems Analysis.
I System descriptions are included in Section 3.2 of the submittal. The system descriptions include system fault trees, system success criteria, system mission time, system interfaces and dependencies, and modeling assumptions. HVAC requirements are explicitly addressed in the system descriptions.
The system descriptions only very briefly address the John Deere 175 KW DG. This component is needed to provide power for opening MOVs and for maintaining DC power to keep the SRVs open to allow for long term mitigation of a station blackout scenario with injection from the diesel driven firewater pump. Operator action is required to properly align breakers so that this DG can be used. The John Deere DG is independent of other support actions and services [RAI responses).
Based on the analyses of the impacts of loss of HVAC/ room cooling, we conclude that the only areas for which such support systems were required in the IPE were the DG rooms, where ventilation is provided by DG driven fans and louvers. The submittal summarizes the results of loss of HVAC analyses for many, areas, including: LPCl/ core spray corner rooms, HPCI and RCIC rooms, and service water pump rooms. Many of these analyses were performed with the GOTHIC computer code. HVAC for the main control room was not explicitly modeled for the Vermont Yankee IPE, but was judged to have low consequences of failure since operators could take compensatory actions.
[RAI Responses, p. 8)
The system description for HPCI indicates that the high back pressure trip setpoint is 150 psig; this is greater than the best-estimate containment failure pressure of 140 psig used in the IPE. Therefore, loss of HPCI due to high backpressure is not of significance. The submittal does not discuss the temperature limitations of the HPCI system; overtemperature considerations are addressed in the event trees for cases where containment cooling systems are lost. [IPE submittal, Page 3.2.1-8 Note #17)
The system description for LPCI points out that each of the two RHR pumps in each of the two injection trains are powered off different 1E power supplies. Although not specifically discussed in the submittal, it is clear that the present LPCI design does not utilize loop selection to inject into the intact recirculation loop. Figure 3.2.2A of the submittal shows that the MOV in the injection crosstle line is closed with power removed. The system description indicates that closure of valves in the recirculation lines is required for certain accidents for which diversion of flow through open valves is of significance. [lPE submittal, Page 3.2.2-5) For the BWR 4 design, LPCI injects into recirculation lines and does not inject directly into the core region as the case for BWR 6 designs. Closure of the recirculation pump discharge isolation valve in the intact loop is required following a LOCA in the other recirculation loop to ensure adequate supply of ECCS water to the core. The IPE LPCI fault tree model included the closure l of the recirculation loop pump discharge valve in the intact loop as a basic event. The I LPCI fault tree was quantified with and without this valve in the model. The LPCI 20
failures increased from 6.4E-03/ demand without the valve (valve failure rate set to 0) to 7.6E-03/ demand with the valve (valve failure rate = 1.2E-03/ demand), an increase of about 16%. From this evaluation the licensee concludes that the inclusion or exclusion of the closure of this valve in the models has little impact on the IPE results.
[RAI Responses, p. 9) However, from the information provided it is not clear if the valve closure model was actually included in the final quantification of CDF estimates
The IPE model requires long term cooling of the RHR pump seal coolers with l RBCCW; cooling over the short term is not required. The submittal summarizes the results of analyses supporting the assumption that HVAC for the HPCI system is not -
required. The success criteria for LPCI is one pump injecting to the vessel. l The system description for core spray includes an analysis supporting the assumption that room cooling to support operation of the core spray pumps is not required. The ,
success criteria for core spray is successful injection to the vessel with one core spray j pump. The submittal does not provide a discussion supporting the ast mption that a l large LOCA can be mitigated with injection from either one LPCI or one core spray '
pump; however, this success criteria is consistent with that used for other BWR IPEs/PRAs.
The system description for RCIC states that the high backpressure trip setpoint is 25 psig. As discussed in Section 2.2.2 of this report, the IPE model credits RCIC for long term mitigation of a small LOCA with loss of containment cooling systems and l successful venting of containment. Plant specific MAAP calculations indicated that, for ,
this small LOCA scenario where initial core cooling is provided by HPCI or RCIC and l containment cooling systems fall, the containment back pressure is not expected to l reach 25 psig until about 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. [RAI Responses, p. 7) Evidently, Vermont i Yankee has not implemented GE SIL # 371 of 1982 which recommended raising the l RCIC trip setpoint from 25 psig to 50 psig to prevent loss of RCIC due to trip on high back pressure during a small LOCA. [GE SIL #371) The submittal does not discuss the temperature limitations of the RCIC system; overtemperature considerations are addressed in the event trees for cases where containment cooling systems are lost.
[lPE submittal, Page 3.2.4-6 Note #12] The system description for RCIC summarizes analyses supporting the assumption that room cooling is not required to support operation of RCIC.
The system description for the ADS system states that depressurization can be provided with 2 of the 4 three stage target rock SRVs.
The submittalincludes a system description of the RHR shutdown cooling system, but this system was not credited in the IPE models.
The system description for containment venting points out that the vent at Vermont Yankee is a passive rupture disk, which opens at 59 3 psig. This is different from the 21
. -- . . . - _ . . - . - - - - . ~ . . - - . - - - - _ - . - . -
4 design of many BWR venting systems which require opening of air operated valves for venting. The' system description indicates the presence of a normally open MOV downstream of the vent rupture disk, which can be used to isolate the vent. No details ,
of this isolation capability are provided in the system description. However, as discussed in Section 2.2.3 of this report, the event trees indicate that after venting, operator action to isolate the vent is needed to prevent loss of adequate NPSH margin for operation of LPCI or core spray using the suppression pool. ~ The system description states that power to close the vent isolation valve is provided by 480 V AC .
MCC 7A, and the system description for AC power indicates that this MCC is not powered by 1E power.
The system description for the MSIVs indicates that instrument air is required to maintain the outboard valves opon, and containment nitrogen is required to maintain the inboard MSIVs open; the MSIVs drift closed on loss of air / nitrogen.
The system description for SLC states that HVAC is not required for operation of the 2
SLC pumps.
The system description of the CRD system describes the increased injection from CRD after reactor trip. Success criteria for CRD is 1 pump, which supplies about 100 gpm to the vessel at high pressure after reactor trip. The IPE made the assumption that, due to friction losses and orificing, the flow to the reactor vessel from 2 CRD pumps would not be significantly greater than that available from 1 pump. [lPE submittal, Section 3.2.13) The CRD pumps are powered off 480 V AC buses 8 and 9, which receive 1E power. RBCCW is required for cooling of the CRD pump oil and bearings. HVAC is not required for the CRD pump rooms, based on analyses summarized in the submittal. As discussed in Section 2.2.3 of this report, CRD is credited for long term core cooling if nitrogen to the SRVs is lost and they close, preventing the use of low pressure core cooling systems. The time at which CRD makeup is assumed to be adequate for core cooling is not specified in the submittal, but the statement is made that cooling with CRD should be adequate several hours after the reactor is tripped. [lPE submittal, Section 3.1.2) CRD makeup was credited as part of alternate injection for transients, IORV events, and small LOCAs, but not for A1WS events.
The system description of the feedwater/ condensate system indicates that the feedwater pumps are motor driven and are, therefore, available for injection after closure of the MSIVs. After reactor trip, operator action to throttle feedwater flow is necessary to prevent trip of feedwater on high vessel water level. [lPE submittal, Page 3.2.14-3) TBCCW cooling for pumps is required and loss of HVAC is included in the unavailability for the feedwater/ condensate system.
The turbine bypass system can handle 105% of full power. Therefore, if the response of this system is sufficiently fast following load rejection, the reactor will not trip and 22
..mm. ,6.. ,m-m 4-=-u.-- ---~4- wm i
the. plant can provide its own power. The Vermont Yankee IPE, however, assumed !
. that the plant would trip on a load rejection event. [RAI Responses, p. 31] .
The system description for service water states that 2 of the 4 service water pumps are required for accident mitigation. The system description for RHRSW states that one RHRSW pump is required, but that service water supply to the RHRSW pumps is also required. The submittal summarizes analyses indicating that HVAC for service water and for RHRSW are not required.
The system description for station AC power states that at power, the 1E buses -
receive power from the plant generator, but that after plant trip, transfer to offsite i power from the startup transformers is required to maintain offsite power to the 1E buses. The site has a dedicated power line from the Vernon hydroelectric plant that can be used to power either one, but not both, of the 1E buses; this is a unique plant feature. The Vernon tie line connects to the IE buses through a dedicated transformer, and is not connected to other plant loads. The submittal does not discuss whether or not the 1E buses can be crosstled, although Figure 3.2.19A, Sh.1, indicates this capability. The DGs are cooled by service water. The submittal summarizes the results of a GOTHIC calculation supporting the assumption that HVAC is not required for the electrical switchgear rooms.
The system description for DC power summarizes DC power supplied from the station DC batteries and from the attemate shutdown batteries. The altemate shutdown batteries are credited in the model for providing power for actuating breakers needed to provide AC power from the Vernon dam tie line, and for providing control power for Diesel Generator A.
The system description for station air indicates that 2 of the 4 air compressors are needed to provide air, and that 2 of the compressors can be powered with 1E power.
The submittal states that the air compressors are air cooled; at many plants, the air compressors require water cooling.
The submittal provides a description of the fire water crosstle to the RHR injection lines to the recirculation loops, that can be used to provide diesel driven injection of firewater to cool the core. This capability can be used during station blackout, if the John Deere DG is available to provide power for opening normally closed AC MOVs; the submittal indicates that no credit was given for local operator action to open these valves. The submittal discusses the capability of fire water injection to the core, and concludes that it can provide 1000 gpm if vessel pressure is less than 100 psig. The submittal states that a substantial amount of time is required to institute injection to the core with the fire water crosstle; HPCI or RCIC must operate for 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> to provide sufficient time to implement long term injection with the fire water crosstle.
The submittal provides a system description of how RHRSW can be crosstied to provide for injection to the core through the RHR connections to the recirculation is 23
a lines. This option was not credited for sequences involving failure of containment cooling and successful containment venting [RAI Responses, p. 3).
Failure of the Vernon dam can result in loss of service water due to loss of water from Vernon Pond. To mitigate this event, the plant has the capability to provide cooling to the DGs and water to the suction of the RHRSW pumps with gravity drain from the deep basin beneath the west cooling tower. [lPE submittal, Section 3.2.33] The basin has sufficient water for one week operation in this cooling mode. This is a unique capability. All valves needed to align this 'Altemate Cooling Mode' are capable of local manual operation. If the DGs auto start and service water cooling to the DGs is lost, rapid operator action to trip the DGs is required to prevent failure of the DGs due to loss of cooling, until manual actions can establish the 'Altemate Cooling Mode'; this is discussed in the system description for the 'Altemate Cooling Mode'.
The IPE submittal addresses the need for long term refill of the CST to maintain long term cooling with the CRD system. The CST maintains a minimum inventory of 75,000 gal and one CRD pump supplies about 100 gpm; therefore, makeup to the CST is needed after about 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.
The discussion for interfacing systems LOCAs references NUREG/CR-5124, a BNL report, as the source of data for quantifying the probability that piping exposed to I greater than design basis pressure fails.
We have no comments on the system descriptions in the submittal for the following )
systems: containment spray, suppression pool cooling, RBCCW, TBCCW, ARl/RPT, l nitrogen supply, drywell cooling, condensate transfer, and RPS. It should be noted J that no fault trees were developed for the RPS system, rather the following overall demand probabilities bf failure to scram were used: 1E-5 for mechanical failure and 2E-5 for electrical failure.
2.2.4 System Denendencies.
The submittal does not provide system dependency tables. System dependencias are discussed in the system descriptions. The lack of system dependency tables increased the complexity of our review; however, the system dependencies were discussed in the separate system descriptions. 1 2.3 Quantitative Process This section of the report summarizes our review of the process by which the IPE quantified core damage accident sequences. It also summarizes our review of the data base, including consideration given to plant-specific data, in the IPE.
24
q:
2.3.1 Quantification of Accident Seouence Freauencies.
The Vermont Yankee IPE used tne large event tree /small fault tree model for quantifying core damage. Support states were modeled with support system event trees. Support state quantification was not used, as the support system event trees were linked directly with the frontline event trees in the quantification whh RISKMAN software. (IPE submittal, Section 3.3.6] The event trees are systemic. Fault trees were used to develop component level failures for event tree events. (IPE submittal, Section 3.2.2] A 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission time for mitigation of an accident was used. j Quantification of linked event trees was accomplished with Riskman software, i All system fault trees were quantified using a truncation value of 1E-08. The resulting system failure probabilities were subsequently used in the quantification of the event tree models. The event tree models were quantified using a truncation value of 1E-13.
[p. 32 of RAI Responses]
2.3.2 Point Estimates and Uncertaintv/ Sensitivity Analvses.
~
Mean values were used for point estimate failure frequencies and probabilities. No uncertainty analysis is discussed in the submittal. The submittal does not discuss any sensitivity or importance analyses, although component level importance measures for system failures (by system) are given in tables in the submittal.
2.3.3 Use of Plant-Soecific Data.
The IPE used plant specific data to Bayesian update generic data for selected components. [IPE submittal, Section 3.3.2] Plant specific data for component failures were taken from plant data covering the time period January 1973 through June 1989.
Components for which plant specific data was evaluated were selected based on the IPE analysts judgement as to which components were considered to be important contributors to the system function, and for which component history data could reasonably be retrieved from plant records. [RAI Responses, p. 33]
The submittal does not discuss the data used for test and maintenance outage durations and frequencies, although data in Table 3.3.1 of the submittal indicates that PLG generic data were used. Test and maintenance frequencies were stated to have been developed from both plant specific and generic data, and typically the higher value of the two sources was used in the analysis. The durations for test and maintenance outages were taken from generic data because, with the exception of the diesel generators, plant specific information was not reasonably retrievable. [RAI Responses,p.35)
We performed a spot check of the plant specific data for component failures. The results of this check are summarized in Table 2-2 of this report.
25
1 Table 2-2. Plant Specific Data Component and Vermont Yankee NUREG/CR 4550 Value'4
- Fallure Mode IPE Value(4
- Peach Bottom Table 4.91 Diesel Generator 8.3E 3/D 3.0E 3/D Fall to Start Diesel Generator 6.7E-3/H (First Hour) 2.0E-3/H Fall to Run 2.8E-3/H (After First Hour)
HPCI Turbine 3.5E 2/D 3E-2/D Fall to Start HPCI Turbine 1.0E 3/H SE 3/H Fall to Run !
LPCIPump 1.6E 3/D 3E 3/D l Fall to Start l LPCIPump 3.4E 5/H 3E-5/H Fall to Run Core Spray Pump 1.2E-3/D 3E 3/D Fall to Start Core Spray Pump 3.4E-5/H 3E-5/H Fall to Run MOV about 2E-3/D 3E-3/D Fall to Change State (Open/Close)
AOV 1 E-3/D Fall to Change State (Open/Close)
RCIC Pump 2.5E-2/D 3E 2/D Fall to Start RCIC Pump 1.0E 3/H SE-3/H I Fall to Run l (1) D is per demand; these values are probabilities.
(2) H is per hour; these values are frequencies.
Based on the data in Table 2-2 of this report, the plant specific component failure data are comparable to data used in other typical IPE/PRA studies. l 2.3.4 Use of Generic Data.
The generic data used for component failures are listed in Table 3.3.1 of the submittal.
The primary source of generic data was the PLG generic data base. We reviewed this generic data used in the IPE and found it to be to be consistent with data typically used in other IPE/PRAs.
2.3.5 Common Cause Quantification.
The MGL method was used to model common cause failures. [lPE submittal, Section 3.3.4) The PLG generic data base was used to quantify common cause failure. The 26
i MGL factors are not in the fault trees; they are considered in the Riskman cut set equations. Common cause failures were modeled within a system, with one notable exception being consideration of common cause failure between the HPCI and RCIC turbine driven pumps. Components were selected for common cause failure treatment based on the existence of major redundant components within a system and the availability of generic common-cause modeling parameters for those components.
[RAI Responses, p. 34]
Table 3.3-4 of the submittal lists the common cause failure data MGL factors for the components for which a plant-specific common cause analysis was performed. We.
performed a spot check of this data, as summarized in Table 2-3 of this report.
Table 2-3. Common Cause Factors for 2-of-2 Components l
Component Vermont Yankee Beta Factor Value from Source !
Submittal Tabio 3.3-4 Indicated l in Footnote Diesel Generator 0.07 (fail to start) 0.0 4 *'
- 0.01 (fall to run) 0.03 (') fall to run (0.006 for fall to start)
MOV 0.07 0.05 '"
0.09 *
- 0.05 i 'l RHR Pump 0.07 (fail to start) 0.1 "'
- 0.01 (fall to run) 0.2
- l 0.1 fall to start (0.02 for fall to run) l Safety / Relief Valve 0.07 0.1 14 0.2
- 0.3 fall to open on pressure ;
{0.1 fall to open on signal)
High Head Pump 0.2 "' " ;
Core Spray Pump 0.07 (fail to start) 0.2
- 0.01 (fall to run) 0.2 fail to start (0.02 for fall to run)
Service Water Pump 0.07 (fall to start) 0.03 "'
- 0.01 (fall to run)
Circuit Breaker 0.07 ( > 480 V ) 0.2 for 480 V and higher 0.07('l for less than 480 V HPCl/RCIC Turbine Pump 0.07 HPCl/RCIC Fall to Start 0.02 fail to start "' ,
0.01 HPCl/RClO Fall to Run (0.009 for fall to run) l l
(1) NUREG/CR 4550 Peach Bottom. Table 4.91. l (2) NUREG/CR 4550 Grand Gulf Table 4.9-29 l (3) NRC IPE Review Guidance. Rev 1 November 1993 (4) PLG Generic Data in Brown Ferry IPE submittal Table 3.3.410.
27 i l
Based on the data in Table 2-3 of this report, the common cause factors appear consistent with data typically used in other IPE/PRA studies.
2.4 Interface issues !
3 This section of the report summarizes our review of the interfaces between the front-end and back-end analyses, and the interfaces between the front-end and human factors analyses. The focus of the review was on significant interfaces that affect the ability to prevent core damage.
2.4.1 Front-End and Back-End Interfaces.
The IPE credits containment venting with alternate injection to the vessel for core cooling if containment cooling systems are lost. Operator action to control venting is required to prevent loss of NPSH margin for ECCS pumps pulling from the suppression pool. The venting is accomplished with a rupture disk, and isolation of ,
venting to control the venting process requires closure of a downstream MOV.
The IPE does not credit continued operation of any core cooling systems if containment cooling systems are lost and venting fails.
The IPE does not address the impact of containment isolation on the ability to cool the recirculation pump seals. This is not of major significance for Vermont Yankee, since it is not an isolation condenser BWR plant, and all methods of core cooling involve injection of water to the vessel.
The IPE methodology does not require binning of front-end core damage sequences into PDSs for the back end analyses; the front-end and back-end models are directly linked together in quantification by the RISKMAN software. [lPE submittal, Page 2.3-1]
However, to characterize and summarize the results of the front-end analysis, the licensee did bin core damage sequences into classes of accidents. [lPE submittal, Section 3.1.5) 2.4.2 Human Factors Interfaces.
Based on our front-end review, we noted the following operator actions for possible consideration in the review of the human factors aspects of the IPE:
. manualinitiation of depressurization
= inhibition of ADS during ATWS sequences a control of feedwater after plant trip to prevent loss of feedwater due to feedwater isolation on high vessel level e manualinitiation of SP cooling
. manual control of containment venting (initiation of venting is passive)
= manual initiation of the alternate cooling mode for loss of service water events 28
i
- initiation of injection with the firewater crosstie using the diesel driven firewater
- open isolation valves and for providing DC control power for maintaining the
- SRVs open over the long term during station blackout
- e use of the tie line from the Vernon hydroelectric station to power a 1E Bus
4 2.5 Evaluation of Decay Heat Removal and Other Safety lasues This section of the report summarizes our review of the evaluation of Decay Heat Removal (DHR) provided in the submittal. Other GSI/USls, if they were addressed in
! the submittal, were also reviewed.
2.5.1 Examination of DHR Although the IPE evaluated all aspects of decay heat removal, the evaluation of DHR i
, in Section 3.4.3 of the submittal is restricted to the final heat sink options: RHR, PCS, l or containment venting. Thus, the evaluation of DHR in the submittal does not l address direct loss of core cooling.
The submittal addresses two aspects related to DHR, these being: support systems for l DHR, and human errors and recovery actions associated with loss of DHR. The !
submittal states that the two major systems for containment heat removal are: the main condenser and the RHR system. The submittal tabulates the support systems required for these main cooling systems. The submittal also discusses the unique capabilities for supporting containment heat removal at Vermont Yankee, specifically:
+
the hardened torus vent the altemate cooling mode the Vernon power line crosstle.
l The submittal summarizes the important operator actions associated with DHR, !
specifically:
initiation of suppression pool cooling reopening of MSIVs and restoration of main condenser heat sink recovery of offsite power control of service water initiation of the alternate cooling mode control of containment venting use of CRD.
Loss of centainment heat removal accident sequences contribute about 10% to the overall CDF. The licensee concludes that the IPE addressed loss of DHR, and that there are no plant vulnerabilities associated with loss of DHR.
29
J
! Regarding insights related to loss of core cooling and specific contributions to CDF, l the licensee noted the following: (RAI Responses, p. 21-22)
,t
- high pressure injection systems with failure to depressurize. The high pressure
! systems are Feedwater, HPCI, and RCIC. The failure to depressurize is dominated by operator error since the IPE analysis assumes that Automatic d
Depressurization System (ADS) logic is inhibited (as prescribed by EOPs).
2 (b) About 14% of the total DCF comes from extended (i.e., >4 hours) Station Blackout sequences where core cooling fails due to battery depletion.
i (c) About 13% of the total CDF comes from ATWS sequences where failure of reactivity control causes containment failure and subsequent core damage. ,
(d) About 9% of the total CDF comes from transient sequences where all high pressure and low pressure core cooling systems fail. Because of the many injection system,s available, most of these sequences involve failure of AC and/or DC support systems.
(e) About 7% of the total CDF comes from transiant sequences where the containment heat removal function falls and the subsequent containment failure causes loss of core cooling.
(f) About 5% of the total CDF comes from LOCA sequences. For about 3%, the loss of core cooling is caused by random failure of Emergency Core Cooling Systems (ECCS) and/or their required support systems. For about 2%,
containment failure (and loss of ECCS) occurs due to failure of vapor suppression.
2.5.2 Diverse Means of DHR.
The IPE evaluated the diverse means for DHR and for core cooling. Cooling options evaluated included: main condenser /feedwater, high and low pressure ECCS systems whh containment cooling or containment venting, and alternate injection for core cooling with the diesel driven firewater crosstie.
The use of containment venting as a backup to suppression pool cooling is an important aspect of DHR modeled in the IPE.
2.5.3 Uniaue Features of DHR.
Design features at Vermont Yankee that impact the Core Damage Frequency (CDF) from loss of DHR are as follows:
. Ability to use diesel driven firewater for iniection to the vessel. The ability to use the diesel driven firewater pump in conjunction with the John Deere DG, allows for long term mitigation of station blackout accident scenarios. This feature tends to lower the CDF from station blackout.
30
i Presence of John Deere DG. This small DG can be used to provide power for opening injection valves and maintaining SRVs open to allow core cooling with low pressure firewater injection. This feature tends to lower the CDF from station blackout.
Passive. hardened torus vent . The passive torus vent provides a capability to support operation of alternate injection systems for core cooling if containment cooling systems fall. This tends to lower the CDF from accidents associated with loss of containment cooling systems.
Altamate coolina mode for backun to service water. The alternate cooiing mode provides for a gravity driven backup supply of water for DG cooling and for Residual Heat Removal Service Water (RHRSW) suction if the service water system is lost. This tends to lower the CDF associated with loss of service water. .
2.5.4 Other GSI/USIs Addressed in the Submittal.
No other safety issues were specifically addressed for resolution in the Vermont Yankee IPE submittal. [lPE submittal, Section 3.4.4]
2.6 Intemal Flooding As discussed in Section 2.2.1 of this report, the IPE deferred consideration of intemal flooding to the IPEEE.
2.7 Core Damage Sequence Results This section of the report reviews the dominant core damage sequences reported in the submittal. The reporting of core damage sequences- whether systemic or functional- is reviewed for consistency with the screening criteria of NUREG-1335.
The definition of vulnerability provided in the submittal is reviewed. Vulnerabilities, enhancements, and plant hardware and procedural modifications, as reported in the submittal, are reviewed.
I 2.7.1 Dominant Core damaae Secuences.
The IPE utilized systemic event trees, and reported results consistent with the criteria for systemic based analyses delineated in NUREG-1335. Table 2-4 of this report summarizes the contribution to core damage by accident class. Station blackout appears to represent 20% of the total CDF. (Table 1.1, Section 3.4 of submittal]
31
- . . .- -. - . - - . .. - - -.-- - . _ = - . ._ - . _ - - - _ - . - -
l .. . .. 4 l
l l
Table 2-4. Accident Classes and Their Contribution to Core Damage Ffequency l
l- Accident Class Descdption of Accident Class Percent of CDF l lA Transient with loss of high pressure injection 34 and failure to depressurize ,
l IBL Station blackout with HPCl/RCIC lost late 14 l due to DC battery depletion IVA ATWS with containment failure 13 ID Transient with loss of low pressure injection 9 l IIA Transient with loss of all containment heat 7 -
removal; core damage caused by containment failure IVL ATWS with overpressure 6 i IED Station blackout with early failure of DC 4 control power llV Venting with failure to reclose vent resulting 3 in NPSH loss of ECCS systems IllC LOCA with loss of low pressure injection 3 I IBE Station blackout with early failure of HPCI 2 and RCIC lilD LOCA with containment failure 2 I IC ATWS with loss of injection 1 V Containment bypass by ISLOCA or HELB 1 LOCA outside containment IEC Transient with delayed loss of DC 1 Level 1 endstates that contributes <1% to <1 Others CDF i
Table 2-5 below summarizes the CDF contributions by initiating event. [p.14 of RAI Responses) l l l
l l
1 32
1 Table 2-5. Initiating Even'.s and Their Contribution to Core Damage Frequency inilletng Event CDF Contribution / yr. % Cont to CDF LOSP 8.6E-07 20 ATWS with MSIV Closure 6.0E-07 14 Loss of Feedwater and MSIV Closure 5.2 E-07 12 Loss of DC Bus 2 4.7E-07 11 Loss of DC Bus 1 4.3E-07 10 Trknsient 3.4E-07 8 Loss of AC Bus 3 2.2E-07 5 Loss of AC Bus 4 2.2E-07 5 Inadvertent / Stuck Open Relief Valve 1.3E-07 3 ATWS with Loss of Feed and MSIV Closure 1.3E-07 3 ATWS 1.3E-07 3 Transient with MSIV Closure 8.6E 08 2 Large LOCA 4.3E-08 1 ISLOCA 4.3E-08 1 Medium LOCA <4.3E-08 <1 Loss of Service Water <4.3E-08 <1 Small LOCA <4.3E-08 <1 ATWS with LOSP <4.3E-08 <1 The submittal lists the top 100 core damage sequences; in total, these 100 sequences constitute 84% of the overall CDF. The top S core damage sequences for the two units are summarized in Table 2-6 of this report.
Table 2-6. Top Five Core Damage Sequences initating Event Millgating system Sequence Frequency 1/ year Fellures % of Total CDF Loss of Feedwater with MSIV Loss of RCIC; Loss of HPCl; 4.6E 7 11 %
Closure Failure to Depressurize Loss of Offsite Power Loss of RCIC; Loss of HPCl; 3.6E 7 9%
Failure to Depressurize ATWS Loss of SLC 1.7E 7 4%
ATWS Failure to Trip 1.4E 7 3%
Feedwater Transient with feedwater available Loss of RCIC; Loss of HPCl; 1.1E 7 3%
and MSlVs open ,
Failure to Depressurize 33 1
4
-_.,-4 ,, , _c, _m. - , -. ,
The results indicate that a transient with loss of all high pressure injection and failure to depressurize is the dominant class of accident for overall CDF. Station blackout is the second most dominant class; however, the contribution of station blackout is less l
than that at many other plants due to the following reasons: the presence of the power line from the hydroelectric station that can power a 1E bus, the ability to use diesel driven firewater supplemented with power from the John Deere DG for long term injection, and the fact that the IPE did not model weather-related loss of offsite power.
We estimate that the CDF from station blackout would increase by about 36% had weather-related loss of offsite power been considered. ATWS sequences associated with containment failure are the third most important class. The IPE does not credit the ability to mitigate an ATWS with loss of the main condenser unless the operators j inhibit ADS; other IPEs have credited control of low pressure injection to mitigate an ATWS if ADS is not inhibited. However, if the main condenser is available, the 105%
turbine bypass capability means that the ATWS can be mitigated without opening SRVs and discharging to the suppression pool. The fourth most important class of accidents is a transient with loss of all high and low pressure injection. The fifth most l important class is loss of core cooling due to containment failure, and the sixth most important class is ATWS with vessel overpressure fallure.
l Based on the dominant core damage sequences and the system level importance measures in Tables 3.3.5.2 through 3.3.5.50 of the submittal, we infer the following.
Dominant hardware failures contributing to CDF include: failure of the RCIC pump to 3 start, failure of the RClO pump to run, RCIC out for test and maintenance, failure of l l the HPCI pump to start, failure of the HPCI pump to run, and HPCI out for test and l maintenance. Dominant human errors contributing to CDF include: operator failure to l depressurize, and operator failure to restore SRVs and nitrogen supply after test and l maintenance.
l The submittal states that the total CDF from intemal initiating events is 4.3E-6/ year; analysis of internal flooding was deferred to the IPEEE.
2.7.2 Vulnerabilities.
l
- Section 3.4.2 of the submittal discussed front-end vulnerabilities. The NRC proposed safety goals were used to identify vulnerabilities, namely
core damage frequency > 1E-4/ year, and large release frequency > 1E-6/ year.
Based on these criteria, the submittal states that the IPE identified no vulnerabilities.
[lPE submittal, Section 6.2.1]
d d !
34
3 2.7.3 Prooosed imorovements and Modifications.
The submittal summarizes plant modifications that were made during the performance of the IPE; these were planned modifications that were not implemented specifically due to the IPE evaluation. [lPE submittal, Section 6.2) These design changes were as follows:
=
replacement of 480 V UPS for LPCI injection valves e upgrading of pneumatic components for the MSIVs and SRVs a
replacement of old water cooled air compressors with new self-driven fan air cooled compressors a upgrades for RHRSW MOVs 89A and 89 B
= change of DC control power for Vernon crosstie breaker 3V4 from DC1 to DC ,
1AS. I The submittal states that no vulnerabilities were identified, and therefore no hardware modifications are being proposed as a result of the iPE. [lPE submittal, Section 6.2.1]
The submittal discusses 13 front-end procedural enhancements that were being evaluated. [lPE submittal, Section 6.2.2) The procedural enhancements are as follows:
provide capability to crosstie SLC A train to B train so that A train pump can I inject through B train valvec monitor ECCS drywell pressure channels and reactor low pressure permissive channels in the same manner that other ECCS/RPS channels are monitored to provide early detection of a problem
- exercise key manual valves in the alternate cooling system for service water to improve availability of valves
= improve availability of nitrogen supply for opening SRVs by operating valves manually and by providing additional surveillance of backup nitrogen sources a use station service water pumps in addition to firewater for external injection to RHRSW /RHR crosstle during interfacing systems LOCAs and LOCAs outside l containment
- refill the CST with service water and condensate when additional makeup rate is required (provide .10 times refill rate compared to refill with the demineralized water system) .
- provide more specific instructions for manually cross connecting fuel oil transfer I systems to provide more options for the operators a for certain station blackout scenarios consider DC load shedding and limiting DC power use to extend battery lifetime
= provide instructions for maximizing CRD injection to the vessel for conditions of high vessel pressure and loss of normal high pressure makeup systems.
- expand the use of drywell spray before reactor pressure vessel failure 35
1
. provide instructions under specified circumstances to align core spray to take suction from the CST to avoid loss of NPSH margin due to high suppression pool water temperature
. enhance emergency action level criteria for long term loss of containment heat removal and for long term station blackout
. under certain depressurization scenarios limit reactor depressurization to 200 psi to maintain steam supply for operation o; HPCl'and RCIC All of these potential enhancements except the last three are stated to have been implemented in the plant procedures and/or training. The reasons for not implementing the last three procedural changes were provided. [RAI Responses, p.
17]
None of these procedural enhancements were credited in the IPE, and their implementation is not expected to cause a measurable reduction in the CDF. [RAI Responses, p.19]
We believe that one of the most important of these potential enhancements is that I dealing with maximizing CRD makeup. The dominant accident class is IA, a transient with loss of feedwater followed by failure of HPCI and RCIC and failure to depressurize. The IPE model does not credit makeup with both CRD pumps. It is J possible that if both CRD pumps are used, CRD can provide a backup high pressure I cooling option immediately after reactor trip. Other BWR IPEs have credited this option.
9 l
36
- 3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS This section of the report provides our overall evaluation of the quality of the front-end portion of the IPE based on this review. Strengths and shortcomings of the IPE are summarized important assumptions of the model are summarized. Major insights ;
from the IPE are presented. !
l The licensee appears to have analyzed the design and operations of Vermont Yankee to discover instances of particular vulnerability to core damage, it also appears that 1 the licensee has: developed an overall appreciation of severe accident behavior; . l gained an understanding of the most likely severe accidents at Vermont Yankee; l gained a quantitative understanding of the overall frequency of core damage; and implemented changes to the plant to help prevent and mitigate severe accidents.
Strengths of the IPE are as follows. The evaluation and identification of plant-specific initiating events is more thorough than corresponding analyses in some other IPE/PRA studies. Also, the licensee's involvement in the IPE process was more substantial than in some other IPE/PRA studies.
No particular shortcomings of the IPE were identified.
Based on our review, the following modeling assumptions used in the IPE have an impact on the overall CDF:
(a) operator action to terminate venting prevents loss of ECCS pumps pulling from the suppression pool due to inadequate NPSH margin (b) all core cooling capability is lost if containment 'cooling systems fall and containment venting is not successful (c) four hours are required to align firewater for injection to the core (d) if containment cooling systems fail, HPCI and RCIC are not lost on high temperature (or high back pressure for RCIC) prior to containment venting.
Assumptions (a) and (d) tend to lower the overall CDF. Operator action to control i venting preserves the ability to cool the core with recirculation from the suppression I pool. . Long term operation of RCIC and HPCI without containment cooling systems l operation provides for core cooling over the long term with these systems. l
. Assumptions (b) and (c) tend to increase the overall CDF. Other BWR IPEs have credited core cooling from selected sources with failure of both containment cooling systems and containment venting. The long time required for alignment of fire water injection to the core means that HPCI or RCIC must operate for four hours during station blackout.
Significant findings on the front-end portion of the IPE are as follows:
37
9
. transients involving loss of feedwater with subsequent failure of RCIC and HPCI and failure to depressurize dominate the overall CDF
. station blackout is less of a contributor to overall CDF than at other similar plants due to the power tie line from the hydroelectric station and due to the ability to provide for long term injection with diesel driven firewater using the John Deere DG to open injection valves and to maintain the SRVs open; also, the IPE deferred consideration of weather-related loss of offsite power to the IPEEE
. HVAC support is only required for the DG rooms a core cooling can be maintained without containment cooling if containment venting is successful and is controlled; no credit was taken for core cooling without containment venting, after containment failure.
The estimated core damage frequency,4.3E-06/ year, is fairly low but is in the range of CDF estimates for other BWR 3 and 4 designs. This low CDF estimate for Vermont Yankee is due to important plant features such as the power tie line from the hydroelectric station and the ability to provide for long term injection with diesel driven firewater. In addition, the low CDF for Vermont Yankee is affected somewhat by the fact that the IPE scope was more limited than that for most plants in that weather-related LOSP was not considered, nor was intemal flooding. The licensee intends to include these aspects in the IPEEE for Vermont Yankee. Consideration of weather-related LOSP could potentially increase the station blackout CDF by about 36%, or the total CDF by about 7% Most IPEs have found that internal flooding is not a significant contributor to CDF.
38
l A
- 4. DATA
SUMMARY
SHEETS This section of the report provides a summary of information from our review.
Initiatina Event Freauencies initiating Event Frequency per Year Transient (MSIVs and Feedwater Available) 1.5E-00 MSIV Closure Transient (Feedwater Available) 3.0E-01 MSIV Closure Transient with Loss of Feedwater 1.0E-01 Loss of Off-site Power Transient 1.0E-01 Large LOCA 1.0E-04 Medium LOCA 3.0E-04 Small LOCA 1.0E-02 Loss of 125 V DC Bus 1 1.5E-03 Loss of 125 V DC Bus 2 1.5E-03 Loss of 4,160 V AC Bus 3 1.5E-03 Loss of 4,160 V AC Bus 4 1.5E-03 Loss of Service Water 7.0E-04 Inadvertent / Stuck Open Rellef Valve 5.6E-03 Interfacing Systems LOCA 2.3E-07 LOCA Outside Containment 1.5E-06 1
Overall CDF The total CDF from intemal initiating events is 4.3E-6/ year. The modeling of internal flooding was deferred to the IPEEE.
Dominant Initiatina Events Contributina to CDF' Loss of offsite power (LOSP) 20%
ATWS (all types) 20%
l Loss of feed and MSIV closure 12%
l Loss of DC bus 2 11 %
l Loss of DC bus 1 10%
Transient 8%
Loss of AC bus 3 5%
Loss of AC bus 4 5%
l
- A complete list of initiating event CDF contributors is provided in Table 2-5 of this report.
39 l
l
9 Dominant Hardware Failures and Ooerator Errors Contributina to CDF The submittal does not provide a discussion of dominant failures. Based on the dominant core damage sequences, we infer the following:
Dominant hardware failures contributing to CDF include:
failure of RCIC failure of HPCI.
Dominant human errors and recovery failures contributing to CDF include:
Failure to depressurize Dominant Accident Classes Contributina to CDF The definition of the accident classes are provided in Section 2.4.1 of this report. The l dominant contributors to CDF by accident class are as follows: I lA 34%
IBL 14%
IVA 13% l lD 9%
llA 7%
IVL 6% l Other 17%.
Deslan Characteristics Imoortant for CDF Design features at Vermont Yankee that impact the Core Damage Frequency (CDF) relative to other BWR 4 plants are as follows:
. Power tie line from Vernon hydroelectric station that can power either 1E bus
. Ability to use diesel driven firewater for injection to the vessel
. Presence of John Deere DG
= Passive, hardened torus vent
. Alternate cooling mode for backup to service water
. Four hour battery lifetime The impact of these features on the CDF is discussed in Section 1.2 of this report.
Modifications One modification scheduled for installation after the freeze date was considered in the IPE model, that being a modification to increase the diversity of ARl/RPT trip units.
40
No plant modifications were proposed as a result of the IPE. Several procedural enhancements were identified based on the IPE and most are stated to have been implemented; these procedural enhancements are provided in Section 2.7.3 of this report.
Other USI/GSis Addressed No USI/GSis are specifically addressed for resolution in the submittal other than DHR.
Sianificant PRA Findina_ s
. transients involving loss of feedwater with subsequent failure of RCIC and HPCI !
and failure to depressurize dominate the overall CDF
. station blackout is less of a contributor to overall CDF than at other similar plants due to the power tie line from the hydroelectric station and due to the i ability to provide for long term injection with diesel driven firewater using the John Deere DG to open injection valves and.to maintain the SRVs open; also, the IPE deferred consideration of weather-related loss of offsite power to the IPEEE i
. HVAC support is only required for the DG rooms
= core cooling can be maintained without containment cooling if containment venting is successful and is controlled; no credit was taken for core cooling without containment venting, after containment failure.
41
i REFERENCES
[GE SIL #371) "RCIC Turbine Exhaust Pressure Trip Setpoint", SIL No. 371, February 1982. l
[GL 88-20] ' Individual Plant Examination For Severe Accident Vulnerabilities - 10 CFR 50.54 (f)", Generic Letter 88.20, U.S. Nuclear Regulatory Commission, November 23, 1988. j l
[lPE, Cooper) IPE Submittal for Cooper, NPPD. j
[lPE TER, North Anna] SEA TER for North Anna IPE Submittal.
[lPE Submittal] Vermont Yankee IPE Submittal, December 21,1993.
[lPE TER, Hatch) SEA TER for Hatch IPE Submittal.
[lPE. Browns Ferry] IPE Submittal for Browns Ferry, TVA.
[NEDO 24708A] Additional Information Required for NRC Staff Generic Report on BWRs, August 1979, Rev 1 December 1980.
[NEDO-24700A] AdditionalInformation Required for NRC Staff Generic Report on Boiling Water Reactors.
[NSAC-147] ' Losses of Offsite Power at U.S. Nuclear Power Plants through 1989",
NSAC-147, March 1990.
[NUREG/CR-5640] ' Overview and Comparison of U.S. Commercial Nuclear Power Plants', NUREG/CR-5640, September 1990.
[NUREG/CR 4550, Peach Bottom] NUREG/CR- 4550, Vol 4', Rev 1, Part 1, Analysis of Core Damage Frequency: Peach Bottom, Unit 2 Intemal Events.
[NUREG/CR 4550, Grand Gulf) NUREG/CR- 4550, Vol 6, Rev 1, Part 1, Analysis of Core Damage Frequency: Grand Gulf, Unit 1 Internal Events.
[NUREG 1032) " Evaluation of Station Blackout Accidents at Nuclear Power Plants',
NUREG-1032, June 1988.
[NUREG-1335) " Individual Plant Examination Submittal Guidance', NUREG-1335, U.
S. Nucloar Regulatory Commission, August 1989 42
=. . -. - - -. _ - -..- . - . . . - - . _ - ___ _.
1 I
[RAI Responses) RAI Responses, letter to NRC from J. J. Duffy, Vermont Yankee Nuclear Power Corp., BVY 95-114, October 27,1995.
(Tech Specs] Technical Specifications for Vermont Yankee.
[UFSAR) Updated Final Safety Analysis Report for Vermont Yankee I
i 1
l 43
'