ML20100L072

Technical Evaluation Rept on Individual Plant Exam Front End Analysis
ML20100L072
Person / Time
Site: Farley
Issue date: 06/30/1995
From: Darby J
SCIENCE & ENGINEERING ASSOCIATES, INC.
To:
NRC
Shared Package
ML20100L043 List:
References
CON-NRC-04-91-066, CON-NRC-4-91-66 SEA-92-553-024, SEA-92-553-024-A:3, SEA-92-553-24, SEA-92-553-24-A:3, NUDOCS 9603040077


Text

SEA-92-553-024-A:3
June 30, 1995

Farley 1 and 2 Technical Evaluation Report on the Individual Plant Examination Front End Analysis

NRC-04-91-066, Task 24

John Darby, Technical Analyst
Willard Thomas, Technical Editor

Science and Engineering Associates, Inc.

Prepared for the Nuclear Regulatory Commission

9603040077 960226 PDR ADOCK 05000348 P PDR

TABLE OF CONTENTS

E. Executive Summary
E.1 Plant Characterization
E.2 Licensee's IPE Process
E.3 Front-End Analysis
E.4 Generic Issues
E.5 Vulnerabilities and Plant Improvements
E.6 Observations

1. INTRODUCTION
1.1 Review Process
1.2 Plant Characterization

2. TECHNICAL REVIEW
2.1 Licensee's IPE Process
2.1.1 Completeness and Methodology
2.1.2 Multi-Unit Effects and As-Built, As-Operated Status
2.1.3 Licensee Participation and Peer Review
2.2 Accident Sequence Delineation and System Analysis
2.2.1 Initiating Events
2.2.2 Event Trees
2.2.3 Systems Analysis
2.2.4 System Dependencies
2.3 Quantitative Process
2.3.1 Quantification of Accident Sequence Frequencies
2.3.2 Point Estimates and Uncertainty/Sensitivity Analyses
2.3.3 Use of Plant-Specific Data
2.3.4 Use of Generic Data
2.3.5 Common-Cause Quantification
2.4 Interface Issues
2.4.1 Front-End and Back-End Interfaces
2.4.2 Human Factors Interfaces
2.5 Evaluation of Decay Heat Removal and Other Safety Issues
2.5.1 Examination of DHR
2.5.2 Diverse Means of DHR
2.5.3 Unique Features of DHR
2.5.4 Other GSI/USIs Addressed in the Submittal
2.6 Internal Flooding
2.6.1 Internal Flooding Methodology
2.6.2 Internal Flooding Results
2.7 Core Damage Sequence Results
2.7.1 Dominant Core Damage Sequences
2.7.2 Vulnerabilities
2.7.3 Proposed Improvements and Modifications

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS
4. DATA SUMMARY SHEETS

REFERENCES

LIST OF TABLES

Table 2-1 Comparison of Core Uncovery Probabilities due to Seal LOCAs
Table 2-2 Plant Specific Failure Data
Table 2-3 Comparison of Beta Factors for Two Like Components
Table 2-4 Dominant Initiating Events
Table 2-5 Top 5 Systemic Core Damage Sequences

LIST OF FIGURES

Figure 2-1 Major Contributors to CDF for Farley

E. Executive Summary

This report summarizes the results of our review of the front-end portion of the Individual Plant Examination (IPE) for Farley units 1 and 2. This review is based on information contained in the IPE Submittal along with the licensee's responses to Requests for Additional Information (RAI).

E.1 Plant Characterization

The Farley site contains two units, each a three loop pressurized water reactor (PWR), located in southeast Alabama. Westinghouse was the nuclear steam system supplier (NSSS), and Southern Nuclear Company (SNC) was the architect engineer (AE), for both units, with assistance from Bechtel. Unit 1 achieved commercial operation in 1977; unit 2 achieved commercial operation in 1981. The design power is 2652 MWt, 861 MWe (gross), for each unit. Similar units in operation are: Surry and North Anna.

Design features at Farley that impact the core damage frequency (CDF) are as follows:

• Use of charging pumps for high head Emergency Core Cooling System (ECCS) injection which use Component Cooling Water (CCW) for pump cooling.

Loss of CCW results in loss of cooling to the Reactor Coolant Pump (RCP) thermal barriers; since the charging pumps are the High Pressure Safety Injection (HPSI) pumps, and these pumps use CCW for normal cooling, loss of CCW also causes loss of seal injection and loss of high pressure ECCS makeup, unless backup cooling is supplied to the charging pumps. This would result in an RCP seal Loss of Coolant Accident (LOCA) that cannot be mitigated. Therefore, use of the same pumps for both charging and high pressure ECCS that are normally cooled by CCW tends to increase the CDF from seal LOCAs.

• Ability to provide diesel driven firewater for cooling to charging pumps.

Diesel driven firewater can be used to supply cooling to the charging pumps if CCW cooling is lost; this tends to decrease the Core Damage Frequency (CDF) from a seal LOCA due to loss of CCW.

• No automatic alignment of ECCS from injection to recirculation.

Manual actions are required to align ECCS to recirculation from the containment sump from injection from the Refueling Water Storage Tank (RWST) following a LOCA; this tends to increase the CDF from LOCAs relative to plants for which the alignment is automatic.

• Presence of 5 Diesel Generators (DGs), 3 of which are swing DGs that can provide power to either unit.

The presence of 3 swing DGs tends to lower the CDF due to station blackout relative to plants with fewer DGs.

E.2 Licensee's IPE Process

The IPE represents a level 2 Probabilistic Risk Assessment (PRA), that includes internal initiating events and internal flooding. The IPE reflects the plant design as of May, 1991.

Utility staff were involved in the performance of the IPE. A project engineer from the licensing department managed the effort, and one senior-level engineer was dedicated to the IPE team for the front end effort. The major contractor for the front-end PRA was Westinghouse, with some assistance provided by Bechtel.

Plant walkdowns were performed to verify that the PRA model represented the as-built condition. The walkdowns were performed by members of the IPE team with specific responsibilities for modeling of systems, structures, and internal flooding.

Major documentation used in the IPE included: the UFSAR, technical specifications, system descriptions, plant drawings, simulator runs, operating procedures, and calculations. Bechtel HVAC and heat load calculations were reviewed. IPE submittals of three other plants were reviewed, and information from other PRA studies was reviewed.

Several reviews of the level 1 PRA were performed. An Independent Review Group (IRG) was created to provide an independent in-house review of the IPE. PLG, in consultation with the IRG, performed more intensive reviews of selected portions of the IPE for the IRG.

The utility does not indicate in the Submittal whether or not it intends to maintain a 'living' PRA. The licensee indicated that Farley intends to maintain an updated PRA.

E.3 Front End Analysis

The methodology chosen for the Farley IPE front end analysis was a Level 1 PRA; the large event tree/small fault tree technique with support state modeling was used; quantification was performed with the GRAFTER code.

The IPE quantified 42 initiating events: 3 LOCAs, SGTR, Interfacing Systems LOCA, Vessel Rupture, Two Types of Secondary Breaks, 12 Generic Transient Events, 10 Plant Specific Transient Events, and 12 Internal Flooding Events. The IPE developed 11 systemic event trees for frontline systems, to model the plant response to each class of initiating event.

The criterion for core cooling was that core exit temperature not exceed 1200 F for a significant time period, on the order of thirty minutes.

Loss of instrument air was considered as an initiating event. Loss of HVAC was not considered to be an initiating event based on plant-specific analyses that were performed.

Success criteria were developed based on thermal hydraulic analyses performed with MAAP and TREAT, the Updated Final Safety Analysis Report (UFSAR), and engineering judgement.

Major support systems were modeled in a support system event tree, but some minor support systems were modeled in the system fault trees.

The IPE used plant specific data from 1984 through 1990, to Bayesian update generic data. Generic data were used in lieu of plant specific data in situations where plant specific data were not available. The IPE used plant specific data for system unavailability for testing and maintenance. The plant specific data used in the IPE were comparable with data used in typical IPE/PRAs.

The Multiple Greek Letter (MGL) method was used to model common cause failures. The data for common cause failures were taken from standard sources, and reviewed for applicability to Farley. Common cause failures were modeled within systems.

Some of the MGL common cause factors used in the IPE are lower than those used in many other IPE/PRAs. The licensee discussed the process used to eliminate or modify data from the Electric Power Research Institute (EPRI) data base for consideration in the IPE, and concluded that in many cases common cause events from the EPRI database could not happen at Farley due to the plant-specific configuration.

The Submittal describes the technique used to evaluate internal flooding. All areas of the plant were evaluated to identify those areas for which flood could result in reactor trip; studies of the Appendix R fire zones, review of plant design documentation, and plant walkdowns were used to finalize flooding events of potential significance. Submergence and spray were considered. Quantification of 14 flooding events in 11 flood zones was performed.

The total CDF from internal initiating events and internal flooding is 1.3E-4/year. The CDF from internal flooding is 1.2E-5/year.

The Submittal reported core damage sequences consistent with the systemic reporting criteria of NUREG 1335. The top 100 core damage sequences were reported.

Internal initiating events, including flooding, that contribute the most to CDF, and their percent contribution, are as follows:

Loss of Train A Service Water (SW) 22%
Small LOCA 13%
Loss of 4160 V AC Bus F 10%
Dual Unit Loss of Offsite Power 8%
Single Unit Loss of Offsite Power 7%
Loss of In-Service CCW 6%
Loss of All CCW 6%
Flood in Cable Spreading Room 4%
Turbine Trip 3%
Large LOCA 3%.

Core damage by the major classes of accidents is as follows:

RCP Seal LOCA 47%
Loss of Heat Sink 25%
LOCA 18%
Station Blackout 9%.

Section 4 of this report contains a more complete listing of the contribution of initiating events and the contribution of accident classes to the total CDF.

Based on the contribution to the CDF, the most important systems are as follows, listed in decreasing importance: service water, 4160 V AC buses, component cooling water, ECCS recirculation, and ECCS injection.

The IPE used Plant Response Trees (PRTs) that model both the front and back end portions of the accident sequences. Therefore, traditional plant damage states (PDS) that bin front-end core damage sequences for subsequent back-end analyses were not used.

Based on our review, the following aspects of the modeling process have an impact on the overall CDF:

(a) the model used for seal LOCAs
(b) no requirement for any containment cooling with fan coolers or containment spray to allow core cooling with recirculation from the containment sump
(c) HVAC required only for charging and AFW pump rooms and for DG rooms.

The licensee stated that the Westinghouse seal LOCA model was used. Other IPEs have also used the Westinghouse seal LOCA model, but predict less likelihood of core uncovery as a function of time, especially if the RCS is cooled down. Therefore, the specific application of the Westinghouse seal LOCA model in this IPE tends to increase the CDF from a seal LOCA in comparison to that in other IPEs. Also, this IPE assumed that if CCW cooling is lost to an RCP and the RCP is not tripped within 2 minutes, a total failure of the seal occurs. It should be noted that Farley is more susceptible to loss of seal cooling than many other PWRs since CCW is used to cool the charging pumps and the charging pumps are the HPSI pumps; therefore, design as well as the data used contributes to the high CDF from a seal LOCA at Farley.

The IPE assumed that no containment spray and no containment fan coolers are required to support core cooling; best estimate containment failure pressure was used and MAAP calculations were performed to establish that cooling with one RHR heat exchanger is sufficient. This tends to lower the CDF by not requiring operation of either core spray or containment fan coolers to mitigate an accident.

Based on plant specific room heatup analyses, the IPE assumed that Heating Ventilation and Air Conditioning (HVAC) was not required for rooms containing: CCW pumps, core spray pumps, Residual Heat Removal (RHR) pumps, or electrical equipment. This tends to lower the CDF compared to plants for which HVAC for such areas is required.

E.4 Generic Issues

The IPE specifically addressed loss of Decay Heat Removal (DHR), considering DHR as both core cooling and ultimate heat removal. Failures in the following systems dominated the CDF due to loss of DHR: service water, AC power, CCW, high head ECCS recirculation, high head ECCS injection, and Auxiliary Feedwater (AFW). No vulnerabilities associated with DHR were identified as a result of the IPE.

The Submittal states that the expectations of USI A-17, "Systems Interactions", with respect to the IPE evaluation of internal flooding, have been met.

The licensee does not propose to resolve any other generic issues with the IPE.

E.5 Vulnerabilities and Plant Improvements

The IPE used the following criteria to screen for plant specific vulnerabilities:

(1) Any functional core damage sequence that contributes greater than 1E-4/year, or greater than 50% of CDF.

(2) The dominant core damage sequences resulting in containment bypass that contribute, when summed together as a group, greater than 1E-5/year, or greater than 20% of CDF.

Based on these criteria, the licensee concluded that Farley has no vulnerabilities.

During the performance of the IPE, several plant improvements were identified as important and were implemented prior to completion of the IPE. These improvements involved procedural changes and minor hardware modifications. These improvements were as follows:

• alignment of fire water for charging pump cooling if CCW cooling is lost

• alignment of charging pump suction to the RWST and isolating seal return flow upon loss of cooling to the in-service CCW train to allow additional time to align the miscellaneous CCW header to the opposite train

• alignment of the swing CCW pump to the standby train while it is powered from the opposite train to maintain seal injection flow following loss of SW cooling to the in-service train of CCW combined with failure of the standby CCW pump

• stabilizing the plant with only one operating SW pump by reducing SW system loads in order to maintain CCW cooling

• realigning ECCS to cold leg recirculation following failure to establish hot leg recirculation

• verifying that major loads on the Emergency Safeguards Features (ESF) buses have been shed prior to aligning a backup DG following a single unit loss of offsite power.

The first two improvements resulted in a reduction of overall CDF from 7E-4 to 1.3E-4/year, due to decreasing the potential for RCP seal LOCAs.

The Submittal states that during the next scheduled maintenance outage for the RCPs, the current RCP seal O rings will be replaced with new high temperature O rings. The Submittal indicates that installation of these new seal rings will reduce overall CDF by about 20%.

The improvements already completed and planned should result in a reduction in CDF.

E.6 Observations

We believe that the licensee analyzed the plant design and operations of Farley to discover instances of particular vulnerability to core damage. The licensee has developed an overall appreciation of severe accident behavior, understands the most likely severe accidents at Farley, has gained a quantitative understanding of the overall frequency of core damage, and has implemented changes to the plant to help prevent and mitigate severe accidents.

In our opinion, the IPE has the following strengths. The list of initiating events appears complete, and does consider many plant specific initiating events.

In our opinion the IPE has two shortcomings, one of which can have an important impact on the CDF. (1) The IPE used low values for common cause failure among certain important components such as DGs and ECCS pumps based on plant-specific screening of generic data. Common cause failures are subtle, and the screening may have underestimated the potential for common cause failures. The CDF would increase if common cause failure values typically used in most other IPE/PRAs were used in the Farley IPE. (2) The success criteria for mitigation of a large LOCA do not require injection from the accumulators. MAAP analyses were performed to provide the basis for the success criteria for a large LOCA. We do not believe that MAAP has sufficient fidelity to model the blowdown, reflood, and refill phases of a large LOCA accident. However, requiring accumulators to mitigate a large LOCA should have a minor impact on the CDF.

Significant level-one IPE findings are as follows:

• seal LOCAs are an important contributor to the overall CDF

• the use of firewater for providing backup cooling for the charging pumps has a significant impact on reducing the CDF

• station blackout is a relatively small contributor to CDF.

Seal LOCAs are an important contributor to the total CDF due to the requirement to trip the RCPs following loss of seal cooling, the use of CCW to cool the charging/HPSI pumps, and the model used for the likelihood and size of a seal LOCA following loss of seal cooling. The use of fire water for backup cooling for the charging pumps reduces the likelihood of loss of seal injection and prevents the CDF from seal LOCAs from being even higher. The CDF from station blackout is relatively small due to: the distinction between loss of offsite power for the site and loss of offsite power for a single unit in the IPE, the presence of 3 swing DGs at the site, and the low values used for common cause failures of DGs in the IPE.

1. INTRODUCTION

1.1 Review Process

This report summarizes the results of our review of the front-end portion of the IPE for Farley units 1 and 2. This review is based on information contained in the IPE Submittal [IPE] along with the licensee's responses [IPE Responses] to RAI.

1.2 Plant Characterization

The Farley site contains two units, each a three loop pressurized water reactor (PWR), located in southeast Alabama. Westinghouse was the nuclear steam system supplier (NSSS), and Southern Nuclear Company (SNC) was the architect engineer (AE), for both units, with assistance from Bechtel. Unit 1 achieved commercial operation in 1977; unit 2 achieved commercial operation in 1981. The design power is 2652 MWt, 861 MWe (gross), for each unit. Similar units in operation are: Surry and North Anna.

Design features at Farley that impact the CDF are as follows:

• Use of charging pumps for high head Emergency Core Cooling System (ECCS) injection which use Component Cooling Water (CCW) for pump cooling.

Loss of CCW results in loss of cooling to the Reactor Coolant Pump (RCP) thermal barriers; since the charging pumps are the High Pressure Safety Injection (HPSI) pumps, and these pumps use CCW for normal cooling, loss of CCW also causes loss of seal injection and loss of high pressure ECCS makeup, unless backup cooling is supplied to the charging pumps. This would result in an RCP seal Loss of Coolant Accident (LOCA) that cannot be mitigated. Therefore, use of the same pumps for both charging and high pressure ECCS that are normally cooled by CCW tends to increase the CDF from seal LOCAs.

• Ability to provide diesel driven firewater for cooling to charging pumps.

Diesel driven firewater can be used to supply cooling to the charging pumps if CCW cooling is lost; this tends to decrease the Core Damage Frequency (CDF) from a seal LOCA due to loss of CCW.

• No automatic alignment of ECCS from injection to recirculation.

Manual actions are required to align ECCS to recirculation from the containment sump from injection from the Refueling Water Storage Tank (RWST) following a LOCA; this tends to increase the CDF from LOCAs relative to plants for which the alignment is automatic.

• Presence of 5 Diesel Generators (DGs), 3 of which are swing DGs that can provide power to either unit.

The presence of 3 swing DGs tends to lower the CDF due to station blackout relative to plants with fewer DGs.

2. TECHNICAL REVIEW

2.1 Licensee's IPE Process

We reviewed the process used by the licensee with respect to: completeness and methodology; multi-unit effects and as-built, as-operated status; and licensee participation and peer review.

2.1.1 Completeness and Methodology

The Farley IPE is a level 2 PRA. The IPE Submittal is complete with respect to the type of information requested by Generic Letter 88-20 and NUREG 1335.

The front-end portion of the IPE is a level 1 PRA. The specific technique used for the level 1 PRA was the large event tree/small fault tree technique with support state modeling.

The Submittal described the details of the technique. Internal initiating events and internal flooding were considered. Event trees were developed for all classes of initiating events. Plant Response Trees (PRT) were developed for each class of initiating event. The PRTs model both the front-end and the back-end portions of the analysis, and they are larger in scope than the standard event trees that model the front-end portion of the accident sequences. Event Sequence Diagrams (ESDs) were developed and used as the basis for the PRTs. The development of component level system fault trees was summarized, and system descriptions were provided. Major support systems were modeled with event trees that were analyzed to specify support states for quantification of the accident sequence event trees; localized support was modeled directly in the fault trees. Inter-system dependencies were discussed and figures of system dependencies were provided. Data for quantification of the models were provided, including common cause failure data. Recovery was considered. The application of the technique for modeling internal flooding was described in the Submittal. The IPE did not include an uncertainty analysis. The Submittal did include a limited sensitivity analysis.

The technique uses large event trees with support states, but based on an examination of the event trees provided in the Submittal, complete split fractions were not produced. The Submittal indicates that for situations in which support states did not account for all inter-event dependencies, 'special' events were inserted into the event tree models to account for the dependencies. [IPE submittal, Section 2.3] [IPE Responses]

The PRA upon which the IPE is based was initiated in response to Generic Letter 88-20.

2.1.2 Multi-Unit Effects and As-Built, As-Operated Status

Farley is a dual unit site and the two units share some systems, such as the swing DGs. The IPE modeled Unit 1 and concluded that the results of the analysis for Unit 1 are also applicable to Unit 2. [IPE, Section 2.5]

The licensee states that where shared systems were modeled (such as shared DC power for service water), the IPE only took credit for the Unit 1 components and did not credit the Unit 2 components. [IPE Responses] The IPE did credit crosstie of the following Unit 2 systems for use at Unit 1: instrument air and service water. One dual unit initiating event was modeled, that being dual unit loss of offsite power.

Plant walkdowns were performed to verify that the PRA model represented the as-built condition. [IPE submittal, Section 2.4] The walkdowns were performed by members of the IPE team with specific responsibilities for modeling of systems, structures, and internal flooding. Walkdowns included participation by utility staff knowledgeable in the systems and technical areas to be addressed by the walkdowns. Checklists were developed and used to collect information during the walkdowns. The checklists considered: room environment (barriers, cooling, etc.), local indications and control, and flood related information.

Major documentation used in the IPE included: the UFSAR, technical specifications, system descriptions, plant drawings, simulator runs, operating procedures, and calculations. [IPE submittal, Table 2-1] Calculations reviewed included Bechtel HVAC and heat load calculations.

IPE submittals of three other plants were reviewed, and information from other PRA studies was reviewed. [IPE submittal, Section 2.4.2] The specific IPEs and studies reviewed are as follows:

IPE for Millstone
IPE for Diablo Canyon
IPE for Zion
PRA for Seabrook
NUREG 1150 PRAs

The freeze date for the IPE model was May 1, 1991, with some exceptions. [IPE submittal, Section 2.1] The Submittal does list several procedural and hardware enhancements identified and implemented during the course of the IPE, these being: [IPE submittal, Section 1.4.1]

• alignment of firewater for charging pump cooling if CCW cooling is lost

• alignment of charging pump suction to the RWST and isolating seal return flow upon loss of cooling to the in-service CCW train to allow additional time to align the miscellaneous CCW header to the opposite train

• alignment of the swing CCW pump to the standby train while it is powered from the opposite train to maintain seal injection flow following loss of SW cooling to the in-service train of CCW combined with failure of the standby CCW pump

• stabilizing the plant with only one operating SW pump by reducing SW system loads in order to maintain CCW cooling

• realigning ECCS to cold leg recirculation following failure to establish hot leg recirculation

• verifying that major loads on the ESF buses have been shed prior to aligning a backup DG following a single unit loss of offsite power.

The licensee states that the following four plant design changes completed after the freeze date were incorporated into the IPE model: [IPE Responses]

• replacement of charging pump seals with a new design not requiring CCW cooling (charging pump oil coolers still use CCW cooling)

• replacement of the plant inverters

• modification of SW pump miniflow valves to fail closed on loss of air

• addition of interposing relays to ensure continued operation of safety-related DC loads at the minimum voltage supplied by the Unit 2 batteries at 2 hours with loss of charging.

The first three of these plant changes reduced the overall CDF to a small extent. The last change ensured that the battery lifetime used in the model for Unit 1 was also applicable to Unit 2.

2.1.3 Licensee Participation and Peer Review

Two utility personnel were actively involved in the IPE front-end effort. [IPE submittal, Sections 1.1 and 5.1.1] The primary contractor for the front-end PRA was Westinghouse. Assistance from architect/engineer personnel at Southern Nuclear Services and Bechtel was obtained for selected technical areas such as: service water system flow calculations, room heatup calculations, and the ability to use firewater to cool charging pumps.

The licensee indicated that Farley intends to maintain an updated PRA, but no specific plan to maintain an updated PRA was provided. [IPE Responses]

Several reviews of the level 1 PRA were performed. [IPE submittal, Section 5.2] An Independent Review Group (IRG) was created to provide an independent in-house review of the IPE. The IRG was composed of plant and corporate staff with plant knowledge and experience who were not involved in the direct performance of the IPE. PL&G, in consultation with the IRG, performed more intensive reviews of selected portions of the IPE for the IRG. These reviews included a comparison of the methodology used in the IPE to that used by PL&G in PRA/IPEs which they had performed.

2.2 Accident Sequence Delineation and System Analysis This section of the report documents our review of both the accident sequence ,

delineation and the evaluation of system performance and system dependencies j provided in the submittal.

2.2.1 initiatina Events A plant specific initiating event, denoted as a 'special' initiating event in the Submittal, was retained for specific analysis if it caused reactor trip and simultaneously degraded  !

i the capability of mitigating system (s). Plant specific initiating events retained for specific analysis were as follows:

Loss of instrument Air ,

Loss of Both Trains of Service Water Loss of Single Train of Operating Service Water j Loss of Both Trains of CCW , l Loss of the Operating Train of CCW  :

Loss of 2120 V ac Instrument Panels Loss of 1125 V de Auxiliary Building Power Bus Loss of 14160 V ac Emergency Bus.

The licensee discussed the reasons for not considering the following events as initiating events: loss of service water building DC power, and spurious containment isolation and the impact on seal cooling. The licensee stated that the following criteria were used to screen plant specific events from consideration as a special initiating event: (1) the event had a frequency of less than 1E-8/year, and (2) the event had a low frequency and a similar impact as a previously considered event. Loss of service water building DC power does not trip the running SW pump and it has no impact on other systems. The service water building DC power system was modeled in the fault tree for the standby service water pump. Containment isolation phase A does not result in loss of seal cooling. Containment isolation phase B isolates CCW cooling but does not isolate seal injection; operators will have to trip the RCPs due to loss of bearing cooling. A spurious phase B containment isolation signal has a minor impact on CDF compared to loss of CCW or loss of SW; therefore, this event was not considered as a special initiating event. [IPE Responses]

The licensee discussed the basis for not considering the following specific initiating events: loss of a non-1E 4160 V AC bus and loss of HVAC to electrical equipment rooms and to the control room. [IPE Responses] The licensee stated that the loss of a non-1E 4160 bus is subsumed in the initiating event "loss of reactor coolant flow". The licensee stated that room heatup calculations and the redundancy of room cooling equipment support not modeling loss of HVAC for electrical switchgear rooms as special initiating events. Loss of control room HVAC was not considered due to the ability to implement compensatory cooling measures.

The frequency assigned to the interfacing systems LOCA is 5.4E-6/year. Information as to how the IPE modeled interfacing systems LOCAs is provided in the "Interfacing System LOCA Initiating Event Frequency Notebook". This notebook describes the process used to identify interfacing system LOCAs, and summarizes the quantification of the interfacing LOCA events. [IPE Responses]

The Submittal states that the small LOCA initiating event includes RCP seal LOCAs and primary safety/relief valves failing to reclose after a transient event that results in their opening. [IPE submittal, Section 3.1.1]

An inadvertent safety injection (SI) signal was considered as an initiating event. [IPE submittal, Table 3.1-1] The UFSAR indicates that an SI signal also results in phase A containment isolation (CI); note f.0 of Table C-2 of the Submittal indicates that this was considered in the IPE model.

The Submittal does include a figure and table, with copious footnotes, that summarize the systems affected by and responding to the initiating events. [IPE submittal, Figure C-1 and Table C-2] This information states that an interfacing systems LOCA initiating event is due to failure of RHR suction line isolation valves. [IPE submittal, Table C-2, Note 9] This information also provides a description of the impact of the loss of instrument air: the MSIVs drift closed, turbine bypass valves close, main feedwater is lost, and CCW cooling to RCP thermal barriers is lost. [IPE submittal, Table C-2, Note 30]

The point estimate frequencies assigned to the initiating events are comparable to those used in typical IPE/PRAs. [IPE submittal, Table 3.1-1]

The IPE does consider both single and dual unit loss of offsite power; this is appropriate since each unit has its own switchyard. According to the UFSAR, unit 1 has a 230 kV switchyard and unit 2 has a 500 kV switchyard; the two switchyards are interconnected by an auto-transformer. [UFSAR, Section 8.2]

The IPE does consider breaks in main steam and feedwater lines as initiating events, and the location of these breaks, which affects the ability to isolate the breaks and the remaining steam generators, is considered. [IPE submittal, Table 3.1-1]

The IPE evaluated 42 specific initiating events. [IPE submittal, Table 3.1-1] These events can be categorized as follows:

Three LOCA Events (large, medium, and small)
SGTR
Interfacing Systems LOCA
Vessel Rupture
Two Types of Secondary Breaks
12 Generic Transient Events
10 Plant Specific Transient Initiating Events
12 Internal Flood Events.

The IPE developed 11 specific PRTs to model all of the 42 initiating events. [IPE submittal, Appendix A]

2.2.2 Event Trees

Each accident initiating event was included in an appropriate class of initiating events, and each class of initiating events had a corresponding event tree logic model. All functions or systems important to the accident sequences were considered. The interfaces among the events in the event tree logic models and the corresponding mitigating systems were clearly indicated. The event tree logic models properly accounted for: time ordered response, system level dependencies, sequence specific effects on system operability such as environmental conditions, and high level operator actions as appropriate.

Eleven PRTs were developed, these being:

Large LOCA
Medium LOCA
Small LOCA
Interfacing Systems LOCA
SGTR
Secondary Breaks Inside Containment
Secondary Breaks Outside Containment
ATWS
Loss of Offsite Power
Station Blackout
Transients.

The mission time used was 24 hours.

The Submittal states that the criterion for no core damage is core exit temperatures not in excess of 1200 F for a significant time period, about 30 minutes. [IPE submittal, Section 2.3] We have a comment on this success criterion used for no core damage. During a large LOCA fuel is uncovered and cladding temperatures are high until the core is refilled; the success criterion does not address, in our opinion, the transient phases (blowdown, reflood, and refill) of a large LOCA accident.

The Submittal indicates that accumulators are not required in the success criteria for mitigation of a large LOCA. This assumption was based on MAAP analyses. In our opinion, MAAP does not have sufficient fidelity to model the blowdown, reflood, and refill phases of a large LOCA accident where the cladding temperature is of potential significance. To our knowledge MAAP does not include delayed neutron fission energy, an important source of energy in the first minute after the LOCA, and we do not know if the analysis considered the impact of failure to isolate containment (not required in the IPE success criteria for a large LOCA) which results in significant increase in peak cladding temperature due to lower back pressure increasing the time to reflood the core. Inclusion of the accumulators in the success criteria should have minor impact on the overall CDF, but we consider this success criteria for the large LOCA to be questionable. [IPE Responses]

The Submittal states that the accident sequence systems success criteria were based on: the UFSAR, Westinghouse Owner's Group generic technical reports, plant emergency operating procedures, MAAP analyses (for LOCAs), TREAT analyses (for transients), and COMPACT analyses (for room heatup).

Based on our review of the PRTs, we have the following comments related to sequence success criteria and the structure of the PRTs.

Table 3.1-2 of the Submittal uses different success criteria for the event HHI depending on the applicable PRT. This table provides two different success criteria for event HHI for the same PRT, namely the PRT SBO (station blackout). In one entry in the table, the success criteria for HHI for SBO is stated to be 1 of 2 charging pumps to 2 of 3 cold legs for 4 hours; in a subsequent entry in the table, the success criteria for HHI for SBO is stated to be 2 of 2 charging pumps to 2 of 3 cold legs for 4 hours.

The licensee stated that HHI is considered after power restoration. [IPE Responses] HHI is successful with one pump only if the turbine driven AFW pump is available and power is restored in one hour; all other success paths involving HHI require two pumps. This explains the use of different success criteria for event HHI.

The licensee stated that cooling with either one RHR heat exchanger or with 2 fan coolers is required during recirculation from the containment sump. The licensee summarized the results of MAAP calculations that support the assumption that one RHR heat exchanger is sufficient. [IPE Responses] Other IPEs have made similar assumptions also supported by MAAP analyses. We believe that MAAP is appropriate for such analyses and we agree with the conclusions in the IPE, but the temperature of the water in the containment sump calculated for this IPE, 175 F, seems very low in comparison with analyses that we have seen for other IPE Submittals. However, we performed a scoping calculation to assess the ability of one RHR heat exchanger to maintain acceptable temperatures, and concluded that one RHR heat exchanger is probably sufficient. [SEA Calc 553 24]

The Submittal indicates that a reactor trip is not required for successful mitigation of a medium LOCA. [IPE submittal, Section 3.1.3] This conclusion is based on analyses performed for ATWS.

The PRT for a small LOCA indicates that either steam generator cooling with auxiliary feedwater or feed and bleed is required to mitigate a small LOCA. [IPE submittal, page A-21]

The PRT for an interfacing systems LOCA indicates that if the containment fan coolers work (FC), high head injection works (event HHI), operator action is taken to minimize ECCS injection (OSR) and to establish normal makeup (OSM), and normal makeup works (NMKF), then the LOCA is successfully mitigated. The licensee stated that the most important interfacing systems LOCA is equivalent to a medium LOCA which can be mitigated with one HHSI (charging) pump. The requirement for fan cooler operation is to prevent automatic operation of containment sprays and subsequent early depletion of RWST inventory.

The PRT for a Steam Generator Tube Rupture (SGTR) contains a subtree for use of normal RHR; however, sequences on this subtree have endstates of 'success' for the case where RHR fails. [IPE submittal, page A-44, endstates # 2, 3, 7 and 8] The licensee clarified this point. [IPE Responses] The licensee stated that no credit for refill of the RWST was taken in the model, but due to the time available for operator actions to recover long term core cooling given success of HHSI and AFW, all event sequences with success of these two systems were assumed to have successful core cooling even if RHR shutdown cooling initially failed. In effect, the event tree credits operator action to establish core cooling if HHSI and AFW are successful.

The PRT for a steam line break considers the case where the break is inside containment and therefore blowdown from the ruptured steam generator cannot be isolated. The PRT indicates that boration with high head injection is not required to successfully mitigate a steam line break inside containment. [IPE submittal, page A-46, endstate # 6] The licensee provided the basis for not requiring boration to mitigate a main steam line break. The licensee stated that best estimate analyses which do not assume that the control rod of highest worth fails to insert (as assumed in the UFSAR analysis) indicate that boration is not required to prevent a return to criticality. [IPE Responses]

The PRT for a main steam line break inside containment indicates that the accident can be successfully mitigated if event SGI fails. [IPE submittal, page A-46, endstate # 8] Table 3.1-2 of the Submittal indicates that SGI is isolation of the 2 intact steam generators from the ruptured steam generator. The licensee stated that a Bechtel analysis indicates that if only one motor driven AFW pump is available on Unit 1 it may runout and both motor driven AFW pumps running may runout on Unit 2, unless operator action is taken to throttle flow. [IPE Responses] The licensee states that the model used in the IPE for successful operation of AFW with unisolated SGs cannot be supported by current analysis; the CDF for Unit 2 could increase by no more than 3.3% and for Unit 1 by no more than 1.05%. A final flow model is being completed and if this model still indicates a problem, the IPE model will be revised accordingly.

The event tree for transients models the use of feed and bleed for successful mitigation. For successful feed and bleed the following events are required to be successful: operator initiated feed and bleed cooling (event OAB), 1 of 2 high head safety injection, charging, pumps work (event HHI), and one of two relief valves and associated block valves on the pressurizer open (event PZR). [IPE submittal, page A-86 and Tables A-1 and 3.1-2] The Submittal does not provide the basis for the success criteria for feed and bleed. We did a quick check on this element of the IPE success criteria. [SEA Calc 553-024] Our calculations indicate that a more complete analysis would support the success criteria used for feed and bleed in the IPE.

The PRT for a transient event indicates that if CCW fails (event CCT) and the operator fails to trip the RCPs (event ORC), then a seal LOCA occurs. [IPE submittal, page A-64, sequence # 26] The licensee stated that the seal LOCA model used in the IPE was based on the Westinghouse seal LOCA model from WCAP-9541. [IPE Responses] Seal LOCAs were modeled under two conditions: loss of CCW or loss of service water cooling, and station blackout. Event SL is a catastrophic seal LOCA of 480 gpm per pump; this event is considered for the loss of CCW/SW case. If cooling is not restored within 20 minutes, then the event SL occurs with a probability of 1.0. If seal cooling is restored within 20 minutes, the likelihood of a catastrophic seal LOCA occurring (event SL) within the 20 minutes has a value of 0.0283 (0.027 stated in the Submittal). For station blackout, the Westinghouse seal LOCA model was used to calculate the probability that a seal LOCA occurs and leads to core uncovery prior to restoration of offsite power. The IPE model assumes that if CCW is lost to the RCPs and the RCPs are not tripped within two minutes, then a catastrophic seal LOCA (480 gpm per pump) occurs; the response states that no mechanism for the failure such as pump vibration was explicitly assumed. The model requires one HPSI pump to mitigate a seal LOCA due to loss of CCW/SW; the model requires two HPSI pumps to mitigate a seal LOCA due to station blackout considering the latest possible time for recovery of offsite power.

We have a comment on the data used to model the likelihood of a seal LOCA in the IPE. This licensee response states that this data is from WCAP-10541. We have reviewed other IPE Submittals which have also used WCAP-10541 as the basis for the seal LOCA model. As indicated in Table 2-1 of this report, although the same Westinghouse model was used in different IPEs, the actual probabilities assigned to core uncovery as a function of time are different among the IPEs. The higher values used in the Farley IPE are one reason that the contribution of seal LOCAs to overall CDF is higher for Farley than for other plants. (The data for Point Beach is taken from the licensee responses to our review of the Point Beach IPE Submittal; the data are for unqualified seal elastomers. [TER, Point Beach])

Table 2-1. Comparison of Core Uncovery Probabilities due to Seal LOCAs

Probability of Core Uncovery as Function of Time (without recovery of offsite power)

| Time, hours | No Cooldown of RCS: Farley | No Cooldown of RCS: Point Beach | Cooldown of RCS: Farley | Cooldown of RCS: Point Beach |
|---|---|---|---|---|
| 1 | 0.028 | 0.0018 | 0.028 | 6.9E-4 |
| 2 | 0.028 | 0.0043 | 0.028 | 0.0015 |
| 3 | 0.028 | 0.010 | 0.028 | 0.0031 |
| 4 | 0.090 | 0.024 | 0.028 | 0.0065 |
| 5 | 0.13 | 0.057 | 0.09 | 0.014 |
| 6 | 0.28 | 0.13 | 0.13 | 0.029 |
| 7 | 0.44 | 0.32 | 0.23 | 0.061 |
| 8 | 0.64 | 0.75 | 0.42 | 0.13 |

The moderator temperature coefficient (MTC) is insufficiently negative early in core life to be able to mitigate an ATWS under all conditions. The licensee explained how the ATWS PRT addressed early in life core conditions when the MTC effect is small. [IPE Responses] The licensee stated that event PR on the PRT considers the possibility that the MTC is insufficiently negative early in life to prevent overpressurization of the primary in response to an ATWS. The licensee information provides the probability that pressure relief is inadequate for various sequences considering the possibility that pressurizer PORV block valves are closed.

The station blackout PRT includes events for restoration of offsite power. [IPE submittal, page A-142] Event 1HR in the PRT is restoration of offsite power within 1 hour, and event XHR in the PRT is restoration of offsite power before core damage. The probability that power is not restored within 1 hour is 0.248. [IPE submittal, Table 3.3.5-1]

2.2.3 Systems Analysis

System descriptions are included in Section 3.2 of the Submittal; system schematics are included in the Submittal. The Submittal provides system descriptions of the systems listed in Table 3.2-1; these are summaries of the more detailed system descriptions developed for the IPE and retained at the utility.

We chose to use information from the UFSAR to supplement the information provided in the system descriptions in the Submittal. We did find the system dependency figures and tables in the Submittal useful in understanding system operations and inter-dependencies, but we had to read the UFSAR to understand the dependencies documented in the Submittal.

The list of systems on Table 3.2-1 of the submittal does not include normal makeup, AMSAC, or nitrogen, although nitrogen is mentioned in the description for instrument air.

The licensee stated that preliminary calculations show that one motor driven AFW pump can provide sufficient flow, and even if two motor driven pumps are required the increase in the overall CDF is negligible. [IPE Responses]

The system description does discuss the UPS power supply for the turbine driven AFW pump; however, the system description does not address the ability to operate the turbine driven AFW pump without instrument air. Note # 30 in Table C-2 of the Submittal states that the steam admission valve to the AFW pump drive turbine will fail closed after 2 hours without air supply due to loss of air from the valve's accumulator.

Non-safety portions of CCW are auto-isolated on low surge tank level. CCW cooling to the RCP thermal barriers is isolated upon phase B of containment isolation which occurs on high-high containment pressure (seal injection with charging pumps is not isolated); a safety injection signal calls for phase A of containment isolation, and high-high containment pressure causes phase B containment isolation. [Sections 6.2.4, 9.2.2, Table 7.3-1 of UFSAR]

In recirculation, the containment spray system pulls from the containment sump without using the RHR heat exchangers; thus, in recirculation the spray system by itself removes no energy from containment. The fan cooler system removes energy from containment by transferring heat to service water via air to water heat exchangers in the fan coolers. The design basis for containment cooling is 2 fan coolers, or 1 spray and 1 fan cooler. [Section 6.2 of UFSAR] Adequate NPSHA is available from the containment sump even if the sump pressure is the saturation pressure at the sump temperature. [Section 6.2.2.2.1 of UFSAR]

The system description for containment isolation in the Submittal does not discuss the actuation of containment isolation, the distinction between phase A and phase B isolation, or the systems isolated.

Only DG # 2C can be used to simultaneously power equipment at both units. [UFSAR, Section 8.3] DG # % A is a swing DG that can power either unit. DGs # 1B and # 2B are dedicated to unit 1 and 2. The system description indicates that the two 'little' DGs can be used to power equipment other than the river water pumps. The system description discusses the presence of the auto-transformer that allows either switchyard (500 kV and 230 kV) to power both units. SW cools the DGs. [IPE submittal, Section 9.2.1]

The licensee stated that the IPE used a battery lifetime of 2 hours, based on Bechtel calculations that credit the installation of the new inverters. [IPE Responses]

CCW cools the charging pumps and the RHR pumps. [UFSAR, Section 9.2.2] Section 1.4.1 of the Submittal states that as a result of the IPE, the capability has been added to cool the charging pumps with fire water. The system description does state that switchover of ECCS from injection to recirculation requires manual action. The RHR pumps have sufficient NPSHA when pulling from the containment sump even if the sump pressure is the saturation pressure at the sump water temperature. [Section 6.3 of UFSAR]

The Submittal states that 'it was determined' that room coolers in the RHR, CS, CCW, and electrical equipment rooms are not required. The licensee discussed the basis for excluding room cooling requirements from the IPE model. [IPE Responses] The licensee summarized the room heatup calculations performed to support the assumptions used in the IPE for room cooling.

The system description for instrument air discusses the emergency instrument air system that can be powered off 1E power. This subsystem can be used to open SG ADVs and to operate the turbine driven AFW steam admission valves. The air compressor aftercoolers appear to be cooled by SW. [UFSAR, Section 9.3.1] The Submittal does not explicitly identify or discuss those air operated valves that require air from accumulators to operate in their safety position; the possibility exists that, over time, accumulators leak and the safety position of these valves cannot be maintained. (As discussed earlier in this report, the Submittal did indicate in a footnote to a dependency table that this is an item of potential significance for AFW steam admission valves.)

The system description for the pressurizer relief system does not discuss the normal air supply required to open the air-operated relief valves, or the dc control power required. The system description for instrument air does state that bottled nitrogen can be used as a backup supply to open pressurizer relief valves, and that manual actions are required to use this backup. The system description does not indicate whether normal operation is with the relief block valves open or closed; the description of event PZR in Table 3.1-2 states that for feed and bleed the relief and block valves must be opened, implying that the block valves may be closed, at least a certain fraction of the time. The Submittal states in Section 3.4.3 that the block valves can be closed during power operation subject to tech spec LCOs. [IPE submittal, page 3-246]

The system description for SW in the Submittal states that if supply of river water to the pond is lost, SW discharge is directed back to the pond instead of to the river by manual action, to conserve water for the ultimate heat sink. The system description states that non-essential portions of the service water system are isolated by either a safety injection signal or a containment phase A isolation signal. (The UFSAR indicates that an SI signal calls for phase A containment isolation. [UFSAR, Table 7.3-1])

2.2.4 System Dependencies

The Submittal provides three figures that delineate system dependencies, and each figure has an accompanying table of notes. [IPE submittal, Figures C-1, C-2, and C-3]

Important asymmetries in train-level system dependencies were indicated. The following types of dependencies were considered: shared component, instrumentation and control, isolation, motive power, direct equipment cooling, area HVAC, operator actions, and environmental and phenomenological effects.

The dependency figures and accompanying tables were extremely useful in reviewing the IPE. Our specific comments on the systems dependency figures follow.

Figure C-3 of the Submittal indicates that CCW, charging/HPSI, and CS all have a delayed dependence on HVAC. The licensee stated that room heatup calculations indicate that the CCW, RHR, and containment spray pump rooms will not overheat following loss of HVAC within the 24 hour mission time. [IPE Responses] The charging/HPSI pump rooms will overheat if HVAC fails and the room doors remain closed; credit for operator action to open doors to provide room cooling for the charging pumps was taken only given annunciation of loss of HVAC.

SW provides the heat sink for the CCW, HPSI/charging, and Low Pressure Safety Injection (LPSI) room coolers. The licensee stated that loss of service water only results in possible overheating of the HPSI/charging pumps, a long term effect compared to the impact of loss of the SW heat sink for CCW which directly cools the charging pumps. [IPE Responses]

Figure C-3 of the Submittal does not provide the dependencies for the atmospheric dump valves (ADV), or for the turbine bypass valves. The licensee stated that instrument air is required for the ADVs and the turbine bypass valves. [IPE Responses]

2.3 Quantitative Process

This section of the report summarizes our review of the process by which the IPE quantified core damage accident sequences. It also summarizes our review of the data base, including consideration given to plant-specific data, in the IPE. The uncertainty and/or sensitivity analyses that were performed, if any, were reviewed.

2.3.1 Quantification of Accident Sequence Frequencies

The Farley IPE used the large event tree/small fault tree technique with support state event trees. Support states were quantified prior to quantification of the PRTs. The PRTs are event trees that model both the front-end and back-end response to a class of accident initiating events. The PRTs are systemic. The fault trees were developed and quantified with the Westinghouse GRAFTER computer code system. [IPE submittal, Section 3.3.5] The truncation limit for sequence quantification was 1E-11. [IPE submittal, page 3-158] The licensee response states that only 0.14% of the CDF was unaccounted for due to truncation and that this is a negligible residual. [IPE Responses]

Table 3.3.5-1 of the Submittal provides data used for recovery of offsite power at three specific times: 1 hour, 5 hours, and 19 hours. This table states that the probability of non recovery of offsite power by 1 hour, 5 hours, and 19 hours, respectively, is: 0.25, 0.10, and 0.017. These non-recovery values are comparable with values used in other PRA/IPEs.

2.3.2 Point Estimates and Uncertainty/Sensitivity Analyses

Mean values were used for point estimate failure frequencies and probabilities. [IPE submittal, Section 3.3.2] No uncertainty analyses were performed, but sensitivity analyses were performed for several key sets of operator actions, procedural enhancements, and system interactions. [IPE submittal, Section 3.4.5] Sensitivity analyses were performed for each of the following topics:

Human Error Rate Sensitivity per NUREG 1335,
Effect on CDF of Removal of Procedural and Equipment Enhancements for RCP Seal LOCA,
Consideration of Limiting Time that Fire Protection Piping in Cable Spreading Room is Pressurized with Water, and
Effect on CDF for Unit 2 due to Different SW Pump Performance for the Two Units

Based on these sensitivity analyses, CDF was shown to be sensitive to operator response to prevent RCP seal LOCAs; CDF was relatively insensitive to the other topics.


2.3.3 Use of Plant-Specific Data

The Submittal states that plant specific data was used based on the time period January 1, 1984 through September 30, 1990. [IPE submittal, Section 3.3.2] Data from both units were combined into one database. Plant specific data was used to model maintenance unavailabilities. [IPE submittal, Section 3.2.2] For hardware failures, generic data was Bayesian updated with plant specific data, and these updated data were used in the quantification of the fault trees; quantification of maintenance failures was based solely on the plant specific data. [IPE submittal, Section 3.3.2] Generic data were used in lieu of plant specific data when plant specific data were not available.

We performed a spot check of the plant specific data from Table 3.3.2-3 of the Submittal and compared it to data used in NUREG/CR 4550 for Surry, as shown below in Table 2-2.

Table 2-2. Plant Specific Failure Data *

| Component | Submittal Point Estimate (Updated), Table 3.3.2-3 | Surry NUREG/CR 4550 Point Estimate, Tables 4.9-1 and 5-2 |
|---|---|---|
| Turbine driven AFW pump | 6E-3 Fail to Start; 7E-3 Fail to Run | 1E-2 Fail to Start; 5E-3 Fail to Run |
| SI pump | 2E-3 Fail to Start; 1E-5 Fail to Run | 4E-3 Fail to Start; 7E-5 Fail to Run |
| RHR pump (LPCI for Surry) ** | 9E-4 Fail to Start; 1E-5 Fail to Run | 3E-3 Fail to Start; 3E-5 Fail to Run |
| Diesel Generator | 1E-2 Fail to Start (large DG); 9E-3 Fail to Start (small DG); 2E-3 Fail to Run (large DG); 1E-3 Fail to Run (small DG) | 2E-2 Fail to Start; 2E-3 Fail to Run |
| AFW MOV | 1E-2 Fail to Open | 3E-3 Fail to Open |

* Failures to start or open are probabilities of failure on demand. Failures to run are frequencies in 1/hr.

** Surry has separate RHR and LPCI pumps; Farley uses the same pumps for RHR and LPCI.

Based on a spot check of the plant specific data, the values in the Farley IPE for component failures are comparable to those values used in other PRAs.


2.3.4 Use of Generic Data

The primary source for generic data was NUREG/CR 4550, supplemented by data from NUREG/CR 2815, IEEE 500, NUREG/CR 2728, WASH 1400, and Westinghouse Technical Reports. The generic data used were comparable to data used in typical IPE/PRAs.

2.3.5 Common-Cause Quantification

The method used to model common cause failures was reviewed, and the process by which classes of components were selected for consideration for common cause failures was reviewed.

The MGL method was used to model common cause failures. [IPE submittal, Section 3.3.4] The data for common cause failures were taken from a draft EPRI report of September 1990, "A Database for Common-Cause Events for Risk and Reliability Evaluations". The generic events were reviewed for applicability to Farley, and events not applicable were screened from consideration. The probabilities for certain events retained for analysis were decreased based on an evaluation of operating practices at Farley. The procedures used in the evaluation of common cause failure were from NUREG/CR-4780 and the draft 1990 EPRI report.

Common cause events retained for consideration were modeled directly in the fault trees. [IPE submittal, Section 3.2.2] The Submittal does not discuss whether or not common cause failure was modeled among systems; evidently, the consideration of common cause failure was restricted to within systems, which is the usual practice except for special components (such as a HPCI turbine pump and a RCIC turbine pump at a BWR).

The Submittal lists the components for which specific common cause failures were considered. [IPE submittal, Section 3.3.4] The list of components for which common cause failure was considered does not include safety and relief valves. The Submittal states that common cause failure for these valves was modeled by using data for a generic component from the EPRI data base. Common cause failure of these valves can be important, and is typically considered in PRA/IPEs.

The IPE used single composite MGL values for the common cause failure factors for numerous diverse components such as relays, inverters, and air compressors. The licensee stated that no plant-specific evidence existed for common cause failures among these components, and that the values used were based on a composite component using plant-specific impact vectors and information from the EPRI data base and from NUREG/CR-4780. [IPE Responses] The licensee considers the values used to be conservative.

Table 3.3.4-1 of the Submittal lists the common cause failure data MGL factors.

We compared selected beta factors from this table in the Submittal to those used in the NUREG/CR 4550 PRA of Surry; Table 2-3 of this report summarizes the comparison.

The data in Table 2-3 of this report indicate that the common cause factors used in the Farley IPE are typically lower than used in other IPE/PRAs, especially for ECCS pumps (HHI and RHR) and diesel generators.

Table 2-3. Comparison of Beta Factors for Two Like Components

| Component | Beta Factor from Table 3.3.4-1 of Submittal | Surry NUREG/CR 4550 Beta Factor (Table 4.9-3) |
|---|---|---|
| AFW Pump (Motor Driven) | 0.034 | 0.056 |
| RHR Pump (LPCI for Surry) | 0.0098 | 0.15 |
| HHI Pump | 0.0018 | 0.21 |
| Containment Spray Pump | 0.081 | 0.11 |
| MOV | 0.012 | 0.088 |
| Diesel Generator | 0.0059 | 0.038 |
| Safety/Relief Valve | 0.023 (for generic component) | 0.07 |

The licensee stated that the generic data were screened for application to Farley thereby resulting in the lower values. Common cause failures are subtle; the screening may have underestimated the potential for common cause failures. In our opinion, the licensee has not provided enough information to support the use of low common cause failure values for important components such as DGs and ECCS pumps. The licensee states that the contribution of common cause hardware failures to the overall CDF is about 5%, and that a factor of 10 increase in all common cause failures increases the overall CDF by about 75%.
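To make the effect of the lower beta factors concrete, the following added example (not part of the original report and not the IPE's fault-tree model) applies the beta-factor model, to which MGL reduces for a group of two like components, to the diesel generator and RHR pump entries of Tables 2-2 and 2-3. It assumes a simple two-component redundant pair, demand (fail to start) failures only, and the rare-event approximation; the function and variable names are illustrative.

```python
"""Beta-factor view of the common cause values compared in Table 2-3.

Added illustration, not the IPE's fault-tree model. For a group of two like
components the MGL method reduces to the beta-factor model:
    independent failure of one component : (1 - beta) * Q
    common cause failure of both         : beta * Q
where Q is the total failure probability per demand of one component.
"""

# Values transcribed from Table 2-2 (failure to start, per demand) and
# Table 2-3 (beta factors) of this report.
COMPONENTS = {
    "Diesel Generator": {
        # Farley value is the one listed for the large DG.
        "q_start": {"Farley": 1e-2, "Surry": 2e-2},
        "beta": {"Farley": 0.0059, "Surry": 0.038},
    },
    "RHR Pump": {
        "q_start": {"Farley": 9e-4, "Surry": 3e-3},
        "beta": {"Farley": 0.0098, "Surry": 0.15},
    },
}


def pair_failure(q_total, beta):
    """Return (P[both components fail], common cause part of that value).

    Rare-event approximation: the pair fails either through two independent
    failures or through the single common cause event.
    """
    if not (0.0 <= q_total <= 1.0 and 0.0 <= beta <= 1.0):
        raise ValueError("q_total and beta must be probabilities")
    q_independent = (1.0 - beta) * q_total
    q_common = beta * q_total
    return q_independent ** 2 + q_common, q_common


def beta_sensitivity(name):
    """Hold Farley's Q fixed and change only the beta factor.

    This isolates the effect of the screened (Farley) beta against the
    Surry NUREG/CR 4550 beta for the same component type.
    """
    q = COMPONENTS[name]["q_start"]["Farley"]
    betas = COMPONENTS[name]["beta"]
    farley_total, farley_ccf = pair_failure(q, betas["Farley"])
    surry_beta_total, _ = pair_failure(q, betas["Surry"])
    return {
        "pair_failure_farley_beta": farley_total,
        "pair_failure_surry_beta": surry_beta_total,
        "ccf_share_farley": farley_ccf / farley_total,
        "increase_factor": surry_beta_total / farley_total,
    }


if __name__ == "__main__":
    for component in COMPONENTS:
        r = beta_sensitivity(component)
        print(
            f"{component}: pair failure {r['pair_failure_farley_beta']:.2e} "
            f"(Farley beta) vs {r['pair_failure_surry_beta']:.2e} (Surry beta), "
            f"x{r['increase_factor']:.1f}; common cause share with Farley beta "
            f"{r['ccf_share_farley']:.0%}"
        )
```

With the Farley failure-to-start values held fixed, substituting the Surry beta roughly triples the probability of losing both diesel generators of a pair and raises the two-RHR-pump value by a factor of about 14, because the common cause term dominates once the per-component failure probability is small.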

2.4 Interface Issues

This section of the report summarizes our review of the interfaces between the front-end and back-end analyses, and the interfaces between the front-end and human factors analyses. The focus of the review was on significant interfaces that affect the ability to prevent core damage.


2.4.1 Front-End and Back-End Interfaces

As discussed in Section 2.2.2 of this report, the IPE model requires operation of either 1 RHR heat exchanger (during recirculation) or 2 fan coolers to support core cooling when energy is released into containment.

As discussed in Section 2.2.1 of this report, containment isolation phase A does not result in loss of seal cooling. Containment isolation phase B isolates CCW cooling but does not isolate seal injection; operators will have to trip the RCPs due to loss of bearing cooling.

The IPE modeled front and back end aspects of accident sequences in the same event trees. Plant damage states (PDS) were assigned to sequence endstates, but these PDS bins address both core damage and ultimate containment state. [IPE submittal, Sections 3.1.7 and 4.7] (In most PRA/IPEs, PDSs address the factors associated with core damage that influence the back-end analysis.) The assignment of PDSs in the IPE based on core damage characteristics is comparable to standard PRA practice.

2.4.2 Human Factors Interfaces

Based on our front-end review, we noted the following operator actions for possible consideration in the review of the human factors aspects of the IPE:

  • operator actions to prevent an RCP seal LOCA on Loss of CCW or SW, involving tripping RCPs and establishing seal cooling
  • operator action to transfer ECCS to recirculation from the containment sump
  • operator action to provide water supply for AFW after the CST is depleted
  • operator action to initiate feed and bleed cooling
  • operator action to cooldown and depressurize the primary using secondary depressurization and primary spray/PORVs.

Numerous recovery actions were modeled. Section 2.3 of the Submittal indicates that recovery was applied to dominant sequences; Section 1.3.1 states that recovery was considered in the success criteria. Recovery actions of note include:

  • Response to RCP seal LOCA
  • Recovery of Offsite Power
  • Event RPW (operator restores power systems)
  • Event ORS (operator action to restore failed systems).


2.5 Evaluation of Decay Heat Removal and Other Safety Issues

This section of the report summarizes our review of the evaluation of Decay Heat Removal (DHR) provided in the submittal. Other GSI/USIs, if they were addressed in the submittal, were also reviewed.

2.5.1 Examination of DHR

The IPE specifically addresses DHR and its contribution to CDF as described in Section 3.4.3 of the Submittal. No vulnerabilities associated with DHR were identified as a result of the IPE.

Although section 3.4.3 of the Submittal provides a summary of the methods for providing DHR, it contains no insights into DHR; it merely states that DHR was modeled and that no vulnerabilities related to the loss of DHR exist.

The licensee provided the following contribution of system failures to the CDF where the indicated percent is the percent of the total CDF represented by a failure of the system on a sequence basis: [IPE Responses]

| System | Percent of total CDF |
|---|---|
| Service Water | 27.4% |
| AC Power | 26.6% |
| CCW | 25.8% |
| High Head Recirculation | 25.5% |
| High Head Injection | 24.0% |
| AFW | 22.6% |
| Normal RHR | 17.0% |
| Containment fan coolers | 10.8% |
| Pressurizer PORVs | 9.5% |

Service water, AC power, and CCW all are important for supporting front-line systems that provide DHR. High pressure injection and recirculation for feed and bleed, and AFW are important for providing heat removal following a transient. The licensee states that the high relative contribution of these systems is as expected and that no cost effective improvements to the systems themselves are warranted.

2.5.2 Diverse Means of DHR

The IPE evaluated the diverse means for DHR, including: use of the power conversion system, feed and bleed, auxiliary feedwater, and ECCS. RCP seal LOCAs and actions to prevent such LOCAs were addressed.

Section 3.4.3 of the Submittal provides a complete description of the ways for providing DHR at the Farley plant.


2.5.3 Unique Features of DHR

Design features at Farley that impact the CDF from loss of DHR are as follows:

  • Use of charging pumps for high head Emergency Core Cooling System (ECCS) injection which use Component Cooling Water (CCW) for pump cooling.

    Loss of CCW results in loss of cooling to the Reactor Coolant Pump (RCP) thermal barriers; since the charging pumps are the High Pressure Safety Injection (HPSI) pumps, and these pumps use CCW for normal cooling, loss of CCW also causes loss of seal injection and loss of high pressure ECCS makeup, unless backup cooling is supplied to the charging pumps. This would result in an RCP seal Loss of Coolant Accident (LOCA) that cannot be mitigated. Therefore, use of the same pumps for both charging and high pressure ECCS that are normally cooled by CCW tends to increase the CDF from seal LOCAs.

  • Ability to provide diesel driven firewater for cooling to charging pumps.

    Diesel driven firewater can be used to supply cooling to the charging pumps if CCW cooling is lost; this tends to decrease the Core Damage Frequency (CDF) from a seal LOCA due to loss of CCW.

  • No automatic alignment of ECCS from injection to recirculation.

    Manual actions are required to align ECCS to recirculation from the containment sump from injection from the Refueling Water Storage Tank (RWST) following a LOCA; this tends to increase the CDF from LOCAs relative to plants for which the alignment is automatic.

  • Presence of 5 Diesel Generators (DGs), 3 of which are swing DGs that can provide power to either unit.

    The presence of 3 swing DGs tends to lower the CDF due to station blackout relative to plants with fewer DGs.

2.5.4 Other GSI/USIs Addressed in the Submittal

The Submittal states that the expectations of USI A-17, "Systems Interactions", with respect to the IPE evaluation of internal flooding, have been met. [IPE submittal, Section 3.4.4]

No other GSI/USIs are addressed by the IPE Submittal for Farley.

2.6 Internal Flooding

This section of the report summarizes our reviews of the process used to model internal flooding and of the results of the analysis of internal flooding.


2.6.1 Internal Flooding Methodology

The Submittal describes the technique used to evaluate internal flooding. [IPE submittal, Section 3.3.8] The internal flooding analysis was performed in the following manner. Information on the plant design and Appendix R fire zone related documentation were reviewed to identify flood initiating events. Areas where a flood could result in a reactor trip were considered as potential flood initiating zones. Table 3.3.8-1 of the Submittal lists areas eliminated from consideration as flood zones as a result of this information review. Walkdowns were performed that eliminated additional areas from consideration, as summarized in Table 3.3.8-2 of the Submittal. The susceptibility of equipment in the remaining potential flood zones to submergence or spray was evaluated, considering water propagation, draining, equipment location and shielding, and EQ. Based on this more intensive analysis, more areas were eliminated from consideration as summarized in Table 3.3.8-3 of the Submittal. The remaining flood zones were analyzed; there are 11 areas where flooding can contribute to CDF. The total initiating event frequency for a flood in these areas is 2.0E-4/year. We could not find a discussion in the Submittal of how CDF from flood events was calculated. Evidently, the PRT for transient events was used to quantify flood events, considering the failures due to the flood itself.

The Submittal indicates that flood related differences between the two units were considered, but that the effect of the differences is not important. [IPE submittal, Section 3.3.9]

2.6.2 Internal Flooding Results

Core damage from 14 internal flooding events in 11 separate flood zones was quantified. Table 3.3.8-4 of the Submittal summarizes the flooding events, the flood zones, and the frequencies of the flooding events.

The IPE concluded that the major consideration related to internal flooding is spray onto equipment that is not environmentally qualified to operate under spray conditions or is not shielded from spray. [IPE submittal, Section 3.3.8] Only lower level equipment rooms and charging pump hallways were found to be susceptible to submersion-type failures. Major flood sources are: fire water system, CCW, and SW.

The IPE evaluated the effect of not charging the fire sprinkler system with water until necessary, instead of leaving it continuously charged. It was concluded that this change would have little impact on CDF.

The IPE considered one unit specific flood event, that being flooding due to failure of a fire header pipe in the unit 1 cable spreading area; this event is not applicable to unit 2. [IPE submittal, Section 3.3.9]


Internal flooding events were calculated to contribute about 9% to the total CDF from internal initiating events and internal flooding events. [IPE submittal, Figure 1.4-1]

2.7 Core Damage Sequence Results

This section of the report reviews the dominant core damage sequences reported in the submittal. The reporting of core damage sequences, whether systemic or functional, is reviewed for consistency with the screening criteria of NUREG-1335. The definition of vulnerability provided in the submittal is reviewed. Vulnerabilities, enhancements, and plant hardware and procedural modifications, as reported in the submittal, are reviewed.

2.7.1 Dominant Core Damage Sequences

The IPE utilized systemic event trees, and reported results using the screening criteria from NUREG 1335 for systemic sequences. [IPE submittal, Section 3.4]

Figure 2-1 of this report summarizes the major contributors to core damage by class of initiating event. These results apply to each of the two units. Definitions of the acronyms and abbreviations used in this figure are as follows:

| Abbreviation | Definition |
|---|---|
| Special | Plant Specific Initiating Events |
| LOSP | Loss of Offsite Power |
| SLOCA | Small LOCA |
| Transient | Generic PWR Transient |
| Flood | Internal Flooding Event |
| LLOCA | Large LOCA |
| MLOCA | Medium LOCA |
| SGTR | Steam Generator Tube Rupture |
| ISLOCA | Interfacing Systems LOCA |
| RVR | Reactor Vessel Rupture |

The Submittal also summarizes CDF by type of accident as follows: [IPE submittal, Section 1.4.1 and Table 1.4-2]

| Accident type | Percent of CDF |
|---|---|
| RCP Seal LOCA | 47% |
| Loss of Heat Sink | 25% |
| LOCA | 18% |
| Station Blackout | 9% |
| Other | 0.6% |

Table 3.4-2 of the Submittal lists the initiating events in each class, and Table 3.4-1 of the Submittal provides the CDF for each initiating event. Based on Table 3.4-1 of the Submittal, the dominant initiating events are summarized in Table 2-4.

[Figure 2-1. Major Contributors to CDF for Farley. Bar chart titled "Core Damage Frequency for Farley by Class of Initiating Event"; horizontal axis: Frequency, 1/yr (logarithmic, 1E-008 to 0.001); bars for Total, Special, LOSP, SLOCA, Transient, Flood, LLOCA, MLOCA, SGTR, ISLOCA and RVR; annotation: Total CDF 1.3E-4/Year.]

Table 2-4. Dominant Initiating Events

| Initiating Event | Frequency of Initiating Event (1/yr) | CDF from Initiating Event (1/yr) |
|---|---|---|
| Loss of Train A SW | 1E-2 | 3E-5 |
| Small LOCA | 5E-3 | 2E-5 |
| Loss of 4160 V ac Bus F | 1E-3 | 1E-5 |
| Dual Unit Loss of Offsite Power | 1E-2 | 1E-5 |
| Single Unit Loss of Offsite Power | 4E-2 | 9E-6 |
| Loss of In-Service CCW | 1E-3 | 8E-6 |
| Loss of All CCW | 8E-5 | 8E-6 |
| Flood in Cable Spreading Room | 1E-4 | 6E-6 |
| Turbine Trip | 5E-1 | 4E-6 |

The Submittal lists the highest frequency systemic core damage sequences, per the screening criteria of NUREG 1335, in Table 3.4-4; the top 100 sequences are described in this table.

The total CDF from internal initiating events and internal flooding is 1.3E-4/year. The CDF from internal flooding is 1.2E-5/year. [IPE submittal, Figure 3.4-2]

The top five sequences are summarized in Table 2-5 of this report.

Based on the contribution to the CDF, the most important systems are as follows, listed in decreasing importance: service water, 4160 V AC buses, component cooling water, ECCS recirculation, and ECCS injection.

The CDF from a SGTR as calculated in the IPE is 2.7E-7/year, which is low in comparison to the CDF due to a SGTR as calculated in other IPEs. The licensee provided information on the model used for SGTR in the IPE. [IPE Responses] Based on this information, it appears that the CDF from a SGTR is low due to values assigned to operator actions in the model.


Table 2-5. Top 5 Systemic Core Damage Sequences

| Initiating Event and [Failures Due to Initiating Event] | Subsequent Failures | Sequence Frequency (1/year) |
|---|---|---|
| Small LOCA | Depressurization to Shutdown Cooling (SDC) is Successful but RHR SDC fails; loss of RHR components prevents use of High Head ECCS Recirculation | 8E-6 |
| Flood in Cable Spreading Room [Flood causes Loss of Air] | Operator Action to Start AFW at Shutdown Panel fails; Alignment of Condensate or Feed and Bleed Not Credited due to Complexity of Operator Actions in this sequence | 5E-6 |
| Loss of SW Train A | Operators Fail to Quickly Trip RCPs leading to Seal LOCA, RHR Fails | 3E-6 |
| Loss of All CCW | Seal Injection Fails leading to Seal LOCA, RHR Unavailable due to loss of CCW with no Recovery | 3E-6 |
| Turbine Trip | AFW Fails, Main Condenser Unavailable, Operators Fail to Initiate Feed and Bleed | 2E-6 |

2.7.2 Vulnerabilities

Section 3.4.2 of the Submittal states the following criteria used to screen for plant specific vulnerabilities:

(1) Any functional core damage sequence that contributes greater than 1E-4/year, or greater than 50% of CDF.

(2) The dominant core damage sequences resulting in containment bypass that contribute, when summed together as a group, greater than 1E-5/year, or greater than 20% of CDF.

Based on these criteria, the licensee concluded that Farley has no vulnerabilities.

2.7.3 Proposed Improvements and Modifications

During the performance of the IPE, several plant improvements were identified as important and were implemented prior to completion of the IPE. [IPE submittal, Section 6.1.1] These improvements involved procedural changes and minor hardware modifications. These improvements were as follows:

  • alignment of fire water for cooling charging pump oil coolers if CCW cooling is lost
  • alignment of charging pump suction to the RWST and isolating seal return flow upon loss of cooling to the in-service CCW train to allow additional time to align the miscellaneous CCW header to the opposite train
  • alignment of the swing CCW pump to the standby train while it is powered from the opposite train to maintain seal injection flow following loss of SW cooling to the in-service train of CCW combined with failure of the standby CCW pump
  • stabilizing the plant with only one operating SW pump by reducing SW system loads in order to maintain CCW cooling
  • realigning ECCS to cold leg recirculation following failure to establish hot leg recirculation
  • verifying that major loads on the ESF buses have been shed prior to aligning a backup DG following a single unit loss of offsite power.

The IPE estimated that without cooling, the normally operating charging pump can operate for 20 minutes. [IPE submittal, Section 6.1.1] The first two improvements resulted in a reduction of overall CDF from 7E-4 to 1.3E-4/year, due to decreasing the potential for RCP seal LOCAs.

The Submittal states that during the next scheduled maintenance outage for the RCPs, the current RCP seal O rings will be replaced with new high temperature O rings. [IPE submittal, Section 1.4.1] The Submittal indicates that installation of these new seal rings will reduce overall CDF by about 20%.

The IPE does not address any other long term plant improvements under consideration.


3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS

This section of the report provides an overall evaluation of the quality of the IPE based on this review. Strengths and shortcomings of the IPE are summarized. Important assumptions of the model are summarized. Major insights from the IPE are presented.

Overall, the front-end portion of the Farley IPE is well done. All of the major aspects that affect the CDF were addressed in the IPE. The analysis addresses the plant specific characteristics of Farley, those that impact the CDF both positively and negatively.

Strengths of the IPE are as follows. The list of initiating events appears complete, and does consider many plant specific initiating events.

Shortcomings of the IPE are as follows. The success criteria for a large LOCA are based on MAAP analyses and do not require injection with the accumulators; this is questionable, in our opinion. The screening process by which the IPE derived lower than generic values for common cause failures among DGs and ECCS remains questionable in our opinion.

Based on our review, the following aspects of the modeling process have an impact on the overall CDF:

(a) the model used for seal LOCAs

(b) no requirement for any containment cooling with fan coolers or containment spray to allow core cooling with recirculation from the containment sump

(c) HVAC required only for charging and AFW pump rooms and for DG rooms.

The licensee stated that the Westinghouse seal LOCA model was used. Other IPEs have also used the Westinghouse seal LOCA model, but predict less likelihood of core uncovery as a function of time, especially if the RCS is cooled down. Therefore, the specific application of the Westinghouse seal LOCA model in this IPE tends to increase the CDF from a seal LOCA in comparison to that in other IPEs. Also, this IPE assumed that if CCW cooling is lost to an RCP and the RCP is not tripped within 2 minutes, a total failure of the seal occurs. It should be noted that Farley is more susceptible to loss of seal cooling than many other PWRs since CCW is used to cool the charging pumps and the charging pumps are the HPSI pumps; therefore, design as well as the data used contributes to the high CDF from a seal LOCA at Farley.

The IPE assumed that no containment spray and no containment fan coolers are required to support core cooling; best estimate containment failure pressure was used and MAAP calculations were performed to establish that cooling with one RHR heat exchanger is sufficient. This tends to lower the CDF by not requiring operation of either core spray or containment fan coolers to mitigate an accident.


Based on plant-specific room heatup analyses, the IPE assumed that HVAC was not required for rooms containing: CCW pumps, core spray pumps, RHR pumps, or electrical equipment. This tends to lower the CDF compared to plants for which HVAC for such areas is required.

Significant findings on the front-end portion of the IPE are as follows:

  • seal LOCAs are an important contributor to the overall CDF
  • the use of firewater for providing backup cooling for the charging pumps has a significant impact on reducing the CDF
  • station blackout is a relatively small contributor to CDF.

Seal LOCAs are an important contributor to the total CDF due to the requirement to trip the RCPs following loss of seal cooling, the use of CCW to cool the charging/HPSI pumps, and the model used for the likelihood and size of a seal LOCA following loss of seal cooling. The use of fire water for backup cooling for the charging pumps reduces the likelihood of loss of seal injection and prevents the CDF from seal LOCAs from being even higher. The CDF from station blackout is relatively small due to: the distinction between loss of offsite power for the site and loss of offsite power for a single unit in the IPE, the presence of 3 swing DGs at the site, and the low values used for common cause failures of DGs in the IPE.


4. DATA SUMMARY SHEETS

This section of the report provides a summary of information from our review.

Overall CDF

The total CDF from internal initiating events and internal flooding is 1.3E-4/year. The CDF from internal flooding is 1.2E-5/year.

Dominant Initiating Events Contributing to CDF

| Initiating Event | Percent of CDF |
|---|---|
| Loss of Train A SW | 22% |
| Small LOCA | 13% |
| Loss of 4160 V ac Bus F | 10% |
| Dual Unit Loss of Offsite Power | 8% |
| Single Unit Loss of Offsite Power | 7% |
| Loss of In-Service CCW | 6% |
| Loss of All CCW | 6% |
| Flood in Cable Spreading Room | 4% |
| Turbine Trip | 3% |
| Large LOCA | 3% |
| Partial Loss Main Feedwater | 2% |
| Medium LOCA | 2% |
| SW Flood of All SW Pumps | 2% |
| Loss of Main Feedwater | 1% |
| Reactor Trip | 1% |
| Total Loss SW | 1% |

Dominant Hardware Failures and Operator Errors Contributing to CDF

Based on the contribution to the CDF, the most important systems are as follows, listed in decreasing importance: service water, 4160 V AC buses, component cooling water, ECCS recirculation, and ECCS injection.

Dominant Accident Classes Contributing to CDF

| Accident class | Percent of CDF |
|---|---|
| Seal LOCA | 47% |
| Loss of Heat Sink | 25% |
| LOCA | 18% |
| Station Blackout | 9% |
| Other | 0.6% |


Design Characteristics Important for CDF

The following design features impact the CDF:

  • Use of charging pumps for high head ECCS injection which use CCW for pump cooling
  • Ability to provide diesel driven firewater for cooling to charging pumps
  • No automatic alignment of ECCS to injection from recirculation
  • Presence of 5 DGs, 3 of which are swing DGs that can provide power to either unit.

The impact of these design features on the overall CDF is discussed in Section 1.2 of this report.

Modifications

During the performance of the IPE, several plant improvements were identified as important and were implemented prior to completion of the IPE. These improvements involved procedural changes and minor hardware modifications. These improvements were as follows:

  • alignment of fire water for cooling charging pump oil coolers if CCW cooling is lost
  • alignment of charging pump suction to the RWST and isolating seal return flow upon loss of cooling to the in-service CCW train to allow additional time to align the miscellaneous CCW header to the opposite train
  • alignment of the swing CCW pump to the standby train while it is powered from the opposite train to maintain seal injection flow following loss of SW cooling to the in-service train of CCW combined with failure of the standby CCW pump
  • stabilizing the plant with only one operating SW pump by reducing SW system loads in order to maintain CCW cooling
  • realigning ECCS to cold leg recirculation following failure to establish hot leg recirculation
  • verifying that major loads on the ESF buses have been shed prior to aligning a backup DG following a single unit loss of offsite power.


The first two improvements resulted in a reduction of overall CDF from 7E-4 to 1.3E-4/year, due to decreasing the potential for RCP seal LOCAs.

The Submittal states that during the next scheduled maintenance outage for the RCPs, the current RCP seal O rings will be replaced with new high temperature O rings. The Submittal indicates that installation of these new seal rings will reduce overall CDF by about 20%.

The improvements already completed and planned should result in a reduction in CDF.

Other USI/GSIs Addressed

The Submittal states that the expectations of USI A-17, "Systems Interactions", with respect to the IPE evaluation of internal flooding, have been met. [IPE submittal, Section 3.4.4]

No other GSI/USIs are addressed by the IPE Submittal for Farley.

Significant PRA Findings

Significant findings on the front-end portion of the IPE are as follows:

  • seal LOCAs are an important contributor to the overall CDF
  • the use of firewater for providing backup cooling for the charging pumps has a significant impact on reducing the CDF
  • station blackout is a relatively small contributor to CDF.


REFERENCES

[GL 88-20] "Individual Plant Examination For Severe Accident Vulnerabilities - 10 CFR 50.54 (f)", Generic Letter 88-20, U.S. Nuclear Regulatory Commission, November 23, 1988.

[NUREG-1335] "Individual Plant Examination Submittal Guidance", NUREG-1335, U.S. Nuclear Regulatory Commission, August, 1989.

[IPE] Farley IPE Submittal, June 14, 1993.

[IPE Responses] Letter from J.D. Woodard, SNC, to NRC, November 9, 1994.

[UFSAR] Updated Final Safety Analysis Report for Farley.

[SEA Calc 553-024] "Calculations in Support of the IPE Review of Farley", SEA C 92-553-038-A:1, February 23, 1994.

[NUREG/CR 4550 Surry] "Analysis of Core Damage Frequency: Surry, Unit 1 Internal Events", NUREG/CR-4550, Vol. 3, Rev. 1, Part 1, April 1990.

[IPE Maine Yankee] IPE Submittal for Maine Yankee.

[IPE Palisades] IPE Submittal for Palisades.

[IPE San Onofre] IPE Submittal for San Onofre.

[IPE Palo Verde] IPE Submittal for Palo Verde.

[TER, Point Beach] SEA TER for Point Beach IPE Submittal.


ENCLOSURE 3 FARLEY NUCLEAR POWER PLANT INDIVIDUAL PLANT EXAMINATION TECHNICAL EVALUATION REPORT (BACK-END)

SCIE-NRC-226-94

FARLEY NUCLEAR STATION TECHNICAL EVALUATION REPORT ON THE INDIVIDUAL PLANT EXAMINATION BACK-END ANALYSIS

W. H. Amarasooriya

Prepared for the U.S. Nuclear Regulatory Commission Under Contract NRC-05-91-068-25

March 1995

SCIENTECH, Inc.
11140 Rockville Pike, Suite 500 Rockville, Maryland 20852

TABLE OF CONTENTS

E. EXECUTIVE SUMMARY
  E1. PLANT CHARACTERIZATION
  E2. LICENSEE IPE PROCESS
  E3. BACK END ANALYSIS
  E4. CONTAINMENT PERFORMANCE IMPROVEMENTS (CPI)
  E5. VULNERABILITIES AND PLANT IMPROVEMENTS
  E6. OBSERVATIONS
I. INTRODUCTION
  I.1 REVIEW PROCESS
  I.2 PLANT CHARACTERIZATION
II. TECHNICAL REVIEW
  II.1 LICENSEE IPE PROCESS
    II.1.1 Completeness and Methodology
    II.1.2 Multi-Unit Effects and As-Built As-Operated Status
    II.1.3 Licensee Participation and Peer Review
  II.2 CONTAINMENT ANALYSIS/CHARACTERIZATION
    II.2.1 Front-end Back-end Dependencies
    II.2.2 Sequences with Significant Probabilities
    II.2.3 Failure Modes and Timing
    II.2.4 Containment Isolation Failure
    II.2.5 System/Human Response
    II.2.6 Radionuclide Release Characterization
  II.3 ACCIDENT PROGRESSION AND CONTAINMENT PERFORMANCE ANALYSIS
    II.3.1 Severe Accident Progression
    II.3.2 Dominant Contributors: Consistency with IPE Insights
    II.3.3 Characterization of Containment Performance
    II.3.4 Impact on Equipment Behavior
  II.4 REDUCING PROBABILITY OF CORE DAMAGE OR FISSION PRODUCT RELEASE
    II.4.1 Definition of Vulnerability
    II.4.2 Plant Improvements
  II.5 RESPONSES TO CPI PROGRAM RECOMMENDATIONS
  II.6 IPE INSIGHTS, IMPROVEMENTS AND COMMITMENTS
III. CONTRACTOR OBSERVATIONS AND CONCLUSIONS
IV. REFERENCES
APPENDIX

Farley IPE Back-End Review, March 1995

E. EXECUTIVE SUMMARY

SCIENTECH, Inc., performed a review of the back-end portion of the Southern Nuclear Operating Company (SNC) Individual Plant Examination (IPE) of the Joseph M. Farley Nuclear Plant (FNP) Units 1 and 2.

E1. PLANT CHARACTERIEATION Both units at the Farley Nuclear Plant are PWR-3s with large, dry containments. Each unit was designed to produce a reactor thermal power output of 2652 MW with a gross electric power output of 813 MW from Unit 1 and 823 MW from Unit 2. Units 1 and 2 began commercial operation in December 1977 and July 1981, respectively.

E2. LICENSEE IPE PROCESS

Fauske and Associates, Inc., led the back-end analysis. A senior-level engineer with experience in Level II analysis was responsible for performing the following: technical reviews, containment walkdown, Level I and Level II interfaces, and technology transfer related to the Level II portion of the FNP IPE. This engineer was a member of the probabilistic risk assessment (PRA) group within the SNC corporate Technical Services department. The utility architect/engineer firms of Southern Company Services and Bechtel reviewed the following: the containment-structure-overpressurization position paper and the methodology for evaluating thermal loading of containment penetrations.

An independent review group (IRG), consisting of four members of the FNP staff, three members of the SNC corporate staff, and a consultant from PLG, Inc., reviewed the FNP IPE. The back-end analyses that the IRG reviewed included the Recovery Analysis Notebook, Level 2 Phenomenological Evaluations, and source-term analysis. The IRG held seven meetings over a period of 2 years. Meeting agenda items that were related to the back-end analysis included the following: source-term analysis, Level II results, and phenomenological evaluations on hydrogen deflagration and detonation, direct containment heating, and containment overpressurization.

The IPE team performed its examination by integrating analyses of plant responses to both core damage accident sequences and to source terms. The IPE team developed PRTs and a mechanistic model to examine the post core damage behavior. The team calculated containment response and radioactive source terms for these PDSs using the MAAP 3.0B, Revision 17.03 analysis for a 48-hour mission time. Several phenomenological issues were addressed by using FNP-specific position papers and a best-estimate containment failure fragility curve for the containment response analysis. The FNP IPE team did not develop CETs to characterize containment response to core melt sequences, but used PRTs developed in the Level I PRA, which incorporated some CET aspects. The "containment analysis" portions of the PRTs addressed system availabilities (yes or no) and vessel pressure at failure.

E3. BACK END ANALYSIS

From the Level I analysis, the team calculated an overall core damage frequency (CDF) of 1.3E-4 per reactor year, excluding internal flooding. The largest CDF initiator was a seal loss of coolant accident (LOCA) (47.1 percent), followed by a loss of heat sink (LOHS) accident (24.5 percent), and a small LOCA (13.4 percent).

The team performed its IPE of the FNP by integrating analyses of plant responses to both core damage accident sequences and to source terms. The IPE team developed plant response trees (PRTs) and a mechanistic model to examine post core damage behavior. Using MAAP 3.0B Revision 17.03 analysis for a 48-hour mission time, the team calculated containment response and radioactive source terms for the PDSs. Several phenomenological issues were addressed by using FNP-specific position papers and a best-estimate containment failure fragility curve for the containment response analysis. The FNP IPE team did not develop containment event trees (CETs) to characterize containment response to core melt sequences, but used PRTs developed in Level I PRA that incorporated some CET aspects. The team maintained that separate CETs were not applicable to the FNP IPE. The "containment analysis" portions of the PRTs addressed system availabilities (yes or no) and vessel pressure at failure.

The IPE team assumed that all core damage sequences continued to breach the vessel and did not take any credit for the in-vessel recovery. No credit was taken for operator actions or equipment recoveries following the onset of core damage. The equipment that was operable at the time of core damage was assumed to have remained operable during the Level II mission time of 48 hours.

The FNP IPE team postulated no early containment failures other than containment isolation failures and bypass sequences. Severe accident phenomena were found not to threaten the integrity of the FNP containment. These phenomena included steam explosions, molten core-concrete interactions, direct containment heating, vessel thrust forces, thermal attacks on containment penetrations, and hydrogen detonation and deflagration. According to the submittal, these issues were addressed in specific position papers. The review of these "phenomenology evaluation summaries" is outside the scope of this IPE review; it is being carried on by the NRC staff. The IPE team performed the MAAP sensitivity analysis recommended in EPRI TR-100167.

The back-end analysis showed that the uncontrolled fission product release frequency (FPRF) within 48 hours would be 4.4E-6 per reactor year. The largest contributor to the FPRF postulated was the containment overpressure failure (3.90E-6/yr). Other contributors to the FPRF were steam generator tube rupture (SGTR) events (2.7E-7/yr), interfacing systems loss of coolant accidents (ISLOCAs) (1.8E-7/yr), and containment isolation failures (7.2E-8/yr).

E4. CONTAINMENT PERFORMANCE IMPROVEMENTS (CPI)

The IPE submittal does not provide information in response to the Containment Performance Improvement (CPI) Program recommendations. Related information on hydrogen detonation and deflagration is given in a position paper, a summary of which is provided in the submittal.

E5. VULNERABILITIES AND PLANT IMPROVEMENTS

SNC defined a severe accident vulnerability as (Section 4.9, page 4-65):

Any source-term analysis bin which represents containment failure, bypass or failure to isolate, [occurring] with a frequency greater than 1E-5 events per year, and in which a single function, system, operator action, or other element can be identified which substantially contributes to the total frequency. The present state-of-the-art of containment systems analysis (as noted in Generic Letter 88-20) may be considered when evaluating any potential vulnerability identified by this criterion.

The FNP IPE team identified and implemented several front-end plant improvements, which were procedural enhancements.

Important features of the FNP containment that affected the back-end analysis are: (1) the configurations of the reactor cavity and instrument tunnel, which form an effective structural barrier to debris dispersal through high-pressure melt ejection, and (2) a containment design that does not facilitate cavity flooding, and thus prevents water from cooling debris to reduce core-concrete interaction.

E6. OBSERVATIONS

Based on the review, SCIENTECH noted the following strengths and weaknesses in the Farley IPE back-end submittal:

  • The IPE team performed a MAAP sensitivity analysis that is recommended in EPRI TR-100167.
  • The peer review process is well described.

It is difficult to understand how the submittal authors justify the quantitative results of the back-end portion of the IPE. The key issues that drive the important quantitative results are not addressed in the PRTs. The quantification is addressed in the MAAP analyses and in the phenomenological evaluation summaries (not included in the IPE submittal). For this reason, the NRC staff is currently evaluating the phenomenological evaluation summaries, provided to the NRC by SNC.

I. INTRODUCTION

I.1 REVIEW PROCESS

This technical evaluation report (TER) documents the results of the SCIENTECH review of the back-end portion of the Joseph M. Farley Nuclear Power Plant Individual Plant Examination (IPE) submittal [1,2]. This technical evaluation report complies with the requirements for IPE back-end reviews of the U.S. Nuclear Regulatory Commission (NRC) in its contractor task orders, and adopts the NRC review objectives, which include the following:

  • To determine if the IPE submittal provides the level of detail requested in the "Submittal Guidance Document," NUREG-1335
  • To complete the IPE Evaluation Data Summary Sheet

A draft TER for the Back-End portion of the Farley IPE submittal was submitted by SCIENTECH to NRC on June 14, 1993. Based in part on this draft submittal, the NRC staff submitted a Request for Additional Information (RAI) to Southern Nuclear Operating Company on August 12, 1994. Southern Nuclear Operating Company responded to the RAI in a document dated November 9, 1994. This final TER is based on the original submittal and the response to the RAI.

Section II of the TER summarizes SCIENTECH's review and briefly describes the Farley IPE submittal, as it pertains to the work requirements outlined in the contractor task order. Each portion of Section II corresponds to a specific work requirement. Section II also outlines the insights gained, plant improvements identified, and utility commitments made as a result of the IPE. Section III presents SCIENTECH's overall observations and conclusions. References are given in Section IV. The Appendix contains an IPE evaluation and data summary sheet.

I.2 PLANT CHARACTERIZATION

Both units at the Farley Nuclear Plant are PWR-3s with large, dry containments. Each unit was designed to produce a reactor thermal power output of 2652 MW with a gross electric power output of 813 MW from Unit 1 and 823 MW from Unit 2. Units 1 and 2 began commercial operation in December 1977 and July 1981, respectively.

II. CONTRACTOR REVIEW FINDINGS

II.1 REVIEW AND IDENTIFICATION OF IPE INSIGHTS

This section is structured in accordance with Task Order Subtask 1.

II.1.1 Completeness and Methodology

In most respects, the submittal appears to be complete in accordance with the level of detail requested in NUREG-1335. In a few respects, however, it does not. Although a large body of information is provided in the back-end portion, no containment structural analysis is presented nor are references made to like containments that have undergone structural analyses.

The IPE submittal appears to meet the NRC sequence selection screening criteria described in Generic Letter 88-20.

The IPE team performed its examination by integrating analyses of plant responses to both core damage accident sequences and to source terms. The IPE team developed PRTs and a mechanistic model to examine the post core damage behavior. The team calculated containment response and radioactive source terms for these PDSs using the MAAP 3.0B, Revision 17.03 analysis for a 48-hour mission time. Several phenomenological issues were addressed by using FNP-specific position papers and a best-estimate containment failure fragility curve for the containment response analysis. The FNP IPE team did not develop CETs to characterize containment response to core melt sequences, but used PRTs developed in the Level I PRA, which incorporated some CET aspects. The "containment analysis" portions of the PRTs addressed system availabilities (yes or no) and vessel pressure at failure.

II.1.2 Multi-Unit Effects and As-Built As-Operated Status

The differences between the two units are minor and have no effect on the back-end analysis results. As stated in the submittal:

The PRA models reflect the as-built, as designed, as-maintained FNP conditions as it existed on May 1, 1991, except that certain later procedure or hardware modifications have also been accounted for . . .

The IPE team performed a plant walkdown to gather and verify information on the equipment/environment interaction and containment design.

II.1.3 Licensee Participation and Peer Review

Fauske and Associates led the back-end analysis. A senior-level engineer who had experience in Level II analysis and who was a member of the PRA group within the SNC corporate Technical Services department was responsible for performing the following: technical reviews, containment walkdown, Level I and Level II interfaces, and technology transfer related to the Level II portion of the FNP IPE. The utility architect/engineer firms of Southern Company Services and Bechtel reviewed the containment-structure-overpressurization position paper and the methodology for evaluating thermal loading of containment penetrations.

An IRG, consisting of four members of the FNP staff, three members of the SNC corporate staff, and a consultant from PLG, reviewed the FNP IPE results. The back-end analyses that the IRG reviewed consisted of a Recovery Analysis Notebook, Level 2 phenomenological evaluations, and source-term analysis. The IRG held seven meetings over a period of 2 years. Meeting agenda items that related to the back-end analysis included source-term analysis, Level II results, and phenomenological evaluations on hydrogen deflagration and detonation, direct containment heating, and containment overpressurization. The reviewers had comments on the IPE results related to direct containment heating, hydrogen generation in the cavity, and containment isolation. These comments and their subsequent resolution are detailed in Table 5.3-1, pages 5-12 and 5-13, of the submittal.

II.2 CONTAINMENT ANALYSIS/CHARACTERIZATION

II.2.1 Front-end Back-end Dependencies

The IPE team used PRTs to model both front-end and back-end aspects of severe accident progression. Accident sequences were binned into PDSs or "functional sequences" that have similar characteristics. Definition of PDSs involved the following attributes: initiating event, core damage timing, functional failures occurring during the sequence, containment status, and RCS pressure.

II.2.2 Sequences with Significant Probabilities

Table 3.4.1-1, page 3.211 of the submittal, compares the FNP sequence screening to the Generic Letter 88-20 screening criteria. The top 100 sequences, which contributed about 65 percent of the total CDF, are listed in Table 3.4-4, pages 3-178 through 3-204. The FNP IPE appears to have met the sequence selection criteria, as outlined in Appendix 2 to the Generic Letter 88-20.

II.2.3 Failure Modes and Timing

Table 4.1-1, page 4-4 of the submittal, lists important containment data including the following:

Design pressure (psig): 54
Design temperature (F): 280
Inner diameter (ft): 130
Interior height (ft): 183
Cylinder wall thickness (ft): 3.75
Dome thickness (ft): 3.25
Internal free volume (ft³): 2.05E6
Cavity floor thickness (ft): 60
Cavity floor area (ft²):

The IPE team performed a plant-specific structural analysis to calculate the internal pressure capacity and the likely failure locations associated with this pressure. The team analyzed the following containment features: containment penetrations, hatches, encapsulation vessels, and the containment structure. The dominant failure locations are the cylindrical section of the shell wall (resulting from vertical stress and hoop stress) and the basemat/shell junction. The median failure pressure is 114 psig. The containment fragility curve calculated is shown in Figure 4.1-1, page 4-15 of the submittal. In performing the source term analysis, members of the IPE team conservatively used the 5-percent-probability failure pressure of 102 psig. As calculated using the MAAP computer code, the expected containment failure area is 0.01 ft². No structural analysis of the containment fragility was provided, just the results.

The team considered the following causes of containment failure unlikely to occur within the Level II 48-hour mission time: steam explosion, molten core-concrete interaction, direct containment heating, vessel thrust force, thermal attack on containment penetrations, and hydrogen detonation and deflagration. Containment failure mechanisms that the team did consider likely were: containment overpressurization, containment bypass, and failure to isolate containment.

II.2.4 Containment Isolation Failure

The FNP IPE team concluded that isolation would cause the containment to fail under any of the following circumstances (in addition to the condition where all check valves in fluid lines must fail) (Section 4.4.3, page 4-22):

  • A fluid line of mechanical penetration, which is intended to close manually during power operation, is left unisolated.
  • A fluid line whose isolation valves, which are intended to close automatically following generation of an isolation signal, fail to close.
  • A fluid line, which is a part of a safety system required to remain open following generation of an isolation signal, is not closed by the operators even when the system is "failed" or the system operation has terminated.

The FNP IPE team used containment isolation failure as a top event (Top Event CI) in FNP PRTs. The success criterion for this top event (for all sequences except ISLOCA) was that all PDS AFALI represent the sequences that result in containment isolation failure. The functional sequence SLE27NH represented by System Sequence No. 273 is the only sequence involving containment isolation failure. The frequency of this sequence was 7.19E-8 (conditional probability of 0.0006).

In Section 4.2, pages 4-5 and 4-6 of the submittal, it is noted that the FNP equipment, personnel, and emergency hatches all employ nonmetallic gaskets, and the electrical penetration assemblies employ nonmetallic seals and potting compounds, and are of Conax, Westinghouse, or General Electric design.

II.2.5 System/Human Response

The IPE team used the following back-end operator actions as top events in the PRTs: cool down and depressurize RCS (OAC), isolate ruptured steam generators (OAI), establish containment spray recirculation (OAS), and isolate containment (OCI). Using SLIM methodology, the team calculated the operator failure error probability for these events as 1.94E-4 and 1.00E-3. Equipment recovery was not credited for the back-end analysis: As in the front-end sequence analysis, equipment assumed to have failed was assumed to have remained failed during the 48-hour Level II mission time.

II.2.6 Radionuclide Release Characterization

Section 4.7, pages 4-25 through 4-40 of the submittal, describes how the FNP radionuclide release was characterized. Table 4.7-4, on pages 4-35 and 4-36, defines 19 release categories. However, the IPE team calculated that the FNP releases would occur only under the conditions described in the following five categories:

A  No containment failure within the 48-hour mission time, but eventually failure could occur without accident management action; noble gases and less than 1/10-percent volatiles released

G  Containment failure prior to vessel failure with noble gases and up to 10-percent volatiles released (containment isolation impaired)

K  Late containment failure with noble gases and less than 1/10-percent volatiles released (containment failure greater than 6 hours after vessel failure; containment not bypassed; isolation successful prior to core damage)

S  Success (leakage only, successful maintenance of containment integrity; containment not bypassed; isolation successful prior to core damage)

T  Containment bypassed with noble gases and no more than 10-percent volatiles released

The conditional probabilities of releases of volatiles in the above categories were calculated to be 0.931, 0.0006, 0.031, 0.033, and 0.0036, respectively, for A, G, K, S, and T (Table 4.8-1, page 4-63). Table 4.7-5, on pages 4-41 and 4-42 of the submittal, lists MAAP-run summary results of the FNP source term analysis.

Generic Letter 88-20 states that the following should be reported:

any functional sequence that has a core damage frequency greater than 1x10~ per reactor year and that leads to containment failure which can result in a radioactive release magnitude greater than or equal to BWR-3 or PWR-4 release categories of WASH-1400.

The FNP IPE appears to have met this reporting requirement. (See Section 4.7.2, pages 4-23 and 4-28.)

II.3 ACCIDENT PROGRESSION AND CONTAINMENT PERFORMANCE ANALYSIS

II.3.1 Severe Accident Progression

The FNP IPE team found that the following severe accidents are not likely to threaten the FNP containment: steam explosions, molten core-concrete interactions, direct containment heating, vessel thrust forces, thermal attacks on containment penetrations, and hydrogen detonation and deflagration. The bases for this finding are the phenomenological evaluation summaries, which are not sufficiently described in the submittal to judge how well the FNP understood the threat to the containment from severe accidents. (See Section 4.4.2, pages 4-14 through 4-21.) The phenomenological evaluation summaries are currently under review by the NRC staff.

II.3.2 Dominant Contributors: Consistency with IPE Insights

Table 1 in this report shows the results of the SCIENTECH comparison of the dominant contributors to the FNP containment failure probability with those contributors identified during the IPEs performed at the Diablo Canyon, Maine Yankee, Palo Verde, Kewaunee, Zion, Haddam Neck, and Point Beach plants, and with the NUREG-1150 PRA results obtained at Zion and Surry. The results of the IPEs conducted at the Kewaunee, Zion, and Point Beach plants also indicated the unlikelihood of any early containment failure occurring there. Compared with these three plants, however, FNP was shown to have a higher late containment failure conditional probability (after 48 hours) and a lower containment-intact conditional probability. (The Kewaunee and Point Beach plants had no late containment failure probabilities within 48 hours.)

Table 1. Containment Failure as a Percentage of Total CDF: Farley IPE Results Compared with the Results of the Diablo Canyon, Maine Yankee, Palo Verde, Kewaunee, Zion, Haddam Neck, and Point Beach IPEs and with the Zion and Surry NUREG-1150 PRA Results

Containment         Diablo    Maine     Palo      Kewaunee  Zion      Haddam    Point     Zion/     Surry/    Farley
Failure             Canyon    Yankee    Verde     IPE       IPE       Neck      Beach     NUREG-    NUREG-    IPE
                    IPE¹      IPE²      IPE                           IPE       IPE       1150      1150
CDF (per rx year)   8.8E-5    7.4E-5    9.0E-5    6.6E-5    4.0E-6    1.8E-4    1.04E-4   6.2E-5    4.1E-5    1.3E-4
Early               4.6       8         10        0         0         0.18      0         1.5       1         0
Late                66.6      48        14        49⁴       5         54        17.4⁴     25        6         96.2⁵
Bypass              1.8       2.1       4         8         30        6.5       6.1       0.5       12        0.36
Isolation           7         *         0³        0.023     2         0.5       0.031     NA        **        0.06
Intact              20        43        72        43        63        39        76.6      73        81        3.3

*  Bypass and isolation combined
** Included in early failure
¹  Reflects the IPE results without taking credit for recovery of containment heat removal 48 hours after event initiation
²  Values do not add to "100"
³  Probability is less than 0.001, conditional on core melt
⁴  Probability of late failure is zero within 48 hours
⁵  Probability of late failure is 0.031 within 48 hours

II.3.3 Characterization of Containment Performance

The FNP IPE team characterized the core damage and containment performance using PRTs for different core damage initiators. The following are the PRT top events related to the back-end analysis (Table A-1, pages A-153 through A-155):

Top Event CI - Containment isolation
Top Event CS - Containment spray injection
Top Event CSI - Containment spray recirculation
Top Event FC - Containment fan coolers
Top Event OA - Operator action (OA) to cool down and depressurize RCS
Top Event OAI - OA to isolate ruptured steam generator
Top Event OAS - OA to establish containment spray recirculation
Top Event OCI - OA to isolate containment

The PRT structure is system-oriented, i.e., the containment phenomenology issues are not addressed in the PRT structure. The lack of treatment of phenomenological issues related to severe accident releases is a limitation of the IPE submittal. However, under separate cover, SNC has submitted the phenomenological evaluation summaries for Farley; these summaries are currently being evaluated by the NRC staff.

II.3.4 Impact on Equipment Behavior

The following is noted in the submittal (Section 4.1.2, page 4-6):

Only the fan driver motor needs to be considered in assessing equipment survivability. . . Inspection of the source-term results for those sequences where fan coolers are operational indicates that the FCs are expected to function under the analyzed accident conditions.

II.4 REDUCING PROBABILITY OF CORE DAMAGE OR FISSION PRODUCT RELEASE

II.4.1 Definition of Vulnerability

The SNC defined a severe accident vulnerability as (Section 4.9, page 4-65):

Any source-term analysis bin which represents containment failure, bypass or failure to isolate, [occurring] with a frequency greater than 1E-5 events per year, and in which a single function, system, operator action, or other element can be identified which substantially contributes to the total frequency. The present state-of-the-art of containment systems analysis (as noted in Generic Letter 88-20) may be considered when evaluating any potential vulnerability identified by this criterion.

Based on the above definition, the IPE team found no severe accident vulnerabilities to exist at the FNP.

II.4.2 Plant Improvements

As described in Section 6 of the submittal, several front-end plant improvements have been implemented at FNP. These improvements are mainly procedural enhancements with minor hardware modifications.

II.5 RESPONSES TO CPI PROGRAM RECOMMENDATIONS

One of the CPI Program recommendations that pertains to PWRs with large, dry containments is that utilities evaluate their containment and equipment vulnerabilities to hydrogen combustion (local and global) as part of their IPEs and that they identify the need for improvements in PWR procedures and equipment.

Section 4.4.3, pages 4-14 and 4-15 of the submittal, describes the phenomenological evaluations of hydrogen deflagration and detonation, which the IPE team performed for the FNP. Based on bounding analyses and conservative assumptions involving a worst-case station blackout (SBO) sequence, the IPE team concluded that hydrogen combustion could not threaten the FNP containment integrity. Additional hydrogen burn analyses have been provided to the NRC by SNC; they are currently under evaluation by the NRC staff.

II.6 IPE INSIGHTS, IMPROVEMENTS AND COMMITMENTS

In Section 4.8, pages 4-61 through 4-64 of the submittal, the authors note the following insights as the result of performing the IPE:

  • No early containment failures would be expected to result from severe accident phenomena, including steam explosions, direct containment heating, vessel thrust forces, thermal attack on containment penetrations, and hydrogen detonation and deflagration.

  • The reactor cavity and instrument tunnel would provide an effective barrier to debris dispersal from the cavity following a high-pressure vessel blowdown. However, the containment design would not facilitate flooding of the reactor cavity.

  • Because the containment design at FNP would not facilitate reactor cavity flooding following an accident, most core damage sequences (about 98 percent) would result in significant concrete ablation in the cavity (3 to 7 feet at 48 hours) due to molten core-concrete interaction. In such cases, basemat meltthrough would be expected to occur within 80 to 100 hours (based on extrapolation of MAAP results at 48 hours) if no action were taken by the plant staff to quench the molten core debris in the reactor cavity.

  • The frequency of an uncontrolled fission product release (due to containment overpressure, bypass, or isolation failure) would be 4.4E-6 per reactor year. This release frequency would be the result mostly of overpressure failure events (3.9E-6/yr), but also the result of SGTR events (2.7E-7/yr), ISLOCAs (1.8E-7/yr), and containment isolation failure (7.2E-8/yr).

  • With respect to fission product retention, an important feature of the FNP containment is that it would remain intact following core damage long enough to allow natural deposition mechanisms to remove airborne fission products from the containment atmosphere, and long enough to implement additional accident mitigation activities.

  • The primary system would provide good fission product retention, even after vessel failure and during containment bypass sequences, due to deposition on primary system internal structures.

The SNC implemented several front-end plant improvements at FNP, which are mainly procedural enhancements with minor hardware modifications. They have made no commitments to implement additional plant or procedural improvements.

III. CONTRACTOR OBSERVATIONS AND CONCLUSIONS

As discussed in Section II of this report, the IPE submittal contains a large amount of back-end information, which contributes to the resolution of severe accident vulnerability issues at FNP. Some areas and issues that do not appear to be addressed completely in the IPE submittal are being evaluated separately by the NRC staff.

We note in particular that it was difficult to understand how the submittal authors justify the quantitative results of the back-end portion of the IPE without providing the phenomenological evaluation summaries. The key issues that drive the important quantitative results are not addressed in the PRTs. The quantification is addressed in the MAAP analyses and in the phenomenological evaluation summaries which are currently under review by the NRC staff.

Farley IPE Back-End Review 12 March 1995

I ie . . -

IV. REFERENCES

1. Southern Nuclear Operating Company, "Farley Nuclear Plant Units 1 and 2 Individual Plant Examination Report," June 1993.

2. Southern Nuclear Operating Company, "Joseph M. Farley Nuclear Plant: Responses to the Request for Additional Information on IPE Submittal," November 1994.


APPENDIX

IPE EVALUATION AND DATA SUMMARY SHEET

PWR Back-End Facts

Plant Name: Farley

Containment Type: PWR, large, dry

Unique Containment Features:

- The configurations of the reactor cavity and instrument tunnel, which together provide an effective structural barrier to debris dispersal from high-pressure melt ejection

- The containment design that would not facilitate cavity flooding, and therefore would prevent water from cooling debris and reducing core-concrete interaction

Unique Vessel Features: None found

Number of Plant Damage States: 13

Ultimate Containment Failure Pressure: 114 psig

Additional Radionuclide Transport and Retention Structures: None credited

Conditional Probability That The Containment Is Not Isolated: .0006

Important Insights, Including Unique Safety Features: Listed under Unique Containment Features


APPENDIX (continued)

IPE EVALUATION AND DATA SUMMARY SHEET

Implemented Plant Improvements: None

C-Matrix: Information given in the submittal is insufficient to generate a c-matrix


ENCLOSURE 4

FARLEY NUCLEAR POWER PLANT

INDIVIDUAL PLANT EXAMINATION

TECHNICAL EVALUATION REPORT

(HUMAN RELIABILITY ANALYSIS)


CA/TR 93-019 25

JOSEPH M. FARLEY NUCLEAR PLANT

TECHNICAL EVALUATION REPORT ON THE IPE SUBMITTAL HUMAN RELIABILITY ANALYSIS

FINAL REPORT

By: P. M. Haas

Prepared for: U.S. Nuclear Regulatory Commission, Office of Nuclear Regulatory Research, Division of Safety Issue Resolution

Draft Report March, 1994

Final Report March, 1995

CONCORD ASSOCIATES, INC.

Systems Performance Engineers

725 Pellissippi Parkway

Knoxville, TN 37932

Contract No. NRC-04-91-069

Task Order No. 25

TABLE OF CONTENTS

E. EXECUTIVE SUMMARY
   E.1 Plant Characterization
   E.2 Licensee IPE Process
   E.3 Human Reliability Analysis
       E.3.1 Pre-Initiator Human Events
       E.3.2 Post-Initiator Human Actions
   E.4 Generic Issues and CPI
   E.5 Vulnerabilities and Plant Improvements
   E.6 Observations and Conclusions

I. INTRODUCTION
   1.1 HRA Review Process
   1.2 Plant Characterization

II. TECHNICAL REVIEW
   2.1 Licensee IPE Process
       2.1.1 Completeness and Methodology
       2.1.2 Multi-Unit Effects and As-Built, As-Operated Status
       2.1.3 Licensee Participation and Peer Review
             2.1.3.1 Licensee Participation
             2.1.3.2 Peer Review
   2.2 Pre-Initiator Human Actions
   2.3 Post-Initiator Human Actions
       2.3.1 Types of Post-Initiator Human Actions Considered
       2.3.2 Process for Identification and Selection of Post-Initiator Human Actions
       2.3.3 Screening Process for Post-Initiator Human Actions
       2.3.4 Quantification Process for Post-Initiator Human Actions
             2.3.4.1 Timing
             2.3.4.2 Consideration of Plant-Specific Factors for Post-Initiator Human Events
             2.3.4.3 Consideration of Dependencies for Post-Initiator Human Events
   2.4 Vulnerabilities, Insights and Enhancements
       2.4.1 Vulnerabilities
       2.4.2 Insights Related to Human Performance
             2.4.2.1 Importance of Human Error In Dominant Accident Sequences
             2.4.2.2 Sensitivity Studies on Human Error
       2.4.3 Human-Performance-Related Enhancements
             2.4.3.1 Reactor Coolant Pump Seal LOCA
             2.4.3.2 Realignment of ECCS to Cold Leg Recirculation Following Failure of Hot Leg Recirculation
             2.4.3.3 Verification of Load Shed Prior to Aligning a Backup Diesel to a Bus

III. CONTRACTOR OBSERVATIONS AND CONCLUSIONS

IV. DATA SUMMARY SHEETS

REFERENCES


E. EXECUTIVE SUMMARY

This Technical Evaluation Report (TER) is a summary of the documentation-only review of the human reliability analysis (HRA) presented as part of the Joseph M. Farley Nuclear Plant (FNP) Units 1 and 2 Individual Plant Examination (IPE) submitted by Southern Nuclear Operating Company (SNC) to the U.S. Nuclear Regulatory Commission (NRC). The review was performed to assist NRC staff in their evaluation of the IPE and conclusions regarding whether the submittal meets the intent of Generic Letter 88-20.

E.1 Plant Characterization

Farley Units 1 and 2 are both three-loop Westinghouse pressurized water reactors (PWRs). Unit 1 began commercial operation in 1977; Unit 2, in 1981. Similar units in operation are Surry and North Anna. Emergency operating procedures apparently are in the Westinghouse two-column format. The major operator actions identified are consistent with those identified in other PWRs with generally similar safety features, e.g., manual switchover of emergency core cooling from injection to recirculation mode.

E.2 Licensee IPE Process

The HRA process focused on post-initiator human actions, though a limited assessment of pre-initiator actions was included. Two methods were employed to assess and quantify human error: (1) the Success Likelihood Index Method (SLIM), and (2) the Westinghouse implementation of the Technique for Human Error Rate Prediction (THERP). The submittal discussions of the methodology were generally complete, but lacked sufficient detail to complete the review. Additional material provided by the licensee in response to NRC requests for additional information was, in general, sufficient to complete the evaluation. The licensee's process included review of documentation, plant walkdowns, and discussions with utility personnel. These actions provided some assurance that the HRA represents the as-built, as-operated plant. Licensee participation included site personnel with knowledge of plant design and operational practice and experience in operations, training, engineering and other areas. A peer review process was conducted which also included site and utility personnel and which provided assurance that the HRA methodologies selected were appropriately implemented.

E.3 Human Reliability Analysis

E.3.1 Pre-Initiator Human Events

The submittal discussion of pre-initiator human actions was extremely limited. In response to an NRC request for additional information, the licensee indicated that restoration errors were considered, but calibration errors were not. The rationale for dismissing calibration errors from consideration is that "...Such error would be as likely to produce an early actuation as a delayed or prevented actuation, and there are normally multiple input signals or actuated devices." Further, the licensee states that, "Such errors have seldom been shown to be important in past probabilistic risk assessments."

We do not concur with this judgment by the licensee to not assess calibration errors. There have been some PRAs, including IPEs, in which calibration errors have been significant contributors to plant risk and have been among the most important human actions. It is unlikely that the omission of calibration errors critically impacts the licensee's overall conclusions from the IPE. However, by "arbitrarily" dismissing miscalibration from the IPE model, the licensee may have missed an opportunity to identify potential cost-effective enhancements.

E.3.2 Post-Initiator Human Actions

As indicated above, post-initiator human events were treated using two different approaches - the Success Likelihood Index Methodology (SLIM), and the Technique for Human Error Rate Prediction (THERP). SLIM was used to address control room operator actions identified in the EOPs for response to accident events. THERP was used to address recovery actions, actions outside of the control room, and other actions that were not defined prior to the SLIM evaluations and to address "lower level" actions incorporated into fault trees. The submittal discussions of the implementation of both methodologies are very general and high-level, especially for THERP. Substantial additional information was obtained from the licensee in response to NRC RAIs.

The HRA addressed two types of post-initiator events: (1) actions directed by EOPs, AOPs and SOPs in response to an initiating event, and (2) recovery actions taken to recover failed systems. The process for identification and selection of post-initiator human events important enough to quantify was essentially review of procedures and/or sequence analysis results.

Based on the submittal discussions of the accident sequence analysis and comparison of the actions treated with actions treated in other PWR PRAs, we conclude that the licensee's process for identification of post-initiator human events was reasonable. No numerical screening process was employed. All actions identified and selected for inclusion in the model were retained and quantified using "nominal" estimates.

The licensee's quantification process included a reasonable assessment of plant-specific performance shaping factors and dependencies, though the application of the Westinghouse THERP methodology suffered from some of the limitations inherent to that approach which have been identified in previous IPEs. Most notable is the restricted, and probably optimistic, treatment of diagnosis actions. Sequence-specific effects on the human error probability were accounted for through the event-tree quantification rules. Dependencies among multiple human actions in a sequence were treated using the THERP dependency model. Recovery actions were identified after initial quantification from review of dominant sequences. Recovery actions were quantified and added to specific cutsets where applicable.

E.4 Generic Issues and CPI

No HRA issues applicable.

E.5 Vulnerabilities and Plant Improvements

The licensee's vulnerability screening followed the guidance and criteria provided in NUMARC 91-04. No vulnerabilities or necessary enhancements were identified, beyond those already identified during the course of the IPE. During the development of the IPE a number of procedure enhancements were identified as necessary, committed to by the licensee, and credited in the IPE. Several of these procedure enhancements addressed important operator actions related to reactor coolant pump (RCP) seal LOCA, which was the dominant contributor to core damage frequency. Credit for two of these operator actions was shown to decrease the CDF by a factor of 5. Other procedure enhancements addressed: (1) actions related to ECCS realignment to cold leg recirculation in the event that transfer to hot leg recirculation (required after 11 hours) is unsuccessful, and (2) load shedding in order to reduce the potential for failure of the backup diesel due to overload when it is aligned to the bus.

E.6 Observations and Conclusions

It is our general conclusion from the review of the submittal and the additional material provided by the licensee in response to NRC requests for additional information that the licensee's HRA process provided the licensee with the ability to meet the objectives of GL 88-20. This conclusion is based on the findings and observations of strengths and limitations of the licensee's approach, including the following:

(1) The submittal and supporting documentation indicate that utility personnel were involved in the HRA, and that the walkdowns and documentation reviews constituted a viable process for confirming that the HRA portions of the IPE represent the as-built, as-operated plant (at least for the post-initiator error evaluation).

(2) The licensee performed an in-house peer review that provides some assurance that the HRA techniques have been correctly applied and that documentation is accurate.

(3) Pre-initiator human actions were considered in the analysis, though the treatment was not as complete and rigorous as has been performed for typical IPE/PRA analysis. In particular, dismissal of calibration errors without significant plant-specific analysis is considered a limitation of the licensee's approach that could have led to overlooking potentially significant contributors to plant risk.

(4) The treatment of post-initiator human actions was reasonably complete and thorough. Both response-type and recovery-type actions were included. Quantification of post-initiator errors appears to have appropriately employed the chosen HRA techniques - SLIM and Westinghouse THERP. Some of the limitations noted in previous applications of the Westinghouse THERP process are evident. However, with the exception of the treatment of diagnosis, the results and insights presented by the licensee indicate that the process permitted the licensee to gain an understanding of the quantitative impact of human performance on core damage and radioactive material release frequencies.

(5) During the course of the IPE a number of important human actions were identified which had high error probabilities and which contributed significantly to core damage sequences, in particular, recovery actions to limit the potential for seal LOCA. Procedure enhancements expected to reduce the likelihood of human error were identified and credited in the IPE.


I. INTRODUCTION

This Technical Evaluation Report (TER) is a summary of the documentation-only review of the human reliability analysis (HRA) presented as part of the Joseph M. Farley Nuclear Plant (FNP) Units 1 and 2 Individual Plant Examination (IPE) submittal from the Southern Nuclear Operating Company (SNC) to the U.S. Nuclear Regulatory Commission (NRC). The review was performed to assist NRC staff in their evaluation of the IPE and conclusions regarding whether the IPE submittal meets the intent of Generic Letter 88-20.

1.1 HRA Review Process

The HRA review was a "document-only" process which consisted of essentially four steps:

(1) Comprehensive review of the IPE submittal focusing on all information pertinent to HRA.

(2) Preparation of a draft TER summarizing preliminary findings and conclusions, noting specific issues for which additional information was required from the licensee, and formulating requests to the licensee for the necessary additional information.

(3) Review of preliminary findings, conclusions and proposed requests for additional information (RAIs) with NRC staff and with "front-end" and "back-end" reviewers.

(4) Review of licensee responses to the NRC requests for additional information, and preparation of this final TER modifying the draft to incorporate results of the additional information provided by the licensee and finalize conclusions.

Findings and conclusions are limited to those that could be supported by the document-only review. No visit to the site was conducted. No discussions were held with plant personnel or IPE/HRA analysts, either during the initial review of the submittal or after receipt of licensee responses to NRC RAIs. No review of detailed "Tier 2" information was performed, except for selected details provided by the licensee in direct response to NRC RAIs. In general it was not possible, and it was not the intent of the review, to reproduce results or verify in detail the licensee's HRA quantification process. The review addressed the reasonableness of the overall approach with regard to its ability to permit the licensee to meet the goals of Generic Letter 88-20.

1.2 Plant Characterization

Farley Units 1 and 2 are both three-loop Westinghouse pressurized water reactors (PWRs). Unit 1 began commercial operation in 1977; Unit 2, in 1981. Similar units in operation are Surry and North Anna. Based on indirect comments in the licensee's response to one of NRC's RAIs, it appears that the emergency operating procedures are in the Westinghouse two-column format. Reactor Coolant Pump (RCP) seal LOCA was determined to be a dominant contributor to core damage frequency (CDF), and operator failures to provide cooling (via restoring service water or component cooling water, aligning alternate cooling, or quickly tripping the RCPs) are important contributors to these sequences. In general, other important actions for Farley are typical of similar PWRs, e.g., initiation of bleed and feed operation, cooldown and depressurization, and manual switchover from injection to recirculation mode.


II. TECHNICAL REVIEW

2.1 Licensee IPE Process

2.1.1 Completeness and Methodology

The submittal information on the HRA process was generally complete in scope, but limited in detail. Two areas in which information was particularly lacking were the treatment of pre-initiator human actions and the quantification of recovery actions. Additional information obtained from the licensee in response to the NRC RAIs on these two issues and on other specifics of the analysis was sufficient to complete our assessment of the overall HRA.

The HRA did address both pre-initiator and post-initiator human actions, but focused heavily on the latter. The evaluation of pre-initiator actions was very limited. For example, the potential contribution from calibration errors was assumed to be negligible, and these errors were excluded from the analysis. Post-initiator actions were quantified using two methods: (1) the Success Likelihood Index Method (Ref. 1, 2) and (2) the Westinghouse adaptation of the Technique for Human Error Rate Prediction (THERP) (Ref. 3). Both response-type and recovery-type post-initiator actions were addressed. Response-type actions modeled by SLIM were incorporated as top-level events in the event trees (plant response trees). Additional response actions calculated using THERP were incorporated into fault trees. Recovery actions, which typically involved actions in procedures other than emergency or abnormal operating procedures, were added to cutsets. Timing of operator actions and other important performance shaping factors, such as stress, human-machine interface, and procedure quality, were addressed subjectively in the SLIM analysis by teams of operations personnel, and in the THERP process by the HRA analysts with review by operations personnel. Dependencies among multiple human actions were treated using the THERP dependency model. During the course of the IPE/HRA, the licensee identified a number of procedure enhancements that would reduce the error probability on certain critical operator actions. Those enhancements were credited in the IPE and were shown by sensitivity studies provided by the licensee to have a significant impact on reducing the estimated core damage frequency.

2.1.2 Multi-Unit Effects and As-Built, As-Operated Status

Information for evaluating the licensee's process for confirming that the IPE represents the as-built, as-operated plant was drawn primarily from submittal Section 2.4, "Information Assembly," and discussions in Section 5 on utility staff involvement, on the IPE Quality Assurance program, and on the IRG activities. Our conclusion is that the process used by the licensee to confirm that the IPE represents the as-built, as-operated plant was reasonable. Findings from the submittal review that support this conclusion, in particular as it relates to the HRA, include the following:

1) The submittal notes that the latest revisions available of drawings, documents and plant procedures were used, and it provides a listing of plant-specific data information sources that appears to be comprehensive. Information sources of particular interest for the HRA were listed, such as abnormal and emergency operating procedures, surveillance test procedures, maintenance procedures, system operating procedures, maintenance work requests, and operating logs.

2) Plant walkdowns were conducted for evaluation of specific plant systems, of containment and containment systems, and of internal flooding. Checklists were developed and used which included specific items pertinent to the HRA, e.g., room environment, availability and usability of local controls and indications, and control room alarms/indications for particular systems or components.

3) Through the application of the SLIM process, operations and training staff were involved directly in the assessment of human error probabilities. Review by ROs and SROs of specific performance shaping factors in the context of the event being analyzed provides another mechanism for assuring the IPE/HRA model represents actual plant operational conditions. Operations, Training and other plant staff also were involved in the initial systems analysis and sequence analysis.

4) The submittal notes that the IPE was developed in accordance with a formal quality assurance (QA) program conforming to 10CFR50, Appendix B requirements. Detailed reviews were conducted to ensure that the models accurately represent the plant. Independent reviews were conducted of notebooks and calculation packages.

5) The Independent Review Group involved site and corporate personnel with experience in plant operations, including ROs and SROs.

2.1.3 Licensee Participation and Peer Review

2.1.3.1 Licensee Participation. The summary of the IPE Program Organization in Section 5.1.1 of the submittal states that the responsibility for conducting the IPE rested with a team of engineers and analysts from the Nuclear and Advanced Technology Division of Westinghouse Electric Corporation, Fauske and Associates, Inc. (FAI), and the Probabilistic Risk Assessment (PRA) group within the corporate Technical Services department. Overall responsibility for the IPE program lies with the corporate manager of Nuclear Engineering and Licensing. The manager of the IPE effort was a project engineer from the licensing group. The IPE manager also coordinated the Independent Review Group (IRG) activities and interfaced with the corporate Technical Services department, who provided direct project management and technical oversight of the IPE team.

Site personnel and personnel from Corporate Nuclear Engineering and Licensing department participated by supporting Level 1 and Level 2 walkdowns. Site personnel from Operations, Performance and Planning, and Training provided information to the IPE team during the initial development of the systems descriptions and event sequence diagrams. Site and corporate engineers and specialists were involved in the review of system notebooks and other IPE notebooks containing information related to system configurations and operations. Site Operations and Training staff, and staff from Corporate Nuclear Engineering and Licensing, who held Reactor Operator (RO) or Senior Reactor Operator (SRO) licenses participated in the HRA, as "subject matter experts" in the Success Likelihood Index Method (SLIM) quantification of human errors. Site personnel from Operations, Maintenance, Training and Planning and Performance, each of whom held an RO or SRO license, participated in meetings to review the initial quantification and identify recovery actions for dominant sequences. Site personnel also were involved in the Independent Review Group (IRG).

It appears that the majority of the IPE was performed by Westinghouse and FAI. Two lead engineers from the corporate PRA group participated directly with the contractors in the IPE effort. This provided some level of technology transfer from the more experienced contractor staff. And, it appears that there was considerable information input from site personnel with appropriate qualifications and experience in operations, training, maintenance, engineering and other specialties. Specific citation of the involvement of ROs and SROs in the HRA is a positive finding. Finally, the IRG provided a mechanism for involvement by, and technology transfer to, site and corporate personnel. Based on these findings, it is concluded that, given there was limited PRA/HRA experience already existing within the utility, the utility staff was appropriately involved in the IPE.

2.1.3.2 Peer Review. The formal QA process noted above appears to have involved substantial independent technical review of all IPE documentation. In addition, the licensee formed the Independent Review Group to conduct an independent in-house review of the IPE. The IRG was composed of plant and corporate personnel with plant experience who were not involved in the direct production of the IPE work products. Membership included plant senior staff members from Operations, Training, Maintenance Engineering Support, and Performance and Planning. Corporate staff included the Manager of Licensing, Senior Engineer of Safety Audit and Engineering Review, and the Vice President for Technical Services. Five of the eight IRG members hold current SRO licenses for FNP. PRA expertise on the group was provided by a contractor, PLG, Incorporated. The IRG provided general review of IPE documentation for completeness, consistency and reasonableness. More detailed review of selected portions of the analysis were performed for the IRG by PLG, Inc. These more detailed reviews included comparison of methodology with other PSAs performed or reviewed by PLG.

The submittal summarizes the documents and specific topics reviewed by the IRG in seven meetings over a two-year period. It also includes sample comments and resolutions. One of the sample comments was directly pertinent to the HRA methodology, and resulted in a change in the process for establishing calibration, or "correlation", values for human error probabilities (HEPs) derived using the SLIM process.

Based on the general summary discussion of the QA program applied during preparation of the IPE and of the IRG process and results, it appears that the licensee had a reasonable independent internal review process.


2.2 Pre-Initiator Human Actions

The only references to pre-initiator human events in the submittal are in the general introductory paragraphs to Section 3.3.3, "Human Failure Data" (page 3-118). In those paragraphs, the submittal notes that human interfaces with the system are often significant contributors to system unavailability, and that human actions may involve failure to restore the equipment to operability following test and maintenance tasks. The submittal also states that operator actions important to system operation were identified in the systems analysis (fault tree analysis), and that, "These actions were typically errors of omission (that is, failure to follow plant procedures, systems-related miscalibration, failure to return equipment to service, misposition after test or maintenance, and so forth)." Our review of the remaining HRA discussions in Section 3.3.3 of the submittal, the summary of quantification of system/function unavailability in Section 3.3.5, the accident sequence delineation in Section 3.1, and the systems analysis in Section 3.2 could not identify any comments regarding treatment of miscalibration or restoration errors. The listing of HEPs in Table 3.3.3-2 does include one human action that clearly is a pre-initiator - restore auxiliary feedwater valves after test. The HEP value is 1.87E-03, and the table indicates it was estimated using THERP. There is another action in this table - detect misposition of valves QV003C & QV003D - which appears to be a recovery action and may or may not be related to a pre-initiator error. Numerous other valve alignments are listed, but it is not clear whether any of them are pre-initiator actions. No discussion of those HEPs is provided in the submittal.

In response to an NRC request for additional information, the licensee indicated that restoration errors ("failure of test and maintenance personnel to return valves, pumps, and other safety system components to their normal position after test and/or maintenance") were considered as credible faults in the development of fault tree models if:

(1) proper valve positioning cannot be detected using specified pump flow tests; or

(2) valve or other component misposition is not immediately detectable by status lights and/or alarms at the main control board, and the valve is not automatically realigned by an ESFAS signal.

The licensee's response further indicated that sources of information used to identify misposition errors included the FNP System Operating Procedures, Surveillance Test Procedures, Technical Specifications, and Maintenance Work Requests.

The licensee's response stated that calibration errors were not modeled, "Since such error would be as likely to produce an early actuation as a delayed or prevented actuation, and there are normally multiple input signals or actuated devices." The licensee states that, "Such errors have seldom been shown to be important in past probabilistic risk assessments."

In response to an NRC request, the licensee reported results of an importance calculation performed using a post-processing program which showed that as a group, pre-initiator human errors modeled in the IPE contribute less than 5% of the total CDF. However, this calculation does not fully address the issue of completeness of the pre-initiator assessment, since it addresses only those relatively few pre-initiators that were included in the IPE model. The licensee's response to a separate NRC request included a listing of the top 20 human errors, as ranked by the individual contribution to CDF. It is noted that pre-initiator restoration errors are included among the top 20 human errors.

Overall, the information in the submittal and the licensee's response to the NRC RAI indicate that the licensee's HRA process did consider the impact of pre-initiator human error, but the assessment performed was somewhat limited in scope and was less rigorous than typically has been performed in other IPEs. The two criteria identified above for including/eliminating restoration errors are generally reasonable and consistent with practice in other PRAs, assuming that the conditions in actual practice were verified; that is, specified pump flow tests would indeed identify mispositioning of the specific valve in question, and that status lights and/or alarms identifying mispositioning truly are "compelling signals" which could not be missed by responsible plant personnel. The level of detail of discussions in the submittal and supporting information is (by intention) limited, and the level of detailed examination is not clear. The licensee's response to the NRC RAI indicating review of operating and surveillance procedures, technical specifications, and work requests suggests some level of plant-specific review to support the judgment to eliminate certain restoration errors from consideration. We do not concur with the licensee's judgment regarding calibration errors. In fact, there have been some PRAs, including IPEs, in which calibration errors have been significant contributors to plant risk and have been among the most important human actions. By "arbitrarily" dismissing miscalibration from the IPE model, the licensee may have missed an opportunity to identify potential cost-effective enhancements.

2.3 Post Initiator Human Actions

Post-initiator human events were treated using two different approaches - the Success Likelihood Index Methodology (SLIM), and the Technique for Human Error Rate Prediction (THERP). SLIM was used to address control room operator actions identified in the EOPs for response to accident events. These actions were modeled as top events in the plant response trees (PRTs), i.e., event trees. THERP was used to address actions that were not defined prior to the SLIM evaluations (most of the recovery actions), actions outside of the control room, and "lower level" human actions included in system fault trees. The submittal provides a very general description of the implementation of both methodologies, especially for THERP. It is not possible from the information presented in the submittal to trace the quantification of specific human error probabilities by either methodology. Sample calculations provided in response to an NRC request for additional information indicate that the THERP calculations were performed using the Westinghouse adaptation of THERP, which has been reviewed previously by NRC as part of other IPE submittal reviews. Some of the inherent limitations of that approach that have been previously identified are embodied in the FNP calculations. These are identified in the review of the quantification process in Section 2.3.4 below.

2.3.1 Types of Post-Initiator Human Actions Considered.

The HRA addressed: (1) operator actions directed by EOPs, AOPs and SOPs in response to an initiating event, and (2) recovery actions taken to recover failed systems. The brief submittal discussion of types of actions considered did not fully explain the distinction made between the two types of actions. Information from the licensee in response to an NRC RAI provided clarification. In general, operator actions called for in the FNP emergency or abnormal procedures were considered "expected" (response-type) actions rather than recovery actions, as long as there was a clear path through the procedures for each event being considered. Relatively straightforward corrective actions that could be taken from the control room, and for which the operators would receive indication of the need for action, were treated as response actions, rather than recoveries. Examples are manually starting a pump that failed to start automatically, or operating valves that failed to actuate automatically. This latter type of action generally was modeled in the fault trees. As indicated above, response actions identified in the initial model development were quantified using SLIM and were modeled in the PRTs. The submittal did not clearly explain how recovery actions were incorporated into the IPE model. However, the licensee's response to the NRC RAI indicates that recovery actions were incorporated into cutsets; this is the preferred treatment because recovery actions typically are cutset-specific.

2.3.2 Process for Identification and Selection of Post-Initiator Human Actions.

The process for identification and selection of post-initiator human events important enough to quantify, for both the SLIM and the THERP approach, was essentially review of procedures and/or sequence analysis results. There is very little detail provided in the submittal about the process, especially for recovery actions. For the SLIM analysis, the submittal states that, "The list of operator actions to be evaluated was developed based on a review of the plant response trees (PRTs) available when the SLIM analysis began." No other information is provided. For the THERP analysis, the only information provided is that the first step of the THERP process was "... Delineating the procedural steps that were necessary for successfully completing a given task," and that "the FNP EOPs, SOPs, and AOPs were used for defining all operator steps (subtasks) required by a task." Additional information discussing a systematic process for identification and selection of the post-initiator human events that were quantified would have strengthened the submittal.

However, the review of the accident sequence delineation discussions in the submittal indicates significant emphasis on the identification of operator response actions as part of the sequence analysis. Comparison of the operator actions selected to those actions typically addressed in other PSAs did not reveal any important omissions. And, most of the response-type actions of importance identified by the NRC front-end reviewers were addressed. For these reasons, we conclude that the licensee's process for identification of post-initiator response actions was effective.

The licensee's response to an NRC RAI provided additional information regarding identification and selection of recovery actions. The initial step in the recovery analysis was a review of quantification results, fault tree models, PRTs, and support system models to identify where the contribution of dominant contributors to CDF could appropriately be reduced by credit for human actions or equipment that had not already been incorporated into the model. Recovery actions typically are actions outside of the control room, or actions that are in procedures other than EOPs or AOPs. Credit was not taken for a human recovery action unless that action was proceduralized, or a commitment was in place to establish a procedure. The licensee's response states that for most of the items selected, analysts prepared a summary which included a description of the situation for which recovery is needed and proposed to be credited, information on the operator actions involved and the time available, equipment available, and procedural guidance; and that these summaries were reviewed and commented on by SNC and FNP personnel. In general, this process for identification and selection of recovery actions appears to be reasonable.

2.3.3 Screening Process for Post-Initiator Human Actions.

The submittal does not indicate that any numerical screening was performed for post-initiator actions. Obviously, qualitative screening was performed to select the set of operator actions to be quantified. The selection/screening was supported by a review of procedures and substantial discussion with plant operations personnel on the actual performance of required tasks. In fact, the submittal notes that additional information was often needed to determine any deviation between the written procedures and the actual steps taken by plant operators, and that this additional information was obtained from discussions with systems analysts or plant personnel.

2.3.4 Quantification Process for Post-Initiator Human Actions.

2.3.4.1 Timing. The timing of operator actions, in particular the expected time for operator action relative to the time available for action, is an important factor in determining the estimated probability of success in most HRA quantification techniques. The SLIM analysis included timing considerations as one of the seven performance shaping factors (PSFs) rated by the evaluation team. In the SLIM process, the impact of performance shaping factors (including timing considerations) on the likelihood of success is estimated by the team of evaluators. This evaluation process is discussed in Section 2.3.4.2.1 below. The submittal notes that the information assembled on each operator action and presented to the evaluators included the time window from the first compelling signal for initiation of the action, the time window available for completion of the action once initiated, the time required to complete the action, and the "observable boundary" event/conditions that mark these time windows.

The submittal notes that expected or "average" time for operators to perform the action, which should include time for detection, diagnosis and decision as well as execution, is best determined from actual time measurements from, say, simulator observations or walkthroughs. However, expected times were determined entirely on the basis of subjective judgment, apparently due to constraints on the availability of operations personnel. No simulations were performed. Time estimates obtained from subjective estimates from operators often are optimistic.

For most IPEs reviewed to date, the time window available has been determined from system analysis using results of transient codes, such as MAAP. The source of the estimates for the FNP analysis was not made clear in the summary statements in the submittal. In the licensee's response to an NRC RAI, it is stated that the time available was determined from calculations related to the success criteria, or, in cases for which those calculations were not available and the time available was substantially greater than time required, from engineering judgment.

The submittal notes that the first step in the THERP analysis involved listing of key operator steps that must be accomplished in a predetermined time period. However, no other reference is made to consideration of timing in the quantification of human error. In applying THERP, the most direct means by which timing influences the estimated HEP is via the diagnostic model, which is essentially a "time reliability correlation" in which the estimated HEP is a direct function of the relative time available. Examination of summaries of sample calculations provided by the licensee in response to an NRC RAI indicates that approximate time available and expected operator time were identified. However, it does not appear that the time-dependent THERP diagnosis model was used in the FNP THERP calculations. It appears that, typical of the Westinghouse application of THERP, the diagnosis portion of the operator response, when it was considered, was treated as an error of omission and/or commission in carrying out a step-by-step procedure, rather than a part of a dynamic response influenced by time. The predominant use of the relative timing values appears to have been determination of whether sufficient "slack time" exists to take credit for recovery actions. In the sample calculations provided by the licensee, the time available for the operator to accomplish a particular action (a particular step in the overall action) and the expected time required was listed. In fact, in some cases, the two time values were essentially equal (e.g., approximately 20 minutes available and 20 minutes required). However, since these actions/steps were treated as errors of omission and/or commission in a step-by-step procedure, timing considerations had no direct influence on the estimated HEP. (Although it is not stated directly in the submittal or the licensee's response to the NRC RAI, it is possible that there may have been some indirect influence of timing on the estimated HEP; for example, a higher stress level may have been assumed by the analysts for cases in which the expected time did not significantly exceed the time available.)

2.3.4.2 Consideration of Plant-Specific Factors for Post-Initiator Human Events. The performance shaping factors considered in the quantification of human error and the approach to evaluation of performance shaping factors were somewhat different for the two HRA methodologies employed.

2.3.4.2.1 Performance Shaping Factors in the SLIM Analysis. The SLIM assessment considered seven performance shaping factors:

(1) Complexity of the Operator Action
(2) Time Factors (discussed above)
(3) Crew's Level of Knowledge, Training, and Experience
(4) Adequacy of Guidance Materials
(5) Characteristics of the Interface Relevant to This Task
(6) Previous, Subsequent, and Concurrent Actions
(7) Stress

Three operator crews were used as evaluators at different times during the HRA development. Two crews consisted of a supervisor (who was also a licensed SRO), a shift technical adviser (STA), and two licensed operators. The third crew consisted of a supervisor and two operators. The submittal states that additional data were collected from the FNP Training Department and from corporate Nuclear Engineering and Licensing personnel, who held current SRO licenses; but, it does not indicate how this "additional data" was incorporated into the SLIM analysis.

The development of human error probabilities (HEPs) appropriately follows the SLIM process. Each operator action to be quantified was analyzed, and a written summary describing the action and the initiating event context was prepared. The submittal provided a list of the information contained in those summaries. Based on the abbreviated description of the process provided in the submittal, and on supplemental information provided in response to an NRC RAI, it appears that the SLIM process was appropriately implemented. Examples of results of the subjective process provided by the licensee indicate that the process resulted not only in quantification of the errors presented to the evaluation teams, but in some cases resulted in revised assumptions and improvements in the IPE modeling. For example, based on findings during the expert evaluation session, it was determined that the time available for assumed actions to provide main feedwater as a backup to auxiliary feedwater was insufficient, and credit for this action was removed from the IPE model.

2.3.4.2.2 Performance Shaping Factors in the THERP Analysis. Regarding the application of performance shaping factors in the implementation of THERP, the submittal states only that, "PSFs were also used to modify the nominal HEP." No other information is presented. PSFs applied are not identified, and no discussion of plant-specific evaluation of PSFs is included.

Additional information provided by the licensee in response to an NRC RAI indicates that the PSFs addressed in the SLIM evaluation were, at least indirectly, applied in the THERP analysis. Obviously, the judgments on those PSFs were made by the THERP analyst, not by evaluation by the "expert" teams as in the SLIM process. Four of the SLIM "categories" of PSFs were applied directly in the THERP quantification:

(1) Stress
(2) Timing
(3) Characteristics of the interface
(4) Adequacy of guidance materials

The other three of the seven PSFs listed above for SLIM are said to be incorporated indirectly in the THERP analysis. For example, item (3) in the SLIM list, "Crew's Level of Knowledge, Training, Experience," is said to have been considered in the analysts' judgment on the level of stress. Item 1, "Complexity of the Operator Action," and item 6, "Previous, Subsequent, and Concurrent Actions," were incorporated into the assessment of dependencies (discussed in Section 2.3.4.3 below).

The treatment of stress consisted of multiplying the (nominal) HEP value from the selected THERP table by a factor of 1, 2 or 5, corresponding to the analysts' judgment of stress as low, moderate, or high. These factors are consistent with THERP guidance for "step-by-step" actions, which are defined in THERP as "Routine, procedurally guided [actions], such as carrying out written calibration procedures." Dynamic actions, per the THERP definition, require a higher degree of man-machine interaction, such as decision-making, keeping track of several functions, controlling several functions, or any combination of these. Response to abnormal events often involves dynamic tasks. THERP guidance for assessing impacts of stress in dynamic actions can lead to a higher HEP. One of the issues identified with the Westinghouse implementation of THERP is that essentially all actions are assumed to be step-by-step actions, including post-initiator actions. The assumptions made regarding the impact of stress in the FNP analysis may therefore be optimistic, at least in comparison to THERP guidance.

Timing

The treatment of timing was discussed previously. Apparently, the only impact of timing was the judgment as to whether or not credit for human error recovery was appropriate. The Westinghouse application of THERP employs the concept of "slack-time", i.e., the difference between the time available and the time required. A multiplying factor (< 1.0) is applied to reduce the nominal HEP value if the slack time exceeds some minimum, say 5 minutes. Typically, the reduction is greater for greater slack time. The underlying rationale for using this model is that additional slack time increases the probability for "unproceduralized checking" and correction of human error by other crew members, supervision, technical support center staff, etc. Issues with the use of this model have been identified in previous IPE reviews, including the fact that the underlying data sources (tables) from the THERP Handbook (Ref. 3) are intended to be used for pre-initiator human actions only, not for actions in response to an accident. The sample calculations provided by the licensee in response to the NRC RAI do not happen to show a case in which the slack-time model was applied; but the HRA summary sheets list the slack-time model as one of the options.

Interface Characteristics

The licensee's discussion of the evaluation of the human interface provided in the response to the NRC RAI consists of the following:

"Credit for this PSF in the THERP evaluation considers the clarity of equipment controls and control room layout, and, of equal importance, the operating philosophy with the use of symptom-based procedures. Based on engineering judgment, the nominal HEPs for errors of commission are multiplied by 0.1, if the criteria for this PSF are satisfied. The errors of commission, referred to in this context, are errors of selecting wrong controls or mis-reading plant parameters."

This statement suggests that there were "criteria" applied to evaluate the interface for each action, and the multiplying factor of 0.1 was applied only if those criteria were met. In previous IPEs using the Westinghouse THERP approach, one of the issues identified was that this credit was applied in a "blanket" fashion to essentially all errors of commission and was not justified by a case-specific assessment. From the limited information provided by the licensee, it is not possible to judge the degree and rigor of the assessment of the human interface. From the example calculations presented, it appears that the 0.1 credit was taken for essentially all errors of commission. On the other hand, the licensee does state in its response to the NRC RAI that, "Reviews of each action modeled using THERP were performed by IPE analysts familiar with the event sequences and success criteria, and generally familiar (through plant and control room walkthroughs) with the operator interfaces. Reviews were also performed by SNC personnel with experience in FNP operations. These reviews helped to provide a high degree of confidence that the actions as modeled, and the PSFs evaluated for those actions, accurately reflect FNP." Based on these general statements from the licensee, it appears that a reasonably case-specific evaluation was performed.

Adequacy of Guidance Material

The licensee's response to the NRC RAI states that the nominal HEPs were multiplied by a factor of 2 for any critical step in the FNP procedures that was judged by the IPE/HRA analysts as inadequate to define the actions necessary, or confusing to the operating crew. This is one of the "standard" multiplying factors in the Westinghouse THERP guidance.

Other PSFs Considered in the THERP Analysis

Based on the review of the sample calculations provided by the licensee, it appears that three other PSFs that are part of the Westinghouse THERP were applied in the FNP analysis, but were not discussed in the submittal or the licensee's response. The first is a multiplier of 0.1 on diagnostic actions. The rationale provided in the model description for this multiplier is as follows: "Due to the assumed operating crew experience, it is believed that failure to diagnose the event by not responding to the appropriate alarm(s) is less than nominal." From review of the limited number of sample calculations provided by the licensee, it appears that this multiplying factor was applied to all actions modeled as diagnostic actions. The second PSF applied but not discussed is observed in the sample calculation provided by the licensee for operator action to isolate RCP seal return line. A multiplying factor of 0.1 is applied for unproceduralized checking by 2 people. It has been noted in previous reviews of the Westinghouse THERP methodology that the rationale for this factor is incorrectly based on a THERP table that is intended to apply to pre-initiator actions only. The third PSF applied is a multiplier of 0.1 applied to all errors of commission. The rationale for this multiplier is that, "Errors of commission are believed to be less than nominal due to operator experience and proper labeling." From the review of the sample calculations provided by the licensee, this factor appears to have been applied to every error of commission, without case-by-case assessment.

Limitations of the THERP Analysis. As discussed above, the THERP analysis for the FNP HRA is subject to limitations inherent to the Westinghouse implementation of THERP, which have been noted in reviews of previous IPEs using this methodology. These limitations include:

1) A very restricted, and generally optimistic treatment of diagnostic error. An underlying assumption of the Westinghouse methodology is that because of good training, experienced crews, and the use of symptom-based procedures, there is very little "cognitive" demand on the operators, i.e., very little diagnosis to perform, and the error probability is low. Diagnosis is not treated at all for some actions. When a diagnostic action is included, the quantification treats the diagnostic action as an error of omission/commission in execution of a procedure and does not employ the THERP time-dependent diagnostic model or similar models that are typically used in other HRA techniques. In addition, the nominal HEPs from THERP tables are reduced by a factor of ten, typically without case-by-case assessment due to the "assumed operating crew experience." These assumptions and the treatment of diagnosis actions are generally more optimistic than most other HRA techniques and are not supported by in-depth assessment by the licensee.

2) A generally "mechanistic" approach to quantifying human error, without in-depth, plant-specific assessment. In previous IPEs, it has been noted that the multiplying factors associated with the Westinghouse THERP treatment of PSFs have been applied in a somewhat mechanistic fashion, "across the board", without case-by-case plant-specific evaluation. As discussed above, it does appear that for FNP there was some case-by-case evaluation of PSFs, while in other cases (e.g., multiplying all diagnostic errors by 0.1 and all errors of commission by 0.1) the factors were applied without significant assessment.

3) Misapplication of THERP tables/guidance. The Westinghouse methodology has embedded several misapplications of tables and guidance provided in the THERP Handbook. One example, which was included in the FNP analysis and was discussed briefly above, is the application of basic (nominal) error probabilities intended for pre-initiator actions to post-initiator actions. Another example is the "blanket" application of stress factors for step-by-step actions rather than for dynamic actions. These assumptions are generally consistent with the licensee's underlying rationale that symptom-based procedures and improved training have essentially reduced operator action in response to an accident to simply following step-by-step procedures. In our view, this is an optimistic view of operator response. It is not supported by licensee analysis and is not generally accepted by the HRA community.

4) Use of fault trees for human error modeling. The Westinghouse THERP methodology uses fault tree representations to model human error. Since fault trees do not represent time-dependent behavior, it is difficult to model the dynamic nature of human performance; and, it is difficult to model in fault trees the sequence-specific impacts of the scenario on human performance and vice versa. It also is more difficult to identify and account for dependencies among multiple human actions. As discussed in Section 2.3.4.3 below, the licensee attempted to address the issues of sequence-specific dependencies and dependencies among multiple human actions. Dependencies among top-level actions in event trees, dependencies between operator actions on multiple components, and dependencies of recovery actions on sequence-specific (actually cutset-specific) conditions are addressed. There still remains the potential for inappropriate compounding of HEPs modeled in fault trees, but it is not possible to identify the significance of this potential problem from the document-only review.

2.3.4.3 Consideration of Dependencies for Post-Initiator Human Events. The submittal describes a separate dependency evaluation that was performed to assess the conditional failure probability between operator actions in the same accident sequence. This discussion appears to apply only to those operator actions quantified using SLIM and appearing as top events in the PRTs. Thus it addresses dependency between multiple operator actions in an accident sequence, but not dependency among subtasks for a given operator action. The subjective evaluation process used in SLIM, which addresses each action in context, inherently tends to aid consideration of dependencies among subtasks and of event-specific influences on a given operator action.

The dependency evaluation for top-level human actions that were evaluated by SLIM and were modeled in the PRTs considered the stress level of the preceding event on which the subsequent task depends. The stress level was determined from the information gathered to support the SLIM evaluation. The submittal states that the dependency evaluation also considered the time window, amount of slack time (difference between time available and expected performance time), task complexity, and type of procedural guidance. The submittal states that each factor considered, "Had a YES or NO response," indicating that a simple decision tree was used to assess the level of dependency. However, no specific information is given on the questions in the decision tree, the names or meanings of the levels of dependency, or the means for quantifying the impact of the various levels of dependency.

In response to an NRC RAI, the licensee provided a thorough summary of the treatment of dependencies in post-initiator human actions, including copies of the decision tree used to assign the level of dependency between multiple top-level actions and an explanation of the terms used. Actually, three different decision trees were used, one for low, moderate, and high stress, respectively, associated with the preceding task. For example, a subsequent task with time window ≤ 15 minutes, a slack time ≥ 5 minutes, that is rated simple (vs. complex) and with procedural guidance rated clearly defined (vs. not clearly defined) would be rated as highly dependent if the preceding task were performed under high stress, but would be rated moderately dependent if the preceding task were performed under moderate or low stress.

The licensee's response also verified/clarified that the numerical values applied to the dependent HEP were consistent with the values and guidance in Chapter 10 of the THERP Handbook. For an unconditional failure probability N, the adjusted dependent value was:

Dependency Level    N ≤ 1.0E-02    N > 1.0E-02
Low                 0.05           (1+19N)/20
Medium              0.15           (1+6N)/7
High                0.50           (1+N)/2

The licensee's response provided additional information on the evaluation of "within person" dependencies in manipulating two or more of the same type of component:

a) Failure to operate 2 of 2 controls was modeled with an assumed moderate dependency on the second action; the conditional error probability was calculated as BHEP x 0.15, where BHEP is the basic human error probability for the first action.

b) Failure to operate 3 of 3 controls is modeled with low dependency of the second action and moderate dependency of the third action: BHEP x 0.05 x 0.15.

c) Failure to operate N of N controls (N ≥ 4) is modeled with low dependency for the second action, moderate dependency for the third action, and high dependency for the fourth and all subsequent actions; BHEP x 0.05 x 0.15 x 0.5 x ... x 0.5.

d) Failure to operate M of N controls (where 2 ≤ M < N) is modeled by applying the appropriate dependency level as above for the value of M and the binomial coefficient of "M out of N"; for example, failure to operate 2 of 4 controls is estimated as BHEP x 0.15 x 6.
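The dependency table and the "within person" rules a) through d) above, worked through as an added example (not code from the submittal or the licensee's model). The function names and the sample BHEP of 1.0E-03 are assumptions chosen for illustration; the last comparison shows how far a joint HEP moves when dependency is ignored.

```python
"""Dependent-HEP arithmetic as summarized in the review text above.

Added illustration only: function names and the sample BHEP are assumptions,
not taken from the submittal or the licensee's model.
"""
from math import comb, prod

THRESHOLD = 1.0e-2  # boundary between the two columns of the dependency table

# Column "N <= 1.0E-02": fixed conditional values.
FIXED = {"low": 0.05, "medium": 0.15, "high": 0.50}
# Column "N > 1.0E-02": conditional value as a function of N.
FORMULA = {
    "low": lambda n: (1 + 19 * n) / 20,
    "medium": lambda n: (1 + 6 * n) / 7,
    "high": lambda n: (1 + n) / 2,
}


def conditional_hep(level, n):
    """Adjusted (dependent) HEP for an action whose unconditional HEP is n."""
    if level not in FIXED:
        raise ValueError(f"unknown dependency level: {level!r}")
    if not 0.0 <= n <= 1.0:
        raise ValueError("n must be a probability in [0, 1]")
    return FIXED[level] if n <= THRESHOLD else FORMULA[level](n)


def joint_hep(first, second, level):
    """P(both actions fail) when the second depends on the first at `level`."""
    return first * conditional_hep(level, second)


def dependency_factors(m):
    """Multipliers for the 2nd..m-th action on identical controls (rules a-c)."""
    if m < 2:
        raise ValueError("rules apply to two or more controls")
    if m == 2:
        return [0.15]                      # a) moderate on the second action
    # b), c) low on 2nd, moderate on 3rd, high on 4th and all later actions
    return [0.05, 0.15] + [0.5] * (m - 3)


def fail_m_of_n(bhep, m, n=None):
    """Failure to operate m of n like controls (rule d; n defaults to m)."""
    n = m if n is None else n
    if not 2 <= m <= n:
        raise ValueError("need 2 <= m <= n")
    return bhep * prod(dependency_factors(m)) * comb(n, m)


if __name__ == "__main__":
    bhep = 1.0e-3  # constructed sample value, not from the submittal
    for m, n in [(2, 2), (3, 3), (5, 5), (2, 4)]:
        print(f"fail {m} of {n}: {fail_m_of_n(bhep, m, n):.3e}")
    # Two top-level actions, each with unconditional HEP 1.0E-03:
    print(f"independent product : {bhep * bhep:.1e}")
    print(f"high dependency     : {joint_hep(bhep, bhep, 'high'):.1e}")
```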

Other comments clarifying the treatment of dependencies were made as part of the licensee's response to several different questions from NRC:

1) In the assessment of recovery actions, some recovery actions were assigned by the analysts an HEP consistent with the THERP values for moderate or high dependency (HEP = 0.15 or 0.50, instead of a calculated HEP) because the top event with which the recovery action is associated follows other failed events in the event sequence.

2) The review of procedures to select the operator actions to be included in the model included consideration of dependency, in that individual steps, or subtasks, were evaluated and in most cases a subtask that is a recovery action for a previous step, or is redundant with a previous step, was assumed to be completely dependent on the previous step and was not modeled. The licensee noted that this was particularly true in evaluating omission errors considering the two-column format of the emergency procedures. If a step in the primary path (one column) were omitted, then credit would not be taken for a recovery action in the alternate path (the other column), since that action too would most likely be missed. Similarly, some operator actions that verify component status or system parameters were omitted because they were judged to be completely dependent on the previous step. In selected cases, it was determined that redundant actions were dependent, but dependency was less than complete, and the THERP dependency model was applied.

3) In some cases, more than one recovery action was modeled in a single sequence, but the licensee's response indicates that consideration was given to dependency among the recovery actions. In some cases, a higher failure probability was assigned to the subsequent recovery action; in other cases it was determined that the dependency was not significant, and the value was not modified. No details of this assessment process were provided.

A different concept related to dependency is the fact that human behavior is highly context-dependent. Thus operator actions that are essentially the same but occur in different accident sequences may have significantly different error probabilities. It was noted in Section 2.3.1 above, but not discussed, that some of the post-initiator human errors were incorporated into event trees, and some were incorporated into fault trees. From the limited information in the submittal, it appeared that this included both recovery actions and response-type actions. It was also noted in Section 2.3.1, that the SLIM process inherently tends to account for sequence-specific impacts because each action is evaluated in the context of the scenario in which it occurs. However, recovery actions, in general, were evaluated using THERP, rather than the SLIM process; further, recovery actions typically are cutset-specific and are best treated at the cutset level rather than in event trees or fault trees.

The licensee's response to an NRC RAI included an expanded discussion of the analysis of ORX1, which is one of the important recovery actions (including human action and equipment failure) treated as a top-level event in the PRTs. In the discussion, the licensee confirms that multiple values for ORX1 were obtained and that initiating event and sequence specificity were accounted for through the event tree quantification rules, which define the particular value to be used depending on the available support conditions and the initiating event. Subsequent discussion indicates that the recovery actions are evaluated at the cutset level:

"The ORX1 values are quantified based on review of cutsets in the fault trees for the various CCW and SW cases. Those cutsets for which recovery action is identified are multiplied by the appropriate recovery failure probabilities. The ratio of the new (recovered) unavailability to the old (non-recovered) unavailability is used in ORX1 as the non-recovery fraction."

Based on these limited comments from the licensee for the example calculation, it appears that HEPs for individual actions associated with the top-level event in the PRT were calculated from THERP and added to specific cutsets deemed appropriate by the analyst, not at the sequence level. The overall recovery probability for the top-level event was calculated based on the overall impact of the recovery actions on specific cutsets. The evaluation of the top-level event, in this case ORX1, may be performed for different combinations of initiating events and/or support system availability, and the selection of the appropriate value is controlled by the event-tree quantification rules. In summary, it appears that the issue of context-specific dependencies was considered by the licensee for both response-type actions treated using the SLIM analysis and for recovery-type actions treated using THERP.

2.4 Vulnerabilities, Insights and Enhancements

2.4.1 Vulnerabilities.

The licensee employed the guidance from NUMARC 91-04 to group accident sequences according to initiating event and results and to screen results for plant-specific vulnerabilities. The following two screening criteria were employed:

1) Any functional core damage sequence that contributes greater than 1.0E-04, or greater than 50 percent of core damage frequency per reactor year.
2) The dominant core damage sequences resulting in containment bypass that contribute, when summed together as a group, greater than 1.0E-05, or greater than 20 percent of core damage frequency per reactor year.

No vulnerabilities were identified using these screening criteria. Following the NUMARC guidance, additional screening criteria were applied to identify whether additional enhancements (beyond those already credited in the IPE) were warranted. No additional enhancements were deemed necessary. The submittal provides a summary discussion of the rationale employed to conduct this additional screening for potential enhancements per the NUMARC criteria. The human performance enhancements that were already identified during the course of the IPE, and credited in the IPE models, are discussed in Section 2.4.3 below.

2.4.2 Insights Related to Human Performance.

Results and licensee insights from the IPE are identified in Section 3.4 of the submittal for the front-end analysis, and Section 4.4 through 4.7 for the back-end analysis. Plant improvements and unique safety features are discussed in Section 6. There is no direct discussion of post-core-melt human actions in the back-end analysis, and essentially no indication that human error was considered, or that credit was taken for operator recovery actions, beyond those actions identified and quantified in the front-end analysis. The submittal tabulates core damage frequency (CDF) contributions by initiating event (Table 3.4-1) and by plant damage state (Table 3.4-3). It also lists (Table 3.4-4) the 100 highest-frequency systemic sequences that lead to core damage. The information in Table 3.4-4 includes a succinct listing of the events (equipment failures, operator errors, or combination of both) in the event trees for each sequence and the quantitative value used in the event tree. For the most important sequences (those contributing more than 1% to total CDF), it also provides a brief narrative summary of the sequence which is useful, since narrative descriptions are not provided in Section 3.1 on Accident Sequence Delineation. Plant response trees are provided in the submittal. Importance calculations were performed, and those events contributing more than 1% to total CDF are listed (Table 3.4-5) in order of their contribution.

The total core damage frequency estimate for FNP is 1.3E-4/year. Five initiating events contribute 60 percent of the total CDF:

1) Loss of service water Train A causing loss of component cooling water cooling (22.4%)
2) Small LOCA (13.34%)
3) Loss of 4160V Bus F (9.83%)
4) Loss of offsite power - dual unit (7.80%)
5) Loss of offsite power - single unit (7.25%)

Initiating events were grouped into general categories. These categories and the contribution to core damage frequency are listed in Table 2.4-1. The category of "Special" events includes loss of service water and loss of component cooling water events and loss of the 4160V AC emergency bus that powers the CCW train providing reactor coolant pump and charging pump cooling. These events result in seal LOCAs, which is the major damage-state contributor to CDF. The "Transient" category includes loss of heat sink (LOHS) events, which is the second highest contributing damage state. LOHS events involve loss of all secondary side cooling with subsequent failure of bleed and feed, primarily following transients and special initiators, but also following loss-of-offsite power events that do not progress to station blackout. The contributions from categories of core damage states is summarized in Table 2.4-2.

2.4.2.1 Importance of Human Error In Dominant Accident Sequences. Table 3.4-5 of the submittal identifies the top events that are the key contributors to core damage frequency. Operator actions, either modeled as top events or a major contributor to the top event, are clearly identified as important contributors to CDF. Table 2.4-3a below shows top events from the submittal listing that are operator actions or appear to have a major contribution from an operator action. The table lists the human error probability and the % contribution of the top event to CDF. Operator failure to recover service water and/or component cooling water within 20 minutes (modeled in ORX1), and operator failure to quickly trip reactor coolant pumps upon loss of the on-service CCW train (ORC) are important contributors to seal LOCA, the dominant contributor to CDF.

Table 2.4-1 Contributions to FNP CDF from Initiating Event Categories

| EVENT CATEGORY | FREQUENCY | PERCENT CDF |
|---|---|---|
| Special | 6.07E-05 | 46.6 |
| LOSP - Dual unit and single unit | 1.96E-05 | 15.1 |
| Small LOCA | 1.74E-05 | 13.3 |
| Transient | 1.38E-05 | 10.6 |
| Flood | 1.17E-05 | 9.0 |
| Large LOCA | 3.76E-06 | 2.9 |
| Medium LOCA | 2.67E-06 | 2.1 |
| Steam Generator Tube Rupture | 2.66E-07 | 0.2 |
| Interfacing System LOCA | 1.81E-07 | 0.1 |
| Reactor Vessel Rupture | 1.00E-07 | 0.1 |

Table 2.4-2 FNP CDF Contributions by Core Damage Category

| CORE DAMAGE CATEGORY | FREQUENCY | PERCENT CDF |
|---|---|---|
| Seal LOCA | 6.13E-05 | 47.1 |
| Loss of Heat Sink | 3.19E-05 | 24.5 |
| Small LOCA | 1.74E-05 | 13.4 |
| Station Blackout | 1.22E-05 | 9.4 |
| Large LOCA | 3.76E-06 | 2.9 |
| Medium LOCA | 2.67E-06 | 2.1 |
| Steam Generator Tube Rupture | 2.66E-07 | 0.2 |
| Interfacing System LOCA | 1.81E-07 | 0.1 |
| Reactor Vessel Rupture | 1.00E-07 | 0.1 |
| Anticipated Transient Without Trip | 7.33E-08 | 0.06 |
| Others | 1.77E-07 | 0.1 |

Table 2.4-3a Important Human Error Contributions to Core Damage Frequency (Top Events)

| Top Event Name | Description | HEP | % CDF |
|---|---|---|---|
| ACB | 4160V AC Buses F&G - Load breakers fail and operator fails to align diesels, diesels unavail and aux relay fails | N/A | 26.56 |
| CCW | Operator fails to start CCW pump A on Train B, CCW pumps fail to run and fail to start, loss of service water which causes loss of CCW | N/A | 25.75 |
| AFW | Failure of steam generator low-low-level signal, failure of operator to manually start AFW pumps, and failure of system check valves | N/A | 22.56 |
| ORX1 | Recovery of SW/CCW - Failure to restore service water and/or component cooling water within 20 minutes | Multiple Actions | 19.39 |
| ORC | Operator failure to trip the reactor coolant pumps upon loss of on-service component cooling water train | 2.25E-02 | 11.27 |
| OAF | Operator failure to estab. steam generator feed (main feedwater flow or condensate flow) to 2 of 3 steam generators | 5.16E-01 | 10.46 |
| OAB | Failure to establish bleed and feed - operator fails to open one pressurizer PORV and init. high-head safety injection | 7.05E-02 | 9.64 |
| OAS | Failure to establish containment spray recirculation - operator fails to align the containment spray pumps to the containment sumps | 1.94E-04 | 7.42 |
| OMH | Operator failure to align the miscellaneous CCW header to the CCW Train B pump | 1.28E-02 | 7.28 |
| OHS | Operator failure to start and align the standby charging pump to normal charging Train B upon failure of CCW and the Train B charging pump | 2.17E-01 | 6.88 |
| FWTR | Diesel-driven fire protection water pump to charging pump lube oil cooler - operator failure to establish fire protection water flow to a charging pump lube oil cooler | N/A | 6.00 |
| OAC | Operator failure to cool down and depressurize the RCS using both primary side and secondary side equipment | 7.16E-03 | 3.47 |
| OAR | Operator failure to establish low-head or high-head recirc. | (a) | 3.35 |
| OHB | Operator failure to start Train B charging pump upon failure of on-service train of CCW | 8.92E-03 | 2.62 |
| AN2 | Air/Nitrogen Backup for PORVs - operator failure to align nitrogen to the PORVs | N/A | 2.10 |
| OAT | Operator failure to terminate SI and estab. normal chging. | 2.60E-04 | 1.49 |
| OAP | Operator failure to depressurize the RCS using PORVs | 4.86E-03 | 1.20 |

(a) Multiple HEP values; not clear which are applicable.

I i  ;

In response to an NRC RAI, the licensee also identified the most important operator actions modeled in fault trees. Those with a contribution to CDF of 1% or greater are listed in Table 2.4-3b.

2.4.2.2 Sensitivity Studies on Human Error. NUREG-1335, paragraph 2.1.6.6 item 1 requests that the licensee identify and discuss (including information on the timing and complexity of postulated human actions) any sequence that drops below the core damage frequency criteria because the frequency has been reduced by more than an order of magnitude by credit taken for human recovery actions. In response to this request, the licensee conducted a sensitivity study by increasing the HEP for any human action that contributed 1 percent or more to the baseline estimate of CDF. Fourteen HEPs were modified for the sensitivity study. All initiating events were requantified using the increased HEP values.

The submittal identifies (Table 3.4.1-3) each error probability that was modified, the baseline value, and the value used for the sensitivity study. Typically, the baseline value was multiplied by a factor of ten. If the HEP was estimated on the basis of dependency estimates, the dependency level was increased to "High"; thus the HEP value was raised from 0.05 or 0.15 to 0.50. If the baseline HEP was greater than 0.1, the HEP was raised to 1.0. In cases for which the overall probability included both operator error and equipment failure, the increase in the overall failure probability was less than a factor of 10. (In one case, the value is listed as slightly greater than a factor of 10 higher, though the reason is not given in the submittal; in another case, ORX1, the combined human-equipment failure probability is multiplied by a factor of 10, and the licensee cites this as a "conservative" estimate because increasing the HEP by a factor of 10 should increase the overall failure probability by less than a factor of 10.) The submittal also provides a summary tabulation of the top 50 core damage sequences for the sensitivity case. The overall core damage frequency increased from 1.3E-4 to 2.1E-3, a factor of 16. The risk profile was affected as well. Twenty nine of the top fifty sequences were in the list of top 100 sequences from the baseline case; twenty one were not in the original list. The submittal notes that each of the latter twenty one sequences contained more than one human action, and that the effect of the sensitivity is therefore magnified. Overall, the CDF is still dominated by RCP seal LOCAs.

Table 2.4-3b Important Human Error Contributions to Core Damage Frequency (Human Actions Modeled in Fault Trees)

| HEP Designator | Top Event | Description | HEP | % CDF |
|---|---|---|---|---|
| 1AF-FTSMANUALHAL | AFW | Failure of operator action to manually start AFW pumps from hot shutdown panel following cable spreading room flooding | 4.97E-02 | 4.61 |
| IDGOPOPERDG2CHDE | ACB | Align loads onto DG 2C, given sequencer failure | 9.98E-02 (a) | 4.15 |
| IDGOPOPERDGICHDE | ACB | Align loads onto DG 1C, given sequencer failure | 9.98E-02 | 4.00 |
| 1ACCPMA HAL | CCW / ORX1 | Operator fails to start CCW pump A on train B | 1.43E-02 | 3.77 |
| 1CCXVQV310C-GAL | HHI | Post-maintenance mispositioning of charging pump C lube oil cooler valve 310C | 6.15E-03 | 2.38 |
| IDGOPDUALUNITHDE | ACB | Operator fails to restart DG and align loads manually | 1.50E-01 | 1.08 |
| IDGOPALIGNDICHDE | ACB | Operator fails to remotely start DG 1C and sequence loads | 8.27E-03 | 1.00 |

(a) The action for DG 2C does not appear in tables provided in the submittal or in the licensee's response to the NRC RAI; it is assumed that the top event and HEP are the same as for DG 1C.

The submittal discussed the significant dependence of CDF on RCP seal LOCA contribution and the importance of operator action in seal LOCA sequences. A separate sensitivity study was done pertaining to seal LOCA sequences. Four top events - OMH, ORC, ORX1, and FWTR - are important to preventing a seal LOCA. (Refer back to Table 2.4-3 for a description.) When the values for those probabilities are set to the baseline value, with all other operator actions at the increased value, the estimated CDF is 7.1E-04, a factor of about 5 increase over the baseline case, instead of 16. Thus much of the sensitivity to human error is related to the seal LOCA actions. In this second sensitivity study, the dominant operator actions are those associated with establishing long-term cooling - starting AFW, establishing bleed and feed, and establishing ECCS recirculation. This indicates that these latter actions are important, but the dominant actions are those related to the RCP seal LOCA.

Further evidence of this conclusion was provided by a third sensitivity study in which the long-term cooling actions - OAR, OAB, AFW - were set at the nominal values, while all other HEPs were set at the increased values. The resulting CDF estimate was 1.7E-3, only about 20% less than the estimate of 2.1E-3 for the first sensitivity case with "all" HEPs increased. Enhancements to procedures for the operator actions related to seal LOCA were credited in the IPE. These are some of the key enhancements discussed in Section 6 of the submittal, which are summarized in Section 2.4.3 below.

2.4.3 Human-Performance-Related Enhancements.

A number of plant enhancements, primarily procedures improvements, that have the potential to reduce severe accident vulnerability were identified during the course of the IPE. Specific enhancements that were credited in the IPE quantification, and that have been implemented at the plant, are summarized in Section 6 of the submittal. As noted in Section 2.4.2 above, operator actions related to RCP seal LOCA are important to CDF estimates. Procedures enhancements related to those actions are some of the primary improvements identified from the IPE. These procedures improvements are discussed below, along with procedures enhancements related to ECCS switchover to recirculation and single-unit loss-of-offsite power sequences.

2.4.3.1 Reactor Coolant Pump Seal LOCA. Reactor coolant pump seal cooling is provided by either: a) seal cooling via component cooling water to the RCP thermal barrier heat exchanger, or b) seal injection flow from the charging pumps. Failure to recover one of these sources for a prolonged period of time is expected to cause a seal failure and LOCA. Loss of the on-service train of CCW results in a loss of seal cooling almost immediately. It also results in a loss of cooling to the running charging pump, which will cause charging pump failure and loss of seal injection flow in approximately 20 minutes. If an alternate source of cooling can be established to the charging pump oil coolers, seal injection flow can be maintained and a seal LOCA avoided. Procedures enhancements were made and pre-staged equipment was implemented in the plant to better address loss of RCP seal cooling events. A sensitivity study indicated that the estimated CDF is significantly reduced (from 7E-4 to 1.3E-4) by credit taken for the enhancements associated with two of these operator actions:

Isolate RCP Seal Return Line Following Loss of CCW

If cooling from the on-service CCW train fails but the standby train is available, the operators can establish seal cooling by manually starting the standby CCW train and manually aligning the miscellaneous CCW header (which provides RCP thermal barrier heat exchanger cooling) to that train. This action was estimated to require at least 20 minutes, which was judged too long to ensure RCP seal integrity without injection. However, RCP seal injection can be maintained for a prolonged period by starting the standby charging train and aligning charging pump suction to the RWST to maintain a cool water source; this requires operation of the normally running charging pump without cooling for a short period while the alignment is made. Changes were made to the Abnormal Operating Procedure (AOP) for Loss of CCW. Instructions were added that direct operators to perform one of several sequences of steps, depending on available equipment, to maintain RCP seal cooling. Steps include aligning charging pump suction to the RWST and isolating RCP seal return flow to minimize heatup of the injection flow due to the addition of pump heat in the charging pump miniflow line.

The IPE assumed that these actions had to be completed within twenty minutes, and that failures of actions outside of the control room are not recoverable.

The estimated HEP (modeled in top event OMH) without the enhancement was estimated to be 1.0 (assumed failure), due to insufficient time. The HEP with the enhancement (OMH-B) is estimated to be 1.28E-2, using THERP. The licensee's response to an NRC RAI provided more detailed information on the HRA. The calculation is subject to the limitations of the Westinghouse implementation of THERP, in particular, the limited and probably optimistic treatment of diagnosis which was discussed previously. The basic approach to diagnostic action is to use the THERP annunciator model and treat failure to diagnose as failure to respond to 1 of N alarms with one or more (in this case three) annunciators alarming. The nominal THERP value is "arbitrarily" multiplied by 0.1 to take credit for crew experience. In addition, recovery credit is applied for "special short-term, one-of-a-kind checking with alerting factors," which is intended for pre-initiator errors only.

In response to an NRC RAI, the licensee provided an estimate of the impact of this enhancement on CDF by performing a sensitivity study in which the HEP was set to 1.0. The calculated CDF was 5.25E-04, compared to the base case value of 1.30E-04. Thus, this enhancement reduced the estimated CDF by a factor of approximately 4.

Establish Cooling to the Charging Pump Oil Coolers Using the Fire Protection Water System

To provide an alternate source in the event of failure of both trains of CCW, steps were added to the Loss of CCW AOP to direct operators to align the Fire Protection Water System to the charging pump oil coolers if no other cooling source can be aligned and no cooling is available for the charging pumps. The key steps include: (1) aligning charging pump suction to the RWST to maintain a cold water source, (2) isolating RCP seal return flow, since the normal Chemical Volume and Control System (CVCS) supply to the charging pumps would begin to heat up on loss of CCW, and (3) establishing the fire protection water supply and a drain to the charging pump oil coolers using hoses. Equipment necessary to connect the fire protection water to the charging pump has been assembled and pre-staged. The IPE assumes that the manual actions must be completed in 20 minutes, and that failures of actions outside the control room are not recoverable.

The operator action associated with this enhancement is RCP-SEAL. It is modeled in top event FWTR. The top event is dominated by the operator action. The licensee's response to an NRC RAI included more detailed information on the calculation of this HEP. The calculated value is 3.6E-02. The same assumptions noted above regarding diagnosis were applied. As part of the licensee's response to an NRC RAI, the licensee reported a sensitivity case in which the top event FWTR was set to 1.0. The calculated CDF was 3.00E-04. This enhancement, therefore, reduced the CDF by a factor of more than 2.

Additional enhancements related to the seal LOCA included the following:

Alignment of Swing CCW Pump Without Electrical Realignment

If the on-service CCW train A fails due to loss of train A water support, and the standby train CCW pump A fails, it is possible to restore CCW cooling to the standby train B charging pump by realigning swing CCW pump B to discharge through the train B CCW heat exchanger. Realignment of the swing CCW pump B from train A to train B normally requires that both the electrical power alignment and the mechanical alignment be changed. The total time required to complete this action was estimated to be at least 20 minutes, which was judged to be too long to ensure RCP seal integrity without injection or thermal barrier cooling. However, if both trains of electrical power are available, it is possible to restore CCW flow to the train B charging pump by allowing the swing pump to be operated with power from train A while it is mechanically aligned to the train B CCW heat exchanger. The CCW AOP was revised to include a caution to inform operators that electrical realignment of the swing CCW pump may be delayed by plant conditions. The key steps to complete the action include aligning the discharge flow from swing CCW pump B to the train B CCW heat exchanger and isolating discharge flow from the CCW pump B to the train A CCW heat exchanger. The IPE assumes these actions must be completed in 30 minutes, and that failures of actions outside the control room are not recoverable. The operator action, OA-CCWB-E, "align CCW pump 1B on train B without electrical realignment," has an estimated HEP of 8.40E-02. It is modeled in top event ORX1.

Plant Stabilization Following a Partial Loss of Service Water

The normal success criteria for service water cooling is two pumps operating on each train. For events that involve a partial loss of service water, RCP seal cooling can be maintained with only one SW pump operating if non-essential loads supplied by SW are isolated. Instructions were added to the Loss of Service Water AOP for reducing the SW system loads to ensure adequate flow to the CCW heat exchangers. There are four key steps that have to be accomplished: isolation of the SW flow to the turbine building; isolation of flow to the standby CCW heat exchanger; isolation of CCW flow to the RHR and spent fuel pool heat exchangers; and throttling flow to the on-service CCW heat exchanger to prevent SW pump runout. The IPE assumes that the operator actions must be completed within 10 minutes, and that failures of operator actions are not recoverable due to the short time available. The human action related to this procedure change is ISWLOSS1 PUMP HOE, "Ensure adequate SW after a partial loss of SW." The HEP, estimated using THERP, is 2.32E-02. It is modeled in the fault trees related to top events ORX1, PLOSSSWA, and LOSSSW.

Alignment of Swing SW Pump C to Train B Without Electrical Realignment

Discussion of this enhancement was inadvertently omitted from the IPE submittal and was provided in the licensee's response to an NRC RAI. It is similar to the alignment of swing CCW pump described above. This action, ISWPICB-LOSP-E, has an estimated HEP of 3.15E-01. It is modeled in top event ORX1.

2.4.3.2 Realignment of ECCS to Cold Leg Recirculation Following Failure of Hot Leg Recirculation. Following a large or medium LOCA, it is necessary to establish Emergency Core Cooling System (ECCS) cold leg recirculation after the Refueling Water Storage Tank (RWST) is depleted. Eleven hours after event initiation, operators are instructed to change the alignment such that the recirculation flow is discharged to the RCS hot legs. If transfer to hot leg circulation cannot be completed, it is likely that flow to the reactor core will be reduced or completely stopped. Therefore, the operator must return the alignment to cold leg recirculation. A modification was made to the procedure for transfer to hot leg recirculation to specifically direct the operator to the separate procedure addressing switching from hot leg to cold leg recirculation. The applicable human action quantified in the HRA is RECIRC, "Realign back to cold leg recirculation." The HEP value, estimated using THERP, is 2.65E-03. The IPE assumes that the actions must be completed within 35 minutes. This HEP was incorporated into fault trees for top event HLR. The specific quantitative effect of this procedure enhancement is not discussed.

2.4.3.3 Verification of Load Shed Prior to Aligning a Backup Diesel to a Bus. A dominant contributor to diesel generator failure is failure of load shed relays resulting in diesel overload. In single-unit LOSP events, the operator can manually align a backup diesel to restore power to the ESF buses if the primary diesel for the bus fails. However, if the primary diesel failure resulted from overload due to failure of the load shed relays, the backup diesel could also be overloaded when it is aligned to the bus. Therefore, the operator must verify that the major electrical loads on the bus have been shed prior to aligning the backup diesel. Revisions were made to the pertinent AOP for Contingency Electrical Alignments and ECP (Emergency Condition Procedure) for Loss of All AC Power to provide instructions for the operator to verify that the breakers for major electrical loads powered from the bus to be restored are open prior to closing the backup diesel output breaker. The IPE assumes that the operator actions must be completed within 30 minutes. The HEP corresponding to this procedure change is 1DGOPOPERDG-1CHDE, which was identified in Table 2.4-3b above. The HEP estimate is 9.98E-02. The action is modeled in the fault trees for top event ACB.

III. CONTRACTOR OBSERVATIONS AND CONCLUSIONS

The intent of the IPE is summarized in four specific objectives for the licensee identified in Generic Letter 88-20 and NUREG-1335:

(1) Develop an appreciation of severe accident behavior.
(2) Understand the most likely severe accident sequences that could occur at its plant.
(3) Gain a more quantitative understanding of the overall probability of core damage and radioactive material releases.
(4) If necessary, reduce the overall probability of core damage and radioactive material release by appropriate modifications to procedures and hardware that would prevent or mitigate severe accidents.

The intent of our document-only review of the licensee's HRA process is to determine whether the process supports the licensee's meeting these specific objectives of GL 88-20 as they relate to human performance issues. That is, whether the HRA process permits the licensee to:

(1) Develop an overall appreciation of human performance in severe accidents; how human actions can impact positively or negatively the course of severe accidents, and what factors influence human performance.
(2) Identify and understand the operator actions important to the most likely accident sequences and the impact of operator action in those sequences; understand how human actions affect or help determine which sequences are important.
(3) Gain a more quantitative understanding of the quantitative impact of human performance on the overall probability of core damage and radioactive material release.
(4) Identify potential vulnerabilities and enhancements, and if necessary/appropriate, implement reasonable human-performance-related enhancements.

1 It is our general conclusion from the review of the submittal and the additional material provided by the licensee in response to NRC requests for additional information that the licensee's HRA process provided the licensee with the ability to meet the objectives of GL 88-20 summarized above. This conclusion is based on the findings and of observations of strengths and limitations of the licensee's approach, including the following:

(1) The submittal and supporting documentation indicate that utility personnel were involved in the HRA, and that the walkdowns and documentation reviews constituted a viable process for confirming that the HRA portions of the IPE represent the as-built, as-operated plant (at least for the post-initiator error evaluation).

(2) The licensee performed an in-house peer review that provides some assurance that the HRA techniques have been correctly applied and that documentation is accurate.

(3) Pre-initiator human actions were considered in the analysis, though the treatment was not as complete and rigorous as has been performed for typical IPE/PRA analysis. In particular, dismissal of calibration errors without significant plant-specific analysis is considered a limitation of the licensee's approach that could have led to overlooking potentially significant contributors to plant risk.

(4) The treatment of post-initiator human actions was reasonably complete and thorough. Both response-type and recovery-type actions were included. The process for identification and selection of actions involved review of procedures and discussions with plant personnel. No numerical screening process was performed. Quantification of post-initiator errors appears to be reasonably complete and appears to have appropriately employed the chosen HRA techniques - SLIM and Westinghouse THERP. Some of the limitations of the Westinghouse THERP process identified in previous IPE reviews are evident in the FNP analysis, most notably (1) the limited and probably optimistic treatment of diagnosis, and (2) the "blanket" application of selected performance shaping factors (reductions) without case-by-case assessment. However, there was a degree of plant-specific, case-by-case evaluation of performance shaping factors and dependencies, which provided the licensee with the opportunity to gain an improved understanding of human performance in severe accident response. With the exception of the treatment of diagnosis, the process overall appears to have permitted the licensee to gain an understanding of the quantitative impact of human performance on core damage and radioactive material release frequencies.

(5) Quantitative results, sensitivity studies and insights reported by the licensee indicate that the HRA provided the licensee with an appreciation for the importance of human error to the estimated core damage and radioactive material release fractions. Human action was noted as an important contributor in the dominant sequences. Credit for human action in the recovery analysis was noted as a significant factor in reducing the estimated core damage frequency.

(6) During the course of the IPE a number of important human actions were identified which had high error probabilities and which contributed significantly to core damage sequences, in particular, recovery actions to limit the potential for seal LOCA. Procedure enhancements were developed and were credited in the IPE modeling to reduce the core damage estimate that otherwise would have been obtained. These actions by the licensee to provide enhancements which reduce the estimated core damage frequency indicate an effective implementation of the IPE process.

(7) The licensee employed a reasonable process to screen for vulnerabilities or necessary enhancements beyond those identified and credited during the course of the IPE.


IV. DATA SUMMARY SHEETS

Important Operator Actions/Errors:

The following is a listing of top-level events, either containing important operator actions, or consisting entirely of operator actions, which contribute 1% or more to the estimated CDF:

| Name | Description | HEP | % CDF Contr. |
|---|---|---|---|
| ACB | 4160V AC Buses F&G - Load breakers fail and operator fails to align diesels, diesels unavail. and aux. relay fails | N/A | 26.56 |
| CCW | Operator fails to start CCW pump A on Train B, CCW pumps fail to run and fail to start, loss of service water which causes loss of CCW | N/A | 25.75 |
| AFW | Failure of steam generator low-low-level signal, failure of operator to manually start AFW pumps, and failure of system check valves | N/A | 22.56 |
| ORX1 | Recovery of SW/CCW - Failure to restore service water and/or component cooling water within 20 minutes | Multiple Actions | 19.39 |
| ORC | Operator failure to trip the reactor coolant pumps upon loss of on-service component cooling water train | 2.25E-02 | 11.27 |
| OAF | Operator failure to estab. steam generator feed (main feed-water flow or condensate flow) to 2 of 3 steam generators | 5.16E-01 | 10.46 |
| OAB | Failure to establish bleed and feed - operator fails to open one pressurizer PORV and initiate high-head safety injection | 7.05E-02 | 9.64 |
| OAS | Failure to establish containment spray recirculation - operator fails to align the containment spray pumps to the containment sumps | 1.94E-04 | 7.42 |
| OMH | Operator failure to align the miscellaneous CCW header to the CCW Train B pump | 1.28E-02 | 7.28 |
| OHS | Operator failure to start and align the standby charging pump to normal charging Train B upon failure of CCW and the Train B charging pump | 2.17E-01 | 6.88 |
| FWTR | Diesel-driven fire protection water pump to charging pump lube oil cooler - operator failure to establish fire protection water flow to a charging pump lube oil cooler | N/A | 6.00 |
| OAC | Operator failure to cool down and depressurize the RCS using both primary side and secondary side equipment | 7.16E-03 | 3.47 |
| OAR | Operator failure to establish low-head or high-head recirc. | (a) | 3.35 |
| OHB | Operator failure to start Train B charging pump upon failure of on-service train of CCW | 8.92E-03 | 2.62 |
| AN2 | Air/Nitrogen Backup for PORVs - operator failure to align nitrogen to the PORVs | N/A | 2.10 |
| OAT | Operator failure to terminate SI and estab. normal chging. | 2.60E-04 | 1.49 |
| OAP | Operator failure to depressurize the RCS using PORVs | 4.86E-03 | 1.20 |

(a) Multiple HEP values; not clear which are applicable.

The following is a list of operator actions modeled in fault trees which contributed 1% or more to the CDF:

| Designator | Top Event | Description | HEP | % CDF |
|---|---|---|---|---|
| 1AF-FTSMANUALHAL | AFW | Failure of operator action to manually start AFW pumps from hot shutdown panel following cable spreading room flooding | 4.97E-02 | 4.61 |
| 1DGOPOPERDG2CHDE | ACB | Align loads onto DG 2C, given sequencer failure | 9.98E-02(a) | 4.15 |
| 1DGOPOPERDG1CHDE | ACB | Align loads onto DG 1C, given sequencer failure | 9.98E-02 | 4.00 |
| 1ACCPMA HAL | CCW, ORX1 | Operator fails to start CCW pump A on train B | 1.43E-02 | 3.77 |
| 1CCXVQV310C--GAL | HH1 | Post-maintenance mispositioning of charging pump C lube oil cooler valve 310C | 6.15E-03 | 2.38 |
| 1DGOPDUALUNITHDE | ACB | Operator fails to restart DG and align loads manually | 1.50E-01 | 1.08 |
| 1DGOPALIGNDICHDE | ACB | Operator fails to remotely start DG 1C and sequence loads | 8.27E-03 | 1.00 |

(a) The action for DG 2C does not appear in tables provided in the submittal or in the licensee's response to the NRC RAI; it is assumed that the top event and HEP are the same as for DG 1C.

Human-Performance Related Enhancements:

Procedure enhancements were made during the course of the IPE and credited in the IPE models, including:

1) Loss of RCP Seal Cooling
a. Loss of Component Cooling Water AOP-9.0 - revised to include instructions to enhance the ability of operators to start the standby CCW train and manually align the miscellaneous CCW header when the on-service CCW train fails.
b. Loss of Component Cooling Water AOP-9.0 - revised to include instructions (and assembled and pre-staged equipment) to direct the operators to align the Fire Protection Water System to the charging pump oil coolers if both trains of CCW cooling are unavailable and no other source of cooling is available for the charging pumps.
c. Loss of Component Cooling Water AOP-9.0 - revised to include guidance to mechanically align the swing CCW pump without having to realign electrical power.
d. Loss of Service Water AOP-10.0 - revised to provide instructions for reducing service water loads to enable operation of the system upon loss of one of two pumps.
e. Alignment of Swing SW Pump C to Train B Without Electrical Realignment - similar to the alignment of swing CCW pump described above.

2) ECCS Realignment to Cold Leg Recirculation - revised Emergency Operating Procedure ESP-1.4, Transfer to Hot Leg Recirculation to provide a transition to ESP-1.5, Transfer from Hot Leg to Cold Leg Recirculation if the attempt to transfer to hot leg recirculation (required after 11 hours) is unsuccessful.
3) Load Shed Prior to Aligning Backup Diesel to a Bus - revised AOP-5.1, Contingency Electrical Alignments, and Emergency Contingency Procedure ECP-0.0, Loss of All AC Power, to provide instructions to verify that the breakers for major electrical loads powered from the bus to be restored are open prior to closing the backup diesel output breaker. This reduces the potential for failure of the backup diesel due to overload when it is aligned to the bus.


REFERENCES

1. Embrey, D.E., et al., "SLIM-MAUD: An Approach to Assessing Human Error Probabilities Using Structured Expert Judgment, Volume I: Overview of SLIM-MAUD," NUREG/CR-3518, Vol. I, March 1984.
2. Embrey, D.E., et al., "SLIM-MAUD: An Approach to Assessing Human Error Probabilities Using Structured Expert Judgment, Volume II: Detailed Analysis of the Technical Issues," NUREG/CR-3518, Vol. II, July 1984.
3. Swain, A.D., and H.E. Guttmann, "Handbook of Human Reliability Analysis Procedures, with Emphasis on Nuclear Power Plant Applications (Final Report)," NUREG/CR-1278-F, August 1983.


ENCLOSURE 5

SUMMARY OF THE FARLEY NUCLEAR POWER PLANT INDIVIDUAL PLANT EXAMINATION (IPE) SUBMITTAL ON INTERNAL EVENTS


FARLEY UNIT 1 & 2 DATA SUMMARY SHEET* (INTERNAL EVENTS)

Plant Type: Westinghouse 3-loop PWR

Containment Type: Large Dry

Total core damage frequency (CDF): 1.3E-4/year (The CDF from internal flooding is 1.2E-5/year)

o Major initiating events:

Contribution (%)

Loss of train A service water (SW) 22%

Small loss of coolant accident (LOCA) 13%

Loss of 4160 V AC bus F 10%

Dual unit loss of offsite power 8%

Single unit loss of offsite power 7%

Loss of in-service component cooling water (CCW) 6%

Loss of all CCW 6%

Flood in cable spreading room 4%

Turbine trip 3%

Large LOCA 3%

o Major system failures contributing to CDF:

Contribution (%)

SW 27

4160 V AC buses 26

CCW 25

Emergency core cooling system (ECCS) recirculation 25

ECCS injection 23

o Major operator action failures:

Failure to restore SW and/or CCW within 20 minutes.

Failure to trip the reactor coolant pumps (RCPs) upon loss of on-service component cooling water (CCW) water train.

Failure to establish steam generator (SG) feed to 2 of 3 SGs.

Failure to establish bleed and feed.

Failure to establish containment spray recirculation.


Failure to align the miscellaneous CCW header to the CCW Train B pump.

Failure to start and align the standby charging pump to normal charging train B upon failure of CCW and the train B charging pump.

Failure to cool down and depressurize the reactor coolant system (RCS) using both primary side and secondary side equipment.

Failure to establish low-head or high-head recirculation.

o Contribution to total containment failure probability given core damage:

Early Containment Failure 0%

Late Containment Failures 96.2%

Containment Bypasses 0.36%

Containment Isolation Failure 0.06%

No Containment Failure 3.3%

o Significant PSA findings:

Use of charging pumps for high head ECCS injection which use CCW for pump cooling.

Ability to provide diesel driven firewater for cooling to charging pumps.

No automatic alignment of ECCS from injection to recirculation.

Presence of five diesel generators (DGs), three of which are swing DGs that can provide power to either unit.

o Improvements identified in the FNP IPE proposed to be implemented:

(1) Aligning charging pump suction to the refueling water storage tank (RWST) and isolating RCP seal return flow upon a loss of cooling to the on-service CCW train in order to allow additional time to align the miscellaneous CCW header to the opposite train.

(2) Aligning plant fire protection water to provide charging pump cooling if CCW cooling is lost and cannot be recovered in order to ensure continued operability of at least one charging pump.

(3) Aligning the swing CCW pump to the standby train mechanically while it is supplied with power from the opposite train to maintain seal injection flow on a loss of SW in the on-service train combined with failure of the standby CCW pump.

(4) Stabilizing the plant with only one operating SW pump by reducing SW system loads in order to maintain CCW cooling.

(5) Realigning the ECCS to the cold leg recirculation alignment following failure to establish hot leg recirculation.


(6) Verifying that major loads on the ESF buses have been shed prior to aligning a backup diesel to the bus on a single unit loss of offsite power.

(7) Replacing the current RCP seal O-rings with new high temperature O-rings during the next scheduled seal maintenance on each RCP.

(* Information has been taken from the Farley IPE and has not been validated by the NRC staff.)
