ML20106J138
| ML20106J138 | |
| Person / Time | |
|---|---|
| Site: | Calvert Cliffs  |
| Issue date: | 01/16/1996 |
| From: | Darby J, Sciaccs F, Thomas W SCIENCE & ENGINEERING ASSOCIATES, INC. |
| To: | NRC |
| Shared Package | |
| ML20106J140 | List: |
| References | |
| CON-NRC-04-91-066, CON-NRC-4-91-66 SEA-92-553-033, SEA-92-553-033-A:3, SEA-92-553-33, SEA-92-553-33-A:3, NUDOCS 9603290323 | |
| Download: ML20106J138 (41) | |
Text
SEA 92-553 033-A:3 January 16,1996 Calvert Cliffs 1 and 2 Technical Evaluation Report on the individual Plant Examination Front End Analysis NRC-04-91-066, Task 33 John L. Darby, Analyst Frank W. Sciacca, Analyst W. Thomas, Editor Science and Engineering Associates, Inc.
Prepared for the Nuclear Regulatory Commission 93g3999323 XR 1
i i
l l
l
)
L TABLE OF CONTENTS E. EXEC UTIVE SU M M ARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 E.1 Plant Characterization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 E.2 Licensce's lPE Process ................................. 2 E.3 Front End Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 E.4 G ene ric Iss ue s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 E.5 Vulnerabilities and Plant improvements . . . . . . . . . . . . . . . . . . . . . . 5 E . 6 O b s e rvatio n s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
- 1. I N TR O D U CTI O N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 1.1 R e view P ro ce s s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 1.2 Plant Characte rization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
- 2. TEC H N IC AL R EVI EW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 l
2.1 Licensee's lPE Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 2.1.1 Comoteteness and Methodology ..................... 9 2.1.2 Multi-Unit Effects and As-Built As-Ocerated Status . . . . . . . . 9 1
2.1.3 Licensee Particioation and Peer Review . . . . . . . . . . . . . . . . 10 '
2.2 Accident Sequence Delineation and System Analysis . . . . . . . . . . . . 11 2.2.1 Initiating Events . . .............................. 11 2.2.2 Event Trees . . . . . . . ............................ 12 2.2.3 Syste ms An alvsis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 2.2.4 System Decendencie s . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 2.3 Quantitative Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 2.3.1 Quantification of Accident Seauence Freauencies . . . . . . . . . 18 2.3.2 Point Estimates and Uncertaintv/ Sensitivity Analvses. . . . . . . 19 2.3.3 Use of Plant Soecific Data ......................... 19 2.3.4 U se of G ene ric Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 2.3.5 Common Cause Quantification ...................... 20 2.4 Inte rface issue s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 2.4.1 Front End and Back-End Interfaces . . . . . . . . . . . . . . . . . . . 21 2.4.2 Human Factors Interfaces . . . . . . . . . . . . . , , . . . . . . . . . . 22 2.5 Evaluation of Decay Heat Removal and Other Safety issues . . . . . . . 22 2.5.1 Examination of D H R . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 2.5.2 Diverse Mean s of D H R . . . . . . . . . . . . . . . , . . . . . . . . . . . . 2?
- 2. 5.3 U n ia u e Fe at u re s o f D H R . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 2.5.4 Other GSI/USI's Addressed in the Submittal . . . . . . . . . . . . . 24 2.6 Internal Flooding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 2.6.1 Intemal Flooding Methodology . . . . . . . . . . . . . . . . . . . . . . 24
! 2.6.2 Internal Floodina Results .......................... 24 2.7 Dominant Core Damage Sequences ........................ 25
- 2.7.1 Dominant Core Damaae Secuences . . . . . . . . . . . . . . . . . . 25
- 2.7.2 Vulne rabilitie s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 1
i ll
2.7.3 Prooosed imorovements and Modifications . . . . . . . . . . . . . . 30
- 3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS ............... 33
- 4. DATA
SUMMARY
SHEETS .................................... 34 REFERENCES................................................ 39 l
l t
t i
i k
ill ,
I l
l
LIST OF TABLES Table 2-1. Plant Specific Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Table 2-2. Common Cause Factors for 2-of 2 Components . . . . . . . . . . . . . . . . 21 Table 2-3. Top 5 Core Damage Sequence . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Table 2-4. Vulnerability Screening, Core Damage, Containment Not Bypassed . . 29 Table 2-5. Vulnerability Screening, Core Damage, Containment Bypassed . . . . . 29 Table 2-6 Vulnerability Review Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Table 2-7. Vulnerabilities and Corrective Actions . . . . . . . . . . . . . . . . . . . . . . . 31 Table 4-1. Initiating Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 l
l l
l 1
I I
iv
l E. EXECUTIVE
SUMMARY
i This report summarizes the results of our review of the front-end portion of the Individual Plant Examination (IPE) for Calvert Cliffs 1 and 2. This review is based on information contained in the IPE submittal along with the licensee's responses to a Request for Additional Information (RAl).
E.1 Plant Character'zation i The Calvert Cliffs site has two Pressurized Water Reactor (PWR) power plants. Rated l power for each unit is 2700 megawatts thermal (MWt). Combustion Engineering (CE) was the Nuclear Steam Supply System (NSSS) vendor and Bechtel was the Architect Engineer (AE). The Calvert Cliffs units each have two primary loops. A similar plant in operation is Palisades.
l l Design features at Calvert Cliffs that impact the core damage frequency (CDF) relative to other PWR plants are as follows:
Reauirement for air to coerate Auxiliarv Feedwater (AFW) The requirement for air to open AFW valves tends to increase the CDF for transients involving loss of main feedwater.
e No seal iniection for Reactor Coolant Pumos (RCPs) Since seal injection to the RCP seals from the charging pumps is not provided in the design, loss of Component Cooling Water (CCW) thermal barrier cooling alone results in loss of seal cooling; this tends to increase the CDF from seal Loss of Coolant Accidents (LOCAs) compared to plant designs in which seal injection from charging pumps that do not require CCW cooling is also available to provide seal cooling.
Presence of a swina Diesel Generator (DG) The use of a swing DG tends to raise the CDF compared to plants with more than one DG dedicated to each unit. The swing DG must be dedicated to the unit for which the preferred DG has failed, thereby rendering it potentially unavailable to the unit with the accident. Also, the swing DG 12 does not automatically load following a loss of offsite power incident, and operator action is required to load the DG within 10 minutes or it will trip on high jacket water temperature.
Shared DC oower The sharing of DC power between the two units tends to increase the CDF due to loss of offsite power, because if the DG normally dedicated to one unit falls, the swing DG must power that unit resulting in loss of charging power to selected batteries at the other unit.
i 1
l
= Two hour batterv lifetime The two hour battery lifetime is relauvely short and this tends to increase the CDF from station blackout since it restricts the time .
available to recover offsite power. Load shedding was considered for station i blackout events.
- Ability to crosstie motor driven AFW oumo and clant air between units The ability to crosstle AFW and plant air between the two units lowers the CDF due l
to transients by providing extra redundancy for AFW and air.
l l
- Reauirement for 2 Power Ooerated Relief Valves (PORVs) to feed and bleed Both PORVs are required for feed and bleed cooling; this tends to increase the CDF compared to plants where only one PORV is reau' ed.
E.2 Licensee's IPE Process i
The IPE is a level 2 Probabilistic Risk Assessment (PRA). The freeze date for the IPE l
model was March 19,1992. The information in the IPE did not consider any pending plant modifications after the freeze date; however, the overall CDF was re-calculated based on changes implemented as a result of the PRA. These changes are l discussed in Section 2.7 of this report.
Utility staff were involved in all aspects of the IPE. Consultants from the following organizations were utilized, including: Pickard, Lowe and Garrick (PLG), Risk and -
l Safety Engineering, EQE International, and GKA.
Plant walkdowns were performed by the system analys'.s as necessary to verify the system configurations. These walkdowns were accomplished over a three year i period. Also, walkdowns were specifically completed as part of the internal flooding analysis. l l Major documentation used in the IPE included: the Updated Final Safety Analysis l Report (UFSAR), the Technical Specifications, licensee event reports (LERs),
procedures, piping and instrumentation diagrams (P&lDs), technical manuals, and documents for establishing the success criteria. Other IPE/PRA studies and related information were reviewed, notably: the Interim Reliability Evaluation Program (IREP)
PRA for Calvert Cliffs, the PRA for Maine Yankee, and the PRA for Palisades.
Two independent in house reviews of the IPE were performed. Also, two external independent reviews were performed.
The submittal states that the licensee intends to maintain a "living' PRA.
l t
2
E.3 Front-End Analysis The methodology chosen for the Calvert Cliffs IPE front-end analysis was a Level i PRA the large event tree /small fault tree technique was used and quantification was performed with RISKMAN.
Forty three internal initiating events were evaluated. These initiating events can be categorized into the following groups: 9 LOCAs,8 generic transients, and 26 plant specific initiating events.
Both loss of instrument air and loss of Heating Ventilating and Air Conditioning (HVAC) were modeled as plant-specific initiating events.
The criterion for core damage was peak cladding temperature in excess of 2200 F.
System level success criteria were based on: the UFSAR, consideration of non-safety systems, plant specific calculations, and past PRA studies.
Support system dependencies were modeled in a support systems event tree. Tables of inter-system dependencies were provided.
The IPE used plant specific data to Bayesian update generic data for: initiating events, hardware failures, testing / maintenance unavailabilities, and common cause failures. -
The plant specific data used in the IPE were comparable with data used in typical IPE/PRAs.
The Multiple Greek Letter (MGL) method was used to model common cause failures.
Common cause failures were modeled within systems. Generic data from the PLG data base and from the Electric Power Research Institute (EPRI) data base were used to quantify common cause failures. Plant specific data on common cause failures were used to bayesian update generic common cause failure data.
Internal flooding was quantified using transient event trees, modified to consider the failures resulting directly from the flooding events. Spray induced failures of equipment were considered. Internal flooding was calculated to cont"!bute about 5%
to the overall CDF.
The total baseline CDF from internal initiating events was 3.2E-4/ reactor-year . The IPE requantified the CDF with credit for certain corrective actions and the revised CDF was 2.4E-4/ reactor year. The submittal reported core damage sequences consistent with the systemic reporting criteria of NUREG 1335. The top 100 core damage sequences were reported. For the revised CDF, the top 100 sequences contributed 50% to the overall CDF.
4 initiating events contributing the most to the overall revised CDF were as follows:
3
i 1
l loss of offsite power 15.2% i small LOCA 8.7% 1 very very small LOCA 6.4%
very small LOCA 6.4%
plant trip 6.0%
loss of control room ventilation 5.1%.
Section 4 of this report provides a more comprehensive listing of the CDF by initiating event. )
l l The submittal provides the importance ranking of systems for mitigation, based on the i risk reduction measure. This ranking indicates that the most important systems for I mitigation in decreasing order are: Reactor Coolant System (RCS) seals and PORVs, AFW, Emergency Safeguards Features Actuation System (ESFAS),120 VAC, DGs, 1 Emergency Core Cooling System (ECCS) Injection, and salt water cooling.
The licensee performed an analysis of the CDF for the top 50 core damage l sequences with all operator actions set to guaranteed failure. This analysis provided a l risk increase importance measure for operator actions. Important operator actions 1 from the risk increase perspective were associated with: AFW, main feedwater, control and switchgear room HVAC, CCW, tripping of RCPs following loss of seal cooling, and i loading of the swing DG during a non-LOCA accident. l l .
For the revised model (total CDF of 2.4E-4/ reactor year), the submittal states that the l CDF by dominant Nuclear Management and Resource Council (NUMARC) accident j category is as follows: '
Transient without Early Heat Removal 9.2E-5/ reactor-year 38.5 %
Induced LOCA without Early Inventory 2.8E 5/ reactor year 11.7 %
Control Failure of Reactivity Control 2.4E-5/ reactor-year 10% l Induced LOCA without Late Inventory 2.3E-5/ reactor-year 9.6%
Control Very Small LOCA without Early Inventory 2.2E-5/ reactor-year 9.2%
Control Small, Medium, or Large LOCA 2.1 E-5/ reactor-year 8.8%
without Early Inventory Control l 1
l Level 1 core damage sequences were binned into Plant Damage States (PDSs) at the cut set level for subsequent back-end analysis. The binning criteria were comparable l with typical PRA/IPE practice.
l i
4 l
l
E.4 Generic lasues The submittal specifically addressed loss of decay heat removal (DHR), considering DHR as both core cooling and ultimate heat removal. Loss of DHR for general :
transients contributed 45% to the overall CDF; failures of AFW contributed 34% and I were influenced by failures in hand operated valves needed for long term supply of water for AFW after the Condensate Storage Tank (CST) is depleted. Failures associated with inadvertent actuation of ESFAS and auxiliary feedwater actuation system (AFAS) contributed 18% to the overall CDF.
Vulnerabilities associated with loss of DHR were identified as discussed in Subsections E.5 and 2.7.3 of this report.
The licensee does not propose to resolve any other generic issues with the IPE.
1 E.5 Vulnerabilities and Plant improvements l l
The licensee used the NUMARC guidance in determining a vulnerability. Subsection 2.7.2 of this report summarizes the criteria used to determine a vulnerability. The following seven vulnerabilities were identified, with the indicated corrective actions.
Vulnerability Corrective Action Status of Corrective Action Loss of Switchgear HVAC causes Provide Fans for Backup Room Fans were staged near each of
~
failure of both 4 kV Safety Cooling the four switchgear rooms.
Related Buses for a Single Unit Procedures for use of fans were issued. Surveillance ensures fans remain in place.
Loss of Main Feedwater (MFW) Digital Feedwater Control System Modifications installed.
following Plant Trip Likely to Modification to Rapidly Reduce Occur MFW Pump Speed after Plant Trip to prevent MFW Pump Trip on High Discharge Pressure Several Normally Closed Manual improve Surveillance to Ensure Enhanced surveillance Valves are Needed to Supply Operability of Valves implemented.
Water for AFWif the CSTis Lost or is Depleted Depressurization of Primary Consider Revising EOPs to Allow Incorporated into EOPs.
Following SGTR Cannot be Use of Pressurizer Vent Valves Accomplished with Main for Depressurization Pressurizer Spray due to Proceduralized Trip of RCPs inadvertent ESFAS/RPS/AFAS Complete Training on Scenario implemented.
Actuation Results from Failure of including Simulator Training 2120 V AC Buses which Significantly Challengos Operators 5
Vulnerability Correcthre Action Status of Corrective Action I,oss of CCW with RCP Seal Reduce Frequency for Loss of Determined not to be required.
LOCA is Dominant CDF CCW due to Failure of Many Sequence Single Isolation Vent and Drain Valves Significant Likelihood for failure of Add Manual isolation Valves to Modification was implemented.
Both Turbine-Driven AFW Pumps Upstream and Downstream Sides due to Maintenance or Common for Both AFW Turbine Driven Cause Pumps to Reduce Dual Pump Unavailability due to Maintenance The licensee recently provided information that stated that all the corrective actions have been completed. [RAI Responses, p.13]
E.6 Observations The licensee appears to have analyzed the design and operations of Calvert Cliffs to discover instances of particular vulnerability to core damage. it also appears that the licensee has: developed an overall appreciation of severe accident behavior; gained 1 an understanding of the most likely severe accidents at Calvert Cliffs; gained a quantitative understanding of the overall frequene/ of core damage; and implemented changes to the plant to help prevent and mitigate severe accidents.
Strengths of the IPE are as follows. The evaluation and identification of plant-specific initiating events is thorough in comparison to many other IPE/PRA studies. Also, the i modeling of interfaces between the two units (shared systems and the ability to.
crosstle specific equipment) is thorough in comparison to other IPE/PRA studies for multiple unit sites.
I We identified no major shortcomings in the IPE.
- Significant findings on the front-end portion of the IPE are as follows
a RCP seal LOCAs are an important contributor to the overall CDF. IPEs for some other CE plants have assumed a more optimistic RCP seal LOCA model, ,
and thus have lower CDF contributions from RCP seal LOCAs. l a The CDF due to ATWS is 2.4E-5/ reactor year, a relatively large value. The l IPE model for mitigation of an ATWS is less optimistic than other typical i IPE/PRA models. IPEs for most other PWRs credit more options for mitigating an ATWS than does Calvert Cliffs.
a internal flooding contributes about 5% to the overall CDF. Internal flooding is a small contributor due to the layout of the plant.
l' 6
1 l
- 1. INTRODUCTION 1.1 Review Process This report summarizes the results of our review of the front end portion of the IPE for Calvert Cliffs 1 and 2. This review is based on information contalaed in the IPE submittal along with the licensee's responses to RAl.
l.2 Plant Characterization.
The Calvert Cliffs site has two PWR power plants, located on the Chesapeake Bay in Maryland. CE was the NSSS provider and Bechtel was the AE. The Calvert Cliffs units are pre-System 80 plants with two primary loops. The two units achieved commercial operation in 1975 and 1977, respectively. Rated power for each unit is 2700 megawatts thermal (MWt), and 825 megawatts electric (MWe) (net). A similar unit in operation is Palisades.
The two units share the following systems: the 13 KV electrical system, DC electrical power, HVAC for the control and cable spreading rooms, and the fire protection system. Also, crosstie of the following systems to the opposite unit is possible: onsite 1E AC power, the motor driven AFW pump, and plant air. Plant air is required for operation of AFW flow control valves. The pressurizer has two relatively small PORVs, and both are required for feed and bleed with one HPSI pump. -
Design features at Calvert Cliffs that impact the CDF relative to other PWR plants ara as follows: :
Reauirement for air to coerate Auxiliarv Feedwater (AFW) Th'e requirement for air to open AFW valves tends to increase the CDF for transients involving loss of main feedwater.
No sealiniection for Reactor Coolant Pumos (RCPs) Since sealinjection to the RCP seals from the charging pumps is not provided in the design, loss of Component Cooling Water (CCW) thermal barrier cooling alone results in loss of seal cooling; this tends to increase the CDF from seal Loss of Coolant Accidents (LOCAs) compared to plant designs in which seal injection from charging pumps that do not require CCW cooling is also available to provide seal cooling.
Presence of a swina Diesel Generator (DG) The use of a swing DG tends to raise the CDF compared to plant with more than one DG dedicated to each unit. The swing DG must be dedicated to the unit for which the preferred DG has failed, thereby rendering it potentially unavailable to the unit with the accident. Also, the swing DG 12 does not automatically load following a loss of 7
offsite power incident, and operator action is required to load the DG within 10 minutes or it will trip on high Jacket water temperature.
l Shared DC cower The sharing of DC power between the two units tends to increase the CDF due to loss of offsite power, because if the DG normally dedicated to one unit falls, the swing DG must power that unit resulting in loss of charging power to selected batteries at the other unit.
l .
Two hour batterv lifetime The two hour battery lifetime is relatively short and l this tends to increase the CDF from station blackout since it restricts the time available to recover offsite power. Load shedding is credited in station blackout events to extend the battery lifetime.
- Ability to crosstle motor driven AFW oumo and olant air between units The ability to crosstie AFW and plant air between the two units lowers the CDF due to transients by providing extra redundancy for AFW and air. j l
=
Reautrement for 2 Power Ooerated Relief Valves (PORVs) to feed and bleed l Both PORVs are required for feed and bleed cooling; this tends to increase the CDF compared to plants where only one PORV is required.
I i
8 r__ __ __ m-__ ..-- .- _ _ _ _ - - -
- 2. TECHNICAL REVIEW .
2.1 Licensee's IPE Process We reviewed the process used by the licensee with respect to: completeness and methodology; multi-unit effects and as-built, as-operated status; and licensee participation and peer review.
2.1.1 Comoleteness and Methodoloov.
The Calvert Cliffs IPE is a level 2 PRA. The submittal is complete in terms of the overall requests of NUREG 1335 and Generic Letter 88-20. [ submittal, Section 1.0)
No obvious omissions in the submittal were noted.
1 The front end portion of the IPE is a level l PRA. The specific technique used for the
- level 1 PRA was a large event tree /small fault tree technique and it was clearly
- described in the submittal.
j The submittal described additional details of the technique. Support systems were modeled in a support system event trees and accident sequences were solved by event tree linking. System descriptions were provided. Tables of inter-system dependencies were provided. Data for quantification of the models were provided,
- including common cause data. The IPE did not include an uncertainty analysis. The -
submittal did include a limited sensitivity analysis.
The PRA upon which the IPE is based was initiated in response to Generic Letter 88-
- 20. (submittal, Section 2.0) 2.1.2 Multi-Unit Effects and As-Built As-Ocerated Status. I r
4 Calvert Cliffs is a two unit site and the two units share the following systems: the 13 '
KV electrical system, DC electrical power, and HVAC for the control and cable
] spreading rooms. Also, crosstie of the following systems to the opposite unit is possible: onsite 1E AC power, the motor driven AFW pump, and plant air. The submittal Indicates that HVAC for the electrical switchgear rooms is not shared between the two units. [ submittal, Section 6.0)
The IPE modeled Unit 1 and concluded that the results of the analysis for unit 1 are also applicable to Unit 2. [ submittal, Sections 1.0 and 3.4.5]
The IPE did consider the need provide shutdown cooling for Unit 2 while mitigating an accident at Unit 1.
9
i 1
At Calvert Cliffs the dual unit CDF is not negligible due to the sharing of systems, particularly electrical power. For example, a swing DG is provided to serve either unit, and it swings to power the unit with the accident; station blackout at one unit can be due to failure of this swing DG which increases the likelihood for simultaneous station
- blackout at the other unit. Furthermore, following loss of offsite power to both units, if l j the turbine driven AFW pumps fall at one unit, the motor driven AFW pump must be dedicated to that unit and is not available for crosstie to serve the opposite unit. The Calvert Cliffs' AFW arrangement has two turbine-driven and one motor-driven pumps per unit, and the motor-driven AFW pumps can be cross tied to the opposite unit.
4.
- Information from a sensitivity study summarized in the submittal indicates that dual unit
- CDF from station blackout is about 7% of the total CDF; after the two additional DGs l are installed in 1996, this contribution is expected to decrease to less than 1%.
[ submittal, Page 3.4.1-33)
The submittal states that plant walkdowns were performed by the system analysts as necessary to verify the system configurations. (submittal, Section 2.4.4) These walkdowns were accomplished over a three year period. Also, walkdowns were
- - specifically completed as part of the internal flooding analysis. (submittal, Section 2.4.4.2]
Major documentation used in the IPE included: the UFSAR, the technical
- specifications, LERs, procedures, P& ids, technical manuals, and documents for -
establishing the success criteria. (submittal, Section 2.4.3) Other IPE/PRA studies and 1
related information were reviewed, notably: the IREP PRA for Calvert Cliffs, the PRA 4
for Maine Yankee, and the PRA for Palisades. [ submittal, Section 2.4.2)
The freeze date for the IPE model was March 19,1992. (submittal, Section 2.4.3) The information in the submittal did not consider any pending plant modifications after the freeze date; however, the CDF was re-calculated based on changes implemented as a
. result of the PRA. [ submittal, Page 1-3] These changes are discussed in Section 2.7 of this report.
l 2.1.3 Licensee Particioation and Peer Review.
The IPE was performed primarily by utility personnel. Utility staff were involved in all aspects of the IPE. [ submittal, Section 5.1) Consultants from the following organizations were utilized, including: PLG, Risk and Safety Engineering, EOE International, and GKA.
The submittal states that the utility intends to maintain a "living" PRA. (submittal, Page 2-3) i 4
10 l
Two independent in house reviews of the IPE were performed. Also, two external independent reviews were performed. (submittal, Section 5.1) The licensee indicates that the documentation of the independent reviews was not' complete as of the date of the submittal. (submittal, Section 2.0) The licensee stated that numerous upgrades to the IPE model are in process, and that this has delayed the formal independent reviews, but formal review of completed documents continues to be a high priority and is the focus of considerable effort. [IPE Responses) 2.2 Accident Sequence Delineation and System Analysis This section of the report documents our review of both the accident sequence delineation and the evaluation of system performance and system dependencies provided in the submittal.
2.2.1 Initiatino Events.
The identification of initiating events considered both generic and plant specific events.
(submittal, Section 3.1.1) Sources for g3neric initiating events included: EPRI NP-2230, PLG-0500, and other PRAs. Plant historical data were reviewed to quantify actual plant trip events, based on the time period between 1985 and 1992. If the number of plant specific initiating events for a specific event exceeded 2, then plant specific data were exclusively used for that initiating event. If the number was less than 2, then the plant specific data were used to bayesian update generic data for that -
I Initiating event. (submittal, Section 3.1.1.5) Generic data were used exclusively for low frequency generic initiating events, such as LOCAs.
Plant specific initiating events due to failures in support systems were quantified by evaluating failures in these systems using the models developed for these systems.
(submittal, Section 3.1.1.5) To quantify the frequency of pipe breaks for internal flooding, the Thomas Pipe Break Correlation was used. i Forty three internal initiating events were evaluated. (submittal, Table 3.1.1.3] These initiating events can be categorized into the following groups: 9 LOCAs,8 generic transients, and 26 plant specific initiating events.
The consideration of plant specific initiating events in the Calvert Cliffs IPE was more '
thorough than some other IPE/PRA studies. The IPE addressed a large number of plant specific initiating events as listed in Table 3.1.1.3 of the submittal. The fc!!cwir.g '
plant specific initiating events are of note, since they are sometimes not explicitly addressed in other IPE/PRAs: spurious engineered safety features actuation system (ESFAS) actuation, loss of control room ventilation, loss of CCW cooling for RCP seals, loss of switchgear room ventilation, and loss of 120 V vital AC buses. The IPE does consider spurious isolation of containment as an initiating event, and the impact of this event on cooling of the RCP seals. [IPE Responses]
11
i l
l The IPE considered both a very small LOCA initiating event and a very very small LOCA initiating event. The very very small LOCA range is 0.00044 sq ft to 0.005 sq ft in size. The success criteria for both the very small LOCA and the very very small i LOCA are similar; both require either steam generator cooling or feed and bleed and neither credit normal charging for makeup. Also, the two events have identical frequencies. (submittal, Table 3.1.1.3) The very very small LOCA does not cause sufficient RCS depressurization within 45 minutes to allow for once-through-core-cooling, while the very small LOCA causes sufficient depressurization within 45 !
minutes for once-through-core cooling to be used. [lPE Responses] l l
Breaks in a feedwater line or in a main steam line, both inside and outside l containment, were considered as initiating events. The IPE lumped feedwater and steam line breaks together into the same initiating event.
The point estimate frequencies assigned to most of the initiating events were comparable with typical values used in PRA/IPEs. For example, the frequency for a very small LOCA was 1.22E-2/ year. Tne frequency for loss of offsite power, !
0.136/ year, is somewhat higher than in many other IPE/PRAs, since this event was quantified based on the two loss of offsite power events that actually occurred at the site. [ submittal, Table 3.1.1.3) The frequency for loss of instrument air was quantified as 9.65E-3/ year, considering the one loss of instrument air event that occurred at the plant. -
i~
A complete listing of the initiating events used in the Calvert Cliffs IPE and their frequencies are included in Section 4 of this report.
2.2.2 Event Trees.
The submittal states that ev'ent trees were not developed for the PRA. [ submittal, Section 3.1] Instead, rules that represent the event trees were used in the application of RISKMAN software.
The licensee defined core damage as peak cladding temperature in excess of 2200 F.
(submittal, Section 3.1.2.1) This criterion for core damage is part of the licensing basis for the plant as discussed in the UFSAR. Other IPE/PRAs have used more optimistic criteria for core damage.
The submittal states that a large LOCA can be successfully mitigated if 3 safety injection tanks (SITS) inject to the downcomer (1 SIT injects out the break) and if one of 2 high pressure safety injection (HPSI) pumps successfully inject. [ submittal, Section l 3.1.2.1.2c and Table 3.1.2 2] Therefore, the IPE does not require that low pressure safety injection (LPSI) function to mitigate a large LOCA. The UFSAR requires that
. one of two LPSI pumps inject to mitigate a large LOCA. (UFSAR, Section 6.3.5) The 12
I 1 REP PRA for Calvert Cliffs required injection with one of two LPSI pumps to mitigate a large LOCA. [lREP, Table 4.1) Also, the IPEs for the following CE plants required LPSI injection to mitigate a large LOCA: Maine Yankee, San Onofre, and Palo Verde.
The licensee states that best estimate analyses performed by CE with the CENTS computer code indicate that LHSI is not required to mitigate a large LOCA. [IPE Responses]
l The IPE used success criteria for mitigation of an anticipated transient without scram l (ATWS) that are less optimistic than many other PWR IPE/PRA studies. The
- submittal states that to mitigate a transient,74 of the 77 control rods must be inserted l within 5 minutes. (submittal, Section 3.1.2.1.1a] The IPE does not credit the l
moderator temperature coefficient (MTC) effect for mitigating an ATWS. [ submittal, Page 3.1.2-5) Most PWR IPE/PRAs credit negative temperature feedback during an i ATWS to allow for the ATWS to be mitigated with AFW and boration, except for a certain fraction of time early in core life when the MTC is insufficiently negative to l prevent overpressurization of the primary. The success criteria used for mitigation of i an ATWS in the IPE results in the IPE ca!culating a high CDF due to ATWS. The IPE calculates that the CDF from an ATWS has a frequency of 2.4E-5/ reactor year, which is significantly higher that the CDF from ATWS typically calculated in IPE/PRAs for j PWRs. The IREP for Calvert Cliffs credited boration and addressed the impact of the MTC. [IREP, Section 8.1.1) The IREP study did calculate a high CDF due to ATWS l l
(2.8E-5/ reactor year); however, the IREP was completed in 1983 and it gave no credit i for operator action to insert control rods and it assumed that the MTC was -
- insufficiently negative to prevent overpressure 50% of the time for loss of feedwater l initiating events. The licensee stated that the options previously discussed for mitigation of an ATWS are being considered for future incorporation into the IPE. (IPE Responses)
The submittal states that for LOCAs, the following containment cooling systems are required: one train of containment spray or two containment fan coolers. (submittal, '
Section 3.1.2.1.4 and Table 3.1.2 5) This differs from the licensing requirements in the UFSAR of: both trains of containment spray, or three containment fan coolers, or one train of containment spray and two containment fan coolers. [UFSAR, Page 6-29] '
With the minimum containment cooling capability as specified in the IPE success criteria, the containment environment will be maintained within the equipment qualification limits of 285 F and 50 psig for all accidents except a large LOCA; however, for a large LOCA the tem;erature exceeds 285 F for only 2.5 minutes. (IPE
!- Responses) The licensee did discover that with only 2 containment air coolers in operation following a LOCA with loss of offsite power, the design service water system for the DGs can be exceeded, but the licensee considers this to be of low risk significance. Also, containment cooling with only one containment spray pump or two containment air coolers can result in higher room temperatures due to increased l
13
_ _. _ _ _ _ _ _ _. _ _ _ , _ _ _ _ _ _ _ . -~ -
containment sump water temperature, but the licensee considers this to have minor impact on the results of the IPE.
The licensee stated that the IPE model requires containment cooling to support feed and bleed operation. [lPE Responses)
The submittal states that successful feed and bleed requires both PORVs and one HPSI pump. [ submittal, Section 3.1.2.1.3b] This is more restrictive than the success criteria for feed and bleed used in many IPEs, which require only one PORV. The size of the PORVs at Calvert Cliffs are small for the full power rating of the plant. The UFSAR for Calvert Cliffs states that a PORV can release 153,000 lbm/hr saturated steam at 2400 psia. [UFSAR, Table 4-18] The PORVs at other PWRs of comparable power can relieve on the order of 200,000 lbm/hr.
The IPE for Calvert Cliffs did not credit depressurization with the steam generators for mitigating a small LOCA. [ submittal, Page 3.1.2-9] Some IPEs have credited depressurization and establishment of shutdown cooling in the long term response to a small LOCA so that recirculation from the containment sump is not required. A few IPEs have credited depressurization and use of LPSI as an option for mitigating a small LOCA if HPSI is not available for injection.
The model for mitigation of a SGTR credits refill of the RWST for continued injection
~
into the primary if depressurization is not possible. [lPE Responses]
The IPE requires long term core flush within 18 hours2.083333e-4 days <br />0.005 hours <br />2.97619e-5 weeks <br />6.849e-6 months <br /> in response to a large LOCA to prevent core damage due to precipitation of boron leading to blockage of core flow.
[ submittal, Section 3.1.2.1.3d] Most IPE/PRAs for PWRs do not require long term realignment of ECCS following a large break LOCA to prevent potential core damage due to boron precipitation, but a few do.
The IPE considered the possibility of an RCP seal LOCA if cooling is lost to the RCP seals, using a model based on a CE Owner's Group analysis. [lPE Section 3.4.2.3.3.a]
Failure of RCP seals was assumed to lead to leakage of 220 gpm per RCP. Calvert Cliffs uses Byron Jackson pumps with a 4 stage seal; the original Byron Jackson SU seals were replaced with seats manufactured by Setzer Bingham Pumps. [UFSAR, Section 4.1.3.3) The licensee stated that an RCP seal LOCA is treated as a very very small LOCA in the IPE. If CCW cooling is lost to the seals for 45 minutes the probability of a seal LOCA was taken as 1.5E-3. The IPE assumed that operators have a 20% chance of stopping running RCPs prior to seal failure given the operators do not isolate the RCPs within 45 minutes. [lPE Responses)
Some other IPEs for CE plants with similar pumps and seals assumed that a seal LOCA is not possible within the mission time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> for a RCP that is tripped, even if no seal cooling is provided; some of these IPEs also assumed that the 14
l l
operator has up to 30 minutes to trip a running RCP without seal cooling. (IPE Maine Yankee) [lPE San Onofre) Therefore, the seal LOCA model in the Calvert Cliffs IPE is substantially different than the seal LOCA model used in the IPEs for some other CE ;
plants, and these differences appear to be due to differences in modeling assumptions l rather than due to seal design differences. In contrast to the design at many PWRs, ;
seal cooling at Calvert Cliffs is only provided by CCW cooling of the RCP thermal !
barrier cooler and no seal injection from the charging pumps is provided; also, at some of the PWRs that use sealinjection from the charging pumps, the charging pumps do not require CCW for cooling. An RCP seal LOCA due to loss of CCW was determined to be a significant contributor to core damage at Calver1 Cliffs.
1 The IPE model for a steam line break required closure of MSIVs and isolation of feedwater to the bad SG. [ submittal, Section 3.1.2.4.5]
The submittal discussed the support module used to model support system requirements. (submittal, Section 3.1.4.1.2] The support module considered: AC and DC electrical power, switchgear room ventilation, control room and cable spreading room ventilation, plant and instrument air, salt water air compressors, salt water cooling system, service water cooling system, and the component cooling water system. The system description for electrical power implies that loss of offsite power does not include loss of the 13 KV line and that this line is available following loss of offsite power. [ submittal, Page 3.1.4-3 and Page 3.2.1-28] The licensee confirmed that loss of offsite power does not include loss of the 13 KV line. (IPE Responses) Two -
options for using the DGs to provide 1E power are considered. The preferred option is to use DG 11; if this option falls, the swing DG 12 can be used to provide 1E power at Unit 1 if DG 21 is successful for powering Unit 2. If DG 21 fails to provide power to unit 2, the swing DG 12 must be dedicated to unit 2, and it is therefore not available for unit 1.
2.2.3 Svstems Analvsis.
System descriptions are included in Section 3.2 of the submittal. System schematics i are included in the submittal. Our comments on the system descriptions are as follows.
The 125 V DC power system is shared between the two units. The DC battery lifetime was taken as two hours. During station blackout events, operators are instructed to shed several large battery loads to extend the battery life. [ Submittal, p. 3.1.4-15]
The HVAC system for the cable spreading room was assumed to be required to support long term operation of the 125 V DC system.
The system descriptions for AC electrical power discuss the power supplies available if normal 500 KV power is lost, specifically, the 13 KV SMECO line and the three onsite DGs. One of the DGs is a swing DG that powers the unit with the accident. The 15
l l
l swing DG automatically aligns to a particular unit if an SIAS coincident with bus undervoltage occurs at that unit; without an SIAS, the swing DG must be manually :
loaded. The other two DGs are normally each dedicated to one specific unit, but the l capability exists to power a bus at the opposite unit from either of these DGs. '
[UFSAR, Section 8.4.1.2) The IPE did not credit crosstie of the dedicated DGs l between the two units, since with loss of offsite power the dedicated DG is needed to ;
supply power for shutdown cooling at the unit without the accident (Unit 2 in the IPE). )
During a loss of offsite power event, the swing DG does not automatically load since ,
no SIAS signalis generated. The submittalindicates that operator action is needed I within 10 minutes to manually load the swing DG 12 or it will trip on high Jacket water I temperature, since the cooling water for the DG requires power from the DG .
[ submittal, Page 3.4.1-29]
The service water system provides cooling for the DGs, for air compressors, and for the containment fan coolers; the heat sink for the service water system is the salt water system. The swing DG can be cooled by service water from either unit. Also, it is possible to use the Unit 2 plant air compressor to provide air to Unit 1, and the service water system for Unit 2 is required to cool the plant air compressor at Unit 2.
(submittal, Page 3.1.4-21]
The CCW system provides cooling for the following loads: RCP seals, CS pumps, LPSI pumps, HPSI pumps, and the shutdown cooling heat exchangers. CCW is cooled by the salt water system. -
The system description for the compressed air system briefly discusses three sources of air: instrument air, plant air, and the salt water system air compressors. We found the system description for instrument ale to be incomplete for understanding where air is required for support and for understanding the different air supply options. There is no system description for the nitrogen supply system, although the system description l for AFW Indicates that the nitrogen system can be used for the AFW flow control ;
valves. Sources of cooling for the air compressors and sources of electrical power for l the air compressors are not clear. It is not clear which systems require instrument air l for support, but other information in the submittal indicates that air support is I important. For example, in the discussion of the support systems event tree, the submittal states that air is needed for: AFW flow centrol, salt water flow control, and l RCP seal cooling. [ submittal, Page 3.1.4-18] Also, it is possible to use the salt water i air compressors to provide air for AFW, as discussed in the system description for l compressed air. The licensee provided more details on the impact of loss of air. [lPE Responses]
The submittal contains system descriptions for HVAC systems that provide room cooling for electrical switchgear room and for the control room and cable spreading rooms; the HVAC system for cooling the control and cable spreading rooms is shared between the two units. HVAC for all of these areas is normally provided by a l
l 16 l
__ I
a combination of outside air and recirculation using air conditioning units. Chilled water from mechanical refrigeration supports the air conditioning units. If HVAC to the l switchgear room is lost, operator action can be taken to align fans for room cooling.
The submittal states that loss of instrument air forces HVAC systerns for the l switchgear rooms and the control / cable spreading rooms to be operated totally in a l
recirculation mode thereby requiring operation of the air conditioning units.
The submittal discussed the room coolers for the ECCS pump rooms. These coolers are required for: HPSI, LPSI and CS pumps. The saltwater system provides the heat sink for these room coolers.
l The system description for the saltwater system indicates that the salt water air compressors provide an alternate supply of air for valves in the salt water system.
l The main feedwater system uses turbine driven main feedwater pumps, one pump in each of two trains.
l The main steam system has 8 safety valves on each of two main steam lines. Four
! turbine bypass valves are available that can handle up to 40% of full power. One I
atmospheric dump valve is available on each steam line, each of which can handle l 2.5% of full power. Two MSIVs are provided, one in each main steam line.
The RCS has two PORVs and two safety valves on the pressurizer. The PORVs are AC powered, and require DC control power.
Three HPSI pumps are provided, two aligned for automatic start. The HPSI pumps are distinct from the charging pumps. Two LPSI pumps are provided, these are the residual heat removal (RHR) pumps aligned for ECCS injection. (UFSAR Page 6-7j After ECCS injection from the refueling water tank (RWT), automatic switchover to the containment sump is provided. Recirculation from the containment sump is provided by the HPSI pumps. Two trains of containment spray are provided; in recirculation the spray system transfers heat to the component cooling water system through the RHR shutdown cooling system heat exchangers.
The chemical and volume control system (CVCS) does not provide seal injection to the RCP seals at Calvert Cliffs. Seal cooling is totally dependent on CCW cooling of the thermal barrier cooler in the RCPs. CVCS provides emergency boration in response to an ATWS. Three positive displacement pumps are provided in the CVCS.
one is normally operating at full power to provide for makeup.
The AFW system consists of one motor driven pump and two turbine driven AFW pumps for each unit. It is possible to crosstle flow from the motor driven AFW pump at the other unit. Air is required for operation of AFW flow control valves and for AFW feed flow block valves. Room cooling to the AFW turbine pump room is provided by 17
. _ _ _ ~ - _ _ _ . _ . . _ _ _ _ _ - _ . . - . _ __ -
service water. A 350,000 gallon capacity CST is the normal supply of water for AFW, and this CST provides a minimum of 300,000 gallons to service both units. [UFSAR Section 10.3.2). Operator action is necessary to provide for long term makeup to the CST. The submittal indicates that the inventory will last for 17.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />. (submittal, Page 3.4.1-25] Operator action is necessary in the long term to supply water for AFW after the CST is depleted.
l l
2.2.4 Svstem Decendencies.
l l The submittal contains tables of inter system dependencies. (submittal, Tables 3.2.3-1 l
through 3.2.3 29] These tables provide the dependencies by event tree split fractions.
We have the following comments on the system dependency tables.
l CCW is required for cooling of both the HPSI and LPSI pumps during recirculation i l from the containment sump. CCW is not required for cooling of the containment spray l pumps. The IPE model did not require room cooling for the service water pump l rooms; however, on further review the licensee found that without room cooling the l
service water pump rooms can exceed 130 F following a LOCA. The licensee states l that the impact of this finding is not expected to have a significant impact on the PRA l results, but the IPE model will be revised to incorporate room cooling for the service l water pump rooms. [lPE Responses) l 2.3 Quantitative Process This section of the report summarizes our review of the process by which the IPE quantified core damage accident sequences. It also summarizes our review of the data base, including consideration given to plant specific data, in the IPE. The uncertainty and/or sensitivity analyses that were performed, if any, were also reviewed.
2.3.1 Quantification of Accident Seouence Freauencies.
The process used to quantify accident sequences at either the functional or systemic level was reviewed. The following topics were addressed in the review: the technique used to quantify accident sequences, the truncation limit (s) used in the quantification, and the quantification of shared component dependencies and common cause failures.
The Calvert Cliffs IPE used the large event tree /small fault tree model with event tree linking for quantifying core damage. Support systems were modeled in a support system event tree, but support system states were not used. (submittal, Section 3.3.6)
The Cutset and Fault Tree Analysis (CAFTA) code was used to quantify system fault trees and the RISKMAN computer code was used to quantify accident sequences.
(submittal, Section 3.2.2.3) A mission time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> was used. (submittal, Page i
i 18
I
~
3.2.2 4]' Truncation limits were 1E 8 to 1E 9 for sequences. (submittal, Page 3.3.7-2)
Common cause failures were modeled directly in the fault trees. (submittal, Page 69] l l
2.3.2 Point Estimates and Uncertaintv/Sensitivitv Analvses.
. Mean values were used for point estimate failure frequencies and probabilities. ,
(submittal, Page 3.3 3)
The IPE did not evaluate uncertainty.
The iPE did present the results of a limited sensitivity study. [ submittal, Section l> 3.4.1.6] This sensitivity study focused on the impact of eleven of the more sensitive assumptions in the models. The following of these assumptions had the most impact on the CDF: impact of loss of control / cable spreading room HVAC on 120 V AC buses and 125 V DC buses; and, the amount of leakage from failed RCP seals.
2.3.3 Use of Plant Soecific Data, t .
- Plant specific data from both units were used from the time period 1985 through 1992.
! - The evaluation of plant specific data also included an evaluation of plant specific common cause data. (submittal, Section 3.3.2.2] Plant specific data were used to Bayesian update generic data.
l .
Plant specific data for component fa!!ures are listed in Table 3.3.2 2 of the submittal.
l This table designates components by an acronym used in the quantification process, and it' is not clear which components are actually listed in this table; however, the updated set of data for component failures used in the actual quantification is given in Table 3.3.2-3B of the submittal, and this table s'pecifically identifies the components.
Plant specific data were also used to Bayesian update generic data for test and maintenance. (submittal, Section 3.3.2.2.2) Table 3.3.21 summarizes unavailabilities due to maintenance calculated from plant specific data. The updated set of data for testing and maintenance unavailabilities used in the actual quantification is given in Tablo 3.3.2.3-A of the submittal.
We performed a spot check of the updated data for component failures. The results of this check are summarized in Table 21 of this report. Since the Calvert Cliffs IPE used the PLG generic data base, the comparison in Table 2-1 is made with PLG generic data from the South Texas Project (STP) probabilistic safety assessment (PSA). (South Texas PSA, Table 7.3-1) i i
19
--,n.. .- _ . - - - . , , - -- ,v+ - -. - . ,-- , - - ,-w-, , -, .- -,r-- -- - mm, ,s.,.-m , ,
Table 21. Plant Specific Data ,
I' Component and Calvert Cliffs Updated STP PSA Failure Mode Valueok m Submittal Generic Data Uk*
Table 3.3.2 3B Diesel Generator 2.5E 3 2.1 E-2 Fail to Start Diesel Generator 3.1E 3 (first hour of 1.7E 2 (first hour of operation)
Fall to Run operation) 2.5E 3 (after first hour)
LPSI Pump Fail to Start 1.2 E 3 3.3E 3 LPSI Pump Fall to Run 5.3E 6 3.4E 5 HPSI Pump Fall to Start 1.2E 3 3.3E-3 HPSI Pump Fail to Run '3' 5.3E 6 3.4E 5 !
Turbine Driven AFW Pump Fall to Start 1.2E 2 3.3E-2 Turbine Driven AFW Pump Fall to Run 7.1 E-4 1.0E 3 1.2 E 3 )
i Motor Driven AFW Pump Fail to Start 3.3E 3 j Motor Driven AFW Pump Fail to Run 5.3E 6 * 3.4E 5 '
(1) Failure to start values are probabilities. !
(2) Failure to run values are frequencies in 1/hr.
l (3) Data for 4 KV Safety Related Pump from submittal Table. :
- l Based on the data in Table 2-1 of this report, the plant specific component failure data for the following failures are about a factor of 10 lower than data typically used in many IPE/PRAs: DG fall to start, DG fall to run, and 4 KV motor driven pumps fall to run (HPSI, LPSI, and AFW). The licensee provided information supporting these relatively low failure values; these values reflect plant specific data. (lPE Responses] J The licensee also stated that the PLG generic value for DG Fail to run after one hour" !
was used in the iPE, namely: 2.5E-3.
2.3.4 Use of Generic Data !
i The primary source of generic data was the PLG generic data base. (submittal, !
Section 3.3.1.1) Other sources of generic data included: IEEE Standard 500, WASH- !
1400, and NUREG/CR 4639. I i
We reviewed the generic data listed in Table 3.3.1-1 A. These data are comparable to !
data used in other IPE/PRAs. l l
2.3.5 Common Cause Quantification. '
The MGL method was used to model common cause failures. (submittal, Section 3.3.4] Common cause failures among similar components within the same system 20
l l 1
were modeled. The common cause failures were incorporated into the fault tree files.
[ submittal, Page 3.3.4-3] The submittal does not describe the process used to select components for common cause failure modeling, but the lists of components in Tables 3.3.4-1 and 3.3.4-2 indicate that the scope of the common cause failure analysis in terms of components considered is comparable with other IPE/PRAs.
The sources of generic data for common cause failure were: the PLG Generic Database and the EPRI common cause database. Plant specific common cause data were used to update generic common cause failure data. Table 3.3.4-3 of the submittal provided the updated plant specific MGL common cause factors used in the analysis.
l We reviewed the values assigned to common cause failures by performing a ' spot check of the data used in the IPE, as summarized in Table 2 2 of this report.
Based on the data in Table 2-2 of this report, the common cause failure data used in l the IPE are comparable to data used in typical IPE/PRAs.
Table 2-2. Common Cause Factors for 2-of-2 Components
, Cornponent Calvert Cliffs Beta Factor STP PSA l Submittal Table 3.3.4-3 Generic Data Diesel Generator 0.0032 (fail to start) 0.0029 (fall to start)
O.0023 (fall to run in 1st hour) 0.0154 (fail to run)
AFWTurbine Driven Pump 0.12 (fail to aart) not available Standby Pump (not AFW) 0.060 (f*E to start) 0.062 HPSI (fail to start)
O.m 4 (fail to run) 0.0074 HPSI (fail to run)
Circuit Breaker $016 (480 V AC and above) 0.07 (480 V AC and above) 2.4 Interface issues This section of the report summarizes our review of the interfaces between the front-end and back- end analyses, and the interfaces between the front-end and human factors analyses. The focus of the review was on significant interfaces that affect the ability to prevent core damage.
l 2.4.1 Front-End and Back-End Interfaces.
l As discussed previcusly in Section 2.2.2 of this submittal, the success criteria for containment coollag to support core cooling are less restrictive than those used in the licensing basis in tne UFSAR.
21 )
i i
I
The IPE assumed that following any LOCA, containment cooling is required to support core cooling.
No credit for core cooling was taken for sequences with no containment cooling and containment failure.by overpressurization. :
The IPE did model the impact of containment isolation on RCP seal cooling. !
The IPE binned core damage sequences into PDSs for subsequent back-end analysis.
[ submittal, Section 3.1.5] 116 PDSs were generated using the following binning parameters: RCS pressure at core damage, amount of water on the containment floor before, during, and after core melthrough of the vessel, containment status: Isolated, unisolated, or bypassed, and the availability of containment cooling systems: sprays and fan coolers. The binning process for PDSs was comparable with that used in other IPE/PRAs.
2.4.2 Human Factors Interfaces.
Based on our front-end review, we noted the following operator actions for possible consideration in the review of the human factors aspects of the IPE.
. providing power with the swing DG l
= use of feed and bleed core cooling -
- using plant air from Unit 2 e using the motor driven AFW pump from Unit 2
- using salt water system air compressors (SWACs) for AFW air operated valves
. using nitrogen for AFW air operated valves a trip of RCPs following loss of seal cooling
- recovery of HVAC or use of mitigating ventilation measures for loss of HVAC to electrical switchgear rooms a perform long term core flush after large break LOCA to prevent boron precipitation e open AFW pump room doors to provide ventilation
. provide long term supply of water for AFW after the CST is depleted.
As discussed in Subsection 2.2.3 of this report, the swing DG 12 does not automatically load following a loss of offsite power incident, and operator action is required to load the DG within 10 minutes or it will trip on high Jacket water temperature. [ submittal, Page 3.4.129] As discussed in Subsection 2.7.2 of this report, operation of manual valves is required to provide a long term source of water for AFW after the CST is depleted.
22
2.5 Evaluation of Decay Heat Removal and Other Safety issues This section of the report summarizes our review of the evaluation of Decay Heat Removal (DHR) provided in the submittal. Other GSI/USl's, if they were addressed in the submittal, were also reviewed.
2.5.1 Examination of DHR.
The submittal provides an evaluation of DHR. (submittal, Section 3.4.3) The evaluation addressed DHR by accident type and provided the contribution of loss of DHR to the total CDF by accident type.
3 Loss of DHR for general transients contributed 45% to the overall CDF; failures of AFW contributed 34% and were influenced by failures in hand operated vaives needed for long term supply of water for AFW after the CST is depleted, and this was identified as a vulnerability. More frequent surveillance of these valves was implemented to address this vulnerability, and this action was credited in the revised IPE model. [RAI Responses, p.13] Failures associated with inadvertent actuation of ESFAS and AFAS contributed 18% to the overall CDF; inadvertent actuation due to
- loss of 120 V AC vital buses was identified as a vulnerability. Improved operator i training was implemented to address this vulnerability. [RAI Responses, p.13] No other vulnerabilities associated with loss of DHR were identified.
The submittal evaluated the impact of a dedicated shutdown DHR system. [ submittal, Section 3.4.3.4] The particular system considered included a single train of high pressure injection makeup and a single train of emergency feedwater with dedicated
- power and makeup sources. The failure probabilities assigned to this conceptual
- system were 0.052 per demand with offsite power available and 0.10 per demand without offsite power. With credit for this system, the overall CDF would be reduced by 36%. However, the in progress addition of a diesel generator at the plant should
2.5.2 Diverse Means of DHR.
i Section 3.4.3.1 of the submittal provides a summary of the options for proWing DHR:
j steam generator heat removal with main feedwater and AFW, once through fend and bleed cooling, and ECCS injection and recirculation. The IPE model considered all
- necessary support systems required for successful operation of these frontline systems for DHR. Required support systems included
- HVAC, pump cooling, instrument air,
. and containment heat removal.
4 2.5.3 Uniaue Features of DHR.
] Design features at Calvert Cliffs that impact the core damage frequency (CDF) from
23
l l
1 Requirement for air to operate Auxiliary Feedwater (AFW)
No seal injection for Reactor Coolant Pumps (RCP)
= Presence of a swing Diesel Generator (DG)
= Shared DC power
= Two hour battery lifetime
=
Ability to crosstie motor driven AFW pump and plant air between units ,
a Requirement for 2 Power Operated Relief Valves (PORVs) to feed and bleed !
l The impact of these design features on CDF is discussed in Subsection 1.2 of this l report.
2.5.4 Other GSI/USI's Addressed in the Submittal.
The licensee states that no issues other than USl A-45 for DHR are proposed for resolution by the IPE. (submittal, Section 3.4.4.1]
2.6 Intemal Flooding This section of the report summarizes our reviews of the process used to model internal flooding and of the results of the analysis of internal flooding.
2.6.1 Internal Floodino Methodoloov.
The IPE summarized the analysis of internal flooding. (submittal, Section 3.3.8) ,
Equipment failures due to submergence or spray were evaluated. (submittal, Section 1
3.3.8-2] The process for modeling internal flooding involved the following steps. Flood l sources and locations were identified. Locations were screened if they did not contain equipment important for mitigating a plant trip, or if the flood sources were of insufficient volume to damage such components, and if the flood propagation to rooms i containing sensitive components was not possible. For locations retained after the l initial screening, the impact of the flood, including the effect of flood propagation, was studied. Flood scenarios were quantified. The transient event tree was used to quantify the CDF from internal flooding; components failed as a direct result of the flood were assumed to be pre-existing failures in the event tree. (submittal, Pages )
3.1.3-2 and 3.3.8-8] Operator recovery actions for flood isolation were considered.
2.6.2 Internal Floodino Results.
Four flood initiating events were determined to be most important. (submittal, Section 3.4.1-8] The important flood initiating events and flood locations were as follows:
AFW suction line break in the service water pump room; break of service water, fire protection, CCW, or demineralized water piping in the personnel access room; break of a salt water system line in the service water pump room; and break of a salt water line in an ECCS pump room. For these flood events, core damage was due to loss of DHR or a seal LOCA that could not be mitigated.
24 l
l 1
The total CDF from internal flooding was 4.9% of the overall CDF. The top flood sequence contributed 0.66% to the overall CDF. This contribution of flooding was for the original model. As discussed in Subsection 2.7 of this report, the overall CDF was recalculated considering enhancements to the plant and the relative contribution of internal flooding increased slightly; however, the details related to the internal flooding results that are provided in the submittal are for the original model.
The submittal states that the CDF from intemal flooding is not sensitive to human recovery actions. [ submittal, Page 3.3.8-9) 2.7 Dominant Core Damage Sequences This section of the report reviews the dominant core damage sequences reported in the submittal. The reporting of core damage sequences- whether systemic or functional- is reviewed for consistency with the screening criteria of NUREG-1335.
The definition of vulnerability provided in the submittal is reviewed. Vulnerabilities, enhancements, and plant hardware and procedural modifications, as reported in the submittal, are reviewed.
2.7.1 Dominant Core Damaae Seauences.
The total CDF from internal initiating events was calculated to be 3.2E-4/ year, and the -
total CDF from intemal flooding was calculated to be 1.55E-5/ year. [ submittal, Sections 3.3.8.3 and 3.4) However, the licensee recalculated the CDF crediting various enhancements; the new total CDF was 2.4E-4/ reactor year. Internal flooding contributed 5.6% of the total revised CDF. [ submittal, Figure 1-2) The enhancements credited for the revised CDF are discussed in Section 2.7.3 of this report.
The IPE reported results using the systemic reporting criteria of NUREG-1335.
[ submittal, Section 3.4-1] Results were reported for both the original model and the model with the enhancements credited. Section 3.4.1-10 of the submittal provides the results for the enhanced model.
- Based on Table 3.4.1.10-4 of the submittal, the CDF by initiating event for the revised model (total CDF of 2.4E-4/ reactor year) was as follows':
loss of offsite power 15.2%
small LOCA 8.7%
very very small LOCA 6.4%
very small LOCA 6.4%
plant trip 6.0%
loss of control room ventilation 5.1 %
'A complete set of initiating event CDF contributors is given in Table 3.4.1.10-4 of the subrnittal.
25
1 i
l loss of CCW 4.3%
loss of one 480 V AC bus 3.8%
i loss of 120 V AC bus 1Y01 3.7%
! loss of main feedwater 3.2%
loss of a DC bus 1D01 3.0%
loss of 13 kV bus 2.6%
inadvertent PORV opening 2.5%
l large LOCA 2.4%
l loss of DC bus 2D01 2.1%
l SGTR 1.9%.
The CDF by accident type is not clearly provided in the submittal, but by using l Information scattered throughout the submittal, we were able to gather information on l the CDF by class of accident. For the baseline model (total CDF of 3.2E-4/ reactor year) the submittal provides the following information for the major contributors to CDF: [ submittal, Page 3.4.1-33)
Site Station Blackout (all 4 kV Buses Lost) 2.3E-5/ year 7%
Unit 1 Station Blackout (4 kV Buses 11 7.4E-5/ year 23%
14 Lost)
, RCP Seal LOCA 4.7E-5/ year 15%
Inadvertent ESFAS/RPS/AFAS 4.7E-5/ year 15%
For the revised model (total CDF of 2.4E-4/ reactor year), the submittal states that the CDF by NUMARC accident category is as follows: [ submittal, Table 3.4.2.4-1)
L Transient without Early Heat Removal 9.2E-5/ year 38.5 %
Transient without Late Heat Removal 1.5E-7/ year 0.1 % ,
Induced LOCA without Early inventory 2.8E-5/ year 11.7 %
Control Induced LOCA without Late inventory 2.3E-5/ year 9.6%
Control Very Small LOCA without Early Inventory 2.2E-5/ year 9.2%
Control Very Small LOCA without Late inventory 8.8E-6/ year 3.7%
l Control l l Small, Medium, or Large LOCA 2.1 E-5/ year 8.8%
l without Early inventory Control l Small, Medium, or Large LOCA 6.8E-6/ year 2.8%
without Late inventory Control Failure of Reactivity Control 2.4E-5/ year 10%
i Containment Bypass LOCA 1.9E-6/ year 0.8%
SGTR 4.4E-6/ year 1.8%
Pressurized Thermal Shock 3.4E-7/ year 0.1 %
1 26
l The top five core damage sequences for the revised model (total CDF of 2.4E-4/ reactor year) are presented in Table 2-3 of this report, based on information from Table 3.4.1.101.
These dominant sequences provide interesting insights into the CDF for Calvert Cliffs.
l RCP seal LOCAs are an important contributor to the overall CDF at Calvert Cliffs.
Other CE IPEs for plants with similar seal designs assumed the RCP seal LOCAs are
- extremely unlikely to occur. The plant design does not incorporate seal injection from the charging pumps; loss of CCW seal cooling results in loss of all seal cooling.
l Table 2-3. Top 5 Core Damage Sequencees l Initiating Event (Failures Independent CDF in 1/ year and in l due to initiating Event) Failures % of Total l Loss of CCW RCP seal LOCA 1.0E 5 4.2%
! (loss of RCP seal cooling) l (loss of HPSI purnp cooling)
Plant Trip Failure to Trip Reactor 7.1 E-6 3.0%
Loss of Offsite Power Failure of EDG 21 requires alignrnent of 4.4E 6 1.8%
l swing DG 12 to Unit 2 resulting in loss of charging to 125 V DC Bus 12 and 21 batteries; failure to recover offsite power results in loss of 125 V DC Buses 12 and l 21; Operator fails to align 120 V AC Bus 13 to Backup DC Bus resulting in 2/4 ESFAS/RPS/AFAS trip which closes AFW block valves causing loss of AFW; Operator falls to open AFW block valves
, Large LOCA Failure to Trip Reactor; inadequate Boron 2.7E-6 1.1 %
l In RWT due to failure of RWT heating and Boron precipitation Partial Loss of MFW Failure to Trip Reactor 2.4E-6 1.0%
Failure to scram contributes to two of the dominant sequences, both initiated by a !
generic transient. As discussed previously in Subsection 2.2.2 of this report, the IPE model does not credit any capability for mitigation of failure to scram with AFW and boration. Most PWR IPEs credit AFW and boration for mitigating an ATWS, given trip of the turbine and MTC conditions sufficient to prevent primary overpressurization.
Therefore, ATWS is a higher contributor to the overall CDF and has a much higher absolute CDF in this IPE than in most PWR IPEs due to the pessimistic modeling assumptions used for mitigation of an ATWS.
One sequence involves failure to provide adequate boration with ECCS injection following a large LOCA. Without boration, and with injection of large quantities of cold water from ECCS, even if the reactor is tripped long term shutdown cannot be assured 7
since below hot zero power temperature shutdown margin is lost. Boration is lost due 1
27 i
to failure of the RWT heating system and subsequent boron crystallization. This is a unique sequence for this IPE not typically identified in other PWR IPE/PRAs.
The sequence involving loss of offsite power is not a station blackout sequence. This sequence involves failure of the DG dedicated to Unit 2 thereby requiring use of the swing DG for Unit 2, resulting in loss of certain DC buses for Unit 1 if offsite power is not recovered. Trip of safety related I&C results in isolation of AFW. This sequence is described in detailin Section 3.4.2.3.1b of the submittal. DC power is shared between the two units; loss of either DG 11 or 21 results in the need for the swing DG 12 to power the unit with the loss, thereby leading to partial loss of DC power.
Our evaluation of the dominant core damage sequences, the CDF by initiating event, and the details of the model indicates that:
RCP seal LOCAs contribute significantly to overall CDF ATWS is a significantly higher contributor to CDF than in most PWR IPE/PHAs station blackout is a significant a contributor to overall CDF The frequency for loss of offsite power is about a factor of 3 higher than the frequency typically used in other IPEs and the battery lifetime is only two hours. These factors tends to increase the CDF from station blackout. However, the values used for failure of a DG to start and for failure of a DG to run are lower than values that are sometimes used, and this tends to lower the CDF from station blackout. Of the *.nree -
- DGs on site, the swing DG is only available for powering a unit if the DG that ir i normally dedicated to the opposite unit successfully operates; this tends to increase the CDF from station blackout.
The submittal provides the importance ranking of systems for mitigation, based on the risk reduction measure. (submittal, Table 3.4.1.10-6] This ranking indicates that the most important systems for mitigation in decreasing order are: RCS (seals and 3 PORVs), AFW, ESFAS,120 V AC, DGs, ECCS Injection, and salt water cooling. )
The licensee performed an analysis of CDF for the top 50 core damage sequences with all operator actions set to guaranteed failure. (submittal, Section 3.4.1.2) This j analysis provides a risk increase importance measure for operator actions. Important !
operator actions from the risk increase perspective were associated with: AFW, main feedwater, control and switchgear room HVAC, CCW, tripping of RCPs following loss of seal cooling, and loading of the swing DG during a non-LOCA accident.
2.7.2 Vulnerabilities.
Section 3.4.2 of the submittal discusses front-end vulnerabilities. The Calvert Cliffs submittal summarizes the process for evaluating potential vulnerabilities. The licensee
. usad the NUMARC Severe Accident Closure Guidelines, NUMARC 91-04, to identify
. potential vulnerabilities. The underlying causes of these potential vulnerabilities were 28
i I
l l
l reviewed against additional criteria to determine if corrective actions are warranted, l The core damage sequences were grouped by the NUMARC accident categories.
(submittal, Table 3.4.2) The criteria used to determine vulnerabilities within these accident categories were as follows. (submittal, Section 3.4.2.1]
Table 2-4. Vulnerability Semening, Com Damage, Containment Not Bypassed Mean CDF of Accident Category, Percent CDF Risk Potential 1/ year
> 1 E-4 > SO High 1E-4 to 1E-5 2 to 50 Medium 1E-5 to 1E-6 NA Low
< 1 E-6 NA Screened 1
l Table 2-5. Vulnerability Screening, Core Damage, Containment Bypassed I
Mean CDF of Accident Category, Percent CDF Risk Potential l 1/ year I
> 1 E-5 > 20 High 1E 5 to 1E-6 5 to 20 Medium 1E-6 to 1 E-7 NA Low
< 1E 7 NA Screened Using these criteria, corrective action was evaluated based on the Risk Potential and consideration of other factors as follows.
Table 2-6. Vulnerability Review Criteria Review Criteria High Risk Potential Medium Risk Potential Low Risk Potential Risk >3% 0.3% to 3% < 0.3%
> 1E 5 1E-5 to 1E 6 < 1 E-6 Confidence Well Understood Some Open issues Controversial Cost > 250 K 50-250 K < 50 K Risk Improvement No Longer Risk Significantly Reduced < 10% improvement Significant HIGH Risk Potentialissues having HIGH Confidence and LOW Cost fixes and HIGH Risk Improvement were considered to be plant-specific vulnerabilities. Items not meeting this critoria were evaluated as to whether or not they were vulnerabilities on an item specific basis. An exception to this criteria was made for model changes; risk 29
{
i improvements through improvements in modeling were not considered to be vulnerabilities.
During the performance of the IPE, selected items were addressed by implementing corrective actions at the plant. (submittal, Section 3.4.2.3.13] These corrective actions were responsible for reducing the CDF from 3.4E-4/ reactor year to 2.4E-4/ reactor year.
The corrective actions are discussed in Section 2.7.3 of this report.
The submittal provides a lengthy discussion of the vulnerability assessment for the various accident categories, for both the base case and following implementation of the corrective actions. (submittal Sections 3.4.2.3 and 3.4.2.4] l l
Seven vulnerabilities were identified for the base case model. (submittal, Section 6.0] !
These vulnerabilities, the proposed corrective actions, and the status of the corrective actions are listed in Table 2-7.
The ilcensee provided further information which stated that the original IPE CDF of 3.2E-4 credited four of these corrective actions, these being: (IPE Responses)
(1) Presence of Staged Fans for Switchgear Room Cooling l (2) Use of Pressurizer Vent Valves to Depressurize following a SGTR (3) Improved Surveillance of AFW CST Manual Valves (4) Presence of Digital Control System for MFW. -
l , The licensee provided further information which stated that all of the corrective actions identified for these vulnerabilities have now been completed. (IPE Responses) 2.7.3 Prooosed imorovements and Modifications.
The Calvert Cliffs IPE identified improvements to the IPE modeling efforts as well as improvements to the plant and its operations. Both types of improvements are discussed in the following sections.
2.7.3.1 Imorovements to the IPE Model. The IPE CDF was revised downward from 3.2E-4/yr to 2.4E-4/ year by incorporating the following changes to the baseline model.
(IPE Responses]
(1) An improved assessment of human actions to control AFW flow.
(2) Operator action was considered to isolate instrument air to the steam admission valves in the AFW system within 20 minutes following loss of DC power. An additional action of re-throttling AFW flow given failure of one of the two remaining flow paths was also added.
I I
30
Table 2-7. Vulnerabilities and Corrective Actions Vulnerability Corrective Action Status of Corrective Action Loss of Switchgear HVAC Provide fans for backup room Fans were staged near esbh of !
causes failure of both 4 kV cooling the four switchgear rooms. '
Safety Related Buses for a Procedures for use of fans were Single Unit {
issued. Surveillance ensures fans l remain in place.
Loss of MFWfollowing Plant Digital feedwater control system Modifications installed. I Trip Likely to Occur modification to rapidly reduce m*w l pump speed after plant trip to prevent mfw pump trip on high discharge pressure Several Normally Closed improve surveillance to ensure Enhanced surveillance Manual Valves are Needed to operability of valves implemented.
Supply Water for AFWif the CST is Lost or is Depleted Depressurization of Primary Consider revising eops to allow incorporated into EOPs. l Following SGTR Cannot be use of pressurizer vent valves for l Accomplished with Main depressurization Pressurizer Spray due to Proceduralized Trip of RCPs Inadvertant ESFAS/RPS/AFAS Complete training on scenario implemented. l Actuation Results from Failure including simulator training -
of 2120 V AC Buses which Significantly Challenges Operators Loss of CCW with RCP Seal Reduce frequency for loss of ccw Determined not to be required.
LOCA is Dominant CDF due to failure of many single Sequence isolation vent and drain valves by capping piping Significant Likelihood for failure Add manual isolation valves to Modification was implemented, of Both Turbine-Driven AFW upstream and downstream sides Pumps due to Maintenance or for both afw turbine driven pumps Common Cause to reduce dual pump unavailability due to maintenance (3) The unavailability of dual turbine-driven AFW pumps was reduced by crediting a recent modification that allows for maintenance on one steam admission valve without having to remove both turbine-driven AFW pumps from service.
(4) The impact of RCP seal failure was reduced by enhancing the IPE model to fully reflect the benefit of the third CCW pump and the recent power modificaticns to the salt water throttle valves.
(5) The model was revised to reflect that the component cooling valves to the waste evaporator are only open 50% of the time.
(6) A recovery action was added to recover the satt water system pumps on loss of instrument air.
31
(7) The hot leg injection method of core flush was added to the revised model.
(8) The contribution of the SGTR was removed from the V sequence initiating event, since a SGTR is modeled with its own _ initiating event.
(9) A recovery action of manually starting the HPSI pumps was added to the i revised model.
l Note that these modeling improvements, with the exception of item (3), the addition of I manual valves to reduce maintenance dependencies of the AFW steam admission valves, are separate from the physical and procedural modifications listed in Table 2-7.
2.7.3.2 Procedural and Physical Modifications. As discussed in Section 2.7.2 of this report, the IPE credited four of the seven corrective actions identified during the performance of the IPE. These modifications and their status are indicated in Table 2-7 The licensee provided further information which ectimated the impact on the CDF for each of the seven improvements addressed in Table 2.7 of this report. [IPE Responses] These impacts are relative to the original IPE CDF of 3.2x10-4/ reactor-year. Two of these improvements had tae most significant impact on reducing the CDF. Without staging of fans near the four switchgear rooms the baseline CDF would increase by about 75% to 5.5x10-4/ reactor-year. Without the digital feedwater control-system, the baseline CDF would increase by about 50% to 4.7x10-4/ reactor-year..
Each of the remaining changes were estimated to have a small(<2.5%) impact on the -
CDF.
The submittal also provided a measure of the impact on the CDF from the pending i
installation of two additional DGs. (submittal, Section 3.4.1.3] The two additional DGs are scheduled for implementation in 1996. One of the DGs will be safety related and one of the DGs will be non-safety related. This modification will reduce the overall i baseline CDF by 18% from the original baseline CDF of 3.2E-4/ reactor year.
l (submittal, Page 3.4.1-33] This modification will reduce the overall revised CDF by i 17% from the revised CDF of 2.4E-4/ reactor year, resulting in a new overall CDF of 2.0E-4/ reactor year. [ submittal, page 3.4.1-57]
l l
i P
32 l
- 3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS
{
This section of the report provides our overall evaluation of the quality of the front-end portion of the IPE based on this review. Strengths and shortcomings of the IPE are j summarized. Important assumptions of the model are summarized. Major insights from the IPE are presented.
Strengths of the IPE are as follows. The evaluation and identification of plant-specific initiating events is thorough in comparison to many other IPE/PRA studies.' Also, the modeling of interfaces between the two units (shared systems and the ability to crosstie specific equipment) is thorough in comparison to other IPE/PRA studies for multiple unit sites.
We identified no major shortcomings of the IPE.
Based on our review, the following modeling assumptions have an impact on the t overall CDF:
l (a) LPSI is not required to mitigate a large LOCA l j (b) Reactor trip is required to mitigate an ATWS l l (c) RCP seats can fail with loss of CCW cooling.
I i j The first assumption lowers the CDF from a large LOCA by not requiring a safety l j system specifically designed to mitigate a large LOCA. The second assumption I j results in ATWS accidents being a relatively high contributor to the overall CDF. The third assumption results in seal LOCAs being a significant contributor to the overall j CDF; IPEs for some other CE plants have assumed that a seal LOCA is very unlikely.
] Significant findings on the front-end portion of the IPE are as follows:
4 = RCP seal LOCAs are an important contributor to the overall CDF. IPEs for
- some other CE plants have assumed a more optimistic RCP seal LOCA model, j and thus have lower CDF contributions from RCP seal LOCAs.
a The CDF due to ATWS is 2.4E-5/ reactor year, a relatively large value. The IPE model for mitigation of an ATWS is less optimistic than other typical '
IPE/PRA models. IPEs for most other PWRs credit more options for mitigating an ATWS than does Calvert Cliffs.
- Internal flooding contributes about 5% to the overall CDF. Internal flooding is a small contributor due to the layout of the plant.
4 l
i a
33
l l
- 4. DATA
SUMMARY
SHEETS i
This section of the report provides a summary of information from our review.
Overall CDF The total baseline CDF internal initiating events including flooding was calculated to be !
3.2E-4/ reactor year, and the total CDF from internal flooding was calculated to be l
1.55E-5 reactor year. The total revised CDF was calculated to be 2.4E-4/ reactor year, with 5.6% due to internal flooding.
Dominant initiatino Events Contributina to CDF l l !
The revised CDF by initiating event is as follows: !
loss of offsite power 15.2% I small LOCA 8.7%
very very small LOCA 6.4%
very small LOCA 6.4%
plant trip 6.0% i loss of control room ventilation 5.1 % !
loss of CCW 4.3% -
loss of one 480 V AC bus 3.8%
loss of 120 V AC bus 1Y01 3.7%
loss of main feedwater 3.2%
loss of a DC bus 1D01 3.0%
loss of 13 kV bus 2.6%
inadvertent PORV opening 2.5%
large LOCA 2.4%
loss of DC bus 2D01 2.1 %
SGTR 1.9%.
1
( The complete list of the Calvert Cliffs IPE initiating events, together with their
! frequencies, are shown in Table 4-1.
i i
j 34 l
7 Table 4-1. Initiating Events 4
1rdtisting Event Plant Model Point Estimate, l Events per Year Loss of Coolant Accidents Inadvertent PORV opening 6.84E-02 Small V sequence (< or = 4') 2.61 E-08 Large V sequence (>4*) 2.46E-07 Large RCS pipe break inside containment 2.02E 04
~
Medium RCS pipe break inside containment 4.62E 04 Steam generator tube rupture 3.79E-03 Small RCS pipe break inside containment 5.04E-03 Very, very small RCS pipe break inside containment 4.39E-03 Very small RCS pipe break inside containment 4.39E 03 Transients Excessive main feedwater 2.35E-01 Loss of condenser vacuum 2.35E-01 Totallos of main feedwater 4.70E-01
~
Large feed or steamline break, outside containment, downstream of 2.67E-04 MSIVs Large feed or steamline break, outside containment, upstream of MSIVs 7.05E-05 Partialloss of main feedwater 7.06E-01
)
Plant Trip (includes reactor trip & turbine trip) 2.12E+00 Large feed or steamline break, inside containment 1.99E-04 Support System Faults Loss of CCW heat exchanger 2.82E-02 Inadvertent ESFAS actuation (spurious UV) 1.40E-02 Loss of 120V bus 1YO1 (1YO2) 4.14E-02 Loss of 120V bus 1YO3 (1YO4) 4.14E 02 l
Loss of one 480V bus 11 A,11B, or MCC 114R 6.01 E-02 :
Loss of one 480V bus 14A,14B, or MCC 104:[ 6.01E 02 Loss of one 500kV bus 5.03E-02 Loss of a single DC bus (1D01) 4.10E-03 Loss of one ser/ ice water header 2.02E-01 Loss of one salt water header 3.48E 02 Loss of component cooling water (pumps) 6.14E-03 Loss of control room ventilation 1.03E-02 35
Table 4-1. Initiating Events initiating Event Plant Model Point Estimate, Events per Year Loss of single DC bus (2D01) 4.19E-03 Loss of instrument air 9.65E-03 Loss of component cooling water flow path to RCP seals 5.09E-02 Loss of switchgear room ventilation 2.44E-02 Loss of offsite power 1.36E-01 Loss of service water 4.16E-03 Loss of salt water 8.74 E-04 Loss of service water to the turbine building 8.68E-02 Loss of 13kV bus including 4kV NSR buses 6.94E-02 Loss of 4kV bus 11 3.13E-03 Loss of 4kV bus 12.13,14 9.39E-03 Loss of Control Room inlet / Outlet Dampers 2.03E-02 Loss of Unit 2 Cable Spreading Room inlet / Outlet Dampers 1.90E-02 Loss of Unit 1 Cable Spreading Room inlet / Outlet Dampers 1.90E-02 l
Dominarit Hardware Failures and Ooerator Errors Contributing to CDF The submittal provides the importance ranking of systems for mitigation, based on the risk reduction measure. [ submittal, Table 3.4.1.10-6] This ranking indicates that the most important systems for mitigation in decreasing order are: RCS (seals and j PORVs), AFW, ESFAS,120 V AC, DGs, ECCS Injection, and salt water cooling.
The submittal performed an analysis of CDF for the top 50 core damage sequences with all operator actions set to guaranteed failure. [ submittal, Section 3.4.1.2] This I analysis provides a risk increase importance measure for operator actions. Important operator actions from the risk increase perspective were associated with: AFW, main feedwater, control and switchgear room HVAC, CCW, tripping of RCPs following loss of seal cooling, and loading of the swing DG during a non-LOCA accident.
Dominant Accident Classes Contributing to CDF For the revised model (total CDF of 2.4E-4/ reactor year), the submittal states that the CDF by NUMARC accident category is as follows: [ submittal, Table 3.4.2.4-1]
Transient without Early Heat Removal 9.2E-5/ year 38.5%
Transient without Late Heat Removal 1.5E-7/ year 0.1%
Induced LOCA without Early Inventory Control 2.8E-5/ year 11.7%
36 J
induced LOCA without Late Inventory Control 2.3E-5/ year 9.6%
Very Small LOCA without Early Inventory Control 2.2E-5/ year 9.2%
Very Small LOCA without Late inventory Control 8.8E-6/ year 3.7%
Small, Medium, or Large LOCA 2.1E-5/ year 8.8%
without Early Inventory Control Small, Medium, or Large LOCA 6.8E-6/ year 2.8%
without Late Inventory Control Failure of Reactivity Control 2.4E-5/ year 10%
Containment Bypass LOCA 1.9E-6/ year 0.8%
SGTR 4.4E 6/ year 1.8%
Pressurized Thermal Shock 3.4E-7/ year 0.1%
Desian Characteristics Imoortant for CDF The following design features impact the CDF:
requirement of air for operation of AFW no seal injection for RCPs presence of a swing DG shared DC power 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> battery lifetime ability to crosstie motor driven AFW pump and plant air between units requirement for 2 PORVs to feed and bleed. -
The impact of these design features on the overall CDF is discussed in Section 1.2 of l this report.
Modifications ,
1 1
Vulnerability Corrective Action Status of Corrective Action Loss of Switchgear HVAC causes Provide Fans for Backup Room Fans were staged near each of l failure of both 4 kV Safety Cooling the four switchgear rooms.
Related Buses for a Single Unit Procedures for use of fans were issued. Surveillance ensures fans remain in place.
Loss of MFW following Plant Trip Digital Feedwater Control System Modifications installed.
Likely to Occur Modification to Rapidly Reduce MFW Pump Speed after Plant Trip to prevent MFW Pump Trip on High Discharge Pressure 37
l Vulnerability Corrective Action Status of Corrective Action Several Normally Closed Manual Improve Surveillance to Ensure Enhanced surveillance l Valves are Needed to Supply Operability of Valves implemented.
Water for AFWif the CST is Lost or is Depleted Depressurization of Primary Consider Revising EOPs to Allow incorporated into EOPs.
Following SGTR Cannot be Use of Pressurizer Vent Valves Accomplished with Main for Depressurization Pressurizer Spray due to Proceduralized Trip of RCPs Inadvertent ESFAS/RPS/AFAS Complete Training on Scenario implemented.
Actuation Results from Failure of including Simulator Training 2120 V AC Buses which Significantly Challenges Operators Loss of CCW with RCP Seal Reduce Frequency for Loss of Determined not to be required.
LOCA is Dominant CDF CCW due to Failure of Many Sequence Single isolation Vent and Drain Valves Significant Likelihood for failure of Add Manual isolation Valves to Modification was implemented.
Both Turbine Driven ArW Pumps Upstream and Downstream Sides due to Maintenance or Common for Both AFW Turbine Driven Cause Pumps to Reduce Dual Pump Unavailability due to Maintenance Other US!/GSIs Addressed None.
Sianificant PRA Findinas Significant findings on the front-end portion of the IPE are as follows:
RCP seal LOCAs are an important contributor to the overall CDF. IPEs for some other CE plants have assumed a more optimistic RCP seal LOCA model, and thus have lower CDF contributions from RCP seal LOCAs.
The CDF due to ATWS is 2.4E-5/ reactor year, a relatively large value. The IPE model for mitigation of an ATWS is less optimistic than other typical IPE/PRA models. IPEs for most other PWRs credit more options for mitigating an ATWS than does Calvert Cliffs.
- Internal flooding contributes about 5% to the overall CDF. Internal flooding is a small contributor due to the layout of the plant.
4 38
i REFERENCES i
j (GL 88-20] ' Individual Plant Examination For Severe Accident Vulnerabilities - 10 CFR 50.54 (f)", Generic Letter
) 88.20, U.S. Nuclear Regulatory Commission, l November 23,1988 i l
~
[NUREG-1335] " Individual Plant Examination Submittal Guidance',
NUREG-1335, U. S. Nuclear Regulatory l Commission, August,1989 i
(IPE] Calvert Cliffs IPE Submittal Decembe': 301993
[lPE Responses] Letter from R.E. Denton, Baltimore Gas and Electric i Co. to NRC responding to RAI for IPE, September l 12,1995.
[UFSAR] Updated Final Safety Analysis Report for Calvert Cliffs (Soutn Texas PSA) "A Review of the South Texas Project Probabilistic l Safety Analysis for Accident Frequency Estimates -
l and Containment Binning", NUREG/CR-5606, August 1991.
[NUREG/CR 4550 Surry] " Analysis of Core Damage Frequency: Surry, Unit 1 1
Internal Events", NUREG/CR-4550, Vol. 3. Rev.1, Part 1, April 1990.
[IREP] " Interim Reliability Evaluation Program Analysis of the Calved Cliffs, Unit 1 Nuclear Power Plant.
Volume 1 Main Report",NUREG/CR-3511-V1, May 1984.
[lPE Maine Yankee] IPE Submittal for Maine Yankee
[lPE Palisades] IPE Submittal for Palisades
[lPE San Onofre] IPE Submittal for San Onofre l [lPE Palo Verde] IPE Submittal for Palo Verde l
l r
39 l