ML20107J996

TER on IPE Front End Analysis
ML20107J996
Person / Time
Site: Hope Creek (PSEG)
Issue date: 12/20/1995
From: Darby J, Sciacca F, Thomas W
SCIENCE & ENGINEERING ASSOCIATES, INC.
To:
NRC
Shared Package
ML20107J981 List:
References
CON-NRC-04-91-066, CON-NRC-4-91-66 SEA-92-2337-010, SEA-92-2337-010-A:2, SEA-92-2337-10, SEA-92-2337-10-A:2, NUDOCS 9604250366
Download: ML20107J996 (36)


Text

SEA 92-2337-010-A:2
December 20, 1995

Hope Creek
Technical Evaluation Report on the Individual Plant Examination Front End Analysis

NRC-04-91-066, Task 37

John L. Darby, Analyst
Frank W. Sciacca, Analyst
Willard R. Thomas, Editor

Science and Engineering Associates, Inc.

Prepared for the Nuclear Regulatory Commission

9604250366 960423 PDR ADOCK 05000354 P PDR

TABLE OF CONTENTS

E. EXECUTIVE SUMMARY
  E.1 Plant Characterization
  E.2 Licensee's IPE Process
  E.3 Front-End Analysis
  E.4 Generic Issues
  E.5 Vulnerabilities and Plant Improvements
  E.6 Observations

1. INTRODUCTION
  1.1 Review Process
  1.2 Plant Characterization

2. TECHNICAL REVIEW
  2.1 Licensee's IPE Process
    2.1.1 Completeness and Methodology
    2.1.2 Multi-Unit Effects and As-Built, As-Operated Status
    2.1.3 Licensee Participation and Peer Review
  2.2 Accident Sequence Delineation and System Analysis
    2.2.1 Initiating Events
    2.2.2 Event Trees
    2.2.3 Systems Analysis
    2.2.4 System Dependencies
  2.3 Quantitative Process
    2.3.1 Quantification of Accident Sequence Frequencies
    2.3.2 Point Estimates and Uncertainty/Sensitivity Analyses
    2.3.3 Use of Plant Specific Data
    2.3.4 Use of Generic Data
    2.3.5 Common Cause Quantification
  2.4 Interface Issues
    2.4.1 Front-End and Back-End Interfaces
    2.4.2 Human Factors Interfaces
  2.5 Evaluation of Decay Heat Removal and Other Safety Issues
    2.5.1 Examination of DHR
    2.5.2 Diverse Means of DHR
    2.5.3 Unique Features of DHR
    2.5.4 Other GSIs/USIs Addressed in the Submittal
  2.6 Internal Flooding
    2.6.1 Internal Flooding Methodology
    2.6.2 Internal Flooding Results
  2.7 Core Damage Sequence Results
    2.7.1 Dominant Core Damage Sequences
    2.7.2 Vulnerabilities
    2.7.3 Proposed Improvements and Modifications

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS

4. DATA SUMMARY SHEETS

REFERENCES

LIST OF TABLES

Table 2-1. Plant Specific Data
Table 2-2. Generic Component Failure Data
Table 2-3. Common Cause Factors for 2-of-2 Components
Table 2-4. Accident Classes and Their Contribution to Core Damage Frequency
Table 2-5. Initiating Events and Their Contribution to Core Damage Frequency
Table 2-6. Top Five Core Damage Sequences

E. EXECUTIVE SUMMARY

This report summarizes the results of our review of the front-end portion of the Individual Plant Examination (IPE) for the Hope Creek nuclear power plant. This review is based on information contained in the IPE submittal (IPE Submittal) along with the licensee's responses (RAI Responses) to a request for additional information (RAI).

E.1 Plant Characterization

The Hope Creek Generating Station (HCGS) is located in New Jersey on the Delaware River and shares the dual unit Salem site. Hope Creek is a single unit site, although some building areas were constructed for unit 2, which was cancelled. The plant is a BWR 4 reactor with a Mark I containment. GE was the nuclear steam system supplier (NSSS); Bechtel was the architect/engineer (AE). The unit achieved commercial operation in 1986. Rated power for the unit is 3293 megawatts thermal (MWt) and 1067 net megawatts electric (MWe).

Design features at Hope Creek that impact the core damage frequency (CDF) relative to other BWR 4 plants are as follows:

  • Four diesel generators (DGs). The presence of 4 DGs tends to lower the overall CDF from station blackout as compared to plants with fewer DGs.

  • Four hour battery lifetime. The four hour battery lifetime tends to raise the CDF from station blackout compared to plants with longer battery lifetimes.

  • Ability to use alternate injection to the vessel. The ability to inject makeup to the vessel through the RHR piping with low pressure systems, specifically, fire water, SSW, and condensate storage and transfer, tends to lower the CDF by providing alternate low pressure injection systems for cooling the core.

  • Automatic actuation of standby liquid control (SLC). The SLC system at Hope Creek is automatically actuated following an ATWS; this tends to lower the CDF from anticipated transient without scram (ATWS) accidents compared to plants for which SLC must be manually initiated.

  • Hardened torus vent. The hardened torus vent provides a capability to support operation of alternate injection systems for core cooling if containment cooling systems fail. This tends to lower the CDF from accidents associated with loss of containment cooling systems.

E.2 Licensee's IPE Process

The IPE is a level 2 probabilistic risk assessment (PRA). The freeze date for the IPE model was August, 1993. One change to the plant after the freeze date was incorporated into the IPE model, that being a change identified during the performance of the PRA. The change was implementation of a procedure for recovery of heating, ventilating, and air conditioning (HVAC) to electrical equipment areas; this reduced the CDF from the dominant loss of HVAC sequence from 3.29E-3/year to 9.87E-7/year.

Utility personnel were involved in data collection, system modeling, human error identification and quantification, and quantification of the level 1 model. Support from selected contractors and consultants was used for: event tree development, special initiating events analysis, human reliability analysis, cut set editing and analysis, use of the Modular Accident Analysis Program (MAAP) code, interfacing systems LOCA (ISLOCA) analysis, and independent review.

PRA analysts responsible for modeling each system performed a walkdown of the system.

Other IPE/PRA studies and related information reviewed included NUREG/CR-4550 studies for Peach Bottom and Grand Gulf.

An independent review of the IPE was performed.

The submittal implies that the licensee intends to maintain a "living" PRA, although this is not explicitly stated in the submittal.

E.3 Front-End Analysis

The methodology chosen for the Hope Creek IPE front-end analysis was a Level 1 PRA; the small event tree/large fault tree technique was used and quantification was performed with NUS Corp. (NUS) PRA workstation software.

The IPE quantified 15 groups of initiating events: 5 LOCAs, 5 plant specific transients (including internal flooding), and 5 generic transients. The IPE developed mixed functional/systemic event trees to model the plant response to initiating events.

Initiating events were quantified using plant specific data and industry data for frequent events, data from previous PRAs for infrequent events, and component failure data for plant specific initiating events.

Both loss of instrument/service air and loss of HVAC were modeled as plant-specific initiating events.

The criterion for core damage was sustained collapsed water level below 1/3 core height, as supported by MAAP calculations.

System level success criteria were based on system flow capabilities, success criteria in PRAs for similar systems, and a number of MAAP calculations.

Support system dependencies were modeled in the fault trees. Tables of inter-system dependencies were provided, and partial as well as complete dependencies were addressed.

The IPE used plant specific data to Bayesian update generic data for hardware failures for diesel generators and pumps. Testing/maintenance unavailabilities were quantified with plant specific data.

The multiple Greek letter (MGL) method was used to model common cause failures. Common cause failures were modeled within systems; however, common cause failures between the high pressure coolant injection (HPCI) and reactor core isolation cooling (RCIC) turbine driven pumps were also considered. Numerous standard generic data bases were used to quantify common cause failures, and the data were consistent with generic data used in most IPE/PRAs.

Internal flooding was quantified using transient event trees, modified to consider the failures resulting directly from the flooding events. Operator action to terminate flooding was credited. Internal flooding was calculated to have a CDF of 5.1E-7/year, thereby contributing only a small amount to the overall CDF.

The total CDF from internal initiating events is 4.58E-5/year for the base IPE, 1.29E-5 for late revisions. The submittal reported core damage sequences consistent with the systemic reporting criteria of NUREG-1335.

The initiating events that contribute most to the CDF and their percent contribution are listed below:¹

  Loss of Feedwater                                                    25.4%
  Loss of Offsite Power (LOSP)                                         20.1%
  Main Steam Isolation Valve (MSIV) Closure/Loss of Condenser Vacuum   13.8%
  Intermediate LOCA                                                    12.3%
  Main Turbine Trip                                                     7.7%
  Loss of HVAC                                                          7.6%
  Turbine Trip ATWS                                                     4.6%
  Internal Flooding and failure to isolate within 30 minutes            4.2%
  Loss of SSW/SACS                                                      2.2%
  Small LOCA                                                            2.1%

¹ A complete list of initiating event CDF contributors is provided in Table 2-4 of this report.

Major classes of accidents contributing to the total CDF, and their percent contribution, are as follows:

  Transients with Loss of all High Pressure Injection and Failure to Depressurize   42.9%
  Station Blackout                                                                  18.1%
  LOCAs                                                                             15.5%
  Plant-Specific Initiating Events                                                  10.8%
  ATWS                                                                               5.7%
  Transients with Loss of all High and Low Pressure Injection                        2.7%
  Loss of Offsite Power (DGs operate)                                                1.9%
  Stuck Open SRV                                                                     1.8%
  Loss of decay heat removal (DHR)                                                   0.6%

These results indicate that transients with loss of feedwater and loss of high pressure injection, coupled with failure to depressurize, account for almost half of the CDF.

The contribution from station blackout is less than that at many BWRs because of the presence of the four diesel generators. The contribution of ATWS to overall CDF is small; the SLC system at Hope Creek is automatically initiated following an ATWS, which reduces the likelihood of core damage from an ATWS.

Dominant hardware failures contributing to CDF are failures of: HPCI, RCIC, DGs, SSW, and SACS. Dominant human errors contributing to the CDF are not provided in the submittal.

Level 1 core damage sequences were binned into Plant Damage States (PDS) for subsequent back-end analysis. The binning criteria were based on the NUREG/CR-4550 Peach Bottom PRA approach.

E.4 Generic Issues

Although the IPE evaluated all aspects of decay heat removal, the evaluation of DHR in the submittal is restricted to the final heat sink options: RHR, primary coolant system (PCS), or containment venting. The licensee review of the scenarios involving loss of DHR indicated that the contribution of support system failures to core damage is dominated by failures of the following systems. Their relative importance as to the CDF is also indicated.

  Support System                                  Contribution to CDF
  emergency diesel generators (SBO scenarios)     13%
  station service water                           5.4%
  station auxiliary cooling system                3%

Sequences with loss of AC and/or DC power, due to both LOSP initiating events and due to support system failures (but excluding SBO), contribute about 60% to the CDF.

Loss of DHR, as defined by the licensee, contributes only 0.6% to the overall CDF.

The submittal highlights the redundancy of the RHR system, the ability to crosstie DG cooling from the two SACS loops, and the design characteristics of the SACS system.

No DHR related vulnerabilities were noted by the licensee.

The licensee proposes to resolve GSI 105, "Intersystem LOCA Outside Containment", with the IPE submittal. However, GSI 105 has recently been generically resolved by the NRC, and no further licensee action is needed.

E.5 Vulnerabilities and Plant Improvements

For a sequence or an event to be considered indicative of a vulnerability, it had to pass the screening criteria for reporting systemic sequences from NUREG-1335 and contribute inordinately to the CDF with respect to either (1) other sequences or events in the IPE, or (2) in comparison with PRA results for other plants.

During the performance of the IPE, transients involving HVAC failure were determined to contribute inordinately to the CDF. For example, loss of switchgear or 1E panel room HVAC had a CDF of 3.29E-3/year. This was labeled as a vulnerability, and a procedure to provide alternate ventilation was developed. The implementation of the procedure removed this vulnerability. No other vulnerabilities were identified by the licensee.

The utility evaluated the success criteria for SSW and SACS to see if one pump in a loop is sufficient for success rather than both pumps as was modeled in the IPE described in the submittal. A refined model of these systems was prepared, and the assessment was made that SACS could be operated under beyond design basis conditions. The relaxed success criteria reduced the CDF from station blackout significantly and reduced the overall CDF by about a factor of four compared to the results presented in the submittal.

E.6 Observations

The licensee appears to have analyzed the design and operations of Hope Creek to discover instances of particular vulnerability to core damage. It also appears that the licensee has: developed an overall appreciation of severe accident behavior; gained an understanding of the most likely severe accidents at Hope Creek; gained a quantitative understanding of the overall frequency of core damage; and implemented changes to the plant to help prevent and mitigate severe accidents.

Major strengths of the IPE are as follows. The requirements for HVAC support systems appear to have been more thoroughly assessed than comparable analyses in some other IPE/PRA studies. Various aspects of the IPE, such as the assumption that fire water cannot be used for injection during station blackout due to relatively high containment/vessel backpressure and the significant flow pressure losses, indicate that careful attention was paid to plant specific system characteristics.

One possible shortcoming of the IPE is the limited use of plant specific failure data.

Significant findings on the front end portion of the IPE are as follows:

  • transients with a loss of all high pressure injection and failure to depressurize contribute the most to the overall CDF

  • HVAC support is required for many frontline systems and for electrical areas, and many of the preferred HVAC systems require mechanical refrigeration units to operate; provisions for supplying alternate HVAC to electrical rooms greatly lower the overall CDF

  • battery lifetime is 4 hours

  • core cooling can be maintained with loss of containment cooling and failure of containment venting

  • automatic initiation of SLC following an ATWS results in a low contribution of ATWS to overall CDF

  • internal flooding contributes a small amount to the overall CDF.

1. INTRODUCTION

1.1 Review Process

This report summarizes the results of our review of the front-end portion of the Individual Plant Examination (IPE) for the Hope Creek nuclear power plant. This review is based on information contained in the IPE submittal [IPE Submittal] along with the licensee's responses [RAI Responses] to a request for additional information (RAI).

1.2 Plant Characterization

The Hope Creek Generating Station (HCGS) is located in New Jersey on the Delaware River and shares the dual unit Salem site. Hope Creek is a single unit site, although some building areas were constructed for unit 2, which was cancelled. The plant is a BWR 4 reactor with a Mark I containment. GE was the nuclear steam system supplier (NSSS); Bechtel was the AE. The unit achieved commercial operation in 1986. Rated power for the unit is 3293 MWt and 1067 MWe (net).

Design features at Hope Creek that impact the core damage frequency (CDF) relative to other BWR 4 plants are as follows:

  • Four diesel generators (DGs). The presence of 4 DGs tends to lower the overall CDF from station blackout as compared to plants with fewer DGs.

  • Four hour battery lifetime. The four hour battery lifetime tends to raise the CDF from station blackout compared to plants with longer battery lifetimes.

  • Ability to use alternate injection to the vessel. The ability to inject makeup to the vessel through the RHR piping with low pressure systems, specifically, fire water, SSW, and condensate storage and transfer, tends to lower the CDF by providing alternate low pressure injection systems for cooling the core.

  • Automatic actuation of SLC. The SLC system at Hope Creek is automatically actuated following an ATWS; this tends to lower the CDF from ATWS accidents compared to plants for which SLC must be manually initiated.

  • Hardened torus vent. The hardened torus vent provides a capability to support operation of alternate injection systems for core cooling if containment cooling systems fail. This tends to lower the CDF from accidents associated with loss of containment cooling systems.

2. TECHNICAL REVIEW

2.1 Licensee's IPE Process

The process used by the licensee was reviewed with respect to: completeness and methodology; multi-unit effects and as-built, as-operated status; and licensee participation and peer review.

2.1.1 Completeness and Methodology.

The submittal is complete in terms of the overall information requests of Generic Letter 88-20 and NUREG-1335. No obvious omissions in the submittal were noted.

The front-end portion of the IPE is a level 1 PRA. The specific technique used for the level 1 PRA was a small event tree/large fault tree technique, and it was clearly described in the submittal.

The submittal described the details of the technique used for performing the IPE. Support systems were modeled in the fault trees and accident sequences were solved by fault tree linking. System descriptions were provided. Inter-system dependencies were described in the system descriptions, and tables of inter-system dependencies were provided. Data for quantification of the models were provided, including common cause and recovery data. The licensee quantified the uncertainty of dominant core damage sequences, and summarized sensitivity analyses that were performed for selected items.

The PRA upon which the IPE is based was initiated prior to issuance of Generic Letter 88-20. The original PRA was updated in late 1990. The back-end portion of the IPE was completed in 1992. Both the level 1 and level 2 portions of the PRA were updated in 1994 to form the basis of the IPE. [Section 2.1.1 of submittal]

2.1.2 Multi-Unit Effects and As-Built, As-Operated Status.

Hope Creek is a single unit plant, but it is co-located with the two Salem units. It appears that the only sharing of systems among units is an interconnection between the Hope Creek and Salem switchyards that allows offsite power to be supplied to Hope Creek through the Salem switchyard, and vice versa. This interconnection does not have a major impact on the CDF for Hope Creek. [Hope Creek UFSAR, Figure 8.2-2] [Salem UFSAR, Figure 8.2-2]

The PRA analyst responsible for modeling a particular system performed a walkdown of the system in all cases. [Section 1.2 of submittal]

Major documentation used in the IPE included: the Updated Final Safety Analysis Report (UFSAR), System Descriptions and Configuration Baseline Documentation, Procedures, discussions with cognizant plant personnel, and walkdowns. Other IPE/PRA studies and related information were reviewed, particularly, the NUREG/CR-4550 PRAs for Peach Bottom and Grand Gulf. [Section 2.4 of submittal]

The freeze date for the IPE model was August, 1993. One change to the plant after the freeze date was incorporated into the IPE model, that being a change identified during the performance of the PRA. The change was implementation of a procedure for recovery of HVAC to electrical equipment areas. This procedural change reduced the CDF from the dominant loss of HVAC sequence from 3.29E-3/year to 9.87E-7/year. [Transmittal letter, Section 2.4 of submittal]

2.1.3 Licensee Participation and Peer Review.

The IPE was performed primarily by utility personnel. Utility staff performed the quantification of the level 1 and level 2 models. Utility personnel performed data collection, system modeling, human error identification and quantification, and basic event and risk model quantification. [Section 2.2.2 of submittal]

An independent review of the IPE and associated documentation was performed. This review was performed in two parts. First, a senior level review of ongoing work was done by the review team leader and consultants. Then, a formal review of the IPE was completed near the end of the study. [Sections 2.3.2.14, 5.0 of submittal]

Consultants from the following organizations were used for selected activities in the front-end portion of the IPE. Science Applications International Corp. (SAIC) provided technical direction for the updated IPE in the following areas: event tree development, special initiating event analysis, human reliability analysis, and cut set editing and analysis. Halliburton NUS provided training and leadership for the baseline quantification tasks. Gabor, Kenton, and Associates reviewed a portion of the MAAP parameter file. ERIN Engineering (ERIN) provided primary leadership and assistance in the quantification of interfacing systems LOCAs. Reliability and Performance Associates provided technical direction for the independent review of the IPE. [p. i of submittal]

The submittal implies that the utility intends to maintain a "living" PRA, although this is not explicitly stated. The submittal states that a goal of the IPE was to increase the ability of the utility to perform and maintain the PRA. Also, the submittal states that the IPE continues to be utilized in design review, procedure review, and personnel training as part of the on-going PRA program. [Sections 1.1 and 2.1.2 of submittal]

2.2 Accident Sequence Delineation and System Analysis

This section of the report documents our review of both the accident sequence delineation and the evaluation of system performance and system dependencies provided in the submittal.

2.2.1 Initiating Events.

The identification of initiating events for the Hope Creek IPE was a two step process: generic and plant specific. Sources for generic initiating events included: EPRI NP-2300, NUREG/CR-3863, licensee event reports (LERs) from 1984 through 1989, and prior PRA studies. Reviews of these sources identified 55 potential initiating events. [Section 3.1.1.1 of submittal]

A review of the Hope Creek design and plant operating experience was performed to evaluate the applicability of the previously-identified generic initiating events to Hope Creek and to identify unique plant-specific initiating events. The data base used for this review was the entire operational history of Hope Creek from 1986 through July 31, 1993.

A plant specific internal flooding study was performed to identify internal flood initiating events.

Fifteen groups of initiating events were retained for analysis: 5 generic transients, 5 LOCAs, and 5 plant-specific events (including internal flooding events). The plant-specific initiating events were as follows: loss of SSW or SACS, loss of Reactor Auxiliary Cooling System (RACS), loss of HVAC, loss of instrument air or service air, and internal flooding. [Table 3.1.1-5 of submittal]

The submittal summarizes the evaluation of plant systems to identify plant-specific initiating events and provides the basis for not considering certain failures in systems as unique initiating events. The identification and screening of plant specific initiating events is comparable to standard PRA practice. Plant-specific initiating events retained for analysis were quantified with system fault trees.

The small LOCA initiating event includes a recirculation pump seal LOCA and the frequency of the small LOCA is dominated by the seal LOCA. [Table 3.1.2-1 of submittal]

The frequency for an interfacing systems LOCA distinguishes between leakage and rupture. Credit was taken for low pressure piping not failing when exposed to greater than design basis pressure. This is standard practice in some other BWR IPEs. [p. 3.1-50 of submittal]

The Hope Creek IPE also performed sensitivity studies to evaluate the importance of loss of AC and loss of DC buses as plant-specific initiating events. These studies indicated that these initiating events contributed very little to the CDF.

LOCAs outside of containment were screened from analysis. Many IPEs for BWRs have analyzed LOCAs in steam, feedwater, and HPCI/RCIC lines outside containment and found them to not be significant contributors to overall CDF. Such LOCAs are design basis accidents; however, consideration of LOCAs outside containment should not greatly impact the overall CDF. [p. 3.1.9 of submittal]

The point estimate frequencies assigned to the initiating events are comparable to typical values used in PRA/IPEs, except for the frequency assigned to inadvertent opening of an SRV (IORV), 0.038/year. This value is low compared to that used in other studies. For example, the Peach Bottom PRA used 0.19/year and the Grand Gulf PRA used 0.14/year. [NUREG/CR-4550, Peach Bottom] [NUREG/CR-4550, Grand Gulf]

In supporting the frequency of inadvertent opening of an SRV used in the Hope Creek IPE, the licensee stated that such an event has occurred only once at the plant, and that was early in the plant life. That single event was not considered to be representative of current plant conditions, so industry-wide data were used to establish the frequency of IORV. Also, the licensee searched LERs in the data base between 1990 and 1993 and found 3 IORV events. The period covered represented 100 BWR plant years of operation. Assuming an 80% capacity factor, the resulting IORV initiating event frequency of 0.038/year was obtained. [RAI Responses, pp. 12-13]

Loss of offsite power was quantified using NSAC-182; the frequency for loss of offsite power was 0.034/year, which is at the lower range of values typically used in other IPE/PRAs.

2.2.2 Event Trees.

Each accident initiating event-was included in an appropriate class of initiating events, l

and each class of initiating events had a corresponding event tree. All functions or systems important to the accident sequences were reflected on the event trees. The interface among the events in the event trees and the correspondlag mitigating systems were clearly indicated. The event trees properly accounted for: time ordered response, system level dependencies, sequence specific effects on system operability-such as environmental conditions, and high level operator actions as appropriate.

The IPE defined core damage as being when the sustained water level is below about 1/3 core height, as indicated by MAAP calculations. (p. 3.1-13 of submittal]

Success criteria for depressurization following a transient with successful scram and loss of high pressure makeup was taken as opening of 2 of 4 SRVs, based on MAAP calculations. (Section 3.1.1.4 of submittal]

The IPE credited CRD from both pumps for core cooling after 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, based on MAAP calculations. The system description for CRD in the submittal !ndicates that both pumps can provide 180 gpm. (Section 3.1.1.4 of submittal]

11

The submittal states that RCIC can mitigate a stuck open SRV initiating event prior to PCS depressurization and prior to RCIC isolation on high containment back pressure.

The system description for RCIC in the submittal states that RCIC can provide 600 gpm to the vessel. [Section 3.1.1.4 of submittal]

No credit for firewater injection was taken during station blackout, due to uncertainty in system flow losses. During station blackout, containment cooling is lost and the containment / vessel pressure can increase such that firewater injection may be 1

inadequate. (p. 3.1-17 of submittal]

The battery lifetime during station blackout used in the IPE was 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. Load i

shedding to extend battery lifetime was not included in these sequences. Recovery of offsite power and DGs was modeled with data from NSAC-182. (p. 3.1-16 of submittal]

4 l-The event trees credit operation of one RHR heat exchanger as providing adequate heat removal to support core cooling, if containment cooling is lost, the event trees credit containment venting as effective in maintaining core cooling. The submittal states that venting is initiated at a pressure of 65 psig, which corresponds to a i

saturation temperature of 312 F. [p. 3.1-29 of submittal) Based on information in the l

UFSAR, LPCI and core spray have adequate NPSH margin with a saturated i

suppression pool. [pp.6.3-25 and 6.3-29 of UFSAR] The NPSH margin for HPCI and RCIC pulling from the suppression pool is lost at a suppression pool temperature i

slightly above 170 F, indicating that RCIC and HPCI can not operate using a saturated i

suppression pool. [pp. 5.4 32 and 6.3-13 of UFSAR) Also, the submittal states that RCIC trips at a containment backpressure of 25 psig. (p.1-3 of submittal] For transient events with no failed SRVs, RHR (in the LPCI mode), core spray, or alternate injection systems can provide long term core cooling. HPCI can also perform this j

function providing its suction source is from the condensate storage tank (CST); RCIC j

cannot provide long term core cooling with failure of containment cooling due to its trip l

on high containment back pressure. [RAI Responses, p. 2]

With loss of containment cooling and one SRV failed open, core cooling can be provided with LPCI, core spray (CS), or alternate injection systems. RCIC and HPCI are assumed to be unavailable for long term core cooling due to reactor system depressurization and/or high containment backpressure. With two or more SRVs failing open, LPCI and core spray can provide core cooling. The CS will be successful for long term cooling if its suction source is switched to the CST; otherwise it is assumed to fail due to high suppression pool temperatures. [RAI Responses, p. 2]

If both containment cooling and containment venting fail, the event trees credit continued core cooling after containment failure (event Uv on the event trees). Under these conditions, the IPE assumed that equipment within the primary containment (within the drywell or wetwell) would fail due to excessive temperatures, pressures, moisture, or other environmental effects. However, equipment located outside of primary containment, but within the secondary containment (reactor building), such as control rod drive (CRD) and HPCI that can take suction from the CST were assumed to have a relatively high operational probability. Primary containment failure for most scenarios, if it occurs, is not expected to jeopardize operability of core cooling equipment located in the secondary containment areas. The survivability of this equipment is expected because of the anticipated primary containment failure locations, and because blowout panels in these areas should prevent catastrophic failure of the secondary containment. For cases where containment failure may occur at relatively low elevations, most core cooling systems such as HPCI, core spray, LPCI, CRD, and RCIC were assigned relatively high failure probabilities since, under these conditions, such equipment would likely be exposed to harsh conditions. [RAI Responses, p. 3]

The ATWS success criteria state that "(operators) must inhibit ADS to avoid rapid system depressurization. The normal flow of HPCI must be modified as soon as possible, to avoid HPCI injection inside the shroud, via the core spray flow path". [Section 3.1.1.4.14 of submittal] The ability of HPCI at Hope Creek to inject into both a feedwater line and over the core (via core spray piping) is unique for a BWR 4. Typical BWR 4 designs have a HPCI system that injects into a feedwater line in the downcomer, and typical BWR 5/6 designs have a HPCS system that sprays over the core. Spray over the core following an ATWS is of potential significance due to the reactivity addition. The event tree for ATWS with MSIV closure assumed that core damage would be prevented if level control is successful, even with failure to prevent HPCI injection over the core and failure to inhibit ADS. However, the probability of operator success for such scenarios was assumed to be very low (HEP of about 0.9). [RAI Response, p. 5]

The Hope Creek IPE evaluation of ATWS pessimistically assumed that, because of the large amount of heat deposited in the suppression pool in a relatively short time and because of the large uncertainties in thermal-hydraulic simulations, containment cooling by the RHR system would fail. For these scenarios, the IPE credited containment venting as the only option available for providing containment cooling. [RAI Response, p. 6]

The model for station blackout credits use of HPCI and RCIC in the early phases of the accident. The submittal does not explicitly state the limiting condition leading to long term unavailability of HPCI or RCIC, although these conditions are mentioned. If all decay heat is deposited into the suppression pool we estimate that it takes about 3.6 hours to heat the suppression pool from 95 F to 170 F, the temperature limit for these systems indicated in the UFSAR. This time is comparable to the battery lifetime; therefore, we conclude that HPCI and RCIC would be available for about 4 hours following station blackout. [p. 3.1-36 of submittal]

The model for mitigation of a recirculation pump seal LOCA credits operator action to close recirculation valves to isolate the LOCA. [p. 3.1-39 of submittal]

2.2.3 Systems Analysis.

System descriptions are contained in Section 3.2 of the submittal. The system descriptions include system schematics.

The HPCI system at Hope Creek is unique in that it injects both into the downcomer via a feedwater line and over the core via a core spray line. HPCI and RCIC can be manually realigned to take suction from the CST. The core spray system can be manually aligned to the CST.

The RHR pumps are cooled by SACS.

There are 14 SRVs, all two stage Target Rock valves. Five of the SRVs are associated with ADS automatic operation, but all can be manually opened for depressurization.

The CRD pumps can be powered by 1E power. The CRD pumps require RACS for cooling, but do not require room cooling. Room coolers serviced by SACS are required for: RHR, core spray, HPCI, and RCIC pump rooms.

The valves for containment venting are air operated but can be manually opened using hydraulic hand pumps given loss of air.

The SLC system at Hope Creek is automatically initiated in response to an ATWS; this is a unique feature. The IPE success criteria require operation of both SLC pumps to mitigate an ATWS.

The four DGs require SACS for engine cooling. The IPE assumed that if the train of SACS that normally cools a DG is lost, operator action can be taken to provide cooling with the alternate SACS train. (The submittal does not discuss how much time is available for operators to perform this action.) In addition, any two of the four SACS pumps can provide adequate cooling to SACS loads such as the diesel generators. [RAI Responses, p. 48] The DGs require room cooling with SACS coolers and cooling of switchgear with chilled water. [p. 3.2-104 of submittal]

Offsite power is not supplied directly from the plant generator, thus eliminating the need to transfer the source of offsite power supply after a plant trip. Offsite power is supplied from two lines and from an interconnection to the Salem switchyard.

HVAC is required for the SSW system. Chilled water is required for room cooling to the following areas: electrical switchgear rooms and 1E panel rooms, SACS rooms, and the main control room. Upon loss of control room cooling, operators are instructed to open doors to the control room and to remove ceiling panels to better assure adequate cooling. Also, the assumption was made that if loss of control room cooling would render it uninhabitable, plant control could be provided from the remote shutdown room. The chillers for the remote shutdown room are different from those of the control room, and were considered as two different systems. [RAI Response, pp. 9, 47]

As discussed in Section 2.1.2 of this report, as a result of the PRA/IPE, the licensee has instituted procedures for compensatory cooling of electrical switchgear following loss of normal HVAC.

The instrument/service air system consists of two normal air compressors, and one emergency air compressor that can be powered by 1E power.

Alternate injection to the vessel can be provided by crosstie of the following low pressure systems to the RHR piping: SSW, firewater, and condensate storage and transfer.

2.2.4 System Dependencies.

The submittal contains tables of inter-system dependencies. Partial as well as complete system dependencies are indicated in these tables. The dependencies indicated in the tables all agree with the information in the system descriptions in the submittal. [Tables 0.2.3 and 3.2.4 of submittal]

2.3 Quantitative Process

This section of the report summarizes our review of the process by which the IPE quantified core damage accident sequences. It also summarizes our review of the data base, including consideration given to plant specific data, in the IPE. The uncertainty and/or sensitivity analyses that were performed, if any, were also reviewed.

2.3.1 Quantification of Accident Sequence Frequencies.

The Hope Creek IPE used the small event tree/large fault tree model for quantifying core damage. Support systems were included in fault trees, and fault tree linking was used to quantify accident sequences. The RELMCS code was used to quantify accident sequences. A mission time of 24 hours was used. Truncation limits were 1E-10 for cut sets, in general, but sometimes 1E-9 was used. Common cause failures were modeled directly in the fault trees. [pp. 2-22, 2-17, 3.3-37 of submittal]

We reviewed the data used in the IPE for recovery of offsite power and for recovery of DGs. The IPE values were compared with those presented in NSAC 147 and the Surry Shutdown PRA. Based on this comparison, the data used for Hope Creek recovery of offsite power is comparable to that of the other sources for times less than about 10 hours. For times greater than 10 hours, the Hope Creek data appears to be optimistic; however, since the battery lifetime used in the IPE is 4 hours, this should have minor impact on the overall CDF. [Table 3.3.3-8 of submittal]

The probabilities used for failure to recover DGs were as follows: 0.7 for failure to recover DGs within 6 hours with independent failures of DGs, and 0.6 for failure to recover DGs within 6 hours with common cause failures of DGs. These values are comparable to values used in other IPE/PRAs. [Table 3.3.3-8 of submittal]

2.3.2 Point Estimates and Uncertainty/Sensitivity Analyses.

Mean values were used for point estimate failure frequencies and probabilities.

The submittal summarizes the results of an uncertainty analysis of the top 180 core damage sequences that was performed with TEMAC. The submittal states that the mean of the distribution for core damage frequency differs from the point estimate core damage frequency due to the limited number of sequences modeled for uncertainty and the limited number of trials performed. The licensee should be aware that due to correlation, the mean of the distribution will always differ from the point estimate regardless of the quality of the sampling, as has been discussed in some other IPE submittals. [Section 3.4.1.4.1 of submittal]
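The correlation effect noted above can be checked numerically. The following is an added example, not part of this report or of the licensee's TEMAC analysis; the lognormal uncertainty model, the error factor of 3, the mean of 1.0E-3 and the cut set of two identical components are all assumed, constructed values.

```python
"""State-of-knowledge correlation: mean of a cut set vs. its point estimate.

Assumed model (not from the report): a cut set of n identical components
whose failure probability p is lognormal with a given mean and error factor.
"""
import math
import random

Z95 = 1.645  # 95th percentile of the standard normal; EF = p95 / median


def lognormal_params(mean, error_factor):
    """Return (mu, sigma) of ln(p) for a lognormal with this mean and EF."""
    sigma = math.log(error_factor) / Z95
    mu = math.log(mean) - 0.5 * sigma ** 2
    return mu, sigma


def point_estimate(mean, n_events):
    """Cut set point estimate: product of the mean values."""
    return mean ** n_events


def correlated_mean(mean, error_factor, n_events):
    """Exact E[p**n] when all n events share one uncertain parameter p."""
    mu, sigma = lognormal_params(mean, error_factor)
    return math.exp(n_events * mu + 0.5 * (n_events * sigma) ** 2)


def mean_to_point_ratio(error_factor, n_events):
    """E[p**n] / (E[p])**n; depends only on the spread, not on the mean."""
    sigma = math.log(error_factor) / Z95
    return math.exp(0.5 * n_events * (n_events - 1) * sigma ** 2)


def sampled_mean(mean, error_factor, n_events, trials, seed, correlated):
    """Monte Carlo mean of the cut set.

    correlated=True  : one draw of p per trial, reused for every event
                       (same data source for all identical components).
    correlated=False : an independent draw per event.
    """
    rng = random.Random(seed)
    mu, sigma = lognormal_params(mean, error_factor)
    total = 0.0
    for _ in range(trials):
        if correlated:
            total += rng.lognormvariate(mu, sigma) ** n_events
        else:
            product = 1.0
            for _ in range(n_events):
                product *= rng.lognormvariate(mu, sigma)
            total += product
    return total / trials


if __name__ == "__main__":
    MEAN, EF, N = 1.0e-3, 3.0, 2          # constructed sample values
    pe = point_estimate(MEAN, N)
    print("point estimate        :", pe)
    print("exact correlated mean :", correlated_mean(MEAN, EF, N))
    print("analytic ratio        :", mean_to_point_ratio(EF, N))
    for trials in (1_000, 20_000, 200_000):
        c = sampled_mean(MEAN, EF, N, trials, seed=1, correlated=True)
        i = sampled_mean(MEAN, EF, N, trials, seed=1, correlated=False)
        print(trials, "trials: correlated/pe =", round(c / pe, 3),
              " independent/pe =", round(i / pe, 3))
```

With more trials the independent case converges to the point estimate, while the correlated case converges to a value about 1.56 times higher for these assumed inputs, so the gap is a property of the model rather than of the sample size.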

The submittal discussed the results of three sensitivity calculations and of an importance analysis. The sensitivity analyses explored the effects of DG mission time, loss of a 1E bus as an initiating event, and loss of a DC bus as an initiating event. A systems importance analysis was also performed. [Section 3.4.1.4.2 of submittal]

The submittal states that the baseline model assumed a 24 hour mission time for DGs, which is pessimistic, since offsite power can be recovered within 6 hours with a 95% probability. A sensitivity calculation was performed in which the DG mission time was decreased from 24 hours to 6 hours and the submittal states that this reduced the overall CDF by 14%.

Two other sensitivity cases were discussed: loss of a 1E AC bus as an initiating event, and loss of a DC bus as an initiating event. Together, these additional initiating events increased the CDF by a minor amount, on the order of 3E-8/year.

2.3.3 Use of Plant Specific Data.

Plant specific data from the time period 1987 through July 1993 were used to quantify the following failures/unavailabilities: testing and maintenance, pump failures to start, and DG failures to start. Table 3.3.2-3 of the submittal includes plant specific data for failure of DGs to run, indicating that plant specific data were also used for DG failures to run. The generic data were Bayesian updated with plant-specific data to provide final data used in the IPE. [p. 3.3-9, Section 3.3.2, Table 3.3.2-3 of submittal]

Plant-specific data are stated to have been used for the most risk significant components. These were determined based on the importance of system trains rather than an evaluation of the importance of each component in a train. For pumps, emphasis was placed on plant specific test and maintenance unavailabilities, since these unavailabilities were dominant compared to failure to start or failure to run. Also, failure to start unavailabilities were deemed to be substantially greater than failure to run; therefore, more emphasis was placed on using plant specific failure to start data. The plant specific failure to start data for pumps were, in most cases, lower than generic data. [RAI Response, p. 6]

Plant specific failure data for valves was not pursued because the IPE analysts concentrated their efforts on those components with the greatest impact on system unavailability. Pump unavailabilities were estimated to be about an order of magnitude higher than those for valves. In addition, for systems such as SSWS and SACS the valves that must be open following an initiating event are normally open. The licensee did perform a sensitivity study in which all valve demand failure rates were increased by a factor of ten. The results indicated that the overall CDF increased by more than 100%, but that the dominant sequences and the system importance did not change significantly. [RAI Response, pp. 7, 8]

The licensee performed a review of the preliminary results of the level 1 PRA to gain assurance that they accurately reflected plant operation. This review indicated that the most risk significant system trains were the HPCI, RCIC, DGs, SSWS, SACS, SRVs, and DC buses, and that plant specific information was used for important components in these systems. [RAI Response, pp. 7, 8]

We performed a spot check of the plant specific data for component failures. The results of this check are summarized in Table 2-1 of this report.

The data in Table 2-1 indicate that the DG failure rates are higher than those used in the NUREG/CR 4550 Peach Bottom analysis, but that the balance of the plant specific component failure data are factors of 3 to 8 lower than the NUREG/CR 4550 data.

Table 2-1. Plant Specific Data

| Component and Failure Mode | Hope Creek Bayesian Updated Value (IPE Table 3.3.2-2) | NUREG/CR 4550 Value (Peach Bottom Table 4.9-1) |
|---|---|---|
| Diesel Generator Fail to Start | 6.3E-3/D | 3.0E-3/D |
| Diesel Generator Fail to Run | 6.6E-3/H | 2.0E-3/H |
| HPCI Turbine Pump Fail to Start | 4.2E-3/D | 3E-2/D |
| LPCI Pump Fail to Start | 5.3E-4/D | 3E-3/D |
| Core Spray Pump Fail to Start | 8.9E-4/D | 3E-3/D |
| RCIC Pump Fail to Start | 4.2E-3/D | 3E-2/D |

(1) D is per demand; these values are probabilities.

(2) H is per hour; these values are frequencies.

2.3.4 Use of Generic Data

The generic data used for component failures are listed in Tables 3.3.1-1, 3.3.1-2, and 3.3.1-3 of the submittal. Numerous sources of generic data were used as listed in Table 3.3.1-4 of the submittal, including: IEEE Std 500, EPRI NP-2433, Interim Reliability Evaluation Program (IREP), and WASH-1400.

We performed a comparison of IPE generic data to generic values used in the NUREG/CR 4550 studies (NUREG/CR 4550 Methodology). This comparison is summarized in Table 2-2. [pp. 3.3-50 to 3.3-60 of submittal]

As shown in Table 2-2, the IPE generic data for motor-driven pumps, motor operated valves, and diesel generator start failures are a factor of 3 lower than the corresponding NUREG/CR-4550 data. On the other hand, the IPE generic data for battery and battery charger failures are higher by a factor of 3 and 5, respectively, than the NUREG/CR-4550 data. The remaining IPE generic data are the same or within a factor of 2 of the corresponding NUREG/CR-4550 data.

Table 2-2. Generic Component Failure Data

| Component | IPE Mean Value Estimate (Per Hour, Per Demand) | NUREG/CR 4550 Mean Value Estimate |
|---|---|---|
| Turbine-Driven Pump | 5.0E-02 Fail to Start; 5.0E-05 Fail to Run | 3E-02 Fail to Start; 5E-03 Fail to Run |
| Motor-Driven Pump | 1.0E-03 Fail to Start; 1.0E-05 Fail to Run | 3E-03 Fail to Start; 3E-05 Fail to Run |
| Motor Operated Valve | 1.0E-03 Fail to Open or Close | 3E-03 Fail to Operate |
| Check Valve | 1.0E-04 Fail to Open | 1E-04 Fail to Open |
| Battery Charger | 5.0E-06 | 1E-06 Fail to Operate |
| Battery | 3.0E-06 Primary/Secondary Failure | 1E-06 (unspecified failure mode) |
| Inverter | 5.0E-05 Fail to Run | 1E-04 (unspecified failure mode) |
| Diesel Generator | 1.0E-02 Fail to Start; 3.0E-03 Fail to Run | 3E-02 Fail to Start; 2E-03 Fail to Run |

2.3.5 Common Cause Quantification

The MGL method was used to model common cause failures. Common cause failures among similar components within the same system were modeled for the following components: valves, pumps, DGs, and other selected special components. Common cause failure between the HPCI and RCIC pumps was also modeled. Sources used to quantify common cause failure were: EPRI NP-3967, NUREG/CR-2098, NUREG/CR-2099, NUREG/CR-2770, and the Seabrook PSA. [Section 3.3.4, Table 3.3.4-1 of IPE]

Tables 3.3.4-1 through 3.3.4-3 of the submittal list the MGL common cause factors that were used. Table 2-3 of this report compares the Hope Creek IPE CCF values with those used in other IPEs/PRAs.

The data in Table 2-3 of this report indicate that the common cause factors in the Hope Creek IPE are comparable to those used in other PRAs.

Table 2-3. Common Cause Factors for 2-of-2 Components

Column headings: Component; Hope Creek Beta Factor (IPE Table 3.3.4-1); Value from Source Indicated in Footnote

Diesel Generator 0.04 (fail to start) 0.04
0.04 (fail to run) 0.03 fail to run (0.006 for fail to start)
MOV 0.07 0.05 or 0.09 * (fail to open) 0.05
RHR Pump 0.23 (fail to start) 0.1
0.09 (fail to run) 0.1 fail to start (0.02 for fail to run)
Safety/Relief Valve 0.44 (fail to open) 0.1 (fail to open) 0.22 (fail to close) 0.3 fail to open on pressure {0.1 fail to open on signal}
0.2 High Head Pump Core Spray Pump 0.23 (fail to start) 0.2 fail to start 0.09 (fail to run) (0.02 for fail to run)
Service Water Pump 0.14 (fail to start) 0.03 0.09 (fail to run) 0.2 for 480 V and higher
Circuit Breaker 0.07 for less than 480 V
HPCI/RCIC Turbine Pump 0.03 HPCI\RCIC Fail to Start 0.02 fail to start 0.02 HPCI\RCIC Fail to Run 0.01 fail to start * (0.009 for fail to run)

(1) NUREG/CR 4550 Peach Bottom Table 4.9-1.

(2) NUREG/CR 4550 Grand Gulf, Table 4.9-29

(3) PLG Generic Data in Browns Ferry IPE submittal Table 3.3.4-10.

Failure Mode not specified

2.4 Interface Issues

This section of the report summarizes our review of the interfaces between the front-end and back-end analyses, and the interfaces between the front-end and human factors analyses. The focus of the review was on significant interfaces that affect the ability to prevent core damage.

2.4.1 Front-End and Back-End Interfaces.

The IPE credits containment venting as a successful backup for containment cooling. Also, the IPE credits continued operation of certain core cooling systems if containment venting fails. Section 2.2.2 of this report reviews the key assumptions and bases used for such accident sequences, and they appear to be consistent with the capabilities of the Hope Creek systems. It is notable that loss of DHR contributes only 0.6% to the total CDF, indicating that the IPE took significant credit for maintaining core cooling with loss of containment cooling.

The IPE does not address loss of cooling to the recirculation pump seals during the mitigative portion of an accident. Leakage from pump seals should have a minor impact on the CDF since all core cooling systems at Hope Creek involve injection directly to the vessel.

Level 1 core damage sequences were binned into Plant Damage States (PDS) for subsequent back-end analysis. The binning criteria were based on the NUREG/CR-4550 Peach Bottom PRA approach. Table 4.3-2 of the submittal provides the PDS binning criteria. These criteria consider the nature of the initiating event, reactor criticality, electrical power status, core cooling systems status, and so on. The binning criteria used in the Hope Creek IPE are comparable to those typically used in IPE/PRAs. [Section 4.3.2 of submittal]

2.4.2 Human Factors Interfaces.

Based on our front end review, we noted the following operator actions for possible consideration in the review of the human factors aspects of the IPE:

- manual initiation of depressurization
- providing alternate ventilation for electrical areas
- inhibition of ADS during ATWS sequences
- inhibition of HPCI injection via core spray following an ATWS
- using alternate SACS loop for DG cooling
- implementation of alternate injection for core cooling
- isolation of internal floods within 30 minutes
- manual initiation of containment venting
- manual isolation of ISLOCAs
- recovery of EDGs
- restoration of PCS
- alignment of CST for core cooling.

2.5 Evaluation of Decay Heat Removal and Other Safety Issues

This section of the report summarizes our review of the evaluation of Decay Heat Removal (DHR) provided in the submittal. Other GSI/USIs, if they were addressed in the submittal, were also reviewed.

2.5.1 Examination of DHR.

Although the IPE evaluated all aspects of decay heat removal, the evaluation of DHR in Section 3.4.4 of the submittal is restricted to the final heat sink options: RHR, primary coolant system (PCS), or containment venting. The licensee review of the scenarios involving loss of DHR indicated that the contribution of support system failures to core damage is dominated by failures of the following systems. [RAI Responses, p. 14] Their relative importance to the CDF is also indicated.

| Support System | Contribution to CDF |
|---|---|
| emergency diesel generators (SBO scenarios) | 13% |
| station service water | 5.4% |
| station auxiliary cooling system | 3% |

Sequences with loss of AC power and/or DC power, due to both LOSP initiating events and due to support system failures (but excluding SBO), contribute about 60% to the CDF.

Loss of DHR, as defined by the licensee, contributes only 0.6% to the overall CDF. The submittal highlights the redundancy of the RHR system, the ability to crosstie DG cooling from the two SACS loops, and the design characteristics of the SACS system.

No DHR-related vulnerabilities were noted. The licensee considers USI A-45 resolved.

2.5.2 Diverse Means of DHR.

The IPE evaluated the diverse means for DHR and for core cooling. Cooling options evaluated included: main condenser/feedwater, high and low pressure emergency core cooling system (ECCS) injection with containment cooling or containment venting, and alternate injection for core cooling.

The use of containment venting as a backup to suppression pool cooling is an important aspect of DHR modeled in the IPE. Also, the IPE credits continued operation of selected core cooling systems even if containment venting fails.

2.5.3 Unique Features of DHR.

The unique features at Hope Creek that directly impact the availability to provide DHR are as follows:

Ability to use alternate injection to the vessel. The ability to inject makeup to the vessel through the RHR piping with low pressure systems, specifically, fire water, SSW, and condensate storage and transfer, tends to increase the probability of successful DHR by providing alternate low pressure injection systems for cooling the core.

Hardened torus vent. The hardened torus vent provides a capability to support operation of alternate injection systems for core cooling if containment cooling systems fail.

2.5.4 Other GSI/USIs Addressed in the Submittal.

The licensee proposes to resolve GSI 105, "Intersystem LOCA Outside Containment". The IPE calculated the CDF from interfacing systems LOCAs to be low, specifically 1.7E-9/year. [Section 3.4.3 of submittal] However, the NRC has recently determined that this issue has been generically resolved, and that no further licensee action is needed.

2.6 Internal Flooding

2.6.1 Internal Flooding Methodology.

The IPE considered floods in the reactor building, turbine building, and service water intake building. Floods in the reactor building or intake building do not directly impact equipment in the turbine building, and for these floods the turbine trip event tree was used for calculating the CDF. For floods in the turbine building, the MSIV closure event tree was used to quantify the CDF. The event trees were analyzed with different pre-existing failures resulting from floods in different locations. This was done by using two events at the front of the event tree, one for the flood initiating event, and another for failure of equipment in the room and in adjacent rooms due to flood propagation. The analysis was performed with a sequence truncation value of 1E-10/year. [p. 3.3-44, Section 3.3.9.1 of submittal]

The Hope Creek IPE internal flooding analysis assumed the frequency of such initiating events to be 1.0E-2 per year per room. This frequency was intended to account for spray effects, based on the leak before break concept. All equipment in a room where a leak/break was assumed to occur was assumed to fail. Thus, there was no distinction in equipment failures due to sprays or submergence. The assumption was made that sprays would only cause failure of equipment located in the affected room. The plant design basis provides train separation, both electrically and mechanically, into separate rooms so that spray-induced failures are assumed to impact only a single train. [RAI Responses, p. 14]

2.6.2 Internal Flooding Results.

The total CDF from internal flooding was calculated to be 5.1E-7/year.

The table of initiating event frequencies states that the frequency of an internal flood is 0.7/year, and the frequency of an internal flood that is not isolated within 30 minutes is 1E-3/year. This indicates that operator actions to isolate floods are important. Operator actions to isolate floods are addressed in the discussion of the flooding scenarios of Section 3.3.9.2 of the submittal. [Table 3.3.3-5 of submittal]

Table 3.3.9-1 of the submittal summarizes representative flood sequences.

2.7 Core Damage Sequence Results

This section of the report reviews the dominant core damage sequences reported in the submittal. The reporting of core damage sequences, whether systemic or functional, is reviewed for consistency with the screening criteria of NUREG-1335. The definition of vulnerability provided in the submittal is reviewed. Vulnerabilities, enhancements, and plant hardware and procedural modifications, as reported in the submittal, are reviewed.

2.7.1 Dominant Core Damage Sequences.

The IPE utilized mixed functional/systemic event trees, and reported results consistent with the criteria for systemic based analyses delineated in NUREG-1335. [Section 3.4.1 of submittal]

The total CDF from internal events excluding internal flooding is 1.29E-5/year, based on a recently revised analysis. Major classes of accidents contributing to the total CDF, and their percent contribution are shown in Table 2-4 below.

Table 2-4. Accident Classes and Their Contribution to Core Damage Frequency

| Accident Class | Percent of CDF |
|---|---|
| Transients with Loss of all High Pressure Injection and Failure to Depressurize | 42.9% |
| Station Blackout | 18.1% |
| LOCAs | 15.5% |
| Plant Specific Initiating Events | 10.8% |
| ATWS | 5.7% |
| Transients with Loss of all High and Low Pressure Injection | 2.7% |
| Loss of Offsite Power, DGs Operate | 1.9% |
| Stuck Open Safety Relief Valve | 1.8% |
| Loss of Decay Heat Removal | 0.6% |

"Loss of DHR" as used in the IPE refers to loss of containment cooling. The CDF from internal flooding is 5.1E-7/year. [Section 3.3.9.3 of submittal]

Table 2-5 below summarizes the CDF contributions by initiating event. [RAI Responses, p. 16]

Table 2-5. Initiating Events and Their Contribution to Core Damage Frequency

| Initiating Event | Percent Contribution to CDF |
|---|---|
| Loss of Feedwater | 25.4% |
| Loss of Offsite Power | 20.1% |
| MSIV Closure/Loss of Condenser Vacuum | 13.8% |
| Intermediate LOCA | 12.3% |
| Main Turbine Trip | 7.7% |
| Loss of HVAC | 7.6% |
| Turbine Trip ATWS | 4.6% |
| Internal Flooding and failure to isolate within 30 minutes | 4.2% |
| Loss of SSW/SACS | 2.2% |
| Small LOCA | 2.1% |
| Large LOCA | 0.8% |
| Loss of RACS | 0.8% |

The top 5 core damage sequences for the unit are summarized in Table 2-6 of this report. These top 5 sequences comprise 68% of the overall CDF.

Table 2-6. Top Five Core Damage Sequences

| Initiating Event | Mitigating System Failures | Sequence Frequency (1/year) | % of Total CDF |
|---|---|---|---|
| Total Loss of Feedwater | Loss of RCIC; Loss of HPCI; Failure to Depressurize | 3.19E-6 | 24.7% |
| Loss of Offsite Power | Loss of all DGs resulting in SBO; Failure to Recover Offsite and Onsite Power within 6 hours leading to Loss of RCIC/HPCI at 4 hours due to battery depletion and core damage at 6 hours | 2.19E-5 | 17% |
| Closure of MSIVs | Loss of RCIC; Loss of HPCI; Failure to Depressurize | 1.43E-6 | 11.1% |
| Medium LOCA | Failure of HPCI; Failure to Depressurize | 1.03E-6 | 8.0% |
| Loss of HVAC to Panel Room or Switchgear Room | Failure to Recover HVAC | 9.45E-7 | 7.3% |

These results indicate that transients with loss of high pressure injection and failure to depressurize dominate the CDF. Station blackout is not a dominant contribution because four diesel generators are available to provide emergency AC power. The contribution of ATWS to overall CDF is small; the SLC system at Hope Creek is automatically initiated following an ATWS which reduces the likelihood of core damage from an ATWS. The contribution of loss of DHR to overall CDF is small due to the ability to vent containment and credit for continued core cooling using selected systems even if containment venting fails. [pp. 3.2-156 and 3.2-173 of submittal]

An importance analysis was performed on the highest frequency cut sets. The following systems were found to be important based on both risk increase and risk decrease importance measures: DGs, HPCI, RCIC, SSW, SACS, and alternate HVAC for the class 1E panel room. Dominant human errors contributing to CDF are not specifically discussed in the submittal. [Section 3.4.1.2 of submittal) 7 2.7.2 Vulnerabilities.

Section 3.4.2 of the submittal discussed front end vulnerabilities. For a sequence' or an event to be considered indicative of a vulnerability, it had to pass the screening criteria for reporting systemic sequences from NUREG-1335 and contribute inordinately to the CDF with respect to either (1) other sequences or events in the IPE, or (2) in comparison with PRA results for other plants.

During the performance of the IPE, transients involving HVAC failure were determined to contribute Inordinately to the CDF For example, loss of switchgear or 1E panel room HVAC had a CDF of 3.29E 3/ year. This was labeled as a vulnerability, and a procedure to provide alternate ventilation was developed. The implementation of the procedure removed this vulnerability. No other vulnerabilities were identified in the submittal.

2.7.3 Proposed Improvements and Modifications.

The submittal states that the procedure for providing alternate ventilation to electrical areas was developed and implemented as a result of the IPE.

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS

This section of the report provides our overall evaluation of the quality of the front-end portion of the IPE based on this review. Strengths and shortcomings of the IPE are summarized. Important assumptions of the model are summarized. Major insights from the IPE are presented.

Major strengths of the IPE are as follows. The requirements for HVAC support systems appear to have been more thoroughly assessed than comparable analyses in some other IPE/PRA studies. Various aspects of the IPE, such as the assumption that fire water cannot be used for injection during station blackout due to relatively high containment/vessel backpressure and the significant flow pressure losses, indicate that careful attention was paid to plant specific system characteristics.

One possible shortcoming of the IPE is the limited use of plant specific failure data.

Based on our review, the following modeling assumptions have an impact on the overall CDF:

(a) operator action to vent containment preserves core cooling

(b) some core cooling systems remain available with loss of containment cooling and failure of containment venting

These assumptions tend to lower the overall CDF, since they result in core cooling options remaining available even if containment cooling/venting fail. Failure of containment heat removal, defined as loss of DHR by the licensee, contributes only 0.6% to the overall CDF. Some other BWR IPEs have calculated a much higher contribution, up to 74%; however, the impact of loss of containment cooling/venting on core cooling is plant-specific.

During performance of the IPE, the licensee discovered that loss of HVAC to electrical equipment contributed significantly to core damage. A procedure was prepared and implemented for providing alternate HVAC to these areas, and this change lowered the dominant sequence CDF involving loss of HVAC from 3.29E-3/year to 9.87E-7/year.

Significant findings on the front-end portion of the IPE are as follows:

- HVAC support is required for many frontline systems and for electrical areas, and many of the preferred HVAC systems require mechanical refrigeration units to operate; provisions for supplying alternate HVAC to electrical rooms greatly lower the overall CDF

- battery lifetime is 4 hours

- core cooling can be maintained with loss of containment cooling and failure of containment venting

- automatic initiation of SLC following an ATWS results in a low contribution of ATWS to overall CDF

- internal flooding contributes a small amount to the overall CDF.

4. DATA SUMMARY SHEETS

This section of the report provides a summary of information from our review.

Overall CDF

The total CDF from internal initiating events is 4.6E-5/year. The total CDF from internal flooding is 5.1E-7/year.

Initiating Event Frequencies

| Initiating Event | Frequency per Year |
|---|---|
| Main Turbine Trip | 4.0 |
| MSIV Closure / Loss of Condenser Vacuum | 1.8E-1 |
| Loss of Feedwater | 5.5E-1 |
| Inadvertent Open SRV | 3.8E-2 |
| Loss of SSW/SACS | 2.1E-4 |
| Loss of RACS | 1.0E-2 |
| Loss of HVAC | 2.4E-3 |
| Loss of Instrument Air | 1.0E-2 |
| Loss of Offsite Power | 3.4E-2 |
| Small LOCA | 2.8E-2 |
| Intermediate LOCA | 3.0E-3 |
| Large LOCA | 7.0E-4 |
| ISLOCA | 1.0E-3 (leakage); 1.0E-5 (rupture) |
| Internal Flooding and failure to isolate within 30 minutes | 1E-3 |

Dominant Initiating Events Contributing to CDF

| Initiating Event | Contribution to CDF |
|---|---|
| Loss of Feedwater | 25.4% |
| Loss of Offsite Power | 20.1% |
| MSIV Closure / Loss of Condenser Vacuum | 13.8% |
| Intermediate LOCA | 12.3% |
| Main Turbine Trip | 7.7% |
| Loss of HVAC | 7.6% |
| Turbine Trip ATWS | 4.6% |
| Internal Flooding and failure to isolate within 30 minutes | 4.2% |
| Loss of SSW/SACS | 2.2% |
| Small LOCA | 2.1% |
| Large LOCA | 0.8% |
| Loss of RACS | 0.8% |

Dominant Hardware Failures and Operator Errors Contributing to CDF

Dominant hardware failures contributing to CDF include: HPCI, RCIC, DGs, SSW, and SACS.

Dominant human errors and recovery failures contributing to CDF were not provided in the submittal.

Dominant Accident Classes Contributing to CDF

The dominant contributors to CDF by accident class are as follows:

| Accident Class | Contribution to CDF |
|---|---|
| Transients with Loss of all High Pressure Injection and Failure to Depressurize | 42.9% |
| Station Blackout | 18.1% |
| LOCAs | 15.5% |
| Plant Specific Initiating Events | 10.8% |
| ATWS | 5.7% |
| Transients with Loss of all High and Low Pressure Injection | 2.7% |
| Loss of Offsite Power, DGs Operate | 1.9% |
| Stuck Open Safety Relief Valve | 1.8% |
| Loss of Decay Heat Removal | 0.6% |

Design Characteristics Important for CDF

The following design features impact the CDF:

- Emergency AC power can be supplied by four DGs

- 4 hour battery lifetime

- Ability to use alternate injection to the vessel

- Automatic actuation of SLC.

The impact of these design features on the overall CDF is discussed in Section 1.2 of this report.

Modifications

During performance of the IPE, it was discovered that loss of HVAC to electrical equipment contributed significantly to core damage. A procedure was prepared and implemented for providing alternate HVAC to these areas and it lowered the dominant sequence CDF involving loss of HVAC from 3.29E-3/year to 9.87E-7/year.

Other USI/GSIs Addressed

The licensee proposes to resolve GSI 105, "Intersystem LOCA Outside Containment", with the IPE submittal.

Significant PRA Findings

Significant findings on the front-end portion of the IPE are as follows:

- transients involving loss of high pressure injection and failure to depressurize contribute the most to the overall CDF

- HVAC support is required for many frontline systems and for electrical areas, and many of the preferred HVAC systems require mechanical refrigeration units to operate; provisions for supplying alternate HVAC to electrical rooms greatly lower the overall CDF

- battery lifetime is 4 hours

- core cooling can be maintained with loss of containment cooling and failure of containment venting

- automatic initiation of SLC following an ATWS results in a low contribution of ATWS to overall CDF

- internal flooding contributes a small amount to the overall CDF.

REFERENCES

[GL 88-20] "Individual Plant Examination For Severe Accident Vulnerabilities - 10 CFR 50.54(f)", Generic Letter 88-20, U.S. Nuclear Regulatory Commission, November 23, 1988.

[IPE] Hope Creek IPE Submittal, May 31, 1994.

[NEDO-24708A] Additional Information Required for NRC Staff Generic Report on BWRs, August 1979, Rev 1, December 1980.

[NSAC-147] "Losses of Offsite Power at U.S. Nuclear Power Plants through 1989", NSAC-147, March 1990.

[NUREG/CR-4550, Grand Gulf] NUREG/CR-4550, Vol 6, Rev 1, Part 1, Analysis of Core Damage Frequency: Grand Gulf, Unit 1 Internal Events.

[NUREG/CR-4550, Methodology] NUREG/CR-4550, Vol 1, Rev 1, Analysis of Core Damage Frequency: Internal Events Methodology, January 1990.

[NUREG/CR-4550, Peach Bottom] NUREG/CR-4550, Vol 4, Rev 1, Part 1, Analysis of Core Damage Frequency: Peach Bottom, Unit 2 Internal Events.

[NUREG-1335] "Individual Plant Examination Submittal Guidance", NUREG-1335, U.S. Nuclear Regulatory Commission, August 1989.

[RAI Responses] Response to Generic Letter 88-20 Individual Plant Examination for Severe Accident Vulnerabilities - 10 CFR 50.54(f) Request for Additional Information, Hope Creek Generating Station, Facility Operating License No. NPF-57, Docket No. 50-354, Submitted November 6, 1995.

[Tech Specs] Technical Specifications for Hope Creek.

[UFSAR] Updated Final Safety Analysis Report for Hope Creek.

HOPE CREEK GENERATING STATION TECHNICAL EVALUATION REPORT (BACK-END)