ML20117D068

NPP TER on IPE Front End Analysis
ML20117D068
Person / Time
Site: Millstone
Issue date: 11/27/1995
From: Thomas W
SCIENCE & ENGINEERING ASSOCIATES, INC.
To:
NRC
Shared Package
ML20117D072 List:
References
CON-NRC-94-91-066, CON-NRC-94-91-66 SEA-94-2335-010, SEA-94-2335-010-A:3, SEA-94-2335-10, SEA-94-2335-10-A:3, NUDOCS 9604050381


Text

SEA-94-2335-010 A:3

November 27, 1995

Millstone 2 Nuclear Power Plant Technical Evaluation Report on the Individual Plant Examination Front End Analysis

NRC-04-91-066, Task 35

Willard Thomas

Science and Engineering Associates, Inc.

Prepared for the Nuclear Regulatory Commission

TABLE OF CONTENTS

E. EXECUTIVE SUMMARY
E.1 Plant Characterization
E.2 Licensee's IPE Process
E.3 Front End Analysis
E.4 Generic Issues
E.5 Vulnerabilities and Plant Improvements
E.6 Observations
1. INTRODUCTION
1.1 Review Process
1.2 Plant Characterization
2. TECHNICAL REVIEW
2.1 Licensee's IPE Process
2.1.1 Completeness and Methodology
2.1.2 Multi-Unit Effects and As-Built, As-Operated Status
2.1.3 Licensee Participation and Peer Review
2.2 Accident Sequence Delineation and System Analysis
2.2.1 Initiating Events
2.2.2 Event Trees
2.2.3 Systems Analysis
2.2.4 System Dependencies
2.3 Quantitative Process
2.3.1 Quantification of Accident Sequence Frequencies
2.3.2 Point Estimates and Uncertainty/Sensitivity Analyses
2.3.3 Use of Plant-Specific Data
2.3.4 Use of Generic Data
2.3.5 Common-Cause Quantification
2.4 Interface Issues
2.4.1 Front-End and Back-End Interfaces
2.4.2 Human Factors Interfaces
2.5 Evaluation of Decay Heat Removal and Other Safety Issues
2.5.1 Examination of DHR
2.5.2 Diverse Means of DHR
2.5.3 Unique Features of DHR
2.5.4 Other GSI/USIs Addressed in the Submittal
2.6 Internal Flooding
2.6.1 Internal Flooding Methodology
2.6.2 Internal Flooding Results
2.7 Core Damage Sequence Results
2.7.1 Dominant Core Damage Sequences
2.7.2 Vulnerabilities
2.7.3 Proposed Improvements and Modifications
3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS
4. DATA SUMMARY SHEETS
REFERENCES


LIST OF TABLES

Table 2-1. Summary of Front-End Sensitivity Analyses
Table 2-2. Plant-Specific Component Failure Data
Table 2-3. Generic Component Failure Data
Table 2-4. Comparison of Common-Cause Failure Factors
Table 2-5. Common Cause Beta Factor Screening Values
Table 2-6. Accident Types and Their Contribution to Core Damage Frequency
Table 2-7. Initiating Events and Their Contribution to Core Damage


E. EXECUTIVE SUMMARY

This report summarizes the results of our review of the front-end portion of the Individual Plant Examination (IPE) for the Millstone Unit 2 Nuclear Power Plant. This review is based on information contained in the IPE submittal [IPE Submittal] along with the licensee's responses [RAI Responses] to a request for additional information (RAI).

E.1 Plant Characterization

The Millstone Unit 2 Nuclear Power Plant is a Combustion Engineering (CE) pressurized water reactor (PWR). The plant has power ratings of 2,700 megawatts thermal (MWt) and 863 megawatts electric (MWe), and first began operation in December 1975.

Design features at Millstone 2 that impact the core damage frequency (CDF) relative to other PWRs are as follows:

• Ability to remove decay heat with bleed-and-feed. The plant has the capability to remove decay heat with primary bleed-and-feed cooling in the event all secondary heat removal is lost. This design feature tends to reduce the CDF.

• Automatic switchover of Emergency Core Cooling System (ECCS) from injection to recirculation. This design feature tends to decrease the CDF over what it would otherwise be with a manual system.

• Fire water backup for Condensate Storage Tank (CST). The plant fire water system can be used as an alternate source of water to the auxiliary feedwater (AFW) pumps in the event water is unavailable from the CST. This design feature tends to reduce the CDF. However, the IPE did not take credit for this backup source of water.

• New steam generators. The steam generators have been replaced with generators having an improved moisture separator design and the addition of wide range level instrumentation. This design feature tends to reduce the CDF. However, as stated in the submittal, this feature did not directly impact the IPE models.

• 4,160 VAC electrical cross-connection between Millstone Units 1 and 2. There is a 4,160 VAC electrical feeder cross-connection between Units 1 and 2. This design feature tends to reduce the CDF. The IPE took credit for alternate emergency power supplied from Unit 1 via this electrical cross-connection.

• Instrument air cross-connection between Millstone Units 1 and 2. The instrument air systems at Millstone Units 1 and 2 can be cross-connected. This design feature tends to reduce the CDF. The IPE took credit for alternate instrument air supplied from Unit 1 via this cross-connection.

• Capability to supply portions of 120 VAC vital power system with the turbine battery. The non-class 1E turbine battery can provide alternate power to a portion of the 120 VAC vital power system. This design feature tends to reduce the CDF. The IPE took credit for the turbine battery as a backup power source for Engineered Safeguards Actuation System (ESAS) loads.

• Eight hour battery capacity. The IPE credited operator load shedding actions specified in the Station Blackout Emergency Operating Procedure (EOP) to extend the battery lifetime to 8 hours. The 8 hour battery lifetime is longer than battery lifetimes at some other plants. This plant feature tends to reduce the CDF.

• Containment air recirculation fan units. The plant design includes safety-grade containment air recirculation fan cooler units that are independent and redundant to the containment spray system. This design feature tends to reduce the CDF.

E.2 Licensee's IPE Process

To fulfill the requests of Generic Letter 88-20, the licensee updated and expanded an earlier Level 1 probabilistic risk assessment (PRA) that had been completed in 1991. The IPE models the as-designed, as-operated plant following the refueling/steam generator replacement outage of 1992.

The licensee provided the overall technical management of the Millstone 2 IPE. Essentially 100% of the front-end analysis and approximately 80% of the back-end analysis was performed by licensee personnel.

Plant walkdowns were used to support the analysis. In addition, the PRA analysts made use of the plant-specific control room simulator.

Major documentation used in the IPE included WASH-1400, the Millstone 2 Updated Final Safety Analysis Report (UFSAR), Licensee Event Reports (LERs), Plant Incident Reports (PIRs), Emergency Operating Procedures (EOPs), and Abnormal Operating Procedures (AOPs).

Independent reviews by in-house staff were performed on all front-end areas, including: equipment failure data base development, system fault tree analyses, event tree analyses, human reliability analyses, and final quantification. An independent external review of the IPE was performed by Gabor, Kenton, and Associates.

The licensee intends to maintain a "living" PRA to enhance plant safety and to support the plant accident management program.

E.3 Front-End Analysis

The front-end portion of the IPE is a Level 1 PRA. The specific technique used for the Level 1 PRA was a small event tree/large fault tree technique with fault tree linking. The Cutset and Fault Tree Analysis (CAFTA) software package was used to generate the accident sequence analysis.

The licensee defines core damage as occurring either when the clad temperature reaches 2,200 deg. F or when the vessel water level drops below the top of active fuel (TAF). The success criteria are based on Modular Accident Analysis Program (MAAP) calculations. The success criteria are generally consistent with success criteria used in other PWR IPE/PRA studies.

The IPE quantified 24 initiating events, exclusive of internal flooding: 5 primary system loss of coolant accidents (LOCAs), including steam generator tube rupture (SGTR); 4 categories of interfacing systems LOCA (ISLOCA); 7 generic transients, including 4 categories of secondary side breaks; and 8 special initiating events representing loss of support systems. The number of initiating events considered in the flooding analysis was not provided.

Plant-specific component failure data appear to have been gathered from 1975 to June 1987. Plant-specific initiating event data were gathered from 1975 to 1986. However, the IPE is stated to model the as-designed, as-operated plant following the refueling/steam generator replacement outage of 1992. The licensee acknowledges that the IPE may not reflect the as-built, as-operated plant because of the data cutoff dates. However, the licensee does not believe it likely that vulnerabilities have been overlooked due to various plant programs (for example Significant Event Tracking) and the fact that the PRA engineers are also utility engineers who have close interactions with the plant on a daily basis. In our judgment, the use of plant data cutoff dates 5 to 6 years prior to the 1992 analysis cutoff date represents a weakness in the IPE.

The Multiple Greek Letter (MGL) approach was used to model common cause failures. In applying the MGL approach, the licensee appears to have used a "beta" multiplicative factor to account for all of the considered common cause failure events, including failures of groups of 3 or more similar components. Data from the Electric Power Research Institute (EPRI) were used to support quantification of the common cause events.

The total CDF estimate for Millstone 2 is 3.4E-05/yr,¹ including an internal flooding contribution of 2.0E-07/yr. The initiating events that contribute most to the CDF and their percent contribution are listed below.²

¹ As used here and in other portions of this report, the term "yr" refers to reactor year.

² Only the most dominant initiating event contributors are listed here. A complete set of initiating event CDF contributors is provided in Table 3.1.1-1 of the submittal.

Loss of offsite power  25%
General plant transient  13%
Loss of DC bus A  11%
Loss of DC bus B  11%
Steam break train A (upstream of non return valves)  7.7%
Loss of main feedwater  5.2%
Large LOCA  4.8%
Small LOCA  4.8%
Small-small LOCA  4.3%
Medium LOCA  3.7%
Loss of service water  2.8%
Loss of vital AC panels 10 & 30  2.5%
Steam generator tube rupture (SGTR)  1.5%

Core damage contributions by accident type are listed below:

Transients  74%
LOCA  18%
Anticipated Transient Without Scram (ATWS)  4.4%
SGTR  1.5%
Station Blackout  1.2%
Internal Flooding  0.6%
ISLOCA  0.2%

The most important events based on the Fussell-Vesely importance are (in decreasing order of importance):

• Steam-driven AFW pump fails to deliver water to headers (module)

• Failure to recover DC power (short term)

• Failure to recover DC power (35 minutes)

• Cognitive operator error - failure to initiate steam-driven AFW pump

• Motor-driven AFW pump 9B fails to deliver water (module)

• Motor-driven AFW pump train A fails to deliver water (module)
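
How a linked fault tree yields minimal cut sets, and how a Fussell-Vesely ranking is derived from them, can be shown on a toy model. This is an added example, not taken from the IPE submittal or from this report: the tree structure, the event names, and every probability (including the beta factor) are constructed for illustration, and the sequence frequency uses the rare-event approximation.

```python
from itertools import product
from math import prod

BETA = 0.1     # constructed beta factor for the two motor-driven pumps
Q_MDP = 5e-3   # constructed total failure probability of one motor-driven pump

# Constructed point estimates. LOSP is an initiating-event frequency (per
# reactor year); everything else is a failure probability on demand.
PROB = {
    "LOSP": 0.1,                  # loss of offsite power initiator
    "DC_REC": 1e-5,               # DC power lost and not recovered
    "TDP_HW": 2e-2,               # steam-driven pump hardware failure
    "OP_START": 1e-2,             # operator fails to start steam-driven pump
    "MDP_A": (1 - BETA) * Q_MDP,  # independent failure, motor-driven pump A
    "MDP_B": (1 - BETA) * Q_MDP,  # independent failure, motor-driven pump B
    "MDP_CCF": BETA * Q_MDP,      # common cause failure of both pumps
}

# Constructed fault tree: gate name -> (gate type, inputs). Names that are not
# gates are basic events. DC_REC feeds both trains, which is the kind of
# shared support-system dependency that fault tree linking exposes.
TREE = {
    "TOP": ("AND", ["LOSP", "TD_TRAIN", "MD_TRAINS"]),
    "TD_TRAIN": ("OR", ["TDP_HW", "OP_START", "DC_REC"]),
    "MD_TRAINS": ("OR", ["MDP_CCF", "MD_BOTH", "DC_REC"]),
    "MD_BOTH": ("AND", ["MDP_A", "MDP_B"]),
}


def cut_sets(node, tree):
    """Expand a gate top-down into (not yet minimal) cut sets."""
    if node not in tree:
        return {frozenset([node])}
    kind, inputs = tree[node]
    children = [cut_sets(i, tree) for i in inputs]
    if kind == "OR":
        return set().union(*children)
    # AND gate: one cut set from each input, merged, for every combination.
    return {frozenset().union(*combo) for combo in product(*children)}


def minimize(sets):
    """Drop every cut set that strictly contains another one (absorption)."""
    return {s for s in sets if not any(other < s for other in sets)}


def minimal_cut_sets(top, tree):
    return minimize(cut_sets(top, tree))


def sequence_frequency(mcs, prob):
    """Rare-event approximation: sum of the cut set products."""
    return sum(prod(prob[e] for e in cs) for cs in mcs)


def fussell_vesely(mcs, prob):
    """Fraction of the total frequency from cut sets containing each event."""
    total = sequence_frequency(mcs, prob)
    events = set().union(*mcs)
    return {
        e: sequence_frequency([cs for cs in mcs if e in cs], prob) / total
        for e in events
    }


def rank_by_fv(fv):
    """Event names in decreasing order of importance (ties broken by name)."""
    return sorted(fv, key=lambda e: (-fv[e], e))


if __name__ == "__main__":
    mcs = minimal_cut_sets("TOP", TREE)
    fv = fussell_vesely(mcs, PROB)
    print(f"{len(mcs)} minimal cut sets, "
          f"frequency {sequence_frequency(mcs, PROB):.3e}/yr")
    for name in rank_by_fv(fv):
        print(f"{name:10s} FV = {fv[name]:.3f}")
```

In this constructed model the shared DC dependency collapses four of the nine raw cut sets into the single two-event set {LOSP, DC_REC}, and the common cause term outranks the independent pump failures even with a beta factor of only 0.1.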

Plant damage states (PDSs) were used to provide the interface between the front- and back-end analyses.

E.4 Generic Issues

As part of the decay heat removal (DHR) examination, the licensee presents a list of special features and capabilities that enhance the reliability of the DHR function. These special features include: (1) a means to use fire water system pumps as an alternate source of AFW suction supply; (2) EOPs that direct operators to use condensate pumps for feedwater flow in the event main and auxiliary feedwater are unavailable; and (3) containment air recirculation fan cooler units that provide an alternate means of decay heat removal in the event shutdown cooling heat exchangers are unavailable.

The licensee also reviewed Appendix 5 of Generic Letter 88-20 to determine if it was applicable to the DHR function at Millstone 2. This portion of Generic Letter 88-20 is related to the IPE of External Events (IPEEE) analyses, and indicates that DHR vulnerabilities are often related to a lack of system and component redundancy, separation, and physical protection. The submittal describes how plant features at Millstone 2 make the plant resistant to these types of DHR vulnerabilities.

The licensee concludes that DHR does not represent a significant risk potential. No DHR-related vulnerabilities were noted.

The licensee does not propose to resolve any other generic safety issues/unresolved safety issues (GSIs/USIs) other than DHR.

E.5 Vulnerabilities and Plant Improvements

The licensee does not have any formal criteria that define a vulnerability. However, the submittal lists five criteria that would generally be in line with the licensee's concept of a major vulnerability. These five criteria are summarized below:

• The single failure of safety- or nonsafety-related equipment, either active or passive, that has a significant impact on CDF.

• Multiple safety- or nonsafety-related components that have a high potential for common mode failure and have a significant impact on CDF.

• A support system with a relatively high probability of failure that could result in an unanticipated plant transient not covered by procedures, could result in the loss of multiple front-line and support systems, and has a significant impact on CDF.

• An operator action having a reasonable probability of being required over the plant lifetime that has a moderately high probability of failure because of relatively complex procedures or operator unfamiliarity, and has a significant impact on CDF.

• A mode of early containment failure that has a relatively high probability of occurrence given a core melt accident (greater than about 10%).

The licensee identified the potential for an RCP thermal barrier tube rupture ISLOCA as a vulnerability. A modification to eliminate this vulnerability is planned for April 1997. This ISLOCA was evaluated separately from the IPE analysis described in the submittal.

The only plant improvement or modification directly resulting from the IPE appears to be the planned modification to eliminate the RCP thermal barrier tube rupture vulnerability noted above. However, the licensee does list five plant changes made as a result of the original 1991 Millstone 2 Internal Events PRA study, which preceded the IPE. These five changes were credited in the IPE and have been implemented. These changes are listed below:

• Improve the overall availability of the DC switchgear room ventilation.

• Install temperature indicators/alarms for the DC switchgear rooms.

• Include the use of AFW pump discharge cross-tie motor operated valve (MOV) in EOPs.

• Add accumulators for AFW regulating valves.

• Perform surveillance testing of selected low pressure safety injection (LPSI) check valves in selected cold leg injection lines.

Other plant modifications are reflected in the IPE analysis, though they were not identified in conjunction with the IPE. For example, the IPE accounts for the installation of a new battery-eliminating battery charger for DC bus 201B and changes in ESF room ventilation. Based on engineering judgment, the licensee estimates that credit for plant improvements and modifications identified independently of the IPE reduces the IPE CDF from approximately 1.1E-04/yr to 3.4E-05/yr.

Plant changes specifically due to the Station Blackout Rule were not credited in the analysis. However, the IPE did take credit for a plant modification that reduces the station blackout CDF, namely the electrical cross-tie between Units 1 and 2. This cross-tie was implemented in 1986 to address Appendix R fire protection issues. Credit for this cross-tie reduces the station blackout CDF contribution by about 86% (from 3.1E-06/yr to 4.2E-07/yr).

E.6 Observations

No particular strengths of the IPE were noted.

Weaknesses of the IPE are as follows: The plant-specific data used in the analysis does not reflect the most recent plant operating history prior to the analysis freeze date. While the IPE analysis is stated to have a 1992 freeze date, the cutoff dates for plant-specific data were June 1987 (for component failure data) and 1986 (for initiating event data). Consequently, it is not clear that the licensee has modeled the as-operated plant.

As a general observation, the IPE includes several instances where the modeling may be incomplete or overly optimistic. For example, the licensee has excluded LOSP initiating events involving durations less than one half hour. In addition, the licensee has yet to perform analyses to determine whether loss of intake building HVAC will cause a trip of the service water pumps; this type of HVAC-induced plant trip was not modeled in the IPE. Also, as acknowledged by the licensee, the human error probability (HEP) for operator failure to start the steam-driven AFW pump may have been quantified with too low a value. Individually, none of the preceding items appears to represent a major weakness of the IPE. Collectively, however, these aspects of the modeling process indicate that benefit would be derived from an update of the IPE. (As previously noted, the licensee intends to maintain a "living" PRA.)

Significant level-one IPE findings are as follows:

Station blackout is a relatively small contributor to CDF because of (1) credit taken for alternate emergency power supplied from Unit 1, (2) an 8 hour battery capacity, and (3) a reactor coolant pump (RCP) seal LOCA model that appears to be more optimistic than used in some other PWR IPE/PRA studies.

1. INTRODUCTION

1.1 Review Process

This report summarizes the results of our review of the front-end portion of the IPE for Millstone 2. This review is based on information contained in the IPE submittal [IPE Submittal] along with the licensee's responses [RAI Responses] to a request for additional information (RAI).

1.2 Plant Characterization

The Millstone Unit 2 Nuclear Power Plant is a Combustion Engineering (CE) pressurized water reactor (PWR). Bechtel Corporation was the engineer-constructor for this plant. Millstone 2 has power ratings of 2,700 MWt and 863 MWe, and first began operation in December 1975. Calvert Cliffs and Palisades represent other plants similar to Millstone 2. [pp. 1.1-1, 1.1-2, 1.3-1, 1.6-1, 4.1-1 of UFSAR, pp. 3-3, 3-65, 4-54 of submittal]

The Millstone 2 plant is located on the north shore of Long Island Sound, 40 miles SE of Hartford, Connecticut. Co-located on the same site are two other operating reactors, Millstone 1 and 3. Millstone 1 is a BWR, while Millstone 3 is a Westinghouse PWR. Northeast Nuclear Energy Company (NNECO) is responsible for the design, construction, and operation of all three plants. NNECO used the engineering staff of Northeast Utilities Service Company (NUSCO) to direct the design and construction of these plants. NUSCO provided overall technical management of the Millstone 2 IPE. [pp. 1.1-1, 1.2-1, 1.6-1 of UFSAR, 4-2, 5-1 of submittal]

A number of design features at Millstone 2 impact the core damage frequency (CDF). The design features that tend to lower the CDF are as follows: [pp. 18, 21 of RAI Responses, pp. 3-65, 6-2 to 6-4 of submittal]

• Ability to remove decay heat with bleed-and-feed. The plant has the capability to remove decay heat with primary bleed-and-feed cooling in the event all secondary heat removal is lost. This design feature tends to reduce the CDF.

• Automatic switchover of Emergency Core Cooling System (ECCS) from injection to recirculation. This design feature tends to decrease the CDF over what it would otherwise be with a manual system.

• Fire water backup for Condensate Storage Tank (CST). The plant fire water system can be used as an alternate source of water to the AFW pumps in the event water is unavailable from the CST. This design feature tends to reduce the CDF. However, the IPE did not take credit for this backup source of water.

• New steam generators. The steam generators have been replaced with generators having an improved moisture separator design and the addition of wide range level instrumentation. This design feature tends to reduce the CDF. However, as stated in the submittal, this feature did not directly impact the IPE models.

• 4,160 VAC electrical cross-connection between Millstone Units 1 and 2. There is a 4,160 VAC electrical feeder cross-connection between Units 1 and 2. This design feature tends to reduce the CDF. The IPE took credit for alternate emergency power supplied from Unit 1 via this electrical cross-connection.

• Instrument air cross-connection between Millstone Units 1 and 2. The instrument air systems at Millstone Units 1 and 2 can be cross-connected. This design feature tends to reduce the CDF. The IPE took credit for alternate instrument air supplied from Unit 1 via this cross-connection.

• Capability to supply portions of 120 VAC vital power system with the turbine battery. The non-class 1E turbine battery can provide alternate power to a portion of the 120 VAC vital power system. This design feature tends to reduce the CDF. The IPE took credit for the turbine battery as a backup power source for Engineered Safeguards Actuation System (ESAS) loads.

• Eight hour battery capacity. The IPE credited operator load shedding actions specified in the Station Blackout Emergency Operating Procedure (EOP) to extend the battery lifetime to 8 hours. The 8 hour battery lifetime is longer than battery lifetimes at some other plants. This plant feature tends to reduce the CDF.

• Containment air recirculation fan units. The plant design includes safety-grade containment air recirculation fan cooler units that are independent and redundant to the containment spray system. This design feature tends to reduce the CDF.

2. TECHNICAL REVIEW

2.1 Licensee's IPE Process

We reviewed the process used by the licensee with respect to: completeness and methodology; multi-unit effects and as-built, as-operated status; and licensee participation and peer review.

2.1.1 Completeness and Methodology.

To fulfill the requests of Generic Letter 88-20, the licensee updated and expanded an earlier Level 1 PRA that had been completed in 1991. The submittal is complete with respect to the type of information requested by Generic Letter 88-20 and NUREG-1335. [pp. 2-1, 2-2 of submittal]

The front-end portion of the IPE is a Level 1 PRA. The specific technique used for the Level 1 PRA was a small event tree/large fault tree technique with fault tree linking. The CAFTA software package was used to generate the accident sequence analysis. Accident sequence cut sets were developed to the level of specific component failures or basic events.

2.1.2 Multi-Unit Effects and As-Built, As-Operated Status.

Co-located on the same site with Millstone 2 are two other operating reactors, Millstone 1 and 3. Millstone 1 is a boiling water reactor (BWR), while Millstone 3 is a Westinghouse PWR. A number of facilities and systems are shared among the three units, including the 345 kV switchyard and fire protection systems. There is also a 4,160 Vac electrical feeder connection between Units 1 and 2. In addition, the Unit 1 and 2 instrument air systems can be cross-connected. [pp. 3-83, 3-87 of submittal, pp. 1.2-14, 15, 8.2-4 of UFSAR]

The IPE took credit for the 4,160 Vac electrical feeder connection between Units 1 and 2. This cross-connection can be fed by the Unit 1 13.5 MW gas generator, or from the Unit 1 emergency diesel generator system (3.3 MW). Because certain scenarios at Unit 2 would preclude the use of the Unit 1 diesel generator system, only the gas generator power source was credited in the IPE analysis. The IPE also took credit for the cross-connection of instrument air systems between Unit 1 and Unit 2. [pp. 11 to 13, 24 of RAI Responses, pp. 3-83, 3-87, 3-92 of submittal]

Based on information contained in the submittal and UFSAR regarding shared facilities and systems, we concluded that the IPE analysis has properly accounted for multi-plant interconnections and shared systems.

A variety of plant-specific information was used to support the IPE including the Updated Final Safety Analysis Report (UFSAR), Licensee Event Reports (LERs), Plant Incident Reports (PIRs), Emergency Operating Procedures (EOPs), and Abnormal Operating Procedures (AOPs). Licensee PRA analysts made use of the plant-specific control room simulator and also performed plant walkdowns. About six years' worth of completed Plant Design Change Records (PDCRs) were screened for potential use in the IPE model. The IPE models the as-designed, as-operated plant following the refueling/steam generator replacement outage of 1992. [pp. 1-1, 2-1, 2-3, 3-4 of submittal]

Plant-specific component failure data were gathered from 1975 to June 1987, while plant-specific initiating event data were gathered from 1975 to 1986. However, the IPE is stated to model the as-designed, as-operated plant following the refueling/steam generator replacement outage of 1992. Thus, the plant-specific data used in the analysis does not reflect the most recent plant operating history prior to the analysis freeze date. The cutoff dates for collection of plant-specific data were associated with the pre-IPE Millstone 2 Probabilistic Safety Study. The licensee states that the next IPE update will include more recent plant-specific failure data. The licensee acknowledges that the IPE may not reflect the as-built, as-operated plant because of the data cutoff dates. However, the licensee does not believe it likely that vulnerabilities have been overlooked due to various plant programs (for example Significant Event Tracking) and the fact that the PRA engineers are also utility engineers who have close interactions with the plant on a daily basis. In our judgment, the use of plant data cutoff dates 5 to 6 years prior to the 1992 analysis cutoff date represents a weakness in the IPE. [p. 14 of RAI Responses, pp. 2-1, 3-1, 3-106 of submittal]

The licensee intends to maintain a "living" PRA to enhance plant safety and to support the plant accident management program. [pp. 2, 5 of transmittal letter]

2.1.3 Licensee Participation and Peer Review.

Northeast Utilities Service Company (NUSCO) provided the overall technical management of the Millstone 2 IPE. The IPE project engineer role was assigned to an individual in the licensee's PRA section. Essentially 100% of the front-end analysis and approximately 80% of the back-end analysis was performed by licensee personnel. [p. 6 of submittal transmittal letter, p. 5-1 of submittal]

Independent reviews by in-house staff were performed on all front-end areas, including: equipment failure data base development, system fault tree analyses, event tree analyses, human reliability analyses, and final quantification. An independent external review of the IPE was performed by Gabor, Kenton, and Associates. [pp. 5-1, 5-2 of submittal]

2.2 Accident Sequence Delineation and System Analysis

This section of the report documents our review of both the accident sequence delineation and the evaluation of system performance and system dependencies provided in the submittal.

2.2.1 Initiating Events.

The categories of initiating events included in the analysis are listed below: [pp. 3-1 to 3-4, 3-123 of submittal]

General/Typical Transients:
• General Plant Transient
• Loss of Main Feedwater
• Loss of Normal Power
• Steam Line Break (3 separate initiating events to account for break location)
• Main Feedline Break

Special Initiators:
• Loss of Instrument Air
• Loss of Service Water
• Loss of Reactor Building Closed Cooling Water (RBCCW)
• Loss of 2 Vital 120 VAC Panels (either VA-10 and 30, or VA-20 and 40)
• Loss of 125 Vital DC Bus 201A
• Loss of 125 Vital DC Bus 201B
• Loss of All Vital DC Power (2 categories of non-simultaneous DC bus loss)

LOCAs:
• Small Small LOCA (0.3" to 1.0" dia., primarily due to RCP seal leakage)
• Small LOCA (1.0" to 1.9" dia.)
• Medium LOCA (1.9" to 4.3" dia.)
• Large LOCA (4.3" dia. or larger)
• SGTR (equivalent leakage from 5 or fewer ruptured tubes)

ISLOCAs:
• Safety injection line
• Shutdown cooling line
• Letdown line
• Charging line

Internal Flooding:
• Unspecified number of initiating events

The general plant transient category was used to represent a set of initiators that have essentially identical plant responses and resulting damage states. Initiating events in this category include: loss of reactor coolant system (RCS) flow, primary/secondary mismatch, turbine trip, reactor trip, and spurious safety injection actuation.

Four initiators are used to represent the potential loss of 125 VDC. Two of these initiating events represent the loss of either 125 VDC Bus 201A or 201B. The other two initiating events in this category represent the total, non-simultaneous loss of the vital DC buses, either as the result of (a) loss of vital 125 VDC Bus 201A, followed by the subsequent loss of vital 125 VDC Bus 201B, or (b) the reverse order of these two failures. [p. 3-2 of submittal]

One of the plant-specific initiating events represents the combined loss of vital AC panels VA-10 and VA-30, or panels VA-20 and VA-40. These panels supply various ESAS and ECCS loads. As a result of recent plant modifications, the deenergization of any two of these four 120 VAC panels will no longer result in the power operated relief valves (PORVs) opening on a false high pressurizer signal. [pp. 3-2, 3-3, 6-2 of submittal]

Heating, ventilating, and air conditioning (HVAC) failures are not explicitly represented in the set of initiating events. However, the licensee states that HVAC failures were considered in the IPE. For example, loss of HVAC is implicitly included in the model used to develop the initiating event frequency for loss of vital 120 VAC. Loss of control room HVAC was evaluated as a potential initiating event but subsequently discarded due to plant features and potential operator mitigating actions that the licensee judged would make loss of control room HVAC an insignificant contributor. For example, the control room has two redundant HVAC trains, each with a 100% heat removal capacity. In addition, control room HVAC could be provided by opening doors between the Millstone Unit 1 and 2 control rooms. Loss of intake structure HVAC was also excluded from the IPE as an initiating event. However, the licensee states that the next update of the IPE models will include a re-examination of intake structure HVAC loss to further determine the consequences of its loss. The intake structure contains both the circulating water pumps and the service water pumps. If loss of HVAC causes the circulating water pumps to trip before the service water pumps, the loss of intake HVAC initiating event would be bounded by the general plant transient initiating event. However, if loss of intake structure HVAC causes the service water pumps to trip, the licensee will combine the loss of HVAC frequency into the frequency for the existing loss of service water initiating event. [pp. 1-3 of RAI Responses]

A break in the steam supply to the turbine driven AFW pump would render the pump unavailable and also result in a manual reactor scram. However, this potential initiating event was omitted from the analysis, as it is expected to have a low frequency and minimal impact on other mitigating systems. Pipe segments that supply steam to the turbine-driven pump are located in the lower floor of the turbine building, and their rupture would not disable other mitigating systems, including the two motor-driven AFW pumps. Adequate secondary cooling can be provided by a single AFW pump. [p. 19 of RAI Responses]

The IPE analysis described in the submittal explicitly included four categories of ISLOCA initiating events. These initiating events correspond to ruptures in: a safety injection line, a shutdown cooling line, a letdown line, and a charging line. The licensee has evaluated RCP thermal barrier rupture ISLOCA events separately from the IPE analysis described in the submittal. As noted in Subsection 2.7.2 of this report, the possibility of an RCP thermal barrier tube rupture ISLOCA has been identified as a vulnerability. A modification to eliminate this vulnerability is planned for April 1997. (Licensee Sup. Info.) [p. 2 of RAI Supp., pp. 3-3, 3-4, Appendix G of submittal]

In calculating the frequency for the loss of normal power (LNP) initiating event category, the licensee omitted LNP events involving durations less than a half hour. However, even a short-duration LNP event will cause demands on mitigating systems and can contribute to the overall CDF. The licensee states that short-duration LNP events will be accounted for in the next IPE update. The LNP frequency to be used in the IPE update will be reduced from its current value of 0.09/yr to approximately 0.04/yr. This updated frequency of approximately 0.04/yr is based on operating experience at U.S. plants in the past 10 years and does account for short-duration events.* Because the updated LNP frequency accounts for short-duration events and is lower than the value used in the original IPE analysis, the licensee concludes that the original IPE has not underestimated the CDF due to LNP events. [p. 15 of RAI Responses, pp. 3-87, A-24 of submittal]

* Based on actual industry experience reported by EPRI over the years 1975 through 1989 [NSAC 147], the average LOSP frequency is about 0.06 per site year. It is not clear what source of industry data the licensee is using to support an updated IPE LOSP frequency of 0.04/yr.

Plant-specific data were used to calculate the frequency for general plant transients, loss of main feedwater, and loss of normal power (LNP). Generic data were used to generate frequencies for the LOCA events, SGTR, and steam and main feedwater line breaks. Fault tree logic models were used to quantify the ISLOCA and special initiating events. The ISLOCA frequencies represent unisolable conditions, i.e., the ISLOCA frequencies have been reduced to reflect credit for valve isolation. A list of initiating event frequencies is provided in Subsection 4 of this report. [pp. 3-1 to 3-3, 3-123 of submittal]

The IPE frequency for loss of an individual DC bus is an order of magnitude higher than typical generic data. The frequencies of the other initiating events are generally consistent with data used in other IPE and PRA studies. A list of initiating event frequencies is provided in Subsection 4 of this report. [p. 3-123 of submittal]

2.2.2 Event Trees.

The following event trees were used to support the analysis: [pp. 3-4, 3-5, 3-113, 4-144, Appendix A of submittal]

  • Large Break LOCA
  • Medium Break LOCA
  • Small Break LOCA
  • Small Small Break LOCA
  • Steam Generator Tube Rupture
  • General Plant Transient
  • Loss of Main Feedwater
  • Loss of Normal Power
  • Main Feedline Break
  • Steamline Break Downstream of the Non-Return Valves
  • Steamline Break "A" Upstream of Non-Return Valves
  • Steamline Break "B" Upstream of Non-Return Valves
  • Loss of DC Bus 201A
  • Loss of DC Bus 201B
  • Loss of DC Bus 201A Followed by 201B
  • Loss of DC Bus 201B Followed by 201A
  • Loss of Instrument Air
  • Loss of Service Water
  • Loss of RBCCW
  • Loss of Vital 120 V AC Buses VA-10 and VA-30
  • ATWS Given a SGTR or General Plant Transient (GPT)
  • ATWS Given a LNP
  • ATWS Given a Loss of Main Feedwater (MFW)
  • Consequential Small Break LOCA
  • Consequential RCP Seal LOCA, Small-Small
  • Consequential RCP Seal LOCA, Small
  • Consequential SGTR Given a Main Feedwater Line Break (MFLB)
  • Consequential SGTR Given a Downstream Steam Line Break (SLB), Case A
  • Consequential SGTR Given a Downstream SLB, Case B
  • Consequential SGTR Given an Upstream SLB, Case A
  • Consequential SGTR Given an Upstream SLB, Case B

The structure of each event tree model was based on reviews of the Emergency Operating Procedures (EOPs), Abnormal Operating Procedures (AOPs), and the UFSAR. The mission time used in the core damage analysis was 24 hours. The front-end analysis considers the status of containment cooling in instances where it is required to support core cooling. [p. 3-4, Appendix A, B of submittal]

The submittal has used two terms, core damage frequency (CDF) and core melt frequency (CMF), to describe the front-end results. However, the licensee states that CMF was inadvertently used in the front-end analysis and that in fact CMF should be interpreted as CDF. The licensee defines core damage as occurring either when the clad temperature reaches 2,200 deg. F or when the vessel water level drops below the top of active fuel (TAF). The success criteria are based on MAAP calculations. [pp. 9, 10 of RAI Responses, pp. 3-4, 3-5, 3-6, 4-19, Appendix A, B, C of submittal]

The IPE RCP seal LOCA model is based on an industry evaluation of Byron Jackson RCP seal performance [CE NPSD 755]. This industry evaluation includes a Multiple Greek Letter (MGL) common cause analysis that considers failure of the 4 seal stages on a RCP. Given a loss of cooling, the analysis predicts a failure probability of 1.5E-03 that all four stages of seals will fail in any one of the four RCPs. Given failure of all four seal stages, a leak rate of 220 gpm is predicted in the affected pump. The seal analysis also considers the failure of less than four seal stages. For example, the probability of a three stage seal failure among the four pumps is 1.7E-03, with a corresponding leak rate of 35 gpm in the affected pump. [pp. 4-124, 4-125 of submittal]

The IPE does not take credit for mitigation of the unisolable conditions represented by the ISLOCA initiating events. Therefore, an ISLOCA event tree is not provided. [pp. 3-3, 3-116, 3-123, 3-125 of submittal]

Like some other PWR IPEs, the Millstone IPE assumes that if high pressure safety injection fails following a small or small-small LOCA, the primary system can be depressurized via the secondary system sufficiently fast so that the accident can be mitigated with low pressure safety injection. This assumption reduces the CDF from a small or small-small LOCA. [pp. A-5, A-6, A-34 of submittal]

The IPE took credit for recovery of electrical power. The non-recovery data were based on industry data contained in an Electric Power Research Institute (EPRI)-sponsored study [NSAC 182]. [pp. 3-87, 3-123 of submittal]

2.2.3 Systems Analysis.

A total of 23 systems are described in the submittal. Included are descriptions for the following systems: ECCS, electrical power (AC and DC), safeguards actuation, instrument air, service water, reactor building closed cooling water (RBCCW), and AFW. Descriptions for two HVAC systems are also included, specifically the HVAC systems used to support engineered safety features (ESF) room cooling and DC switchgear room cooling. Each system description includes an overview discussion of the system function and operation, success criteria, major assumptions, dominant contributors, and system dependencies. Considerations related to Technical Specifications are occasionally noted. [pp. 3-6 to 3-102 of submittal]

The IPE model accounts for periods when the PORVs are out of service due to leakage by assuming that the associated block valves are closed. The IPE assumed that an individual PORV train is unavailable about one month per year (unavailability of 6.99E-02). [p. 17 of RAI Responses, pp. 3-44, 3-134 to 3-136 of submittal]

2.2.4 System Dependencies.

The IPE addressed and considered dependencies in the following categories: shared component, instrumentation and control, isolation, motive power, direct equipment cooling, and HVAC. A summary of system dependencies is provided in Table 3.2-1 of the submittal. This table identifies support system dependencies for each of the front line and support systems. The licensee also provided a table that contains component-specific ESAS dependencies and an additional table with AFW component dependencies. Further dependency information is contained in the system descriptions. [pp. 18, 19 of RAI Responses, p. 3-133 of submittal]

Loss of control room HVAC was evaluated as a potential required support system but subsequently discarded due to plant features and potential operator mitigating actions that the licensee judged would make loss of control room HVAC an insignificant contributor. For example, the control room has two redundant HVAC trains, each with a 100% heat removal capacity. In addition, control room HVAC could be provided by opening doors between the Millstone Unit 1 and 2 control rooms or via portable fans. The licensee further states that operators could shut the plant down from outside the control room by utilizing the auxiliary shutdown panel. [pp. 2, 3 of RAI Responses]

Analyses were used as the basis to eliminate HVAC as a required support system for the 4,160 VAC vital switchgear rooms. Loss of HVAC to the 4,160 VAC vital switchgear areas would be expected to result in a maximum ambient temperature of 91 deg. F, compared to an equipment qualification temperature of 104 deg. F. The licensee further notes that the steam-driven AFW pump does not require ventilation per the system design basis. Per the UFSAR, ventilation is not required in the intake structure during post-accident conditions. [pp. 3, 4 of RAI Responses, pp. 3-88, 3-89 of submittal, p. 9.9-40 of UFSAR]

HVAC was not modeled as a support system for the diesel generators. The licensee states that based on active components, the diesel generator HVAC unavailability would be on the order of 1E-02, and recovery actions would be expected to lower this unavailability by two or more orders of magnitude. Consequently, other diesel generator failure modes (such as "start" or "run") would dominate the diesel generator unavailability. However, it is important to note that the licensee is taking credit for recovery of HVAC by opening of diesel generator roll-up doors, whereas no prescriptive procedures exist for this recovery action. [pp. 4-6 of RAI Responses, p. 1 of RAI Supp., p. 3-4P of submittal]

The RBCCW system supplies cooling for the high pressure safety injection (HPSI), low pressure safety injection (LPSI), and containment spray pump seal coolers. The IPE modeled RBCCW as a required support system when long-term seal cooling was required. It appears that RBCCW seal cooling was excluded as a required support system only in the case where the HPSI pumps were taking suction from the refueling water storage tank (RWST) during a small or medium LOCA. [pp. 6, 7 of RAI Responses, pp. 3-14, 3-18, 3-23, 3-34 of submittal, 9.4-2, 9.4-5 of UFSAR]

The IPE took credit for the use of a non-class 1E DC turbine battery to provide power to the ESAS in the event both class 1E DC sources were unavailable. However, credit was not taken for using the turbine battery to support other mitigating systems. [p. 21 of RAI Responses]

2.3 Quantitative Process

This section of the report summarizes our review of the process by which the IPE quantified core damage accident sequences. It also summarizes our review of the data base, including consideration given to plant-specific data, in the IPE. The uncertainty and/or sensitivity analyses that were performed were also reviewed.

2.3.1 Quantification of Accident Sequence Frequencies.

The IPE used a small event tree/large fault tree technique with fault tree linking to quantify core damage sequences. The event trees were systemic. The CAFTA software package was used to generate the accident sequence analysis. Accident sequence cut sets were developed to the level of specific component failures or basic events. The truncation limit for accident sequence cut sets was 1E-09/yr. [pp. 3-111, 3-112 of submittal]
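The quantification steps named above (cut sets of basic events, a 1E-09/yr truncation limit, summation to a CDF) are worked through below, together with the standard Fussell-Vesely importance measure and a factor-of-10 sensitivity run on one human error probability. This is an added example, not the licensee's CAFTA model or anything taken from the submittal: the event names, the cut sets and every value marked "constructed" are assumptions, so the results do not reproduce the IPE's numbers.

```python
# Added illustration: cut-set quantification with a truncation limit,
# Fussell-Vesely importance, and a one-event sensitivity run.
# Event names, cut sets and values marked "constructed" are assumptions.
from math import prod

TRUNCATION_PER_YR = 1e-9  # truncation limit stated in the review

BASIC_EVENTS = {
    "IE-GPT": 2.0,              # general plant transient, /yr (constructed)
    "IE-LNP": 0.09,             # loss of normal power, /yr (value quoted in the review)
    "TDAFW-MODULE": 1e-2,       # steam-driven AFW pump module fails (constructed)
    "MDAFW-CCF": 1e-4,          # both motor-driven AFW pumps fail (constructed)
    "DG-CCF": 1e-3,             # both diesel generators fail (constructed)
    "FEED-BLEED": 1e-2,         # failure to initiate bleed and feed (constructed)
    "HEP-TDAFW-LOCAL": 2.0e-3,  # operator fails to locally start steam-driven AFW pump
}

# Constructed minimal cut sets: one initiator plus the failures that lead to core damage.
CUT_SETS = [
    ("IE-GPT", "MDAFW-CCF", "TDAFW-MODULE", "FEED-BLEED"),
    ("IE-GPT", "MDAFW-CCF", "HEP-TDAFW-LOCAL", "FEED-BLEED"),
    ("IE-LNP", "DG-CCF", "TDAFW-MODULE"),
    ("IE-LNP", "DG-CCF", "HEP-TDAFW-LOCAL"),
    ("IE-LNP", "MDAFW-CCF", "HEP-TDAFW-LOCAL", "FEED-BLEED"),
]


def quantify(cut_sets, events, truncation=TRUNCATION_PER_YR):
    """Return {cut set: frequency per year}, dropping cut sets below the truncation limit."""
    retained = {}
    for cut_set in cut_sets:
        frequency = prod(events[name] for name in cut_set)
        if frequency >= truncation:
            retained[cut_set] = frequency
    return retained


def core_damage_frequency(retained):
    """Rare-event approximation: the CDF is the sum of the retained cut-set frequencies."""
    return sum(retained.values())


def fussell_vesely(retained, event):
    """Fraction of the CDF carried by cut sets that contain the given basic event."""
    with_event = sum(f for cs, f in retained.items() if event in cs)
    return with_event / core_damage_frequency(retained)


def requantified_sensitivity(cut_sets, events, event, factor):
    """Change one basic event and re-apply truncation to the full cut-set list."""
    changed = dict(events)
    changed[event] = min(1.0, events[event] * factor)
    return quantify(cut_sets, changed)


def rescaled_sensitivity(retained, event, factor):
    """Shortcut that only scales cut sets which survived the base-case truncation.

    It misses cut sets that the larger value lifts above the truncation limit.
    """
    return {cs: (f * factor if event in cs else f) for cs, f in retained.items()}


if __name__ == "__main__":
    base = quantify(CUT_SETS, BASIC_EVENTS)
    print("base CDF /yr:", core_damage_frequency(base))
    print("F-V of HEP:", fussell_vesely(base, "HEP-TDAFW-LOCAL"))
    full = requantified_sensitivity(CUT_SETS, BASIC_EVENTS, "HEP-TDAFW-LOCAL", 10)
    short = rescaled_sensitivity(base, "HEP-TDAFW-LOCAL", 10)
    print("HEP x10, requantified:", core_damage_frequency(full))
    print("HEP x10, rescaled only:", core_damage_frequency(short))
```

In this constructed model the fifth cut set falls below the truncation limit in the base case and rises above it when the HEP is raised, which is why a sensitivity run should re-quantify rather than scale the retained cut sets.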

2.3.2 Point Estimates and Uncertainty/Sensitivity Analyses.

Mean values were used to represent the fault tree event failure probabilities. The submittal does not indicate whether or not initiating events are also mean values. The CDF results are presented in terms of point value estimates. No statistical uncertainty analyses were performed on the CDF. [pp. 1-2, 3-106, 3-123 of submittal]

The licensee presents two front-end sensitivity analyses. These analyses are summarized below in Table 2-1. [p. 11 of RAI Responses, pp. 3-137, 5-7 of submittal]

Table 2-1. Summary of Front-End Sensitivity Analyses

| Type of Sensitivity Analysis | Impact on CDF |
|---|---|
| Remove credit for electrical cross-tie to Unit 1 | Station blackout contribution will increase by about a factor of 7 (from 4.2E-07/yr to 3.0E-06/yr); overall CDF will increase from 3.4E-05/yr to about 3.7E-05/yr |
| Increase human error probability (HEP) for operator failure to locally start the steam-driven AFW pump by factor of 10 (see note 1 below) | 3-4% increase in total CDF (from 3.4E-05/yr to about 3.5E-05/yr) |

Notes: (1) As noted by the licensee, the existing HEP may be overly optimistic; see discussion in Subsection 2.4.2 of this report.

The licensee performed a Fussell-Vesely importance measure analysis for components, component modules, and human errors. The most significant events based on this measure are listed below in decreasing order of importance: [pp. 0-116, 3-156 of submittal]

  • Steam-driven AFW pump fails to deliver water to headers (module)
  • Failure to recover DC power (short term)
  • Failure to recover DC power (35 minutes)
  • Failure to initiate steam-driven AFW pump
  • Motor-driven AFW pump 9B fails to deliver water (module)
  • Motor-driven AFW pump train A fails to deliver water (module)
  • Diesel generator 15G-13U faults (module)
  • Diesel generator 15G-12U faults (module)
  • Steam-driven AFW pump out of service for maintenance
  • Common cause failure of AFW common injection header valves

2.3.3 Use of Plant-Specific Data.

The primary sources of plant-specific data were Plant Incident Reports (PIRs) and shift supervisor logs. The plant-specific data was used to update generic data via a Bayesian analysis. [pp. 3-106, 3-107 of submittal]

Plant specific component failure data appears to have been gathered from 1975 to June 1987. Plant-specific initiating event data were gathered from 1975 to 1986. However, the IPE is stated to model the as-designed, as-operated plant following the refueling/steam generator replacement outage of 1992. Thus, the plant-specific data used in the analysis does not reflect the most recent plant operating history prior to the analysis freeze date. The cutoff dates for collection of plant-specific data were associated with the pre-IPE Millstone 2 Probabilistic Safety Study. The licensee states that the next IPE update will include more recent plant-specific failure data. The licensee acknowledges that the IPE may not reflect the as-built, as-operated plant because of the data cutoff dates. However, the licensee does not believe it likely that vulnerabilities have been overlooked due to various plant programs (for example Significant Event Tracking) and the fact that the PRA engineers are also utility engineers who have close interactions with the plant on a daily basis. [p. 14 of RAI Responses, pp. 2-1, 3-1, 3-106 of submittal]

Sufficient plant data were available to quantify failure rates and/or maintenance unavailabilities for a number of major component types, including: various pumps, air compressors, valves, containment air recirculation fans, circuit breakers, batteries, battery chargers, inverters and diesel generators. [pp. 3-106, 3-107, 3-134 of submittal]

Table 2-2 of this review compares the plant-specific data for selected components to values typically used in PRA and IPE studies, using NUREG/CR-4550 data for comparison [NUREG/CR 4550, Methodology].

Table 2-2. Plant Specific Component Failure Data (1)

| Component | IPE Mean Value Estimate | NUREG/CR 4550 Mean Value Estimate |
|---|---|---|
| Turbine Driven AFW Pump | 4.8E-03 Fail to Start | 3E-02 Fail to Start |
| | 8.0E-05 Fail to Run | 5E-03 Fail to Run |
| Motor Driven AFW Pump | 1.3E-03 Fail to Start | 3E-03 Fail to Start |
| | 1.4E-05 Fail to Run | 3E-05 Fail to Run |
| HPSI Pump | 1.2E-03 Fail to Start | 3E-03 Fail to Start |
| | 1.1E-04 Fail to Run | 3E-05 Fail to Run |
| LPSI Pump | 1.3E-03 Fail to Start | 3E-03 Fail to Start |
| | 4.1E-05 Fail to Run | 3E-05 Fail to Run |
| Service Water System (SWS) Pump | 9.2E-04 Fail to Start | 3E-03 Fail to Start |
| | 7.0E-06 Fail to Run | 3E-05 Fail to Run |
| RBCCW Pump | 1.2E-03 Fail to Start | 3E-03 Fail to Start |
| | 3.0E-06 Fail to Run | 3E-05 Fail to Run |
| Instrument Air System (IAS) Compressor | 3.6E-02 Fail to Start | 8E-02 Fail to Start |
| | 6.6E-05 Fail to Run | 2E-04 Fail to Run |
| Motor Operated Valve | 2.1E-03 Fail to Open or Close | 3E-03 Fail to Operate |
| Battery Charger Failure | 1.6E-05 No output | 1E-06 Fail to Operate |
| Battery | 2.7E-06 Fail to provide proper output | 1E-06 Failure (unspecified mode) |
| Inverter Failure | 5.6E-05 No output | 1E-04 Failure (unspecified mode) |
| Circuit Breaker (4,160 V) | 8E-04 Fail to Operate | 3E-03 Fail to Transfer |
| Circuit Breaker (480 V) | 3.8E-04 Fail to Operate | 3E-03 Fail to Transfer |
| Diesel Generator | 9.8E-03 Fail to Start | 3E-02 Fail to Start |
| | 1.3E-03 Fail to Run | 2E-03 Fail to Run |

Notes: (1) Failures to start, open, close, operate, or transfer are probabilities of failure on demand. The other failures represent frequencies expressed per hour.

Table 2-2 shows that the plant-specific failure data for the steam-driven AFW pump are an order of magnitude or more lower than the comparable failure data listed in NUREG/CR-4550. Using plant data, the probabilities of steam-driven AFW pump failure to start and run are 4.8E-03 and 8.0E-05/hr, respectively. In comparison, the corresponding NUREG/CR-4550 data are 3E-02 and 5E-03/hr. The IPE data for the pump start function are based on a generic prior of 3.73E-03 (from WASH-1400) and plant-specific experience of 1 failure in 105 demands. The IPE data for the pump run function are based on a generic prior of 7.99E-05/yr (from WASH-1400) and plant-specific experience that shows no long-term pump run failures. Because the IPE analysis already identifies the AFW and feed and bleed functions as important CDF contributors, the licensee does not feel that any potential vulnerabilities have been overlooked by the use of AFW pump failure data substantially lower than NUREG/CR-4550 data. [pp. 15, 16 of RAI Responses, p. 2 of RAI Supp.]

Table 2-2 also shows that the plant-specific failure data for SWS and RBCCW pump run failures are an order of magnitude below the respective NUREG/CR-4550 values. In addition, the plant specific data for battery charger failure and 480 VAC circuit breaker transfer failure are an order of magnitude lower than the NUREG/CR-4550 value. The remaining categories of plant-specific data in Table 2-2 are comparable to corresponding NUREG/CR-4550 data.

Plant-specific data were used to calculate the frequency for general plant transients, loss of main feedwater, and loss of normal power (LNP). Fault tree logic models were used to quantify the ISLOCA and special initiating events. Presumably, these fault tree logic models included some use of plant-specific data. [pp. 3-1 to 3-3, 3-123 of submittal]

2.3.4 Use of Generic Data.

WASH 1400 was the primary source of generic data used in the IPE. Additional sources of generic data included IEEE 500, the Advanced Light Water Reactor Requirements Document [EPRI ALWRRD], and the Millstone Unit 1 Probabilistic Safety Study. [p. 3-106 of submittal]

A list of generic data is provided in Table 3.3.1-1 of the submittal. However, this list appears to present generic data only for components that could not be quantified with plant-specific data. Within the constraints of the reported generic data, we performed a comparison of the IPE generic data to generic values used in the NUREG/CR-4550 studies. This comparison is shown below in Table 2-3. [p. 16 of RAI Responses, pp. 3-106, 3-134 of submittal]

Table 2-3. Generic Component Failure Data

| Component | IPE Mean Value Estimate | NUREG/CR 4550 Mean Value Estimate |
|---|---|---|
| Turbine-Driven Pump | 3.75E-03 Fail to Start | 3E-02 Fail to Start |
| | 7.99E-05 Fail to Run | 5E-03 Fail to Run |
| Motor Driven Pump | 2.0E-03 Fail to Start | 3E-03 Fail to Start |
| | 2.5E-05 Fail to Run | 3E-05 Fail to Run |
| Motor Operated Valve | 3.75E-07 Plugs | 1E-07 Plugs |
| Check Valve | 6.6E-04 Fail to Close | 1E-03 Fail to Close |
| Instrument Air Compressor | 1.98E-04 Fail to Run | 2E-04 Fail to Run |
| Circuit Breaker | 1.25E-03 Fail to Operate (for breakers less than 480 VAC) | 3E-03 Fail to Transfer |
| Service Water Strainer | 1.2E-05 Plugs | 3E-05 Plugs |
| Transformer (4,160 to 480 Vac) | 2.9E-06 Short or Open | 2E-06 Short or Open Circuit |
| Transmitter | 2.7E-06 Fail to Operate | 1E-06 Fail to Operate |

With the exception of the turbine-driven pump, the IPE and NUREG/CR-4550 data are comparable. As previously noted in subsection 2.3.3 of this report, the IPE generic data for the turbine-driven pump are based on WASH-1400.

As previously noted, generic data were used to generate initiating event frequencies for LOCA events, SGTR, and steam and main feedwater line breaks.

2.3.5 Common Cause Quantification.

The IPE used the Multiple Greek Letter (MGL) common cause approach described in the Advanced Light Water Reactor Requirements Document [EPRI ALWRRD]. In applying the MGL approach, the licensee appears to have used a "beta" multiplicative factor to account for all of the considered common cause failure events, including failures of groups of 3 or more similar components. A number of component categories were modeled in the common cause analysis, including MOVs, air operated valves (AOVs), check valves, PORVs, pumps, diesel generators, instrumentation/sensors, circuit breakers, batteries, battery chargers, inverters, and containment air recirculation fans. [pp. 3-140 to 3-142 of submittal]

Table 3.3.4-1 of the submittal lists the specific common-cause events that were quantified and included in the IPE. This table does not provide the specific beta factors used in the analysis. Rather, the table provides the quantified common cause events used in the fault tree models (beta factors multiplied by corresponding random failures). However, it was possible to extract the IPE beta factors by using the random failure data for individual components (demand or per hour) listed in Table 3.3.1-1 of the submittal. For start failures, beta factors were derived by simply dividing common cause events by their corresponding random failure probabilities. For run failures, beta factors were derived by dividing common cause events by (1) their corresponding random failure probabilities and (2) an additional factor of 24. The factor of 24 accounts for the 24 hour mission time assumed in the analysis.
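The extraction procedure described above is carried out below for a few components, followed by the comparison against reference beta factors. This is an added example, not the reviewers' worksheet: the common cause event values are constructed (Table 3.3.4-1 of the submittal is not reproduced in this report), the random failure data are taken from Table 2-2 of this report as stand-ins, and the factor-of-2 band used to call two values "comparable" is an assumption.

```python
# Added illustration: backing beta factors out of quantified common cause
# events (beta x random failure), then comparing with reference betas.
# Common cause event values are CONSTRUCTED; the comparison band is an assumption.

MISSION_TIME_HR = 24.0  # mission time stated in the review


def beta_factor(ccf_event, random_failure, mode, mission_time_hr=MISSION_TIME_HR):
    """Return the beta factor implied by a quantified common cause basic event.

    mode "start": random_failure is a probability per demand.
    mode "run":   random_failure is a rate per hour and is multiplied by the
                  mission time before dividing.
    """
    if mode == "start":
        independent = random_failure
    elif mode == "run":
        independent = random_failure * mission_time_hr
    else:
        raise ValueError("mode must be 'start' or 'run'")
    if independent <= 0:
        raise ValueError("random failure value must be positive")
    beta = ccf_event / independent
    if beta > 1.0:
        # A beta above 1 means the units do not match, for example a per-hour
        # rate divided without the mission time.
        raise ValueError("common cause event exceeds the independent failure probability")
    return beta


def compare(ipe_beta, reference_beta, band=2.0):
    """Classify the IPE beta against a reference value; None if no reference exists."""
    if reference_beta is None:
        return None
    ratio = ipe_beta / reference_beta
    if ratio >= band:
        return "higher"
    if ratio <= 1.0 / band:
        return "lower"
    return "comparable"


# (component, mode, constructed CCF event, random failure from Table 2-2,
#  NUREG/CR-4550 beta from Table 2-4 or None where the table lists none)
SAMPLE = [
    ("Motor-driven AFW pump", "start", 2.47e-5, 1.3e-3, 0.056),
    ("Motor-driven AFW pump", "run", 1.9488e-5, 1.4e-5, None),
    ("SWS pump", "start", 1.288e-4, 9.2e-4, 0.026),
    ("SWS pump", "run", 6.552e-6, 7.0e-6, None),
    ("LPSI pump", "start", 1.82e-4, 1.3e-3, 0.15),
]


def review(rows):
    """Return (component, mode, beta, verdict) for each sample row."""
    results = []
    for component, mode, ccf_event, random_failure, reference in rows:
        beta = beta_factor(ccf_event, random_failure, mode)
        results.append((component, mode, beta, compare(beta, reference)))
    return results


if __name__ == "__main__":
    for component, mode, beta, verdict in review(SAMPLE):
        print(f"{component:24s} {mode:5s} beta={beta:.3f} {verdict or 'no reference'}")
```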

We performed a comparison of IPE common-cause beta factors with generic values used in the NUREG/CR-4550 studies [NUREG/CR 4550, Methodology]. This comparison is summarized in Table 2-4.

Table 2-4 shows that the IPE common-cause beta factors are generally consistent with NUREG/CR 4550 data. The IPE beta factor for failure of motor-driven AFW pumps to start is about a factor of 3 lower than the NUREG/CR-4550 data. However, the IPE has also included a beta factor for common cause failure of these pumps to run. Table 2-4 also shows that the IPE beta factors for start failures of the SWS and RBCCW pumps are about a factor of 5 higher than corresponding NUREG/CR-4550 data.

Table 2-4. Comparison of Common-Cause Failure Factors

| Component | IPE Beta Factor for 2 Component Group | NUREG/CR 4550 Mean Value Beta Factor for 2 Component Group |
|---|---|---|
| AFW Pump (Motor Driven) | 0.019 Fail to Start | 0.056 Fail to Start |
| | 0.058 Fail to Run | |
| SWS Pump | 0.14 Fail to Start | 0.026 Fail to Start |
| | 0.039 Fail to Run | |
| RBCCW Pump | 0.14 Fail to Start | 0.026 Fail to Start |
| | 0.039 Fail to Run | |
| LPSI Pump | 0.14 Fail to Start | 0.15 Fail to Start |
| | 0.039 Fail to Run | |
| HHSI Pump | 0.14 Fail to Start | 0.21 Fail to Start |
| | 0.008 Fail to Run | |
| Containment Spray Pump | 0.13 Fail to Start | 0.11 Fail to Start |
| | 0.039 Fail to Run | |
| MOV | 0.068 | 0.088 Fail to Open |
| Diesel Generator | 0.038 Fail to Start | 0.038 Fail to Start |
| | 0.068 Fail to Run | |

Finally, in cases where no representative beta factors were available, the licensee used screening values. Table 2-5 below lists examples of the beta factor screening values. [p. 3-111 of submittal]

Table 2-5. Common Cause Beta Factor Screening Values

| Group Size of Failed Components | Beta Factor Screening Value |
|---|---|
| 2 of 2 | 0.1 |
| 2 of 3 | 0.07 |
| 2 of 4 | 0.04 |
| 3 of 3 | 0.02 |
| 3 of 4 | 0.01 |
| 4 of 4 | 0.008 |

2.4 Interface Issues

This section of the report summarizes our review of the interfaces between the front-end and back-end analyses, and the interfaces between the front-end and human factors analyses. The focus of the review was on significant interfaces that affect the ability to prevent core damage.

2.4.1 Front-End and Back-End Interfaces.

The Millstone 2 plant has 4 containment air recirculation (CAR) fan cooling units and 2 containment spray trains that provide containment cooling functions. The CAR units receive external cooling from the RBCCW system. Heat from the containment spray system is also removed by the RBCCW system via the shutdown heat exchangers. [pp. 3-18, 3-12 of submittal, 6.4-2, 6.5-2 of UFSAR]

The licensee's MAAP calculations explicitly accounted for pump failures due to loss of net positive suction head (NPSH). In situations where the calculated NPSH dropped below the required NPSH, the MAAP code set the pump flow to zero. It appears that the MAAP NPSH requirements have also ensured that credit for ECCS pump operation was taken only within pump design temperature limits. For example, the HPSI pump seats are designed to pump fluid at a maximum temperature of 350 deg. F. The MAAP calculations show that HPSI pump NPSH will be lost during sump recirculation before 350 deg. F is reached. The licensee further notes that the partial pressure of steam corresponding to a saturation temperature of 350 deg. F is about 135 psia. At this sump temperature, the total containment pressure would be about 150 psia (135 psia steam partial pressure plus 14.7 psia air partial pressure), which is very close to the median containment failure pressure. [p. 21 of RAI Responses]

As previously noted in subsection 2.2.1 of this report, the licensee analyzed five categories of ISLOCA initiating events. These initiating events correspond to ruptures in: a safety injection line, a shutdown cooling line, a letdown line, a charging line, and RCP thermal barrier tube. [pp. 3-3, 3-4, Appendix G of submittal]

Plant damage states (PDSs) were used to provide the interface between the front- and back-end analyses. The PDS binning process appears to be consistent with other typical IPE/PRA studies. [pp. 3-5, 4-41, C-1 to C-13 of submittal]

2.4.2 Human Factors Interfaces.

Per the Fussell-Vesely importance measure, the most significant human failures are: [pp. 3-107 to 3-109, 3-137 to 3-139, 3-156 to 3-161 of submittal]

  • Failure to recover DC power (short term),
  • Failure to recover DC power (35 minutes),
  • Failure to initiate the steam-driven AFW pump (cognitive error),
  • Failure to initiate the steam-driven AFW pump in service due to procedural errors, and
  • Failure to initiate bleed and feed.


During the licensee's IPE review process, a reviewer judged that a "non-conservative" human error probability (HEP) had been assigned to the operator action to locally start the steam-driven AFW pump. The review comment in the submittal states that this HEP (2.0E-03) should have been increased by one order of magnitude. The use of a ten-fold higher HEP value (2.0E-02) would result in a 3-4% increase in the CDF. The licensee states that this review comment will be fully addressed in the next update of the IPE model. [pp. 3-137, 5-7 of submittal]

Credit was taken for the shutdown cooling system to mitigate small-small LOCAs and SGTR accidents. The IPE assumed that any shutdown cooling system valve required to change position (excluding check valves and hot leg interface MOVs 2-SI-651 and 2-SI-652) can be manually positioned outside the control room, assuming that the affected valve is not physically stuck or isolated because of maintenance. In the case of MOVs 2-SI-651 and 2-SI-652, which are located in containment, credit was taken for valve operations via local manual actions at the motor control center (MCC). The IPE further assumed that manual operator valve actions can maintain desired shutdown cooling system flow rates, and thus flow control valve support system dependencies are not modeled. The IPE also took credit for manual operator actions to start pumps in the event of a control system failure. The licensee states that greater than 12 hours would pass before the shutdown cooling system would need to be initiated to stabilize plant conditions, and thus sufficient time would be available for the above operator actions. The licensee further states that procedures are in place to manipulate valves outside the control room and to start the shutdown cooling (LPSI) pumps while bypassing pump circuitry. Even though support systems such as 125 VDC or 120 VAC are not modeled in the shutdown cooling fault tree, the licensee assumed that a total loss of these systems would be highly unlikely, and thus at least one train of instrumentation would be available. [pp. 7-9 of RAI Responses, pp. 3-35, 3-36 of submittal]

HVAC was not modeled as a support system for the diesel generators. The licensee states that based on active components, the diesel generator HVAC unavailability would be on the order of 1E-02, and recovery actions would be expected to lower this unavailability by two or more orders of magnitude. Consequently, other diesel generator failure modes (such as "start" or "run") would dominate the diesel generator unavailability. However, it is important to note that the licensee is taking credit for recovery of HVAC by opening of diesel generator roll-up doors, whereas no prescriptive procedures exist for this recovery action. [pp. 4 to 6 of RAI Responses, p. 3-48 of submittal]

The IPE took credit for a 4,160 VAC electrical feeder connection between Units 1 and 2. The use of this cross-connection requires a number of human actions. [pp. 11 to 13, 24 of RAI Responses, pp. 3-83, 3-87, 3-92 of submittal]

2.5 Evaluation of Decay Heat Removal and Other Safety Issues

This section of the report summarizes our review of the evaluation of Decay Heat Removal (DHR) provided in the submittal. Other GSI/USIs, if they were addressed in the submittal, were also reviewed.

2.5.1 Examination of DHR.

As part of the DHR examination, the licensee presents a list of special features and capabilities that enhance the reliability of the DHR function. As reported by the licensee, these special features include: (1) a means to use fire water system pumps as an alternate source of AFW suction supply; (2) EOPs that direct operators to use condensate pumps for feedwater flow in the event main and auxiliary feedwater are unavailable; and (3) containment air recirculation fan cooler units that provide an alternate means of decay heat removal in the event shutdown cooling heat exchangers are unavailable. [pp. 3-118, 3-119 of submittal]

The licensee also reviewed Appendix 5 of Generic Letter 88-20 to determine if it was applicable to the DHR function at Millstone 2. This portion of Generic Letter 88-20 is related to IPEEE analyses, and indicates that DHR vulnerabilities are often related to a lack of system and component redundancy, separation, and physical protection. The submittal states that the Millstone 2 DHR function is resistant to these potential vulnerabilities because of the following: [pp. 3-119, 3-120 of submittal]

  • Redundancy - The plant has 3 separate AFW trains that can be used for secondary side cooling. One train has a steam driven pump, while the other two trains have motor driven pumps. The main feedwater and condensate systems are also available as potential sources of water for secondary side cooling. Also, two emergency diesel generators are available as a source of backup power for emergency equipment.

  • Separation - The AFW pumps are located in two separate rooms in the turbine building. One of these rooms houses the two motor driven pumps, while the other room houses the steam driven pump. Two separate watertight rooms in the auxiliary building are used to house redundant ECCS equipment. Each of these two rooms contains a HPSI pump, a LPSI pump, and a shutdown heat exchanger.

  • Physical Protection - A flood wall system protects the turbine building from potential flooding. An enclosure over the motor-driven AFW room stairwell provides protection against a direct water stream that could result from an overhead pipe failure. Both AFW pump rooms and both HPSI/LPSI pump rooms have separate floor drains and sump systems. The condensate storage tank is missile protected by a concrete wall that extends to a height corresponding to the level of water adequate for a safe shutdown.

The licensee concludes that DHR does not represent a significant risk potential. No DHR-related vulnerabilities were noted. [pp. 3-119, 3-120 of submittal]

2.5.2 Diverse Means of DHR.

The IPE considered the diverse means for accomplishing DHR, including: use of the power conversion system, feed and bleed, auxiliary feedwater, and ECCS. Cooling for the RCP seals was considered. In addition, containment cooling was addressed.

2.5.3 Unique Features of DHR.

The unique features at Millstone 2 that directly impact the ability to provide DHR are as follows:

  • Ability to remove decay heat with bleed-and-feed. The plant has the capability to remove decay heat with primary bleed-and-feed cooling in the event all secondary heat removal is lost. This design feature tends to reduce the CDF.

  • Automatic switchover of Emergency Core Cooling System (ECCS) from injection to recirculation. This design feature tends to decrease the CDF over what it would otherwise be with a manual system.

  • Fire water backup for Condensate Storage Tank (CST). The plant fire water system can be used as an alternate source of water to the AFW pumps in the event water is unavailable from the CST. This design feature tends to reduce the CDF. However, the IPE did not take credit for this backup source of water.

  • New steam generators. The steam generators have been replaced with generators having an improved moisture separator design and the addition of wide range level instrumentation. This design feature tends to reduce the CDF. However, as stated in the submittal, this feature did not directly impact the IPE models.

  • Containment air recirculation fan units. The plant design includes safety-grade containment air recirculation fan cooler units that are independent and redundant to the containment spray system. This design feature tends to reduce the CDF.

2.5.4 Other GSI/USIs Addressed in the Submittal.

The licensee does not propose to resolve any other GSIs/USIs other than DHR. [p. 3-120 of submittal]

2.6 Internal Flooding

This section of the report summarizes our reviews of the process used to model internal flooding and of the results of the analysis of internal flooding.

2.6.1 Internal Flooding Methodology.

The flooding analysis considered effects from immersion, spray, and intrusion. The flooding analysis was performed in a manner consistent with NUREG/CR-2300, Vol. 2. Walkdowns were used to support the analysis. [pp. 3-112 to 3-115 of submittal]

Potential flooding sources included fluid systems that meet the following criteria during plant operation: [p. 17 of RAI Responses]

  • Maximum operating temperature of 200 deg. F or less, and
  • Maximum operating pressure of 275 psig or less.

High energy line break (HELB) events were omitted from the analysis. The licensee assumed that other HELB reviews done separately from the IPE explicitly considered the qualification of equipment from HELB events. [p. 17 of RAI Responses]

The licensee considered a number of potential causes of flooding events, specifically: piping or hose failures, tank overfilling, pump seal failures, pump casing failures, maintenance errors resulting in flooding, expansion joint failures, inadvertent fire suppression system actuation, and heat exchanger failures. Catastrophic valve failures were not considered significant flooding initiators because of their low probability of occurrence. In general, valve packing failures were not considered because of the relatively small flows that would result. [p. 18 of RAI Responses, p. 3-113 of submittal]

The analysis did not specifically consider the following phenomena: pipe ruptures below grade, heavy equipment impact, water hammer phenomena, or water impact loads. In addition, the analysis did not cover the effects of naturally occurring water accumulation problems, excessive ground water, or externally-induced flooding scenarios. [p. 3-113 of analysis]

The quantification of flooding sequences was performed with existing internal events PRA fault and event trees that were modified as needed. The initiating events for the flooding analysis were quantified with fault tree models. In some instances, credit was taken for operator isolation of flooding sources. [pp. 52, 53 of RAI Responses, p. 3-113 of submittal]

2.6.2 Internal Flooding Results.

Following a screening analysis, two plant areas were identified as having the potential to be risk significant from a flooding perspective. These two areas are the intake structure and the ground level of the turbine building. [pp. 3-113, 3-114 of submittal]

The intake structure flooding scenario is postulated to result in a non-recoverable loss of service water. The loss of service water in turn disables cooling to the RBCCW. The loss of RBCCW subsequently interrupts RCP seal cooling and disables cooling to several potentially important accident mitigating systems, for example the sump recirculation heat exchangers and high pressure safety injection pumps. The CDF due to flooding in the intake structure was estimated to be 5.3E-08/yr. The dominant sequences involve RCP seal failure. [pp. 3-70, 3-114 of submittal]

The turbine building flood scenario is postulated to fail several systems, including instrument air, turbine building closed cooling water (TBCCW) and the condensate pumps. Main feedwater is subsequently disabled. The CDF related to this scenario was estimated to be 1.5E-08/yr. The dominant sequences involve failures of AFW and failure of the bleed and feed method of cooling. [p. 3-114 of submittal]

The total contribution of internal flooding to the mean core damage frequency was estimated to be 2.0E-07/yr, or about 0.6% of the overall internal events CDF estimate. [p. 3-114 of submittal]

2.7 Core Damage Sequence Results

This section of the report reviews the dominant core damage sequences reported in the submittal. The reporting of core damage sequences, whether systemic or functional, is reviewed for consistency with the screening criteria of NUREG-1335. The definition of vulnerability provided in the submittal is reviewed. Vulnerabilities, enhancements, and plant hardware and procedural modifications, as reported in the submittal, are reviewed.

2.7.1 Dominant Core Damage Sequences.

The IPE utilized systemic event trees, and reported results using the screening criteria from NUREG-1335 for systemic sequences. The point estimate CDF is 3.4E-05/yr, including an internal flooding contribution of 2.0E-07/yr. Accident types and initiating events that contributed the most to the CDF, and their percent contribution, are listed in Tables 2-6 and 2-7, respectively. Table 3.4.1-4 and Figure 7.1-2 of the submittal were used to develop the CDF contributors by accident type. [pp. 11 of RAI Responses, pp. 1-2, 3-87, 3-116, 3-162 through 3-165, 7-2, 7-7, 7-17, A-10, C of submittal]

Table 2-6. Accident Types and Their Contribution to Core Damage Frequency

| Accident Type | CDF Contribution per yr. | Percent Contribution to CDF |
|---|---|---|
| Transients | 2.5E-05 | 74% |
| LOCA | 6.0E-06 | 18% |
| ATWS | 1.5E-06 | 4.4% |
| SGTR | 5.2E-07 | 1.5% |
| Station Blackout | 4.2E-07 | 1.2% |
| Internal Flooding | 2.0E-07 | 0.6% |
| ISLOCA | 6.5E-08 | 0.2% |

Table 2-7. Initiating Events and Their Contribution to Core Damage

| Initiating Event | CDF Contribution per year | % Cont. to CDF |
|---|---|---|
| Loss of offsite power | 8.4E-06 | 25 |
| General plant transient | 4.3E-06 | 13 |
| Loss of DC bus A | 3.9E-06 | 11 |
| Loss of DC bus B | 3.9E-06 | 11 |
| Steam break train A (upstream of NRVs) | 2.6E-06 | 7.7 |
| Loss of main feedwater | 1.8E-06 | 5.2 |
| Large LOCA | 1.6E-06 | 4.8 |
| Small LOCA | 1.6E-06 | 4.8 |
| Small-small LOCA | 1.5E-06 | 4.3 |
| Medium LOCA | 1.3E-06 | 3.7 |
| Loss of service water | 9.7E-07 | 2.8 |
| Loss of vital AC panels 10 & 30 | 8.4E-07 | 2.5 |
| SGTR | 5.2E-07 | 1.5 |

Dominant accident sequences are summarized below in Table 2-8. [pp. 3-41, 3-148 to 3-155a, 3-162, Appendix A of submittal]

Table 2-8. Dominant Core Damage Sequences

| Initiating Event | Dominant Subsequent Failures in Sequence | % Contribution to Total CDF |
|---|---|---|
| Loss of normal power | AFW fails, bleed-and-feed fails; (dominant cut set involves failure of train B DG, failure of train A motor-driven (MD) AFW pumps and turbine-driven (TD) AFW pump; the loss of train B DG fails the train B MD AFW pump and also fails feed and bleed, as feed and bleed requires 2 of 2 HPSI pumps) | 14 |
| Loss of DC bus A | Fail to recover DC power within 35 minutes, failure of AFW; (dominant cut set involves failure of train B MD AFW pump and TD AFW pump; train A MD AFW pump is lost due to loss of DC bus A initiating event) | 8 |
| Loss of DC bus B | Fail to recover dc power within 35 minutes, failure of AFW; (dominant cut set involves failure of train A MD AFW pump and TD AFW pump; train B MD AFW pump is lost due to loss of DC bus B initiating event) | 8 |
| Main steamline A break upstream of non-return valves (NRVs); break assumed to be inside containment | AFW fails, bleed-and-feed fails; (dominant cut set involves steamline break associated with SG no. 1 and failure of TD AFW train; it appears that flow from MD AFW trains is assumed to be isolated; operator fails to initiate feed and bleed) | 7 |
| General plant transient | Steam generator cooling fails, bleed-and-feed fails; (dominant cut set not clear) | 5 |
| Loss of main feedwater | AFW fails, bleed-and-feed fails; (dominant cut set involves common cause failure of secondary injection valves, operator failure to initiate feed and bleed) | 4 |

2.7.2 Vulnerabilities.

The licensee does not have any formal criteria that define a vulnerability. However, the submittal lists five criteria that would generally be in line with the licensee's concept of a major vulnerability. These five criteria are summarized below: [p. 3-117 of submittal]

  • The single failure of safety or nonsafety-related equipment, either active or passive, that has a significant impact on CDF.

  • Multiple safety or nonsafety-related components that have a high potential for common mode failure and have a significant impact on CDF.

  • A support system with a relatively high probability of failure that could result in an unanticipated plant transient not covered by procedures, could result in the loss of multiple front-line and support systems, and has a significant impact on CDF.

  • An operator action having a reasonable probability of being required over the plant lifetime that has a moderately high probability of failure because of relatively complex procedures or operator unfamiliarity, and has a significant impact on CDF.

  • A mode of early containment failure that has a relatively high probability of occurrence given a core melt accident (greater than about 10%).

The licensee identified the possibility of an RCP thermal barrier tube rupture ISLOCA as a vulnerability. A modification to eliminate this vulnerability is planned for April 1997. A rupture of the RCP thermal barrier could overpressurize the reactor building closed cooling water (RBCCW) system. This modification will involve the installation of relief valves to limit pressure buildup in the RBCCW system. These relief valves will discharge into containment. The RCP thermal barrier ISLOCA was evaluated separately from the IPE analysis described in the submittal. [p. 2 of RAI Supp., pp. 1-5, 3-3, 3-4, 3-117, Appendix G of submittal, verbal information from NRC Project Manager]

2.7.3 Proposed Improvements and Modifications.

The only plant improvement or modification directly resulting from the IPE appears to be the planned modification to eliminate the RCP thermal barrier tube rupture vulnerability noted above. However, the licensee does list five plant changes made as a result of the original 1991 Millstone 2 Internal Events PRA study, which preceded the IPE. These five changes were credited in the IPE and have been implemented. These changes are listed below: [p. 13 of RAI Responses, pp. 1-2, 3-33, 6-1, 6-2 of submittal]

  • Improve the overall availability of the DC switchgear room ventilation.
  • Install temperature indicators/alarms for the DC switchgear rooms.
  • Include the use of AFW pump discharge cross-tie MOV in EOPs.
  • Add accumulators for AFW regulating valves.
  • Perform surveillance testing of selected LPSI check valves in selected RCS cold leg injection lines.

The IPE describes other plant modifications that are reflected in the IPE analysis, though were not identified in conjunction with the IPE. For example, the IPE accounts for the installation of a new battery-eliminating battery charger for DC bus 201B and changes in ESF room ventilation. The IPE also accounts for modification of the PORV control circuit logic such that deenergization of vital 120 VAC panels will not result in the PORVs opening on a false high pressurizer signal. The PORV control circuit logic modification was made in response to an inadvertent ESAS actuation during the 1992 refueling outage that resulted in a partial loss of normal power. [pp. 1-2, 1-3, 6-1, 6-2 of the submittal]

Based on engineering judgment, the licensee estimates that credit for the above plant improvements and modifications (identified independently of the IPE) reduced the IPE CDF from approximately 1.1E-04/yr to 3.4E-05/yr. [p. 13 of RAI Responses]

Plant changes specifically due to the Station Blackout Rule were not credited in the analysis. However, the IPE did take credit for a plant modification that reduces the station blackout CDF, namely the electrical cross-tie between Units 1 and 2. This cross-tie was implemented in 1986 to address Appendix R fire protection issues. Credit for this cross-tie reduces the station blackout CDF contribution by about 86% (from 3.1E-06/yr to 4.2E-07/yr). [pp. 11, 22 of RAI Responses]

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS

This section of the report provides an overall evaluation of the quality of the IPE based on this review. Strengths and weaknesses of the IPE are summarized. Important assumptions of the model are summarized. Major insights from the IPE are presented.

No particular strengths of the IPE were noted.

Weaknesses of the IPE are as follows: The plant-specific data used in the analysis does not reflect the most recent plant operating history prior to the analysis freeze date. While the IPE analysis is stated to have a 1992 freeze date, the cutoff dates for plant-specific data were June 1987 (for component failure data) and 1986 (for initiating event data). Consequently, it is not clear that the licensee has modeled the as-operated plant.

As a general observation, the IPE includes several instances where the modeling may be incomplete or overly optimistic. For example, the licensee has excluded LOSP initiating events involving durations less than one half hour. In addition, the licensee has yet to perform analyses to determine whether loss of intake building HVAC will cause a trip of the service water pumps; this type of HVAC-induced plant trip was not modeled in the IPE. Also, as acknowledged by the licensee, the human error probability (HEP) for operator failure to start the steam-driven AFW pump may have been quantified with too low a value. Individually, none of the preceding items appears to represent a major weakness of the IPE. Collectively, however, these aspects of the modeling process indicate that benefit would be derived from an update of the IPE. (As previously noted, the licensee intends to maintain a "living" PRA.)

Significant level-one IPE findings are as follows:

  • Station blackout is a relatively small contributor to CDF because of (1) credit taken for alternate emergency power supplied from Unit 1, (2) an 8 hour battery capacity, and (3) an RCP seal LOCA model that appears to be more optimistic than used in some other PWR IPE/PRA studies.

Based on this review, the following aspects of the IPE modeling process have an impact on the overall CDF:

  • The IPE assumes that if high pressure safety injection fails following a small or small-small LOCA, the primary system can be depressurized via the secondary system sufficiently fast so that the accident can be mitigated with low pressure safety injection. This assumption reduces the CDF. Some other PWR IPE studies have made this same assumption.

4. DATA SUMMARY SHEETS

This section of the report provides a summary of information from our review.

Initiating Event Frequencies

| Initiating Event | Frequency per Year |
|---|---|
| Small-Small LOCA | 4.65E-3 |
| Small LOCA | 2.25E-3 |
| Medium LOCA | 7.10E-4 |
| Large LOCA | 6.40E-4 |
| Steam Generator Tube Rupture | 2.20E-2 |
| General Plant Transient | 3.10 |
| Loss of Main Feedwater | 7.00E-1 |
| Steam Line Break Upstream of Non-Return Valve (NRV) | 2.45E-4 |
| Steam Line Break Downstream of NRV | 2.20E-3 |
| Loss of DC Bus A Followed by Bus B | 1.13E-6 |
| Loss of DC Bus B Followed by Bus A | 1.13E-6 |
| Loss of Service Water | 4.44E-3 |
| Loss of Instrument Air | 5.52E-5 |
| Loss of Normal Power | 9.10E-2 |
| Main Feed Line Break | 9.20E-4 |
| Loss of RBCCW | 1.06E-4 |
| Loss of Vital AC Buses VA10 and VA30 | 1.25E-2 |
| Loss of DC Bus A | 5.66E-2 |
| Loss of DC Bus B | 5.34E-2 |
| ISLOCA - Safety Injection Line | 8.32E-9 |
| ISLOCA - Shutdown Cooling Line | 3.15E-9 |
| ISLOCA - Letdown Line | 1.16E-8 |
| ISLOCA - Charging Line | 4.29E-8 |

Overall CDF

The total point estimate CDF for Millstone 2 is 3.4E-05/yr, including an internal flooding contribution of 2.0E-07/yr.

Dominant Initiating Events Contributing to CDF

The initiating events that contribute most to the CDF and their percent contribution are listed below.*

  • Loss of offsite power: 25%
  • General plant transient: 13%
  • Loss of DC bus A: 11%
  • Loss of DC bus B: 11%
  • Steam break train A (upstream of non-return valves): 7.7%
  • Loss of main feedwater: 5.2%
  • Large LOCA: 4.8%
  • Small LOCA: 4.8%
  • Small-small LOCA: 4.3%
  • Medium LOCA: 3.7%
  • Loss of service water: 2.8%
  • Loss of vital AC panels 10 & 30: 2.5%
  • Steam generator tube rupture (SGTR): 1.5%

* Only the most dominant initiating event contributors are listed here. A complete set of initiating event CDF contributors is provided in Table 3.1.1-1 of the submittal.

Dominant Hardware Failures and Operator Errors Contributing to CDF

Dominant hardware failures contributing to CDF include:

  • Steam-driven AFW pump fails to deliver water to headers (module)
  • Motor-driven AFW pump 9B fails to deliver water (module)
  • Motor-driven AFW pump train A fails to deliver water (module)
  • Diesel generator 15G-13U faults (module)
  • Diesel generator 15G-12U faults (module)
  • Steam-driven AFW pump out of service for maintenance
  • Common cause failure of AFW common injection header valves

Dominant human errors and recovery factors contributing to CDF include:

  • Failure to recover dc power (short term),
  • Failure to recover dc power (35 minutes),
  • Failure to initiate the steam-driven AFW pump (cognitive error),
  • Failure to initiate the steam-driven AFW pump in service due to procedural errors
  • Failure to initiate bleed and feed.

Dominant Accident Classes Contributing to CDF

  • Transients: 74%
  • LOCA: 18%
  • Anticipated Transient Without Scram (ATWS): 4.4%
  • SGTR: 1.5%
  • Station Blackout: 1.2%
  • Internal Flooding: 0.6%
  • ISLOCA: 0.2%

Design Characteristics Important for CDF

  • Ability to remove decay heat with bleed-and-feed. The plant has the capability to remove decay heat with primary bleed-and-feed cooling in the event all secondary heat removal is lost. This design feature tends to reduce the CDF.

  • Automatic switchover of Emergency Core Cooling System (ECCS) from injection to recirculation. This design feature tends to decrease the CDF over what it would otherwise be with a manual system.

  • Fire water backup for Condensate Storage Tank (CST). The plant fire water system can be used as an alternate source of water to the AFW pumps in the event water is unavailable from the CST. This design feature tends to reduce the CDF. However, the IPE did not take credit for this backup source of water.

  • New steam generators. The steam generators have been replaced with generators having an improved moisture separator design and the addition of wide range level instrumentation. This design feature tends to reduce the CDF. However, as stated in the submittal, this feature did not directly impact the IPE models.

  • 4,160 VAC electrical cross-connection between Millstone Units 1 and 2. There is a 4,160 VAC electrical feeder cross-connection between Units 1 and 2. This design feature tends to reduce the CDF. The IPE took credit for alternate emergency power supplied from Unit 1 via this electrical cross-connection.

  • Instrument air cross-connection between Millstone Units 1 and 2. The instrument air systems at Millstone Units 1 and 2 can be cross-connected. This design feature tends to reduce the CDF. The IPE took credit for alternate instrument air supplied from Unit 1 via this cross-connection.

  • Capability to supply portions of 120 VAC vital power system with the turbine battery. The non-class 1E turbine battery can provide alternate power to a portion of the 120 VAC vital power system. This design feature tends to reduce the CDF. The IPE took credit for the turbine battery as a backup power source for Engineered Safeguards Actuation System (ESAS) loads.

  • Eight hour battery capacity. The IPE credited operator load shedding actions specified in the Station Blackout Emergency Operating Procedure (EOP) to extend the battery lifetime to 8 hours. The 8 hour battery lifetime is longer than battery lifetimes at some other plants. This plant feature tends to reduce the CDF.

  • Containment air recirculation fan units. The plant design includes safety-grade containment air recirculation fan cooler units that are independent and redundant to the containment spray system. This design feature tends to reduce the CDF.

Modifications

The licensee identified the possibility of an RCP thermal barrier tube rupture ISLOCA as a vulnerability. A modification to eliminate this vulnerability is planned for April 1997. This ISLOCA was evaluated separately from the IPE analysis described in the submittal.

The only plant improvement or modification directly resulting from the IPE appears to be the planned modification to eliminate the RCP thermal barrier tube rupture vulnerability noted above. However, the licensee does list five plant changes made as a result of the original 1991 Millstone 2 Internal Events PRA study, which preceded the IPE. These five changes were credited in the IPE and have been implemented. These changes are listed below:

  • Improve the overall availability of the DC switchgear room ventilation.
  • Install temperature indicators/alarms for the DC switchgear rooms.
  • Include the use of AFW pump discharge cross-tie MOV in EOPs.
  • Add accumulators for AFW regulating valves.
  • Perform surveillance testing of selected LPSI check valves in selected RCS cold leg injection lines.

Other USI/GSIs Addressed

The licensee does not propose to resolve any other GSIs/USIs other than DHR.

Significant PRA Findings

Significant findings on the front-end portion of the IPE are as follows:

  • Station blackout is a relatively small contributor to CDF because of (1) credit taken for alternate emergency power supplied from Unit 1, (2) an 8 hour battery capacity, and (3) an RCP seal LOCA model that appears to be more optimistic than used in some other PWR IPE/PRA studies.

REFERENCES

[CE NPSD 755] Reactor Coolant Pump Seal Failure Probability Given a Loss of Seal Cooling, CEOG Task 742, Subtask 1, November 1992 (modified by the attachment to CEOG letter to the Severe Accident Working Group, CEOG-93-302, June 15, 1993).

[EPRI ALWRRD] Advanced Light Water Reactor Requirements Document, Appendix A, Rev. 0, EPRI, June 1989.

[IEEE 500] IEEE Guide to the Collection and Presentation of Electrical, Electronic, Sensing Component, and Mechanical Equipment Reliability Data for Nuclear Power Generating Stations, IEEE Std. 500-1984, 1983.

[IPE Submittal] Millstone Unit 2 IPE Submittal, December 30, 1993.

[IN 89 54] Overpressurization of the Component Cooling Water System, NRC Information Notice No. 89-54, June 1989.

[Licensee Sup. Info.] Individual Plant Examination for Severe Accident Vulnerabilities Supplemental Information, letter to NRC from Northeast Nuclear Energy Co., B12850, May 31, 1994.

[NSAC 147] Losses of Off-site Power at U.S. Nuclear Power Plants Through 1989, EPRI (Nuclear Safety Analysis Center), March 1990.

[NSAC 182] Loss of Off-Site Power at U.S. Nuclear Power Plants Through 1991, EPRI (Nuclear Safety Analysis Center), NSAC-182, March 1992.

[NUREG/CR 2300] PRA Procedures Guide: A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants, Vols. 1 and 2, NUREG/CR-2300, January 1983.

[NUREG/CR 4550, Methodology] Analysis of Core Damage Frequency: Internal Events Methodology, NUREG/CR 4550, Vol. 1, Rev. 1, January 1990.

[RAI Responses] Millstone Nuclear Power Station, Unit No. 2 Request for Additional Information Concerning the Individual Plant Examination. Letter from J. F. Opeka, Northeast Nuclear Energy Company, to NRC, B15351, September 20, 1995.

[RAI Supp.] Supplemental Information Related to RAI Responses Provided by Millstone 2, October 27, 1995.

[UFSAR] Updated Final Safety Analysis Report for Millstone 2.

[WASH-1400] Reactor Safety Study, October 1975.

MILLSTONE NUCLEAR POWER STATION, UNIT NO. 2

INDIVIDUAL PLANT EXAMINATION TECHNICAL EVALUATION REPORT (BACK-END)

Enclosure 3