Text

Technical Evaluation Rept on IPE Front End Analysis
	ML20117J291
Person / Time
Site:	Callaway
Issue date:	12/21/1995
From:	Darby J, Thomas W; SCIENCE & ENGINEERING ASSOCIATES, INC.
To:	; NRC
Shared Package
ML20117J268	List: ML20117J291; ML20117J296; ML20117J300;
References
	CON-NRC-04-91-066, CON-NRC-4-91-66 SEA-92-2343-010, SEA-92-2343-010-A:3, SEA-92-2343-10, SEA-92-2343-10-A:3, NUDOCS 9605310065
	Download: ML20117J291 (47)
	v • d • e

.-

l l

SEA 92-2343-010-A:3 December 21,1995 l

l Callaway Technical Evaluation Report on the Individual Plant Examination i

Front End Analysis NRC-04-91-066, Task 43 l-John L. Darby Willard R. Thomas Science and Engineering Associates, Inc.

l l

Prepared for the

[

Nuclear Regulatory Commission 9605310065 960521 PDR ADOCK 05000483 P

pan

~.

---~.,-.- -.

l l

l TABLE OF CONTENTS E. EXECUTIVE SU MM ARY......................................

1 l

E.1 Plant Characterization....................................

1 L

E.2 Licensee's IPE Process 2

l l

' E.3 Front-End Analysis.....................................

3 l-E.4 Gene ric iss ues........................................

4

{

j E.5 Vulnerabilities and Plant improvements......................

5 L

E.6 Obse rvation s.........................................

7 i

1. I N TR O D U CTI O N............................................

8 i

l 1.1 Re view Proce s s.......................................

8 l

1.2 Plant Characterization...................................

8

2. TEC H N IC AL R EVI EW........................................ 10 2.1 Licensee's IPE Process.................................. 10 2.1.1 Comoleteness and Methodoloav..................... 10 2.1.2 Multi-Unit Effects and As-Built As-Coerated Status........ 10 2.1.3 Licensee Particioation and Peer Review................ 11 2.2 Accident Sequence Delineation and System Analysis............ 11 2.2.1 initiatino Events................................. 11 2.2.2 E ve nt Tree s.................................... 14-2.2.3 Systems Analysis................................ 19 2.2.4 System Denendencies 21 l

2.3 Quantitative Process.................................... 21 i

2.3.1 Quantification of Accident Seouence Freauencies......... 21 2.3.2 Point Estimates and Uncertaintv/Sensitivit*/ Angkagg 22 2.3.3 Use of Plant Soecific Data 22 2.3.4 Use of Generic Data.............................. 23 2.3.5 Common Cause Quantification 24 2.4 Interface issues....................................... 25 2.4.1 Front-End and Back-End interfaces................... 25 2.4.2 H uman Factors intadaces.,,....................... 26 2.5 Evaluation of Decay Heat Removal and Other Safety issues....... 27 2.5.1 Examination of DH R

............................. 28 2.5.2 Diverse Means of DH R............................ 28 2.5.3 Unlaue Features of DH R........................... 28 2.5.4 Other GSl/USis Addressed in the Submittal............. 29 2.6 Inte rnal Flooding....................................... 29 2.6.1 Intemal Floodino Methodoloov....................... 29 l-2.6.2 Intemal Floodino Results 30 l

2.7 Core Damage Sequence Results.......

31 2.7.1 Dominant Core Damaae Seouences 31 2.7.2 Vulne rabilitie s................................... 33 I

l il

i l

2.7.3 Procosed imorovements and Modifications.............. 34 i

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS 37

4. DATA

SUMMARY

SHEETS 38 i

4 REFERENCES...............................................

43 i

1 5

i l

l i

l l

l t

i d

ill

. =

q 1

I i

LIST OF TABLES

- Table 2-1. Plant Specific Data..................................... 23 Table 2-2. Generic Component Failure Data 24 Table 2 3. Common Cause Factors for 2-of 2 Components............... 25 Table 2-4. Important Contributors to CDF frorn Internal Flooding............ 30 Table 2-5. Accident Types and Their Contribution to Core Damage Frequency.. 31 i

Table 2 6. Initiating Events and Their Contribution to Core Damage Frequency. 32 l

Table 2-7. Top 5 Core Damage Sequences........................... 33 l

i i

9 i

i l

l t

l l

l lv l

l i.

E. EXECUTIVE

SUMMARY

I This report summarizes the results of our review of the front-end portion of the individual Plant Examination (IPE) for Callaway. This review is based on information contained in the IPE submittal [lPE Submittal] along with the licensee's responses [RAI Responses] to a request for additional information (RAl).

E.1 Plant Characterization Callaway is a single unit site with one four-loop pressurized water reactor (PWR).

Rated power is 3,565 megawatts thermal (MWt) and 1,120 net megawatts electric (MWe). Callaway is a Westinghouse Standardized Nuclear Unit Power Plant System (SNUPPS) design similar to Wolf Creek. Bechtel provided the architect / engineer (AE) services.

Design features at Callaway that impact the core damage frequency (CDF) relative to other PWRs are as follows:

Ability to oerform feed and bleed once-throuah cooling. This design feature lowers the CDF by providing an alternative method of core cooling given unavailability of feedwater.

Service water system flexibility and redundanev. The plant has dedicated

-standby essential service water (ESW) pumps that are available to provide backup flow to the ESW headers. During normal operation, non-essential service water pumps provide flow to the ESW headers. This design feature tends to decrease the CDF.

Ability to use the ESW system as a source of backuo water sunolv for the auxiliarv feedwater (AFW) system. The ESW system can provide a backup source of AFW suction water supply in the event water from the condensate storage tank (CST) becomes unavailable. This design feature tends to decrease the CDF.

Elaht hour batterv Iifetime for turbine-driven AFW oumo. Battery power for control of the AFW turbine-driven pump can be sustained for 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months , apparently without load shedding. This 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months battery lifetime tends to lower the CDF from station blackout, as this time is longer than that available at many other plants.

Semi-automatic Emergency Core Cooling Svstem (ECCS) switchover. The l

switchover of residual heat removal (RHR) pumps from injection to sump recirculation is fully automated. However, the establishment of high pressure recirculation requires manual operator actions to align the suction of the safety l

r 1

.. - _ - - ~. --

sa.

injection and/or charging pumps to the discharge of the RHR pumps. This design feature tends to increase the CDF over what it would otherwise be with a fully automatic system.

New high temoerature aualified reactor coolant oumo (RCP) 0-rings. These

~=

new RCP O-rir,1gs tend to lower the CDF because of the increased ability of the RCP seals to withstand loss of cooling.

Ability to feed deoressurized steam generators from diesel-driven fire oumo.

j This design feature tends to. lower the CDF, though it was not credited in the IPE.

E.2 Licensee's IPE Process

'The IPE is a level 2 Probabilistic Risk Assessment (PRA). The freeze date of the analysis was September 1992, with one exception. This exception involves the installation of high temperature qualified RCP seal 0-rings.

The IPE was performed primarily by utility personnel. A permanently staffed group was established within the utility for developing and applying the PRA. Virtually all the plant departments, including operations, maintenance, training, and site engineering, provided input to the PRA development.

Consultants from the following organizations were utilized: NUS Corp. (NUS), Bechtel,

. Cermak Fletcher Associates (CFA), and Gabor Kenton Associates. NUS was the i

prime contractor.

l l-Two walkdowns' were conducted to support the overall front-end potion of the IPE.

[

Also, three walkdowns were condLcted specifically to support the internal flooding l

analysis. All walkdowns involved be l utility and contractor personnel.

u l

l' Major documentation used in the IPE included: the Updated Final Safety Analysis L

Report (UFSAR), the technical specifications, Licensee Event Reports (LERs),

l procedures, Piping and instrument Diagrams (P&lDs), and various calculations. Other IPE/PRA studies and related information were reviewed, notably: the NUREG 1150 studies of Surry, Sequoyah, and Zion, the Seabrook PSA, the Turkey Point IPE submittal, and the NSAC-60 PRA for Oconee.

All of the IPE/PRA task documentation received a peer review; a review by another individual involved in the IPE. All task documentation were reviewed by the appropriate PRA consultant. An inter-departmental review within the utility of certain documentation was performed. Union Electric, the operator of Callaway, and r

.WCNOC, the operator of Wolf Creek, performed reviews of each others level 1 PRA

{

portions of the respective IPEs; Callaway and Wolf Creek are similar plants, both 2

l. c being SNUPPS designs. A consultant from CFA also reviewed the level 1 PRA portion of the IPEs for both Callaway and Wolf Creek.

The submittal states that the licensee intends to maintain a "living" PRA.

l E.3 Front-End Analysis The methodology chosen for the Callaway IPE front-end analysis was a Leval i PRA; the smal! event tree /large fault tree technique was used and quantification was performed with the NUPRA software package and Set Equation Transformation System (SETS) code.

Seventeen internalinitiating events were evaluated. These initiating events can be categorized into the following groups: 6 LOCAs,8 generic transients, and 3 plant-specific initiating events.

The criterion for core damage was peak cladding temperature in excess of 2200 F.

System level success criteria were based on: the UFSAR, existing calculations and i

Modular Accident Analysis Program (MAAP) analyses. The success criteria are generally consistent with success criteria typically used in other PWR IPE/PRA studies.

Support system dependencies were modeled in the fault trees. Tables of inter-system i

dependencies were provided.

The IPE used plant-specific data to Bayesian update generic data for hardware failures. Plant-specific data were used for test and maintenance unavailabilities. The data used in the IPE were comparable with data typically used in other IPE/PRAs.

The Multiple Greek Letter (MGL) method was used to model common cause failures.

Common cause failures were modeled within systems. Generic data from NUREG/CR-4550 and NUREG/CR-4780 were used to quantify common cause faliures.

Internal flooding was quantified. The important flood events directly lead to core damage without the need for subsequent random failures of other equipment.

The total point estimate CDF for Callaway is 5.85E-05/yr, including internal flooding.

The CDF from internal flooding was calculated to be 1.78E-5/ year.

i The internal events that contribute most to the CDF and their percent contribution are listed below:'

l

' A complete set of initiating event CDF contributors is provided in Table 2-6 of this report.

I 3

Loss of offsite power (LOSP) 30.5 %

l ESW Flood in Control Bldg.' Elev.1974 16.9%

Transient-induced RCP Seal LOCA -

8.1 %

- i ESW Flood in Control Blgd. Elev. 2000 8.0%

intermediate LOCA-7.4%

i Small LOCA 7.3% -

j Loss of All Service Water 6.5%

Large LOCA.

3.7%

Firewater Flood in Control Bigd. Elev. 2016 3.5%

Firewater Flood in Control Blgd. Elev. 2000 1.6%

l SGTR 1.4%

l Loss of All Component Cooling Water (CCW).0.9%

i

. The initiating event " Transient-induced RCP Seal LOCA" listed above is actually an

[

accident class in which loss of RCP seal cooling occurs following an transient initiating i

i event. The loss of RCP seal' cooling is not directly caused by the transient, but is instead the result of subsequent post-initiator failures during the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months analysis mission time. The relevant accident sequences represent an unmitigated'RCP seal LOCA condition.

. Core damage contributions by accident type are listed below:

L Intamal Floo'd 30.5 %

Station Blackout 30.3 %

LOCAs -

19.0%

Transient 17.7%

i Steam Generator Tube Rupture (SGTR) 1.4%

l Anticipated Transient Without Scram (ATWS) 0.7%

1 Interfacing Systems LOCA (ISLOCA) 0.3%

~

Based on importance measures, the following hardware failures and operator actions are important contributors to the total CDF: failure to recover offsite power, failure of Diesel Generators (DGs), failure to establish CCW cooling to the Residual Heat Removal (RHR) heat exchangers, failure of the turbine driven AFW pump, and failure to recover ESW.

The Level 1 core damage sequences were binned into plant damage states (PDSs) for

- subsequent back-end analysis. The binning criteria are consistent with typical PRA/IPE practice.

E.4 Generic lasues The licensee specifically addressed loss of Decay Heat Removal (DHR), considering DHR as both core cooling and ultimate heat removal. The contribution of loss of DHR to the total CDF by type of accident is as follows:

i 1

4 i

I

j l

l-Failure to Cooldown 3.2%

Failure of Secondary Heat Removal 12.8%

Failure of injection 15.2 %

Failure of Recirculation 24.9 %

Failure of Feed and Bleed 3.7%.

These contributions are not additive since the same core damage sequence can L

contribute to multiple failure categories. No DHR-related vulnerabilities were identified.

The submittal states that the licensee considers unresolved safety issue (USI) A-17, l

" Systems interactions" to be resolved.

E.5 Vulnerabilities and Plant improvements The process described in Nuclear Management and Resource Council (NUMARC) report 91-04 was used to identify potential plant-specific vulnerabilities.

The submittal states that two of the NUMARC groups warrant attention: Group IIA, that deals with induced seal LOCAs with loss of injection, and Group Vil, internal flooding.

The licensee concludes that group llAis not indicative of any vulnerability since RCP seal LOCAs are a significant contributor to the total CDF in most PWR PRAs. The licensee concludes that group Vil is not indicative of any vulnerability since the models used for calculating the CDF from internal flooding result in a " conservatively" high CDF.

The licensee concludes that no vulnerabilities were found as a result of the IPE.

The licensee identified several plant enhancements in conjunction with the IPE analysis. Summarized below are the proposed plant improvements, including their current status and CDF impact (if available). The status of the IPE model relative to j

each modification (amount of credit taken) is also noted.

j Installation of high temoerature aualified RCP seal O-rings. Installation of these

=

specially qualified 0-rings has been completed, and was credited in the IPE.

l Without this modification, the station blackout CDF contribution would increase l

by about 20% (from 1.77E-05/yr to 2.1E-05/yr), and the total CDF contribution l

would increase by about 6% (from 5.85E-05/yr to 6.2E-05/yr).

Erocedural and hardware changes to allow feed of deoressurized steam oenerators from diesel-driven fire oumo. This plant modification has been completed, but was not credited in the IPE. The total CDF (including internal flooding) would decrease by about 7% (from 5.85E-05/yr to 5.4E-05/yr) with credit for this modification.

f 5

Addition of crocedural auidance to re-establish normal service water should essential service water (ESW) fail. This procedural enhancement has been completed. The IPE did not take credit for this modification.

Addition of crocedural cuidance for coeratina the chargina and safety iniection oumos without CCW. Lube oil cooling for the charging and safety injection j

pumps is provided by the CCW system. This procedural enhancement, which has been completed, facilitates the use of charging and safety injection pumps in accident scenarios involving loss of.CCW. The IPE took credit for this plant modification.

Addition of crocedural auidance to verifv RHR oumo room cooiing at switchover to ECCS recirculation chase. This modification directs operators to locally start the RHR room coolers if they are not running at the time of ECCS switchover.

This procedural enhancement has been completed. The IPE did not take credit Mr this modification.

i Additica of i. black-start combustion turbine aenerator (CTG). The total CDF I

l (including intt.rnal flooding) would decrease by about 35% (from 5.85E-05/yr to about 3.8E-05/yr) with this modification. The licensee has determined that this type of plant enhancement is not cost-effective. No credit was taken in the IPE.

Addition of a black-start gasoline or diesel generator. As an alternative to the CTG discussed above, a smaller generator (gasoline or diesel) could be installed to power a battery charger and charging pump. The total CDF l

(including internal flooding) would decrease by at least 17% (from 5.85E-05/yr to about 4.8E-05/yr) with this modification. The licensee has determined that this type of plant enhancement is not cost-effective. No credit was taken in the iPE.

Reolacement of the oositive disolacement charging oumo (PDP) with a third centrifugal charoing oumo (CCP). The PDP has been replaced with a third CCP, the normal charging pump (NCP). Unlike the PDP, the NCP does not require cooling from the CCW. The NCP is powered from a non-safety bus rather than an independent, backup power supply. The IPE did not take credit for this modification.

Prov;de a switch to bvoass feedwater isolation in order to restore main feedwater. Following a reactor trip at Callaway, main feedwater is isolated. If AFW subsequently fails, procedures direct operators to attempt restoration of main feedwater. Without a special bypass switch, operators have to manually lift leads and install jumpers, a relatively time-consuming process. This plant modification is currently scheduled for the fall of 1996. It appears that the IPE did not take credit for this modification.

6 l

~

Procedural and hardware chanaes to reduce the core damaae risk due to

~

internal floodina. The lice'nsee has formed a task team to evaluate methods for reducing the CDF due the internal flooding. The team is considering various options to reduce flooding-related CDF, including flood detection, improved drainage, and response procedures. The improvements under consideration were'not credited in the IPE. At the present time, the licensee has not generated estimates of CDF reductions related to the proposed improvements.

Plant changes specifically due to the Station Blackout Rule were not included in the IPE model. However, the IPE did take credit for a plant modification that reduces the station blackout CDF, namely the installation of high temperature qualified RCP seal O-rings described above.

E.6 Observations The licensee appears to have analyzed the design and operations of Callaway to discover instances of particular vulnerability M core damage. It also appears that the licensee has: developed an overall appreciation of severe accident behavior; gained an understanding of the most likely severe accidents at Callaway; gained a quantitative understanding of the overall frequency of core damage; and implemented changes to the plant to help prevent and mitigate severe accidents.

Strengths of the IPE are as follows. The internal flooding analysis appears to be more thorough in comparison to the flooding analyses in some other IPE/PRA studies.

' No major weaknesses of the IPE were identified.

Significant level-one IPE findings are as follows:

Internal floodino is the most dominant accident class contributor to CDF. The most important flooding sequence involves a flood in the control building that disables all service water and leads directly to core damage. Operator recovery actions in this sequence are made difficult due to possible submergence of isolation valves. Two other important sequences involve floods in the control building that disable vital AC or DC electrical equipment.

7

!)

1. INTRODUCTION l

1.1 Review Process i

This report summarizes the results of our review of the front-end portion of the Individual Plant Examination (IPE)'for Callaway. This' review is based on information contained in the IPE submittal [lPE Submittal) along with the licensee's responses [RAI Responses) to a request for additional information (RAI).

j i

1.2 Plant Charactedzation Callaway is a single unit site with one four-loop PWR, located on the Missouri River in Missouri. Rated power is 3,565 MWt and 1,120 net MWe. Callaway is a

_ Westinghouse SNUPPS design similar to Wolf Creek. Bechtel was the' AE. The unit achieved commercial operation in 1985.

Design features at Callaway that impact the core damage frequency (CDF) relative to l

other Pressurized Water Reactor (PWR) plants are as follows: [pp. 3.2-8, 3.2-47, 3.2-l l

131,3.2-138,6-1, 6-2 of submittal) s j

Ability to nerform feed and bleed once-throuah coolina. This design feature lowers the CDF by providing an alternative method of core cooling given unavailability of feedwater.

l L

Service water system flexibility and redundanev. The plant h'as dedicated l

_ standby essential service water (ESW) pumps that are available to provide backup flow to the ESW headers. During normal operation, non-essential service water pumps provide flow to the ESW headers. This design feature l

tends to decrease the CDF.

l e'

Ability'to use the ESW system as a source of backuo water sunolv for the r

auxiliarv feedwater (AFW) system. The ESW system can provide a backup source of AFW suction water supply in the event water from the condensate L

. storage tank (CST) becomes unavailable. This design feature tends to decrease the CDF.

I-Elaht hour batterv lifetime for turbine-driven AFW oumo. Battery power for control of the AFW turbine-driven pump can be sustained for 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months , apparently without load shedding. This 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months battery lifetime tends to lower the CDF from station blackout, as this time ~is longer than that available at many other plants.

Semi-automatic Emergenev Core Cooling System (ECCS) switchover. The switchover of residual heat removal (RHR) pumps from injection to sump 4

i recirculation is fully automated. However, the establishment of high pressure i

8

c.

I recirculation requires manual operator actions to align the suction of the safety injection and/or charging pumps to the discharge of the RHR pumps.-This design feature tends to increase tne CDF over what it would otherwise be with a fully automatic system.

l l

New hiah temoerature cualified reactor coolant oumo (RCP) O-rinas. These j

new RCP O-rings tend to lower the CDF because of the increased ability of the RCP seals to withstand loss of cooling.

Ability to feed deoressurized steam oenerators from diesel-driven fire oumo.

This design feature tends to lower the CDF, though it was not credited in the IPE.

l i

l I~

p 9

I

2. TECHNICAL REVIEW 2.1 Licensee's IPE Process We reviewed the process used by the licensee with respect to: completeness and methodology; multi-unit effects and as built, as-operated status; and licensee j

participation and peer review.

l l

2.1.1 Comoteteness and Methodoloay.

The submittal contains the information requested by Generic Letter 88-20 and NUREG 1335. No obvious omissions were noted.

1 The front-end portion of the IPE !s a level l PRA. The specific technique used for the j

level l PRA was a small event tree / largo fault tree technique and it was clearly described in the submittal. The PRA upon which the IPE is based was initiated in response to Generic Letter 88-20. [Section 2.2 of submittal]

)

l l

The submittal described the details of the technique. Support systems were modeled in fault trees and accident sequences were s]Ived by fault tree linking. System descriptions were provided. Tables of inter-system dependencies were provided.

Data for quantification of the models were provided, including common cause data.

The submittal summarizes the results of an uncertainty analysis. Sensitivity analyses were performed to estimate the reduction in CDF due to plant improvements under consideration. [ Sections 2.3.1, 3.3.8, 6.2.2 of submittal]

2.1.2 Multi-Unit Effects and As-Built As-Ocerated Status.

Callaway is a single unit site; therefore, mult!-unit considerations do not apply to this plant.

The licensee states that three main efforts ensured that the IPE model correctly reflected the plant, these being: the preparation of system work packages, site visits, and communication between IPE analysts and plant operating and engineering staff personnel. [Section 1.2 of submittal]

Two walkdowns were conducted to support the overall front-end portion of the IPE.

l I

Also, three walkdowns were conducted specifically to support the internal flooding analysis. All walkdowns involved both utility and contractor personnel. [ Letter 1/8/93]

j i -

Major documentation used in the IPE included: the UFSAR, the Technical l

Specifications, licensee event reports (LERs), procedures, piping and instrumentation diagrams (P&lDs), and various calculations. Other IPE/PRA studies and related information were reviewed, notably: the NUREG 1150 studies of Surry, Sequoyah, and I

4 10

I Zion; the Seabrook PSA; the Turkey Point IPE submittal; and the NSAC-60 PRA for Oconee. [ Letter 1/8/93]

The freeze date of the analysis was September 1992, with one exception. This I

exception involves installation of high temperature qualified RCP seal 0-rings. These new O-rings were installed in two RCPs in the fall of 1993, and in the two remaining RCPs in the spring of 1995. Without this modification, the station blackout CDF l

contribution would increase by about 20% (from 1.77E-05/yr to 2.1E-05/yr), and the total CDF contribution would increase by about 6% (from 5.85E-05/yr to 6.2E-05/yr).

[pp.1,16,17 of RAI Responses]

2.1.3 Licensee Particioation and Peer Review.

The IPE was performed primarily by utility personnel. A permanently manned group was established within the utility.or d.,veloping and applying the PRA. Virtually all the plant departments, including operations, maintenance, training, and site engineering, provided input to the PRA development. [ Letter 9/29/92] [Section 5.1 of submittal)

Consultants from the following organizations were utilized: NUS, Bechtel, Cermak Fletcher Associates (CFA), and Gabor Kenton Associates. NUS was the prime contractor.

The submittal states that the utility intends to maintain a "living" PRA. [ Letter 1/8/93]

All of the IPE/PRA task documentation received a peer review; that is, a review by another individual involved in the IPE. All task documentation was reviewed by the appropriate PRA consultant. An inter-departmental review within the utility of certain documentation was performed. Union Electric, the operator of Callaway, and Wolf Creek Nuclear Operating Corp. (WCNOC), the operator of Wolf Creek, performed reviews of each others level 1 PRA portions of the respective IPEs; Callaway and Wolf Creek are similar plants, both being SNUPPS designs. A consultant from CFA also ieviewed the level 1 PRA portion of the IPEs for both Callaway and Wolf Creek.

l

[Section 5.3 of submittal]

2.2 Accident Sequence Delineation and System Analysis This section of the report documents our review of both the accident sequence delineation and the evaluation of system performance and system dependencies l

provided in the submittal.

2.2.1 initiatina Events.

The identification of initiating events considered both generic and plant specific events.

The IPE used three techniques for identifying initiating events: development of a Master Logic Diagram, review of industry and plant-specific data, and performance of j

11 l

l

a Failure Modes and Effects Analysis (FMEA) on important support systems. The following sources were used to identify and quantify generic initiating events:

NUREG/CR-3862, NUREG-1150, the Seabrook PSA, and industry data. Plant records were reviewed to identify and quantify plant-specific initiating events that have occurred. Potential plant-specific support system initiating events were identified by j

performing a FMEA on the following systems: CCW, SW, instrument air, heating, ventilating, and air conditioning (HVAC), DC power, and AC power. The support system initiating events that were retained were quantified by analysis of support system fault trees which incorporated plant-specific data. The categories of initiating 1

events included in the analysis are listed below: [Section 3.1.1, Tables 3.1.1-11, 3.1.1-14, 3.3.9-9, pp. 3.1-103, 3.1-107, 3.1-111, 3.1-121, 3.3-107 of submittal)

Transients:

i Loss of Offsite Power Loss of Main Feedwater Transient with Main Feedwater Available Main Steamline Break Outside Contahment Main Steamline Break inside Containment Feedline Break Upstream of Last Feedwater Check Valve Feedline Break Downstream of Last Feedwater Check Valve Steam Generator Tube Rupture l

Special Initiators:

Loss of Component Cooling Water Loss of All Service ' Water Loss of a Vital DC Bus LOCAs:

Large LOCA (6" to 29")

Intermediate LOCA (2" to 6")

Small LOCA (3/8" to 2")

Very Small LOCA (less than 3/8")

ISLOCA (5 separate categories)

Vessel Rupture Internal Flooding 115 separate initiating events Loss of all CCW was treated as a specialinitiating event because it results in loss of all cooling to the RCP seals due to loss of cooling to the charging pumps and loss of cooling to the RCP thermal barrier coolers. Loss of a DC bus was treated as a special initiating event because it causes loss of control power to a train of electrical equipment. Loss of 1E switchgear HVAC was included in the loss of a DC bus initiating event, since it has the same effect as loss of a DC bus. Loss of all service l

water was treated a specialinitiating event since it results in loss of all seal cooling and cooling for numerous safety related pumps; this event requires loss of both normal and emergency service water.

12 l

Loss of an AC bus was not treated as a separate initiating event; the FMEA on the AC j

power system concluded that failures in the system were accounted for in the generic j

transient initiating events. Loss of instrument air was not treated as a separate initiating event. The FMEA for loss of instrument air concluded that loss of instrument air was accounted for within the generic transient initiating events.' (The AFW air operated valves and steam generator atmospheric dump valves have backup air provided by nitrogen accumulators. The pressurizer power operated relief valves i

(PORVs) are DC powered.)

j

(

Very small LOCAs, less than 3/8 inch equivalent diameter, were modeled as a

.j separate initiating event. The makeup required for LOCAs in this size range is within the normal charging system capability and as such most IPE/PRAs usually lump these l

.very small LOCAs in with general transients and do not modeled them separately.

[

Specific consideration of very small LOCAs in the Callaway IPE is notable. [ Table 3.1.1-11 and Section 3.1.3 of submittal]

l The following types of ISLOCA were considered in the analysis:

RHR pump suction isolation valves (shutdown cooling paths)

RHR pump cold leg injection paths

-=

RHR pump hot leg injection paths a

Safety injection pump cold leg injection paths a

Safety injection pump hot leg injection paths.

=

l l

All of the ab'ove potential ISLOCA paths involve a transition from high to low pressure piping. Overpressurization of the low pressure portion of the interfacing system was L

postulated to result in an ISLOCA. [pp.19,20 of RAI Responses]'

The point estimate frequencies assigned to most of the initiating events were comparable with typical values used in PRA/IPEs. The frequencies for loss of all CCW and loss of all service water are relatively low in comparison with some other IPE/PRAs, 6.4E-5/ year and 4.7E-5/ year, respectively; however, Callaway has 4-100%

CCW pumps and both a normal service water system and an emergency service water system, which tend to lower the frequencies for total loss of either of these systems. The frequency for loss of offsite power was 0.046/ year, which is comparable to the frequency used in most IPE/PRAs. Data from WASH-1400 were used to quantify the frequencies of LOCA initiating events. The ISLOCA initiating event frequencies were derived from fault tree logic models quantified with generic data.

The NUPRA code was used to obtain the overpressurization probability for each path.

The ISLOCA initiating event frequencies for RHR cold and hot leg injection paths are approximately an order of magnitude higher than values used in some other PRA/IPE studies. However, the ISLOCA frequencies do not account for possible mitigating actions. As will be further discussed in the next subsection of this report, ISLOCA i

i mitigation was considered in the event tree models. [pp.19,20 of RAI Responses, l

Section 3.1.1.3 of submittal)

]

i 13 l

l

2.2.2 Event Trees.

Each accident initiating event was included in an appropriate class of initiating events, and each class of initiating events had a corresponding event tree logic model. The following event tres models were developed: [Section 3.1.3 of submittal)

Loss of Offsite Power Loss of Main Feedwater (MFW)

Turbine trip with MFW Available Steam Generator Tube Rupture (SGTR)

Main Steam Line Break (MSLB) Inside Containment MSLB Outside Containment Feedline Break Upstream of Isolation Check Valve Feedline Break Downstream of Isolation Check Valve Loss of All Component Cooling Water (CCW)'

Loss of All Service Water Loss of Vital DC Bus NK01 Loss of Vital DC Bus NK04 Large LOCA Intermediate LOCA Small LOCA Very Small LOCA Five ISLOCA Event trees Anticipated Transient without Scram (ATWS)

Station Blackout.

Core damage was defined to be a peak cladding temperature in excess of 2,200 deg.

F. The submittal states that MAAP calculations were used to determine some of the success criteria for questionable accident sequences. [Section 3.1.2.2.1 of submittal)

Two sets of event trees were constructed; Level 1 event trees and Plant Response Trees (PRTs). The Level 1 event trees identify and quantify the sequences leading to core damage. The PRTs model the impact of containment systems on the core damage sequences, and serve as input to the back-end analysis. [ Sections 3.1.2 and 3.1.4 of submittal]

The Level 1 event trees do not explicitly include containment heat removal, and the success criteria for preventing core damage do not require any containment heat removal in response to any accident. However, for conditions resulting in the release of mass and energy into containment (for example, a LOCA), the IPE implicitly assumed the availability of containment cooling via one of the two RHR heat exchangers, though no credit for was taken for containment heat removal via the containment fan coolers. MAAP calculations were used to develop the basis for limiting conditions expected inside containment. The MAAP calculations specifically considered net positive suction head (NPSH) operability limits for ECCS pumps. The I

14

MAAP calculations predict that ECCS pump NPSH will be adequate with cooling from one RHR heat exchanger during postulated LOCA conditions. The licensee also notes that peak temperatures used to establish qualification requirements at Callaway exceed 358 deg. F, which is the fluid saturation temperature at the median containment failure pressure of 134.9 psig. [pp. 2 to 5 of RAI Responses, pp. 3.1-26, 3.1-29, Tables 3.1.3-4 through 3.1.3-20 of submittal)

The licensee provided further information to support the operation of equipment to mitigate the severe accidents modeled in the IPE. For example, active equipment used to provide core and containment cooling is located outside containment, and is not expected to experience environmental conditions beyond those currently postulated for equipment qualification (EO). The licensee provides various qualification data to support this conclusion. Additional discussions are provided to support credit for the operation of various types of instrumentation and detectors. For example, it is noted that terminal blocks have been spliced out of circuits for pressurizer pressure instrumentation and sump level transmitters to reduce the possibility of moisture !ntrusion. [pp. 7 to 11 of RAI Responses)

Information is also provided to support the IPE assumption that the PORVs and associated block valves will remain operable long-term for feed and bleed functions.

The Callaway PORVs have been tested under several types of conditions, including steam, steam-to-water, and water. The PORVs and block valves have been qualified to meet various parameter specifications, including peak temperature, peak pressure and radiation levels. As stated by the licensee, a comparison of these qualification specifications to output from MAAP calculations supports the engineering judgment that the PORVs and block valves should survive accidents for which they are credited.

As further noted by the licensee, the Equipment Qualification Risk Scopirt 9tudy

[NUREG/CR-5313] identifies poor sealing against moisture intrusion as a y ary mechanism for potential failure. The Callaway PORV pilot valve and position indication device (PID) are sealed with approved materials. In addition, the block valves have conduit routed directly from the bottom, and drains are installed in the low points of the motor housing. Additionalinformation to support the use of PORVs during feed and bleed is provided in the following two EPRI documents: [EPRI 2628) and [EPRI 4306). [pp. 8,14 of RAI Responses)

The IPE uses two different success criteria for feed and bleed, depending on the accident initiating event. For many conditions (including loss of main feedwater),

MAAP calculations demonstrated that a " standard" feed and bleed success criteria would be adequate, namely 1 of 4 centrifugal charging pumps or high head safety injection pumps, and 2 of 2 pressurizer PORVs. For a LOSP initiating event, MAAP calculations demonstrated that a safety injection pump would not provide sufficient flow to support core cooling, due to a higher reactor coolant system (RCS) pressure in the LOSP scenarios. Therefore, for LOSP initiators, a " modified" feed and bleed success criteria was used, specifically 1 of 2 charging pumps and 1 of 2 pressurizer PORVs.

MAAP analyses demonstrated that one PORV path would provide a sufficient bleed 15

l path for LOSP initiators due to the lower mass injection with 1 charging pump. The loss of a vitai DC bus represents another initiator where the " modified" feed and bleed success criteria were applied. In this instance, one PORV would be unavailable since there would be no DC power to its solenoid-operate 2 pilot valve. MAAP analyses demonstrated that the " modified" success criteria would be sufficient for DC bus loss initiators. [pp.13,14 of RAI Responses, pp. 3.1-33, 3.1-37 of submittal]

Main feedwater is automatically isolated following a plant trip. Therefore, AFW is the primary system for steam generator cooling for all transient initiating events even if the initiating event does not itself result in loss of main feedwater; if AFW fails, operator action to restore main feedwater is required to preserve use of the steam generators for heat removal, and this operator action involves re-starting main feedwater pumps and condensate pumps. [pp. 3.2-76, 3.2 79 of submittal]

The major difference between the models for a small LOCA and a very small LOCA are that rarmal charging can provide sufficient makeup to mitigate a very small LOCA.

The event tree models addressed transients progressing to LOCAs as a result of either RCP seal failures or stuck-open PORVs.

The IPE credited depressurization with the steam generators and injection with low pressure ECCS pumps as a way to mitigate a smail/ medium LOCA up to 3 inches in size with loss of all high pressure injection.2 This element of the success criteria is based on MAAP calculations. Initiation of secondary cooldown and depressurization was assumed to occur at 30 minutes into the event. The MAAP calculations predict that 2 accumulators will begin injection approximately 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months into the event, the point at which RCS pressure drops below 600 psia. The calculations further predict that the low head (RHR) pumps will begin injection at about 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months into the event, the time at which RCS pressure is expected to drop below the pump shutoff head. While the MAAP calculations predict a slight core uncovery at 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months into the event, level is recovered by accumulator and RHR injection, and no core damage is expected. A cooldown rate of 100 deg. F/ hour was never exceeded in the MAAP analyses (limits on the cooldown rate were programmed into the calculations). [pp.11,12 of RAI Responses,pp. 3.1-105, 3.1-109, 3.1-116, 3.1-117 of submittal]

The event trees credit any one of four centrifugal charging pumps or high head safety injection pumps as capable of mitigating a small LOCA or a medium LOCA in the smaller range. This element of the success criteria is based on MAAP calculations.

[pp. 23,24 of RAI Responses) 8 This option was not credited in the station blackout event tree, even though a station blackout-induced RCP seal LOCA could be mitigated with depressurization and low pressure injection if offsite power is recovered in sufficient time. The licensee omitted this cooling mode from the station blackout analysis to simplify the event tree and reduce the number of sequences requiring quantification. [pp.

14,15 of RAI Responses) l 16

Loss of CCW causes loss of RCP seal cooling. The IPE used the Westinghouse RCP seal LOCA model. The RCP seal LOCA model took credit for the new high temperature qualified O-rings that have been installed at Callaway. [p. 3.1-82, 3.1-94 i

of submittal]

The model for loss of CCW considers that recovery of CCW within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months can prevent core damage. The IPE assumes that even with no failure of RCP seal components, thermal effects will result in a minimum leakage of 21 gpm per pump. Therefore, the model requires that makeup be provided to the vessel for successful mitigation even if CCW is restored. The charging pumps and high head safety injection pumps require CCW for lube oil cooling. The model credits operator action to block automatic Si actuation of these purnps so that they will not fait due to loss of pump cooling and so that they can be used for makeup later given restoration of CCW This operator action has been proceduralized. [pp. 44 to 46 of RAI Responses, pp. 3.1-82, 3.3-72, 3.1-86, 3.1-87 of submittal]

The model for loss of CCW credits depressurization and use of injection with RHR for mitigating the accident; although RHR requires CCW for seal cooling, the'tPE assumes that seal failure will not prevent operation of the RHR pumps. (p. 3.2-36 of submittal]

The loss of service water (SW) model is similar to the loss of CCW model with the following major differences. Loss of SW causes eventual loss of RHR pumps due to loss of room cooling; the IPE assumed that RHR pumps can operate 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months without SW. Loss of SW causes loss of the motor driven AFW pumps due to loss of room cooling. [Section 3.1.3.2.2, Figure 3.1.3-10 Sequence # 1 of submittal]

The loss of SW model also differs from the loss of CCW model with respect to its impact on RCP seal cooling. Specifically, loss of SW does not cause a immed! ate loss of RCP seal cooling as does loss of CCW since failure of CCW as a result of failure of SW is delayed; the model assumes that CCW can operate for some time I

with loss of SW. The model credits recovery of SW within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months as preventing core damage. The licensee has documented the successful operation of the CCW system without SW for 1 hr. 49 minutes during normal operation without adverse consequences. During the 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months period SW is assumed to be unavailable, the IPE assumes that one of the charging pumps could continue to provide RCP seal injection, and CCW could continue to provide RCP thermal barrier cooling. Plant operators could also take proceduralized actions to extend the time to equipment failures, such as opening doors to charging pump rooms and alternately operating the 3 charging pumps. The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months window for restoring SW was chosen to be consistent with plant l

operational data and procedural guidance. The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months window for SW restoration is i

also considered to be a suitable criterion for differentiating between accident sequance cut sets that are readily recoverable and those that are not. The licensee further notes that some of the recoverable cut sets represent accidents that would in fact be recoverable in times less than 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , thus adding additional credibility to credit taken i

17

.o f

for CCW and pump room heat-up. Finally, it is noted that steam generator dryout l

would take approximately one hour followed by another hour for the RCS inventory to reach saturation and boil off to the top of the core after a loss of service water-induced RCP seal LOCA. [pp. 22,23 of RAI Responses, Section 3.1.3.2.2, Figure 3.1.3-10 l

Sequence # 1 of submittal]

The ISLOCA model considers the possibility that piping and components exposed to greater than design basis pressure do not fai! If depressurization in response to an l

ISLOCA is successful, the model credits continued addition of makeup to the primary using RHR pumps supplied frcm the RWST with makeup required to replenish the RWST inventory. [p. 3.1-126 of submittal]

Credit was taken for isolation of all ISLOCA initiators, except for those ISLOCAs j

involving the RHR pump suction paths (shutdown cooling lines). The ability to close l

valves against reverse differential pressure forces after an ISLOCA is dependent on l

sequence-specific factors that have not been quantified in the IPE. For example, the differential pressure experienced by isolation valves is dependent on the break location, friction losses associated with ruptured check valves, and line losses in the piping from the RCS to the isolation valve. The licensee acknowledges that closure of 1

motor operated valves (MOVs) under all postulated ISLOCA scenarios involving mdiple check valve failures has not been demonstrated. Rather, the ability of MOVs to close under ISLOCA conditions was based on engineering judgment. -To further l

investigate this topic, the licensee made a sensitivity analysis that eliminated credit for valve isolation during ISLOCA conditions. With no credit for valve isolation, the j

iSLOCA CDF contribution increases from 1.7E-07/yr to 7.9E-07/yr. The licensee

~

states that results from this sensitivity study represent an upper limit on the ISLOCA j

CDF, as the lack of credit for valve isolation is very pessimistic. [pp. 20,21 of RAI l

Responses,pp. 3.1-21, 3.1-125, 3.1-126, 3.1-130 of submittal]

The ATWS event tree credits operator action to insert control rods by either opening l

breakers to the rod drive MG sets or by running in the rods at the maximum rate; these actions are considered if the failure to trip is electrical in nature, but are not I

l considered if the failure to trip is mechanical in nature. The event for adequate primary pressure relief in response to an ATWS considers the effect of the early in life moderator temperature coefficient on the ability to provide adequate pressure relief.

The ATWS model requires ATWS Mitigating System Actuation Circuitry (AMSAC) to function to prevent core damage. [pp. 3.1-135,3.1-137 of submittal)

The ATWS event tree has two top events that represent manual control rod insertion.

The first of these events, " Manual Control Rod Insertion", represents operator actions to (1) begin stepping control rods into the core within one minute of the initiation of the ATWS event, and (2) continue to drive the rods in for one minute prior to the RCS i

reaching peak pressure. In sequences where " Manual Control Rod Insertion" is successful, a second event " Operator Actions for Long-Term Shutdown", is questioned for " conservatism", and represents the operator continuing to manually drive the rods 18

I into the core in order to achieve and maintain reactor subcriticality. The IPE AW/S model is based on the Westinghouse probabilistic model as presented in WCAP-11992 and WCAP-11993. [p. 23 of RAI Responses, Figure 3.1.3-23 of submittal]

The model for station blackout allows 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months for recovery of AC power if the turbine driven AFW pump fails. The model for station blackout assumes that an RCP seal LOCA does occur, in contrast to other IPEs which consider the possibility that a seal LOCA does not occur. Therefore, makeup to the primary is required to mitigate a station blackout event. The Westinghouse seal LOCA modelis used to estimate the probability that core uncovery occurs prior to recovery of AC power, and the event tree credits depressurization as a means of decreasing the leakage from a seal LOCA.

Depressurization with the steam generators can be accomplished during station blackout because the steam generator (SG) atmospheric dump valves (ADVs) have nitrogen accumulators to provide power for opening of the valves. The battery lifetime for providing control power to the turbine-driven (TD) AFW pump and the time over which the accumulators for the SG ADVs can supply air is 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months . [ Figure 3.1.3-23 of submittal]

2.2.3 Systems Analvsis.

The submittal provides descriptions for 27 systems, including high pressure safety injection (HPSI), low pressure safety injection (LPSI), service water, CCW, containment spray, instrument air, and electrical power. The system descriptions provide a variety of information, including discussions of system components, system control, success criteria, major assumptions, system interfaces, maintenance considerations, and operational experience. Also included are simplified schematics that show major equipment items and important flow and configuration information.

[pp. 3.2-4 to 3.2-167 of submittal]

The AFW system consists of three pumps, two motor driven and one turbine driven.

One of the three pumps is required to provide cooling at shutdown. The AFW pumps are self cooled but the rooms with the motor driven ACW pumps require room coolirig.

The TD AFW train uses air operated valves (AOVs) for flow control and these valves fail open. [ Figure 3.2-1(b) of submittal). The steam supply to the TD AFW pump turbine is through normally closed, fail open AOVs. The CST is the normal source of water for AFW but ESW is an backup source. The UFSAR indicates that ESW backup supply for AFW is automatic. [ Figure 3.2.1(c) of submittal, UFSAR, page 9.2-6]

The high pressure ECCS consists of two centrifugal charging pumps and two high head safety injection pumps. In ECCS recirculation, operator action is required to piggyback these pumps off the RHR pumps. The pumps require CCW for oil coolers and ESW for room coolers.

Two RHR pumps provide for both shutdown cooling and low pressure ECCS injection.

One RHR heat exchanger is provided for each of the two RHR trains, and the RHR 19

H...

l l

l

)

I heat exchangers are cooled by CCW. Switchover from ECCS injection to

(

recirculation following a LOCA is semi automatic. [pp. 3.2-38 and 3.2-47 of submittal]

The RHR pumps require CCW for seal cooling; the IPE assumes that the pumps will leak without seal cooling but will operate. effectively. [p. 3.2-36 of submittal] The RHR pump rooms require operation of room coolers that are serviced by ESW; room cooling is not required during the injection phase. [ppi 3.2-36 and 3.2-41 of submittal]

i The SG Atmospheric Dump Valves (ADVs) require air to open and they are provided with nitrogen accumulators. Four valves are available, one per Main Steam Line l

(MSL), and the four in total can relieve 15% of rated steam, i

i-Cooling for the RCP seals is provided by either seal injection from the charging pumps or CCW cooling of the thermal barriers. Three charging pumps.are provided, two centrifugal pumps and one positive displacement pump, and the charging pumps l-require CCW for pump cooling. Tne twc centrifugal charging pumps are part of the high pressure ECCS system as previously discussed. The positive displacement charging pump requires room cooling with ESW. [p. 3.2-70 of submittal]

The containment spray system has two trains each with one purt p. During recirculation, containment spray is supplied directly from the containment sump and is l

not piggybacked off RHR recirculation; no heat exchangers are used in the containment spray system. [ Figure 3.2-15 of submittal] Operator action is necessary to switchover containment spray from injection to recirculation. The containment spray pumps are self-cooled but ESW is required for room coolers.

l The CCW system consists of two 100% trains each with two 100% CCW pumps. The pumps are self cooled. Room coolers serviced by ESW are provided, but the IPE I

assumes that room cooling for the CCW pumps is not required. [p. 3.2-130 of submittal]

The ESW system consists of two 100% trains. The two ESW pumps are normally in standby, with ESW normally supplied from the SW system. Following an accident, the ESW pumps start and ESW is provided from the UHS. ESW return goes to the ultimate heat sink (UHS) cooling tower. The ESW pump rooms are cooled by once through ventilation, but the IPE assumes that ventilation for the rooms is not required.

(p. 3.2-138 of submittal]

The SW system is a non-safety related system consisting of three 50% pumps, two of which are normally operating. The SW pumps are self-cooled and the pump rooms do not require room cooling.

Onsite 1E AC power is provided by two trains each powered by a 6201 KW DG. Air conditioning units provide cooling for rooms containing electrical switchgear, but the j.

IPE assumes that room cooling for the switchgear is not required during the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months i

i l

l 20 i

o.

mission time based on a heatup calculation. The DG rooms are cooled by once through ventilation. [pp. 3.2-150,3.2-153 of submittal]

The DC batteries have a rated lifetime of 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . However, the submittal states that DC power for control of the turbine driven AFW pump train can be maintained for 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months , apparently without load shedding. Room cooling for DC equipment is only required during loss of offsite power conditions and compensatory actions to open doors can provide adequate room cooling during loss of power conditions. [pp. 3.2-155, 3.2-158, 6-1 of submittal]

2.2.4 Svstem Denendencies.

The submittal contains tables of inter-system dependencies. It is difficult to review the tables of dependencies because the dependencies are tabulated by sub-system acronym, and it is difficult to understand the acronyms. Nevertheless, we conclude that all dependencies have been accounted for, based on information contained in other portions of the submittal. [ Tables 2.5-1 through 2.5-15 of submittal]

2.3 Quantitative Process This section of the report summarizes our review of the process by which the IPE quantified core damage accident sequences, it also summarizes our review of the data base, including consideration given to plant specific data, in the IPE. The uncertainty and/or sensitivity analyses that were performed, if any, were also reviewed.

2.3.1 Quantification of Accident Seauence Freauencies.

The IPE used the small event tree /large fault tree model with fault tree linking for quantifying core damage. Support systems were modeled in fault trees. The NUPRA software package and Set Equation Transformation System (SETS) code were used to quantify accident sequences. A mission time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months was used. Truncation limits for the fault trees generally ranged from 1E-7 to 1E-8, while accident sequence cut sets were generally truncated at 1E-09/yr. Common cause failures were modeled directly in the fault trees. [pp. 3.3-87 to 3.3-90, Section 3.3.7 of submittal]

The IPE took credit for recovery of components in the service water, ESW, and CCW systems. Non-recovery probabilities were based on the approach outlined in NUS-5272 and data contained in RP 3000-34. It was assumed that the following ESW

' failures were potentially recoverable in two hours: valve transfer failure, pump failure to start, and ESW-related dependent failures. Within eight hours, the following categories of component failures were assumed to be potentially recoverable: service water /ESW pump failures, service water pump discharge valve failures, ESW valve failures, and ESW-related dependent failures. The IPE also assumed that within one hour, the plant could potentially recover from failure of valve EFHV-52 to transfer open. This 21

[

,1 normally-closed valve would have to be opened to provide ESW cooling to the "B" CCW heat exchanger. [pp. 3.3-65 to 3.3-71 of submittal)

Credit was also taken for recovery of offsite power. Non-recovery data were generated from information stated to be from NUREG 1032 Figure B.7; however, there is no Figure B.7 in NUREG 1032. There is a figure B.7 in the draft version of NUREG 1032 and that is the figure referred to in the submittal. Beyond about 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , the non -

. recovery data are more optimistic than average industry experience reported in an Electric Power Research Institute (EPRI)-sponsored study [NSAC 147]. For example, at eight hours, the IPE probability for non-recovery of LOSP is about a factor of 3.5 lower than the corresponding EPRI data. At twelve hours, the IPE non-recovery data are approximately a factor of 10 lower than the EPRI data. [pp. 3.3-73, 3.3-74 of submittal]

2.3.2 Point Estjmates and Uncertaintv/ Sensitivity Analyses.

1 Mean values were used for point estimate failure frequencies and probabilities.

l The IPE did perform an uncertainty analysis of the core damage cut set equation, l

considering the uncertainty in data. [p. 3.3-99, Figure 3.3.8-2 of submittal]

The licensee made a sensitivity analysis that eliminated credit for valve isolation during j

ISLOCA conditions. With no credit for valve isolation, the ISLOCA CDF contribution I

l-increases from 1.7E-07/yr to 7.9E-07/yr. Additional sensitivity analyses were used to estimate the reduction in CDF due to plant modifications under consideration, as discussed in Section 2.7.3 of this report. [pp. 20,21 of RAI Responses, pp. 3.1-21, 3.1-125, 3.1-126, 3.1-130 of submittal.

The submittal Implies that other sensitivity analyses were performed to address modeling uncertainty. However, we could find no discussion in the submittal of the results of any sensitivity analyses that addressed modeling uncertainty. [p. 2-7 of submittal]

Finally, the licensee calculated three importance measures Fussell-Vesely, Risk Achievement, and Risk Reduction. The submittal states tiiat an importance analysis can be considered as a sort of global sensitivity analysis. [p. 3.3-98, Table 3.3.8-1 of j

submittal) i l

2.3.3 Use of Plant Soecific Data.

. Plant specific data were used from the time period January 1,1987 through May 15, 1990. Plant specific data were collected for all the major components modeled in the i

j system fault trees. Plant specific data were used to Bayesian update generic data.

Plant specific test and maintenance unavailabilities were used. The plant specific data base is provided in Table 3.2.2-3 of the submittal. The Bayesian updated data base 4

f 22

actually used for quaritification is provided in Table 3.3.2-4 of the submittal. [Section 3.2.2 of submittal]

We performed a spot check of the updated data for component failures. The results of this check are summarized in Table 2-1 of this report. [ Table 3.3.2-4 of submittal]

Table 2-1. Plant Specific Data '

Component IPE Bayesian Updated Point NUREG/CR 4550 knean Value Estimate Estimate Turbine Driven Pump (AFW) 6.3E-03 Fail to Start 3E-02 Fail to Start 1.0E-04 Fall to Run 5E-03 Fail to Run Motor Driven Pump 2.7E-03 Fail to Start 3E-03 Fail to Start 1.8E-04 Fail to Run 3E-05 Fail to Run

~

MOV 1.4E-03 Fail to Open 3E-03 Fall to Operate Check Valve 5.0E-05 Fail to Open 1E-04 Fall to Open Battery Charger 1.5E-05 Fail to Operate 1E 06 Fall to Operate.

Inverter 5.0E 06 Fall to Provide Power 1E-04 Failure (unspecified mode)

Circuit Breaker 2.1E-03 Fail to Transfer 3E-03 Fail to Transfer Diesel Generator 6.0E-03 Fall to Start 3E-02 Fail to Start 6.6E-03 Fall to Run 2E 03 Fail to Run Failures to start or open are probabilities of failure on demand. Failures to run are failure rates in 1/hr.

Most of the IPE failure data in Table 2-1 are lower than corresponding NUREG/CR 4550 data. For example, the IPE data for the turbine-driven AFW pump are lower than the NUREG/CR-4550 data by a factor of 5 for the pump start function, and a factor of 50 for the pump run function. The IPE data for motor-driven pump run failures and inverter failures are an order of magnitude lower than the NUREG/CR-4550 data. The IPE data for diesel generator start failures are about a factor of 5 lower than the NUREG/CR-4550 data, though the IPE diesel generator run failure data are about a factor of 3 higher than NUREG/CR-4550.

2.3.4 Use of Generic Data.

The primary source of generic data was EGG-SSRE-8875. We performed a spot check of the generic data for component failures. The results of this check are summarized in Table 2-2 of this report. [ Table 3.3.2-4 of submittal]

As shown in Table 2 2, much of the IPE generic failure data are consistent with NUREG/CR-4550 failure data. It is noted, however, that the IPE failure data for batteries and battery chargers are an order of magnitude higher than the 23

L..

i i

Table 2-2. Genetic Component Failure Data '

i Component IPE Mean Value NUREG/CR 4550 Mean Value Estimate Estimate Turbine Driven Pump (AFW) 3.0E-02 Fall to Start 3E-02 Fail to Start 1.0E-04 Fall to Run SE-03 Fail to Run Motor Driven 3.0E-03 Fall to Start 3E-03 Fail to Start Pump 3.0E-05 Fail to Run 3E-05 Fail to Run Motor Operated Valve 3.0E-03 Fail to Transfer 3E-03 Fail to Operate Check Valve 5.0E-05 Fall to Open 1E-04 Fail to Open Battery Charger 1.0E-05 Falls 1E-06 Fail to Operate Battery 1.0E-05 Falls 1E-06 Failure (unspecified mode)

I Inverter 5.0E-06 Falls to Operate 1E-04 Failure (unspecified mode) l Circuit Breaker 5.0E 04 Fall to Transfer 3E-03 Fall to Transfer i

I Diesel Generator.

1.0E-02 Fall to Start 3E 02 Fall to Start j '

5.0E-03 Fail to Rur.

2E-03 Fail to Run.

l' Filter 5.0E 06 Plugs 3E-05 Plugs Transformer 1.0E-06 Falls 2E-06 Short or Open l

Failures to start or open are probabilities of failure on demand. Failures to run are failure rates in 1/hr.

corresponding NUREG/CR-4550 data, while the IPE inverter data are an order of magnitude lower than the NUREG/CR-4550 data.

l 2.3.5 Common Cause Quantification.

l The MGL method was used to model common cause failures. Common cause failures among similar components within the same system were modeled. The common cause failures were incorporated into the fault trees. The submittal lists the components selected for common cause failure consideration; this list contains components typically considered for common cause failure in other IPE/PRAs. (pp.

3.3-37 to 3.3-40 of submittal)

The primary source of generic data for common cause failure was NUREG/CR-4550.

l Data from NUREG/CR-4780 were used to quantify common cause failure of motor

)

driven fans and check valves.

l I

We performed a spot check of the common cause failure data used in the IPE, as summarized in Table 2-3 of this report. The submittal does not explicitly list all beta factors; in cases where beta factors were not explicitly listed, we estimated them by dividing common cause event failure probabilities by corresponding random failure probabilities. [ Table 3.3.2-5 of submittal) 24 L

~. - _- -

I j

Table 2-3. Common Cause Factors for 2-of-2 Components Component Calloway Beta Fa.Jor Surry NUREG/CR 4550 l

Estimated from Beta Factor Submittal Table 3.3.2-5 Table 4.9 3 AFW Pump (Motor Driven) 0.1 '

O.056 RHR Pump (LPCI for Surry) 0.1 '

O.15 l

HHIPump.

0.1 '

O.21

)

(

Containment Spray Pump 0.1 '

O.11 j

MOV-0.09-0.088 Diesel Generator 0.038

.0.038 l-Safety / Relief Valve 0.07 0.07 l

l The IPE used one value for all motor-driven pumps.

l l

Based on the data shown in. Table 2-3 we concluded that the common cause failure data used in the IPE are comparable with data used in other IPE/PRAs.

j 2.4 Interface issues

+

f-This section of the report summarizes our review of the interfaces between the front-end and back-end analyses, and the interfaces between the front-end and human factors analyses. The focus of the review was on significant interfaces that affect the ability to prevent core damage.

2.4.1 Front-End and Back-End Interfaces.

The Level 1 event trees do not explicitly include containment heat removal, and the success criteria for preventing core damage do not require any containment heat removal in response to any accident. However, for conditions resulting in the release l

l of mass and energy into containment (for example, a LOCA), the IPE implicitly l

assumed the availability of containment cooling via one of the two RHR heat l

exchangers, though no credit for was taken for containment heat removal via the l

containment fan coolers. MAAP calculations were used to develop the basis for l

limiting conditions expected inside containment. The MAAP calculations specifically considered net positive suction head (NPSH) operability limits for ECCS pumps. The

. MAAP calculations predict that ECCS pump NPSH will be adequate with cooling from one RHR heat exchanger during postulated LOCA conditions. The licensee also notes that peak temperatures used to establish qualification requirements at Callaway l

exceed 358 deg. F which is the fluid saturation temperature at the median L

containment failure pressure of 134.9 psig. [pp. 2 to 5 of RAI Responses, pp. 3.1-26, l

3.1-29, Tables 3.1.3-4 through 3.1.3-20 of submittal]

t 25

.s

. 4 The licensee provided further information to support the operation of equipment to mitigate the severe accidents modeled in the IPE. For example, active equipment used to provide core and containment cooling is located outside containment, and is not expected to experience environmental conditions beyond those currently i

postulated for equipment qualification (EO). The licensee provides various qualification data to support this conclusion. Additional discussions are provided to support credit for the operation of various types of instrumentation and detectors. For example, it is noted that terminal blocks have been spliced out of circuits for l

pressurizer pressure instrumentation and sump level transmitters to reduce the possibility of moisture intrusion. [pp. 7 to 11 of RAI Responses]

The IPE used PRTs to model the impact of containment systems on the mitigati of core damage sequences. Each sequence from the PRTs was binned into an appropriate PDS, and the binned sequences were used in quantification of the containment event tree. Section 4.3 of.the submittal discusses the parameters used to group sequerices into PDSs. These parameters are: Status of Containment Bypass, Status of Containment Isolation, Type of Accident: Transient or LOCA, SBO, Power Recovery (if S30), Status of Containment Sprays, Status of Containment' Heat Removal, RCS Pressure at Vessel Failure, and the Status of In-Vessel injection. The binning resulted in 81 PDSs. Based on comparisons with typical IPE/PRAs, we conclude that the binning of core damage sequences into PDSs is consistent with other typical IPE/PRA studies. [ Sections 3.1.4,4.3 of submittal]

2.4.2 Human Factors interfaces.

Based on our front-end review, we noted the following operator actions for possible consideration in the review of the human factors aspects of the IPE:

j J

credit for depressurization and use of low pressure injection to mitigate a small and a small-medium LOCA if all high head injection is lost actions to initiate feed and bleed cooling compensatory actions to open doors to allow cooling of DC switchgear credit for operator actions to block automatic start of high head pumps given a seal LOCA due to loss of all CCW actions to isolate / mitigate internal flooding.

e Loss of CCW causes loss of RCP seal cooling. The model for loss of CCW considers l

that recovery of CCW within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months can prevent core damage. The IPE assumes that l

even with no failure of seal components, thermal effects will result in a minimum leakage of 21 gpm per pump. Therefore, the model requires that makeup be provided to the vessel for successful mitigation even if CCW is restored. The charging pumps and high head safety injection pumps require CCW for lube oil cooling. The IPE credits operator action to block automatic Si actuation of these pumps so that they will not fall due to loss of pump cooling and so that they can be used for makeup later 4

l 26

given restoration of CCW. This operator action has been proceduralized. [pp. 44 to 46 of RAI Responses, pp. 3.1-82, 3.3-72, 3.1-86, 3.1-87 of submittal)

The loss of SW model differs from the loss of CCW model with respect to'its impact on RCP seal cooling. Specifically, loss of SW does not cause a immediate loss of -

RCP seal cooling as does loss of CCW since failure of CCW as a result of failure of SW is delayed; the model assumes that CCW can operate for some time with loss of SW. The model credits recovery of SW within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months as preventing core damage.

The licensee has documented the successful operation of the CCW system without

(

SW for 1 hr. 49 minutes during normal operation without adverse consequences.

During the 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months period SW is assumed to be unavailable, the IPE assumes that one of the charging pumps could continue to provide RCP seal injection, and CCW could

. continue to provide RCP thermal barrier cooling. Plant operators could also take proceduralized actions to extend the time to equipment failures, such as opening doors to charging pump rooms and alternately operating.the 3 charging pumps. The.2 nour window for restoring SW was chosen to be consistent with plant operational data and procerfural guidance. The 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months window for SW restoration is also considered to be a suitable criterion for differentiating between accident sequence cut sets that are readily recoverable and those that are not. The licensee further notes that some of j

the recoverable cut sets represent accidents that would in fact be recoverable in times t

L less than 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , thus adding additional credibility to credit taken for CCW and pump l

l room heat-up. Finally, it is noted that steam generator dryout would take approximately one hour followed by another hour for the RCS inventory to reach saturation and boil off the to the top of the core after a loss of service water-induced RCP' seal LOCA. [pp. 22,23 of RAI Responses, Section 3.1.3.2.2, Figure 3.1.3-10 Sequence # 1 of submittal) i l

The IPE took credit for recovery of components in the service water, ESW, and CCW systems. Non-recovery probabilities were based on the approach outlined in NUS-5272 and data contained in RP 3000-34. It was assumed that the following ESW.

failures were potential recoverable in two hours: valve transfer failure, pump failure to start, and ESW-related dependent failuras. Within eight hours, the following catr,gories of component failures were assurred to be potentially recoverable: service water /ESW pump failures, service water pump discharge valve failures, ESW valve failures, and l

ESW-related dependent failures. The IPE also assumed that within one hour, the plant could potentially recover from failure of valve EFHV-52 to transfer open. This normally-closed valve would have to be opened to provide ESW cooling to the "B" CCW heat exchanger. [pp. 3.3-65 to 3.3-71 of submittal) 1-2.5 Evaluation of Decay Heat Removal and Other Safety lasues This section of the report summarizes our review of the evaluation of Decay Heat l

Removal (DHR) provided in the submittal. Other GSI/USIs, if they were addressed in the submittal, were also reviewed.

27

.- --.~.-_-

(

2.5.1. Examination of DHR.

The submittal provides an evaluation of DHR. The evaluation addressed DHR by accident type and provided the contribution of loss of DHR to the total CDF by accident type. [pp. 3.4-18,3.4-19 of submittalj The contribution of loss of DHR to the total CDF by type of accident is as follows:

[ Table 3.4.3-3 of submittal]

Failure to Cooldown 3.2%

Failure of Secondary Heat Removal 12.8%

Failure of injection 15.2%

Failure of Recirculation 24.9 %

Failure of Feed and Bleed 3.7%.

l These contributions are not additive since the same core damage sequence can contribute to multiple failure categories.

j No vulnerabilities associated with loss of DHR were identified by the IPE.

2.5.2 Diverse Means of DHR.

The IPE rsvaluated the various options for providing DHR, including: steam generator j

cooling, fead and bleed, and use of ECCS systems.

j 4

2.5.3 Uniaue Features of DHR.

l i

1 Design features at Callaway that impact the core damage frequency (CDF) from loss of DHR are as follows:

Ability to oerform feed and bleed once-throuch coolina. This design feature

)

lowers the CDF by providing an alternative method of core cooling given unavailability of feedwater.

i Abilitv to use the ESW system as a source of backuo water sunolv for the auxiliarv feedwater (AFW) system. The_ ESW system can provide a backup source of AFW suction water supply in the event water from the condensate storage tank (CST) becomes unavailable. This design feature tends to decrease the CDF.

Semi-automatic ECCS switchover. The switchover of RHR pun.ps from injection to sump recirculation is fully automated. However, the establishment l

of high pressure recirculation requires manual operator actions to align the suction of the safety injection and/or charging pumps to the discharge of the i

28 1.

RHR pumps. This design feature tends to increase the CDF over what it would otherwise be with a fully automatic system.

Ability to feed deoressurized steam aenerators from diesel-driven fire oumo.

This design feature tends to lower the CDF, though it was not credited in the I

lPE.

2.5.4 Other GSI/USIs Addressed in the Submittal.

The submittal states that the utility considers USI A-17, " Systems Interactions" to be resolved. (Section 3.4.4 of submittal]

The submittal also states that the IPE addresses Gl-105, "intersystem Loss of Coolant Accidents in LWRs", but the submittal does not state thai the licensee considers this Gl to be resolved.8 2.6 Intemal Flooding This section o< M report summarizes our reviews of the process by which the IPE mode!ad core t.:. mage from internal flooding, and the results of the analysis of internal flooding.

2.6.1 Internal Floodina Methodoloav.

The submittal summarized the analysis of internal flooding. Equipment failures due to spray, drip, and steam blanketing were evaluated as well as failures due to submergence. [p. 3.3-104, Section 3.3.9 of submittal]

A flood event was considered for quantification if it both (1) causes reactor trip and (2) causes a failure of components important for providing core cooling. Flood events that only cause reactor trip were assumed to be included within the scope of higher frequency generic transients.

The process for modeling internal flooding involved the following steps. Appendix R information was used to divide the plant into potential flood zones. A complete list of all safety related and non-safety related equipment was generated for each zone.

Zones were screened from further consideration that did not meet the criteria for quantification (cause trip and disable important equipment). Also, zones with insignificant risk were screened. Five flood zones were retained for more detailed analysis: CCW Pump area, Control Building Basement Piping Penetration Area, ESF Switchgear Area, DC Switchgear Area, and Circulating / Service Water intake Structure.

Flooding sources in the five zones were specifically identified by a walkdown of the

The NRC has recently determined that GI-105 has been generically resolved, and that no futher I

licensee action is needed.

f 29

zones. Flood initiating event frequencies were quantified using EPRI NP 6992L, EGG-SSRE-9639, NSAC-60, and engineering judgement. It appears that the licensee

' quantified 115 separate initiating events to support the flooding analysis. Credit was taken for operator actions to isolate or recover from flooding. If the time available for operator response was between 30 minutes and one hour, an error probability of 0.5 was used, and for times longer than one hour an error probability of 0.1 was used.

One exception to these criteria was made for a category 2 flood in zone 2 where 31 l

minutes are available for response; the required actions are simple and an error probability of 0.3 was used. With the exception of zones 1 and 5, quantification of the flooding events with event trees was not required because unmitigated floods led to j

core damage without random failures of other equipment not directly impacted by the floods. Floods in zones 1 and 5 were considered as subsequently discussed. [pp.

j l

3.3-105, 3.3-108, Tables 3.3.9-5, 3.3.9-9 of submittal) i 2.6.2 Internal Floodino Results.

Five flood zones were analyzed. A flood in zone no.1 causes loss of CCW and the loss of CCW model was used to quantify flooding in this zone. A flood in' zone no. 5 causes a loss of normal service water (SW) but no loss of essential service water (ESW); subsequent random failures leading to loss of all ESW are sufficiently rare so that the frequency of loss of total SW initiated by the flood is insignificant. Table 3.3.9-7 of the submittal summarizes the CDF calculated for each of the five flood zones; the CDF is significant for three of the five zones as summarized in Table 2-4 of this report.

All of the floods in these zones that result in loss of the indicated systems lead directly to core damage.

Table 2-4. Important Contributors to CDF from Internal Flooding j

Flood Zona No.

Flood Sources CDF (1/ year) and Type of Accident i

2: Area with ESW/SW Crosstie Valves Rupture in ESW Piping 9.9E-6 1

in Control Building (loss of ESW and SW) 3: AC Switchgear Roorns in Control Ruptures in ESW and Fire Protection 5.6E-6 Building (FP) Piping (loss of all AC) 4: DC Power, Battery, and Inverter Ruptures in ESW and FP Piping 2.3 E-6 Roorns in Control Building (loss of all DC)

The total CDF from internal flooding is 1.78E-5/ year. The largest contributor to CDF from internal flooding is due to a break in ESW piping in the area containing the l

ESW/SW crosstle valves. This flood causes total loss of all service water (SW and ESW) and leads directly to core damage. The second dominant flood scenario is flood-induced failure of AC switchgear leading directly to core damage. The third s

l dominant flood scenario is flood-induced failure of DC switchgear leading directly to core damage.

l 30

2.7 Core Damage Sequence Results This section of the report summarizes our review of the dominant core damage sequences reported in 'he submittal. The reporting of core damage sequences-whether systemic or functional-was reviewed for consistency with the screening criteria of NUREG-1335. The definition of vulnerability provided in the submittal was reviewed. Vulnerabilities, enhancements, and plant hardware and procedural modifications, as reported in the submittal, were reviewed.

2.7.1 Dominant Core Damaae Secuences.

The submittal reported results using the functional reporting criteria of NUREG-1335.

The total point estimate CDF for Callaway is 5.85E-05/yr, including internal flooding.

The CDF from internal flooding was calculated to be 1.78E-5/ year. [pp.1-6,3.4-1 of submittal]

The submittal does not provide a listing that displays a complete breakdown of accident types and their contribution to CDF. However, we were able to e'xtract this information from data contained in Table 7-1 of the submittal Table 2-5 below lists the accident types and their corresponding CDF contributions. [ Table 7-1 of submittal]

Table 2-5. Accident Types and Their Contribution to Core Damage Frequency Accident Type CDF Contribution Percent Contributen pr yr.

to CDF Internal Flood 1.78E-05 30.5 Station Blackout (see note 1) 1.77E-05 30.3 LOCAs 1.11 E-05 19.0 Transient (see note 2) 1.03E-05 17.7 SGTR 8.48E-07 1.45 ATWS 4.25E-07 0.73 ISLOCA 1.73E-07 0.30 Notes: (1) All of the station blackout cutsets originate from the LOSP event tree. [p. 3.1-139 of submittal]

(2) includes transient-induced RCP seat and stuck-open PORV LOCAs.

It appears that RCP seal failures contribute about 44% of the CDF. Initiating events that contributed the most to the CDF, and their percent contribution, are listed below in Table 2-6. [pp. 3.1-21, 3.1-139, 4.3-16, Tables 3.3.2-1, 3.3.8-1, 3.3.9-7, 3.4.2-1, 3.4.2-2,7-1 of submittal]

I 31

.q c.

l-Table 2-6.' initiating Events and Their Contribution to Core Damage Frequency initiating Event CDF Contribution / yr.

% Cont.

to CDF LOSP 1.78E-05 30.5 Rupture of ESW Piping in Elev.1974 of Control Eddg. (Flood) 9.9E-06

-16.9 l

l Transient-Induced RCP Seal LOCA 4.75E-06 8.1 Rupture of ESW Piping in Elev. 2000 of Control Bldg. (Flood) 4.6E 06 8.0 Intermediate LOCA 4.32E-06 7.4 Small LOCA 4.29E-06 7.3 Loss of All Service Water 3.81 E-06 6.5 Large LOCA 2.17E 06 3.7 Rupture of Firewater Piping in Elev. 2016 of Control Bldg.

2.1 E-06 3.5 (Flood)

Rupture of Firewater Piping in Elev. 2000 of Control Bldg.

9.5E-07 1.6 (Flood) j SGTR 8.48E 07 1.4 j

Loss of All Component Cooling Water 5.37E-07 0.9

-l l

Loss of Main Feedwater 5.19E-07 0.9 ATWS 4.25E-07 0.7 Reactor Trip -

3.14E-07 0.5 Reactor Vessel Rupture 3.0E-07 0.5 Loss of a Vital DC Bus 2.50E-07 0.4 l

Rupture of ESW Piping in Elev. 2016 of Control Bldg. (Flood) 2.3E-07 0.4

)

l RHR Suction Line ISLOCA 1.01 E-07 0.2 Very Small LOCA 6.81 E-08 0.1 l

RHR Pump Cold Leg injection Path ISLOCA 6.20E-08 0.1 J

Failure of a Pressurizer PORV to Reclose After Reactor Trip 3.72 E-08 0.06 i

Rupture of ESW Piping in Elev. 2026 of Control Bida. (Flood) 1.66E-08 0.03 Safety injection Pump Cold Leg laiection Path ISLOCA 1.01 E-08 0.02 i

All Secondary Line Breaks 4.42E-09 0.01 RHR Pump Hot Leg injection Path ISLOCA 1.32E 11 0.00002 Rupture of Circulating Water Sys. Piping in Circ /SW 7.4E-12 0.00005 Pumphouse (Flood)

Safety injection Pump Hot Leg injection Path ISLOCA 4.34E-12 0.000007 The initiating event " Transient-induced RCP Seal LOCA" listed above is actually an accident class in which loss of RCP seal cooling occurs following an transient initiating event. The loss of RCP seal cooling is not directly caused by the transient, but is

-instead the result of subsequent post-initiator failures during the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months analysis mission time. The relevant accident sequences represent an unmitigated RCP seal LOCA condition. The analysis has separately modeled two initiating events that directly cause loss of RCP seal cooling, specifically loss of CCW and loss of service water. (p. 3,4-7, Figures 3.1.3-1 to 3.3.3-3, 3.1.3-5 to 3.1.3-8 of submittal) i The top five core damage sequences are presented in Table 2-7 of this report, based on information from Section 3.4.1.3 of the submittal.

32 P

L l

i Table 2-7. Top 5 Core Damage Sequences initiating Event (Failures Independent CDF in 1/ year and in % of due to initiating Event)

Failures Total l

Flood in Area Containing Failure uf Operator Action to isolate 9.9E-6/ year 16.9%

l SW/ESW Valves Flood Leading to Loss of Seal Cooling (ESW/SW Valves) and Loss of all ECCS Pumps resulting in Small LOCA that cannot be Mitigated Loss of Offsite Power Loss of Onsite AC Power causing 7.0E-6/ year 12.0%

Station Blackout; Success of TD AFW; Successful Depressurization; Recovery of AC Power in 8 Hours; Failure of Charging and High Head Sl Pumps leading to Inability to Mitigate the Seal LOCA (see note 1 below)

Flooding in ESF AC Failure of Operator Action to isolate 5.6E-6/ year 9.6%

Switchgear Rooms Flood leading to Loss of all AC Power (AC Switchgear in Both (Consequential Station Blackout); Seal l

Trains)

LOCA with Loss of All Injection leads to Core Damage Loss of Offsite Power Loss of Onsite AC Power causing 4.7E-6/ year '

8.1%

Station Blackout; Failure of TD AFW; Failure to Recover AC Power in 1 Hour Small LOCA '

Successful ECCS Injection; Failure of 3.9E-6/ year 6.7%

all ECCS Recirculation, both high and low pressure l

i Notes: (1) As previously noted in subsection 2.2.2 of this report, no credit was taken for mitigating a i

station-blackout induced RCP seal LOCA with depressurization and low pressure injection, given timely.

recovery of offsite power. The licensee omitted this cooling mode from the station blackout analysis to l

simplify the event tree and reduce the number of sequences requiring quantification. While credit for j

f this mitigation activity would have reduced the frequency of this sequence, some of the events falling high pressure injection would also fall low pressure (RHR) injection. Consequently, as stated by the

)

licensee, the benefit of crediting this mitigating action "would not have been as substantial on one might j

envision." [pp.14,15 of RAI Responses)

The licensee calculated the importanco of events in the IPE model. Based on the Fussell-Vesely ranking, the following hardware failures and operator errors are most important: failure to recover offsite power, failure of diesel generators, failure to establish CCW cooling to the RHR heat exchangers, failure of the TD AFW pump, and failure to recover ESW. [ Table 3.3.8-1 of submittal]

2.7.2 Vulnerabilities.

(

i The process described in NUMARC 91-04 was used to identify potential plant-specific 1

vulnerabilities. The licensee states that two of the NUMARC groups warrant attention:

h a

33 l

l

j

,e

-o Group llA, that deals with induced RCP seal LOCAs with loss of injection', and Group Vll, internal flooding. Tne licensee concludes that group ilA is not indicative of any vulnerability since seal LOCAs are a significant contributor to the total CDF in most PWR PRAs. The licensee concludes that group Vll is not indicative of any vulnerability since the.models used for calculating the CDF from internal flooding result in a " conservatively" high CDF. [pp. 3.4-16, 3.4-17.of submittal]

The licensee concludes that no vulnerabilities were found as a result of the IPE. [p.

i 3.4-17 of submittal]

2.7.3 Prooosed imorovements and Modifications.

i The licensee identified several plant enhancements in conjunction with the IPE analysis. Summarized below are the proposed plant improvements, including their current status and CDF impact (if availaole). The status of the IPE model relative to each modification (whether or not credited) is also noted. [pp.16 to 19,22,23 of RAI Responses, pp. 6-1.to 6-5 of submittal]

Installation of high temoerature cualified RCP seal O-rinos.' Installation of these specially qualified 0-rings has been completed. The IPE took credit for this modification. Without this modification, the station blackout CDF contribution would increase by about 20% (from 1.77E-05/yr to 2.1E-05/yr), and the total

.CDF contribution would increase by about 6% (from 5.85E-05/yr to 6.2E-05/yr).

Procedural and hardware chanaes to allow feed of deoressurized steam generators from diesel-driven fire oumo. This plant modification has been completed, but was not credited in the IPE. The licensee estimates that the CDF (excluding intemal flooding) would be reduced by about 10% if credit had been taken for this plant modification. Altematively, the total CDF (including internal flooding) would decrease by about 7% (from 5.85E-05/yr to 5.4E-05/yr) with credit for this modification.

l Addition of orocedural auldance to re-establish normal service water should-gggential service water (ESW) fall. This procedural enhancement has been completed. The IPE did not take credit for this modification.

Addition of crocedural auldance for ooeratina the chargina and safety iniection oumos without CCW. Lube oil cooling for the charging and safety injection pumps is provided by the CCW system. This procedural enhancement, which has been completed, facilitates the use of charging and safety injection pumps i

in accident scenarios involving loss of CCW. The IPE took credit for this plant

)

modification.

Approximately 50% of the Group llA CDF contribution of 1.87E-05/yr is related to unmitigated RCP seat falture.

1 34

, 6

. o L

i i

t L

Addition of crocedural cuidance to verifv RHR oumo room coolina at switchover L

to ECCS recirculation chase. This modification dire. cts operators to locally start l

the RHR room coolers if they are not running at the time of ECCS switchover.

i This procedural enhancement has been completed. The IPE did not take credit for this modification.

' Addition of a black-stari combustion turbine generator (CTG). The licensee e

estimates that the CDF (excluding internal flooding) would be reduced by about l.

50% if credit had been taken for a black-start CTG. Alternatively, the total CDF

]

(including internal flooding) would decrease by about 35% (from 5.85E-05/yr to l

about 3.8E-05/yr) with the addition of the CTG. The licensee has determined

)

l that this type of plant enhancement is not cost-effective. The IPE did not take

)

credit for this proposed modification.

=

Addition of a black-start gasoline or diesel aenerator. As an alternative to the l

. CTG discussed above, a smaller generator (gasoline or diesel) could be l

installed to power a battery charger and charging pump. The licensee estimates that the CDF (excluding internal flooding) would be reduc'ed by at l

-least 25% if credit had been taken for this type of generator. Afternatively, the

]

total CDF (including internal flooding) would decrease by at least'17% (from

. 5.85E-05/yr to about 4.8E-05/yr) with'this modification. The licensee has l

determined that this type of plant enhancement is not cost-effective. The IPE l

did not take credit for this proposed modification.

Reolacement of the oositive disolacement chargina oumo (PDP) with a third a

centrifugal charoing oumo (CCP). The high cost of maintaining the PDP prompted studies for replacement of this pump with a CCP. The PDP has been l

replaced with a third CCP, the normal charging pump (NCP). Unlike the PDP, i

the NCP does not require cooling from the CCW. The NCP is powered from a j

'non-safety bus rather than an' independent, backup power supply. The CDF j

impact will be determined at a later date. The IPE did not take credit for this l

l modification.

Provide a switch to bvoass feedwater isolation in order to restore main l

feedwater. Following a reactor trip at Callaway, main feedwater is isolated. If AFW subsequently fails, procedures direct operators to attempt restoration of main feedwater. Without a special bypass switch, operators have to manually lift leads and install jumpers, a relatively time-consuming process. This plant modification is currently scheduled for the fall'of 1996. It appears that the IPE did not take credit for this modification. The expected CDF reduction is not provided.

3 Procedural and hardware chanaes to reduce the core damaae risk due to j

internal flooding. The licensee has formed a task team to evaluate methods for j

reducing the CDF due the internal flooding. This team has determined that 35

+

n a

n w

installation of the normal charging pump (NCP) discussed above could provide mitigation of flooding events involving loss of CCW. The team is also considering other options to reduce flooding-related CDF, including flood detection, improved drainage, and response procedures. The improvements under consideration were not credited in the IPE. At the present time, the licensee has not generated estimates of CDF reductions related to possible flood-related improvements.

Plant changes specifically due to the Station Blackout Rule were not included in the IPE model. - However, the IPE did take credit for a plant modificabon that reduces the station blackout CDF, namely the installation of high temperatura qualified RCP seal O-rings. As discussed above, the installation of these new O-rings has been completed. Without this modification, the station blackout CDF contribution would l

increase by about 20% (from 1.77E-05/yr to 2.1E-05/yr), and the total CDF contribution would increase by about 6% (from 5.8vE-05/yr to 6.2E-05/yr). [pp.15,16 of RAI Responses) i I

l l

I I

t i

36 I

l i

i

.l l

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS This section of the report provides our overall evaluation of the quality of the front-end portion of the IPE based on this review. Strengths and shortcomings of the IPE are i

summarized. !mpodant assumptions of the model are summarized. Major insights from the IPE are presented.

3 i

Strengths of the IPE are as follows. The internal flooding analysis appears to be more l-thorough in comparison to the flooding analyses in some other IPE/PRA studies.

No major weaknesses of the IPE were identified.

4-J Based on our review, the following aspects of the modeling process have an impact on the overall CDF:

4 i

Deoressurization and use of RHR can mitigate a small LOCA or a smal.1 j

2 j

medium LOCA for which hiah head iniection has failed. This element of the i

success criteria lowers the CDF from small and medium LOCAs by' crediting an option for mitigation of the LOCAs if high pressure injection is lost.

i Use of the Westinohouse RCP seal LOCA model. The use of this model lowers the CDF from a seal LOCA compared to IPEs that have used the NUREG 1150 i

l' model for a seal LOCA.

J Credit for coerator action to block automatic actuation of hiah head iniaction oumos during a small LOCA caused by loss of CCW. This aspect of the modeling process lowers the CDF from a seal LOCA caused by loss of CCW by crediting use of high pressure injection pumps after recovery of CCW.

No reouirement for HVAC for AC switchaear. This plant feature lowers the CDF by not requiring operation of HVAC to support operation of AC electrical switchgear.

4 l

Relativelv low values for orobability of non-recoverv of AC oower. This aspect of the modeling process lowers the CDF from station blackout by using a higher probability for recovery of AC power than reflected by average industry data.

Significant level-one IPE findings are as follows:

)

internal floodino is the most dominant accident clase contributor to CDF. The e

most impodant flooding sequence involves a flood in the control building that i

disables all service water and leads directly to core damage. Operator recovery actions in this sequence are made difficult due to possible submergence of isolation valves. Two other important sequences involve floods in the control j

building that disable vital AC or DC electrical equipment.

37

o a

4. DATA

SUMMARY

SHEETS This section of the report provides a surnmary of information from our review.

Initiatino Event Freauencies initiating Event Frequency per Year LOSP 4.6E-02 Transient w/MFW initially availt':le 3.0E+00 Transient with loss of MFW 2.1 E-01 Steamline break inside containment 8.7E-05 Steamline break outside containment 1.8E-04 Main feedline break upstream of feedline check 2.1 E-04 valve Main feedline break downstream of feedline check 2.3E-05 valve Totalloss of CCW 6.42E 05-Loss of DC Bus 1.81 E-03/per vital bus Totalloss of SW 4.69E-05 Excessive LOCA 3.0E-07 Large LOCA (6*-29')

5.0E-04 Medium LOCA (2"-6')

1.0E-03 Small LOCA (1/2"-2')

1.0E-03 Very Small LOCA (<1/2')

1.3E-02 SGTR 1.2E-02 RHR suction line ISLOCA 1.68E-06 l

RHR accum. line ISLOCA 1.49E-05 RHR hot leg injection line ISLOCA 3.18E-09 Si cold leg injection line ISLOCA 1.49E-05 Si hot leg injection line ISLOCA 6.36E-09 Overall CDF i

The total CDF from internal initiating events was calculated to be 4.06E-5/ year, and i

the total CDF from internal flooding was calculated to be 1.78E-5/ year.

l l

l 38

5 Dominant initiating Events Contributino to CDF LOSP 30.5%

ESW Flood in Control Bldg. Elev.1974 16.9%

Transient-induced RCP Seal LOCA 8.1%

ESW Flood in Control Blgd. Elev. 2000 8.0%

Intermediate LOCA 7.4%

Small LOCA.

7.3%

Loss of All Service Water 6.5%

Large LOCA 3.7%

Firewater Flood in Control Blgd. Elev. 2016 3.5%

Firewater Flood in Control Bigd. Elev. 2000 1.6%

SGTR 1.4%

Loss of All Component Cooling Water 0.9%

Dominant Hardware Failures and Ooerator Errors Contributino to CDF Based on the Fussell-Vesely ranking, the following hardware failures and operator errors are most impor1 ant: failure to recover offsite power, failure of DGs, failure to establish CCW cooling to the RHR heat exchangers, failure of the TD AFW pump, and failure to recover ESW.

Dominant Accident Classes Contributino to C&E Internal Flood 30.5 %

- Station Blackout 30.3%

LOCAs 19.0%

Transient 17.7%

SGTR 1.4%

ATWS 0.7%

ISLOCA 0.3%

Design Characteristics imoortant for CDF Ability to oerform feed and bleed once-through coolino. This design feature e

lowers the CDF by providing an alternative method of core cooling given unavailability of feedwater.

Service water system flexibility and redundanev. The plant has dedicated standby essential service water (ESW) pumps that are available to provide backup flow to the ESW headers. During normal operation, non-essential service water pumps provide flow to the ESW headers. This design feature tends to decrease the CDF.

A complete set of initiating event CDF contributors is provided in Table 2-6 of this report.

39

~. - -

- - - -. - -. - -. ~,

.,o Ability to use the ESW system as a source of backuo water sucolv for the

[

auxiliarv feedwater (AFW) system. The ESW system can provide a backup source of AFW suction water supply in the event water from the condensate storage tank (CST) becomes unavailable. This design feature tends to 4

decrease the CDF.-

Eight hour batterv lifetime for turbine-driven AFW oumo. Battery power for i

control of the AFW turbine-driven pump can be sustained for 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months , apparently without load shedding. This 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months battery lifetime tends to lower i

j the CDF from station blackout, as this time is longer than that available at many

)

j

' other plants.

Semi-automatic ECCS 'switchover. The switchover of RHR pumps from injection to sump recirculation is fully automated. - However, the establishment of high pressure recirculation requires manual operator actions to align the-suction of the safety injection and/or charging pumps to the discharge of the RHR pumps. This design feature tent te increase the CDF over what it would otherwise be with a fully automatic system.

New high temoerature aualified reactor coolant oumo (RCP) O-rinas. These new RCP O-rings tend to lower the CDF because of the increased ability of the RCP seals to withstand loss of cooling.

Ability to feed deoressurized steam aenerators from diesel-driven fire oumo.

This design feature tends to lower the CDF, though it was not credited in the IPE.

Modifications The licensee identified several plant enhancements in conjunction with the IPE analysis. Summarized below are the proposed plant improvements, including their current status and CDF impact (if available). The status of the IPE model relative to each modification (amount of credit taken) is also noted.

Installation of hiah temoerature aualified RCP seal O-rinas. Installation of these specially qualified 0-rings has been completed, and was credited in the IPE.

Without th_is mredification, the station blackout CDF contribution would increase

~

by about 20% (from 1.77E-05/yr to 2.1E-05/yr), and the total CDF contribution would increase by about 6% (from 5.85E-05/yr to 6.2E-05/yr).

i Procedural and hardware changes to allow feed of deoressurized steam e

generators from diesel-driven fire oumo. This plant modification has been completed, but was not credited in the IPE. The total CDF (including internal i

flooding) would decrease by about 7% (from 5.85E-05/yr to 5.4E-05/yr) with credit for this modification.

40

]

i Addition of crocedural cuidance to re-establish normal service water shou _id essential service water (ESW) fail. This procedural enhancement has been I

completed. The IPE did not take credit for this modification.

Addition of crocedural cuidance for coeratina the chargina and safety inigglign oumos without CCW. Lube oil cooling for the charging and safety injection pumps is provided by the CCW system. This procedural enhancement, which has been completed, facilitates the use of charging and safety injection pumps in accident scenarios involving loss of CCW. The IPE took credit for this plant modification.

I Addition of crocedural guidance to verifv RHR oumo room coolina at switchover to ECCS recirculation chase. This modification directs operators to locally start the RHR room coolers if they are not running at the time of ECCS switchover.

This procedural enhancement has been completed. The IPE did not take credit foi this modification.

Addition of a black-start combustion turbine cenerator (CTG). The total CDF (including internal flooding) would decrease by about 35% (from 5.85E-05/yr to about 3.8E-05/yr) with this modification. The licensee has determined that this type of plant enhancement is not cost-effective. No credit was taken in the IPE.

Addition of a black-start asoline or diesel aenerator. As an alternative to the l

CTG discussed above, a smaller generator (gasoline or diesel) could be l

installed to power a battery charger and charging pump. The total CDF l

(including internal flooding) would decrease by at least 17% (from 5.85E-05/yr to about 4.8E-05/yr) with this modification. The licensee has determined that this type of plant enhancement is not cost-effective. No credit was taken in the IPE.

l Reolacement of the oositive disolacement charaina oumo (PDP) with a third centrifuaal charaina cumo (CCP). The PDP has been replaced with a third CCP, the normal charging pump (NCP). Unlike the PDP, the NCP does not require cooling from the CCW. The NCP is powered from a non-safety bus rather than an independent, backup power supply. The IPE did not take credit for this modification.

Provide a switch to bvoass feedwater isolation in order to restore main feedwater. Following a reactor trip at Callaway, main feedwater is isolated. If l

AFW subsequently fails, procedures direct operators to attempt restoration of l

main feedwater. Without a special bypass switch, operators have to manually lift leads and install jumpers, a relatively time-consuming process. This plant modification is currently scheduled for the fall of 1996. It appears that the IPE i

did not take credit for this modification.

j 41

Procedural and hardware chances to reduce the core damaae risk due to

~

internal floodina. The licensee has formed a task team to evaluate methods for reducing the CDF due the internal flooding. The team is considering various options to reduce flooding-related CDF, including flood detection, improved drainage, and response procedures. The improvements under consideration were not credited in the IPE.

Plant changes specifically due to the Station Blackout Rule were n'ot included in the IPE model. However, the IPE did take credit for a plant modification that reduces the station blackout CDF, namely the installation of high temperature qualified RCP seal O-rings described above.

Other USI/GSis Addressed The submittal states that the utility considers USI A-17, " Systems Interactions" to be resolved.

Sionificant PRA Findinas Significant level-one IPE findings are as follows:

Internal floodina is the most dominant accident class contributor to CDF. The most important flooding sequence involves a flood in the control building that disables all service water and leads directly to core damage. Operator recovery actions in this sequence are made difficult due to possible submergence of isolation valves. Two other important sequences involve floods in the control building that disable vital AC or DC electrical equipment.

l 42

+

l REFERENCES l

[ EGG SSRE 8875)-

Generic Component Failure Data Base for Light Water and Liquid Sodium Reactor PRAs, EGG-SSRE-8875, February 1990.

[EPRI 2628)

PWR Safety and Relief Valve Test Program, EPRI NP-2628-SR.

[EPRI 4306)

Safety and Relief Valves in Light Water Reactors, EPRI NP-4306 SR.

[GL 88-20]

" Individual Plant Examination For Severe Accident l_

Vulnerabilities - 10 CFR 50.54 (f)", Generic Letter

'~

- 88.20, U.S. Nuclear Regulatory Commission, November 23,1988

[lPE Submittal)

Callaway IPE Submittal, September 29,1992

- [ Letter 9/19/92)

Letter from Donald Schnell, Union Electric, to NRC l

September 29,1992

[ Letter 1/8/93)

Letter from Donald Schnell, Union Electric, to NRC January 8,1993

[NSAC 147]

Losses of Offsite-Power at U. S. Nuclear Power Plants Through 1989, EPRI (Nuclear Safety Analysis Center), NSAC-147, March 1990.

[NUPEG-1335)

" Individual Plant Examination Submittal Guidance",

l NUREG-1335, U. S. Nuclear Regulatory i

Commission, August,1989 i

[NUS 5272)

Modeling of Recovery Actions in PRAs, NUS-5272, l

January 1991.

l

[RAI Responses]

Responses to NRC RAI Letter on Callaway IPE, letter from D. F. Schnell, Union Electric, to NRC, ULNRC-03271, September 28,1995; also follow-up

]

letter from D. F. Schnell, Union Electric, to' NRC, j

ULNRC-03294, November 22,1995.

\\

~

[RP 3000-34]

Faulted Systems Recovery Experience, RP 3000-34.

1 i

43 4

e

.. +.

--n 2

...-..a.

e -

u

-.a-

+

.a..

a....

r 8

d i

l l

1 l

i i

t APPENDIX B 1

i CALLAWAY PLANT UNIT 1.

INDIVIDUAL PLANT EXAMINATION TECHNICAL EVALUATION REPORT l

(BACK-END) i l

l l

N i

i

-.

ML20117J291

Contents

Text

SUMMARY

SUMMARY

SUMMARY

Navigation menu

ML20117J291

Text

SUMMARY

SUMMARY

SUMMARY

Navigation menu

Search