ML20128K187

Pilgrim,Technical Evaluation Rept on IPE Front End Analysis
ML20128K187
Person / Time
Site: Pilgrim
Issue date: 04/09/1996
From: Thomas W
SCIENCE & ENGINEERING ASSOCIATES, INC.
To:
NRC
Shared Package
ML20128K194 List:
References
CON-NRC-04-91-066, CON-NRC-4-91-66 SEA-93-553-13-A, SEA-93-553-13-A:4, NUDOCS 9610100298
APPENDIX A

PILGRIM NUCLEAR POWER STATION INDIVIDUAL PLANT EXAMINATION

TECHNICAL EVALUATION REPORT

(FRONT-END)

SEA 93-553-13-A:4

April 9, 1996

Pilgrim 1

Technical Evaluation Report on the Individual Plant Examination

Front End Analysis

NRC-04-91-066, Task 13

Willard Thomas

John Derby

Clint Shaffer

Science and Engineering Associates, Inc.

Prepared for the Nuclear Regulatory Commission

TABLE OF CONTENTS

E. EXECUTIVE SUMMARY
  E.1 Plant Characterization
  E.2 Licensee's IPE Process
  E.3 Front End Analysis
  E.4 Generic Issues
  E.5 Vulnerabilities and Plant Improvements
  E.6 Observations

1. INTRODUCTION
  1.1 Review Process
  1.2 Plant Characterization

2. TECHNICAL REVIEW
  2.1 Licensee's IPE Process
    2.1.1 Completeness and Methodology
    2.1.2 Multi-Unit Effects and As-Built, As-Operated Status
    2.1.3 Licensee Participation and Peer Review
  2.2 Accident Sequence Delineation and System Analysis
    2.2.1 Initiating Events
    2.2.2 Event Trees
    2.2.3 Systems Analysis
    2.2.4 System Dependencies
  2.3 Quantitative Process
    2.3.1 Quantification of Accident Sequence Frequencies
    2.3.2 Point Estimates and Uncertainty/Sensitivity Analyses
    2.3.3 Use of Plant Specific Data
    2.3.4 Use of Generic Data
    2.3.5 Common-Cause Quantification
  2.4 Interface Issues
    2.4.1 Front End and Back End Interfaces
    2.4.2 Human Factors Interfaces
  2.5 Evaluation of Decay Heat Removal and Other Safety Issues
    2.5.1 Examination of DHR
    2.5.2 Diverse Means of DHR
    2.5.3 Unique Features of DHR
    2.5.4 Other GSIs/USIs Addressed in the Submittal
  2.6 Internal Flooding
    2.6.1 Internal Flooding Methodology
    2.6.2 Internal Flooding Results
  2.7 Core Damage Sequence Results
    2.7.1 Dominant Core Damage Sequences
    2.7.2 Vulnerabilities
    2.7.3 Proposed Improvements and Modifications

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS

4. DATA SUMMARY SHEETS

REFERENCES

LIST OF TABLES

Table 2-1. Plant Experience With Recovery of Loss of Total Offsite Power
Table 2-2. Comparison of IPE and Average Industry LOSP Non-Recovery Data
Table 2-3. Plant Specific Component Failure Data
Table 2-4. HPCI and RCIC Plant Failure Data Before and After Improvement Program
Table 2-5. Comparison of Common-Cause Failure Factors
Table 2-6. MGL Parameters Used if Published Data Unavailable
Table 2-7. Accident Types and Their Contribution to Core Damage Frequency
Table 2-8. Initiating Events and Their Contribution to Core Damage Frequency
Table 2-9. Top 10 Dominant Functional Core Damage Sequences
Table 2-10. Summary of Plant Changes That Directly Affect Station Blackout

E. EXECUTIVE SUMMARY

This report summarizes the results of our review of the front end portion of the Individual Plant Examination (IPE) for Pilgrim. This review is based on information contained in the IPE submittal [IPE Submittal] along with the licensee's responses [RAI Responses] to a request for additional information (RAI).

In responding to the RAI, the licensee states that the original IPE analysis, as described in the IPE submittal, has been updated. The licensee response to the RAI describes the results of the 1995 IPE model, including updated accident sequences and dominant core damage contributors. To the extent possible, the IPE results and findings reported in this review are based on the 1995 IPE model as reported in the RAI responses.

E.1 Plant Characterization

The Pilgrim Nuclear Power Station consists of a single boiling water reactor (BWR) 3 Mark I unit. Design features at Pilgrim that impact the core damage frequency (CDF) relative to other BWRs are as follows:

  • Fourteen hour battery capacity. With credit for load shedding, the batteries can provide necessary power during station blackout for approximately 14 hours. The 14 hour battery lifetime is longer than battery lifetimes at many other plants. This design feature tends to lower the CDF.
  • Station blackout diesel generator. A station blackout diesel generator has been installed at Pilgrim. This design feature tends to lower the CDF.
  • Special 23 Kv offsite power line for plant shutdown functions. Pilgrim has a special 23 Kv offsite power connection that can be used to power emergency buses in the event offsite power from the two 345 Kv sources is lost. The 23 Kv power line is routed through a separate switchyard into the station shutdown transformer. Plant experience has shown that the 23 Kv line is more resistant to weather related effects than the 345 Kv sources. This design feature tends to lower the CDF.
  • Ability to perform vessel injection with fire water system. Alternate vessel injection can be accomplished with the fire water system. Because one of the fire water pumps is diesel-driven, this method of injection can be used during station blackout. This design feature tends to lower the CDF.
  • Limited vessel pressure relief capability. Pilgrim has a more limited vessel pressure relief capability than other BWRs of similar design. This limited pressure relief capability is due to the relatively small number of relief valves (2 code safety valves and 4 safety relief valves) and the relatively small capacity of each individual valve. This design feature tends to increase the CDF.
  • Hardened torus vent. The availability of a hardened torus vent provides an additional means of providing containment pressure control and decay heat removal. This design feature tends to lower the CDF.
  • Portable diesel-driven air compressor. A portable diesel-driven air compressor can be manually connected to the compressed air system. This additional source of compressed air tends to reduce the CDF.
  • Independence of diesel generators from external cooling water sources. The diesel generators (including the station blackout diesel generator) are self cooled. This design feature lowers the CDF.

E.2 Licensee's IPE Process

The licensee developed a Level 2 probabilistic risk assessment (PRA) in response to the requests of Generic Letter 88-20. The freeze date for the original IPE analysis reported in the submittal was December 31, 1991. The freeze date for the updated (1995) IPE was not provided.

The licensee provided the overall technical management of the IPE and was involved in all aspects of the analysis. It appears that the licensee performed the majority of the front-end analysis. Tenerra, L. P. assisted the licensee in the front-end accident sequence evaluation.

Plant walkdowns were used to support the IPE analysis. Major documentation used in the IPE included engineering drawings, system descriptions, the Updated Final Safety Analysis Report (UFSAR), Technical Specifications, and plant procedures.

There were several levels of review performed on the IPE, including an external peer review. The external review team consisted of 5 outside individuals with backgrounds in PRA, operations, reactor engineering, and thermal hydraulics analysis.

The licensee states that the IPE is a living model that is updated to reflect changes to plant configuration and performance.

E.3 Front End Analysis

The methodology chosen for the Pilgrim IPE front end analysis was a Level 1 PRA. The small event tree/large fault tree technique with fault tree linking was used to quantify core damage sequences.

Core damage was defined to occur when the water level remained below 2/3 of the core height for 10 minutes. It appears that the front end system success criteria were largely based on Modular Accident Analysis Program (MAAP) calculations. General Electric apparently generated some portions of the anticipated transient without scram (ATWS) success criteria with a "TRACG" analysis. The Pilgrim IPE success criteria are generally consistent with success criteria typically used in other BWR IPE/PRA studies.

The IPE analyzed typical generic and transient initiating events, as well as 6 special initiating events representing support system failures. Plant data and plant specific logic models were used to support the quantification of initiating events.

Plant specific data were used where possible for component failure rates and test/maintenance unavailabilities. Component unavailability estimates were derived for the period between 01/01/81 and 09/30/89 with one major exception. The data used to quantify the high pressure coolant injection (HPCI) and reactor core isolation cooling (RCIC) systems came from a five year moving average data base for the period between 03/31/87 and 03/31/92. These two systems were quantified with the more recent data to reflect their improved availability since 1990. The data collection period of 01/01/81 to 09/30/89 was used to ensure the equivalent of 5 full years of plant operation. Pilgrim was shut down for most of 1986 and all of 1987 and 1988 for reliability and safety enhancements.

The multiple Greek letter (MGL) method was used to model common cause failures. The common cause data used in the IPE are generally consistent with generic values typically used in other IPE/PRA studies.

The point estimate CDF from the updated (1995) IPE is 2.84E-05/yr¹, including internal flooding. The CDF contribution from flooding is 6.1E-08/yr. The internal initiating events that contribute most to the CDF and their percent contribution are listed below²:

  • Partial loss of offsite power (LOSP): 30%
  • Manual shutdown: 19%
  • Full LOSP (345 & 23 Kv): 10%
  • Turbine trip and reactor trip: 10%
  • Loss of feedwater: 8%
  • Medium loss of coolant accident (LOCA): 8%
  • Loss of condenser vacuum: 4%
  • Loss of DC Bus B: 3%
  • Main steam isolation valve (MSIV) closure: 3%

Core damage contributions by accident type are listed below:

  • Transient: 70%
  • Anticipated Transient Without Scram (ATWS): 16%
  • LOCA: 10%
  • Station Blackout: 3%
  • Interfacing systems LOCA: 0.4%
  • Internal Flood: 0.2%

The front and back end analyses were coupled by linking core damage cut sets directly into containment system event trees (CSETs). The output of the CSETs was used to generate a set of plant damage states (PDSs). The PDSs were subsequently evaluated by containment phenomenological event trees (CPETs) to generate source term frequencies. The process used to couple the front and back end analyses appears to be comparable with similar processes used in other PRA/IPE studies.

¹ As used here and in other portions of this report, the term "yr" refers to a reactor year.

² A complete set of initiating event CDF contributors is provided in Table 2-8 of this report.

E.4 Generic Issues

The licensee specifically addresses decay heat removal (DHR) and its contribution to CDF. The IPE DHR analysis was based on a narrow DHR definition, namely removal of decay heat from containment. This definition does not address core cooling aspects of DHR. Using qualitative discussions, the licensee concluded that the containment DHR reliability is high due to the availability of multiple containment systems.

Even if all these containment DHR systems were to fail, a significant amount of time is available for repair and recovery efforts. Specifically, 34 hours would be available before containment design limits are exceeded, and 47 hours would be available before the ultimate containment capacity is reached. No DHR-related vulnerabilities were identified by the licensee.

No generic safety issues (GSIs) or unresolved safety issues (USIs) other than A-45 are addressed by the IPE.

E.5 Vulnerabilities and Plant Improvements

The licensee used the following criteria to search for vulnerabilities:

  • Are there any new or unusual means by which core damage or containment failures occur as compared to those identified in other PRAs?
  • Do the results suggest that the Pilgrim core damage frequency would not be able to meet the NRC's safety goal for core damage (1E-04/yr)?

Based on the above criteria, the licensee concluded that there were no vulnerabilities at Pilgrim.

It appears that the following two plant improvements were identified as a result of the IPE:

  • Modify loss of DC procedures to allow operator judgment for load shedding of AC buses associated with failed DC supplies (completed)
  • Modify procedures to allow operators to use fire water for drywell sprays

The DC procedure enhancement has been completed. The status of the drywell spray enhancement is not known.

E.6 Observations

The licensee appears to have analyzed the design and operations of Pilgrim to discover instances of particular vulnerability to core damage. It also appears that the licensee has: developed an overall appreciation of severe accident behavior; gained an understanding of the most likely severe accidents at Pilgrim; gained a quantitative understanding of the overall frequency of core damage; and implemented changes to the plant to help prevent and mitigate severe accidents.

Strengths of the IPE are as follows: The IPE goes beyond the bounds of some other BWR IPE/PRA studies by considering and modeling common cause failures between the HPCI and RCIC systems.

No major weaknesses of the IPE were identified.

One weakness of the submittal was identified, namely that the licensee's DHR analysis was limited to removal of decay heat from containment. This narrow definition of DHR does not address core cooling aspects of DHR. In order to resolve USI A-45, licensees were requested to examine DHR for its capability during both core cooling and containment heat removal phases and for all accidents except large LOCAs, ATWS events, and ISLOCAs. While the licensee's narrow definition of DHR is judged to be a weakness of the submittal, both core and containment cooling have been accounted for in the overall IPE analysis process. In our judgment, the IPE models are capable of identifying DHR related vulnerabilities.

Significant level-one IPE findings are as follows:

  • The Pilgrim plant is located in a region of the country that is prone to more frequent occurrences of severe weather than many other nuclear plant sites. Consequently, LOSP frequencies and non-recovery probabilities are higher at Pilgrim compared to average industry data. Even so, station blackout contributes only about 3% of the total CDF at Pilgrim. The relatively low CDF contribution of station blackout at Pilgrim is due to: (1) a 14 hour battery capacity (with credit for load shedding), (2) the availability of a station blackout diesel generator, (3) the availability of a separate 23 Kv offsite power source for plant shutdown functions, (4) the availability of an AC-independent source of vessel injection (fire water), and (5) credit for recovery of failed diesel generators.
  • ATWS sequences contribute 18% to the total CDF. About 55% of the ATWS contribution is due to operator failure to initiate standby liquid control (SLC) injection. Another 20% of the ATWS contribution is related to inadequate pressure relief caused by failure of sufficient safety valves/safety relief valves to open.
  • Common cause failures of safety relief valves (SRVs) are important contributors in sequences where high pressure injection is unavailable and depressurization fails. As previously noted in the discussion on plant features, Pilgrim has a more limited vessel pressure relief capability than other BWRs of similar design.

1. INTRODUCTION

1.1 Review Process

This report summarizes the results of our review of the front-end portion of the IPE for Pilgrim. This review is based on information contained in the IPE submittal [IPE Submittal] along with the licensee's responses [RAI Responses] to a request for additional information (RAI).

In responding to the RAI, the licensee states that the original IPE analysis, as described in the IPE submittal, has been updated. The licensee response to the RAI describes the results of the 1995 IPE model, including updated accident sequences and dominant core damage contributors. To the extent possible, the IPE results and findings reported in this review are based on the 1995 IPE model as reported in the RAI responses.

1.2 Plant Characterization

The Pilgrim Nuclear Power Station consists of a single BWR 3 Mark I unit located on Cape Cod Bay in Massachusetts. Bechtel was the architect engineer and constructor. Pilgrim began commercial operation in December 1972. The plant was shut down for most of 1986 and all of 1987 and 1988 for reliability and safety enhancements. The Monticello plant is similar to Pilgrim. [p. A-2 of submittal, pp. 1.12, 2.21 of UFSAR]

Design features at Pilgrim that impact the core damage frequency (CDF) relative to other BWRs are as follows: [pp. 1.14 to 1.16, 6.0-6, 6.0-7 of submittal]

  • Fourteen hour battery capacity. With credit for load shedding, the batteries can provide necessary power during station blackout for approximately 14 hours. The 14 hour battery lifetime is longer than battery lifetimes at many other plants. This design feature tends to lower the CDF. [pp. 2.2-6, B.111, C.216, C.217, p. 3 of Table 2.41]
  • Station blackout diesel generator. A station blackout diesel generator has been installed at Pilgrim. This design feature tends to lower the CDF. [p. 2.3-29 of submittal]
  • Special 23 Kv offsite power line for plant shutdown functions. Pilgrim has a special 23 Kv offsite power connection that can be used to power emergency buses in the event offsite power from the two 345 Kv sources is lost. The 23 Kv power line is routed through a separate switchyard into the station shutdown transformer. Plant experience has shown that the 23 Kv line is more resistant to weather related effects than the 345 Kv sources. This design feature tends to lower the CDF. [pp. 2.2-5, 2.3-27, 2.3-28, B.91, B.9-2, B.101, B.10-2, NRC memo from M. Rubin to A. Thadani]
  • Ability to perform vessel injection with fire water system. Alternate vessel injection can be accomplished with the fire water system. Because one of the fire water pumps is diesel-driven, this method of injection can be used during station blackout. This design feature tends to lower the CDF. [pp. 2.2-6 of submittal]
  • Limited vessel pressure relief capability. Pilgrim has a more limited vessel pressure relief capability than other BWRs of similar design. This limited pressure relief capability is due to the relatively small number of relief valves (2 code safety valves and 4 safety relief valves) and the relatively small capacity of each individual valve. This design feature tends to increase the CDF.
  • Hardened torus vent. The availability of a hardened torus vent provides an additional means of providing containment pressure control and decay heat removal. This design feature tends to lower the CDF. [pp. 2.2-6, 3.612, B.6-8, B.6-9 of submittal]
  • Portable diesel-driven air compressor. A portable diesel-driven air compressor can be manually connected to the compressed air system. This additional source of compressed air tends to reduce the CDF. [pp. 2.2-7, 3.3-5, Al 5 of submittal]
  • Diverse instrument nitrogen supplies. Diverse means are available for supplying nitrogen to support important functions, for example the automatic depressurization system (ADS) valves. Sources of nitrogen include banks of bottled nitrogen and a trailer mounted set of liquid nitrogen tanks. This design feature tends to reduce the CDF. [pp. 2.2-7, B.13-2, B.13-3 of submittal]
  • Independence of diesel generators from external cooling water sources. The diesel generators (including the station blackout diesel generator) are self cooled. This design feature lowers the CDF. [p. 9 of Table 2.4-2 of submittal]

2. TECHNICAL REVIEW

2.1 Licensee's IPE Process

We reviewed the process used by the licensee with respect to: completeness and methodology; multi-unit effects and as-built, as-operated status; and licensee participation and peer review.

2.1.1 Completeness and Methodology.

The submittal is complete with respect to the type of information requested by Generic Letter 88-20 and NUREG-1335. No omissions were noted.

The Pilgrim IPE is a level 2 PRA. The IPE used the small event tree/large fault tree methodology with fault tree linking to perform the level 1 analysis. The Cut Set and Fault Tree Analysis (CAFTA) computer code was used to quantify accident sequences. The licensee had performed an earlier Industry Degraded Core Rulemaking Program (IDCOR) Individual Plant Evaluation Methodology (IPEM) study in 1988 to support a safety enhancement program, and this earlier study was used as the starting point for the IPE. [transmittal letter, p. 2.11 of submittal]

Intersystem dependencies are discussed and tables of system dependencies are provided. Data for quantification of the models are provided, including common cause events and human recovery actions. The application of the technique for modeling internal flooding is described in the submittal. Results of an importance analysis of key common cause and human event CDF contributors are presented. Two types of sensitivity analysis were performed on the IPE results.

2.1.2 Multi-Unit Effects and As-Built, As-Operated Status.

The Pilgrim plant is a single unit site; therefore, multi-unit considerations do not apply to this plant.

The licensee performed walkdowns and used various sources of plant specific information to support the analysis, for example engineering drawings, system descriptions, the UFSAR, Technical Specifications, and plant procedures. Plant records were reviewed to develop plant specific behavioral characteristics such as component failure rates and initiating event frequencies. [pp. 2.15 to 2.1-9 of submittal]

The freeze date of the original IPE analysis reported in the submittal was December 31, 1991. The freeze date for the updated (1995) IPE was not provided. [pp. 2.2-2 of submittal]

The licensee states that the IPE is a living model that is updated to reflect changes to plant configuration and performance. [p. 1 of RAI Responses]

2.1.3 Licensee Participation and Peer Review.

The licensee provided the overall technical management of the IPE and was involved in all aspects of the analysis. It appears that the licensee performed the majority of the front end analysis. Tenerra, L. P. assisted the licensee in the accident sequence evaluation. Gabor, Kenton, and Assoc., Inc., and Fauske and Assoc., Inc. assisted with the back end analysis. [pp. 2.14, 2.119, 2.120 of submittal]

Licensee personnel assigned to the IPE project included individuals with PRA expertise and licensed senior reactor operators (SROs). Other experience areas represented by the licensee IPE personnel included operator training, thermal hydraulics, operations, quality assurance, and system engineering. [pp. 2.118, 2.119, 2.1-27 to 2.129 of submittal]

There were several levels of review performed on the IPE. Initially, the licensee reviewed the consistency and correctness of assumptions and results, with minor contributions by consultants. This first level of review was done to ensure a complete transfer of technology to the licensee. [p. 2.120 of submittal]

An independent internal peer review was performed to ensure the accuracy of the documentation contained in the report and to validate the IPE process and results. This peer review team consisted of 7 individuals with backgrounds in PRA, engineering, operations, training, licensing and management. [pp. 2.1-28, 2.129 of submittal]

An external peer review was also performed on the IPE. The external review team consisted of 5 outside individuals with backgrounds in PRA, operations, reactor engineering, and thermal hydraulics analysis. These individuals were associated with the following organizations: Yankee Atomic Electric, Northeast Utilities, New Hampshire Yankee, Tenerra, and Gabor, Kenton, and Assoc. [pp. 2.14, 2.123, 2.130 of submittal]

The submittal provides examples of review comments generated by the internal and independent external review teams. Resolutions to some of these comments are also provided. [pp. 2.121 to 2.124 of submittal]

2.2 Accident Sequence Delineation and System Analysis

This section of the report documents our review of both the accident sequence delineation and the evaluation of system performance and system dependencies provided in the submittal.

2.2.1 Initiating Events.

Initiating events were identified from reviews of operating histories for Pilgrim and other plants, reviews of previous risk analyses, plant specific system analyses, and reviews of generic initiating event lists (for example, EPRI NP 2230). The initiating events included in the accident sequence analysis are listed below: [p. 22 of RAI Responses, pp. 2.18, 2.19, 3.11 to 3.113, Tables 3.11 and 3.13 of submittal]

Generic Transients:

  • Reactor and turbine trip
  • Loss of feedwater
  • Loss of feedwater (unrecoverable)
  • Loss of condenser vacuum
  • MSIV closure
  • Inadvertent open relief valve (IORV)
  • Manual shutdown
  • Loss of 345 Kv power
  • Loss of all offsite power (345 Kv and 23 Kv)

Special Initiators:

  • Loss of DC Bus A
  • Loss of DC Bus B
  • Loss of salt service water (SSW)
  • Loss of reactor building cooling water (RBCCW)
  • Loss of turbine building cooling water (TBCCW)
  • Loss of instrument air

LOCAs:

  • Small LOCA (mitigable by RCIC)
  • Medium LOCA
  • Large LOCA
  • Reactor vessel rupture
  • Reference line break
  • Large LOCA outside containment (main steam line break)

Interfacing systems LOCA (ISLOCA):

  • Core spray interfacing systems ISLOCA
  • Low pressure coolant injection (LPCI) ISLOCA

Internal Flooding:

  • (Number of initiating events not specified)

The manual shutdown category includes all those events in which a manual scram or manual shutdown was performed for either a planned or forced outage and for which none of the other transient categories was appropriate. [p. 14 of RAI Responses]

Twr, separate initiating events were used to model loss of normal power, specifically loss of all offsite power (345 Kv and 23 Kv), and lou of 345 Kv. Pilgrim is connected to the power grid via the 345 Kv connection.

A separate 23 Kv source is available to provide power to th6 station shutdown transformer. The shutdown transformer in turn can provide power to the essential 4,180 VAC buses. [pp. 2.3 27, 2.3 28, B.91, B.9-2, B.10-1, B.10-2]

Neither loss of an AC bus or loss of heating, ventilating, and air conditioning (HVAC) was modeled as an initiating event. The submittel does not indicate a reason for omitting these potential initiating event categories. It is noted that HVAC is used to support equipment operation in a number of plant locations.

Plant data used to support the quantification of initiating events were generally based on a collection period from 01/01175 to 9I30!89. The data collection start date of 01l01175 excludes Pilgrim's first year of operation to eliminate effects of the plant startup learning curve and equipment breakin. Where initiating event frequencies have been influenced by changes to plant design and operation (for example, LOSP),

adjustments have been made. [p. A 2 of submittal]

Transient events were quantified where possible with plant data via the process described above. The main sources of plant specific transient data were scram reports and Pilgrim Monthly Reports to the NRC. Small, medium, and large LOCA initiating events were apparently quantified from an IDCOR BWR methodology study [IPE BWR Method]. This IDCOR study is in turn at least partially based on EPRI data [EPRI 138]. The ISLOCA and LOCA outside containment events were based on NUREG/CR-2129, BWR Owners Group guidance (no reference provided), and plant specific considerations. [p. 7 of RAI Responses, pp. 2.122, 3.14 to 3.1-10, Tables 3.11, 3.13, A 7 of submittal]

Fault tree logic models were used to quantify the following plant specific initiating events: loss of salt service water (SSW), loss of reactor building cooling water (RBCCW), loss of turbine building cooling water (TBCCW), and loss of instrument air. Plant specific data were used where possible to support the quantification of these logic models. [p.11 of RAI Responses, pp. A 8 to A 10, Table 3.13 of submittal]

The IPE used a frequency of 3.89/yr for manual shutdowns, based on 47 events over about 12 years of reactor operation. This value reflects a relatively high level of plant shutdowns experienced during 1975-1989, though recent plant history indicates far fewer shutdowns. [pp.14,15 of RAI Responses]

A frequency of 0.142/yr was used for total LOSP (345 Kv and 23 Kv) in the original IPE reported in the submittal, and apparently was also used in the 1995 IPE. If more recent plant experience through August 31, 1995 is accounted for, the total LOSP frequency becomes 0.135/yr, based on 4 LOSP events over 20.7 years of reactor operation. For partial loss of power (345 Kv), the IPE used a frequency of 0.475/yr. If plant experience through August 31, 1995 is included, the loss of 345 Kv has an initiating frequency of 0.643/yr. [p.12 of RAI Responses]

The average frequency of total LOSP over all plants as reported in an Electric Power Research Institute (EPRI) publication [NSAC 147] is about 0.06/yr, compared to the IPE value of 0.142/yr. The higher value of total LOSP at Pilgrim can be attributed to severe weather activity experienced at Pilgrim.

The IPE frequency of 7E-04/yr for large LOCAs is a factor of 2 to 7 higher than corresponding data typically used in other BWR IPE/PRA studies. On the other hand, the Pilgrim IPE used a value of 8E-03/yr for small LOCAs, whereas some other BWR IPE/PRA studies have used values that are 5 to 10 times higher. The small LOCA frequency used in the IPE is based on EPRI guidance [EPRI 438] that suggests adding a contribution for recirculation pump seal leakage to the baseline value of 8E-03/yr, depending on the plant's vulnerability to seal leakage. The licensee states that Pilgrim's seal design is not prone to leakage, and therefore the EPRI small LOCA baseline frequency of 8E-03/yr was used. [p. 7 of RAI Responses]

The quantification of the remaining initiating events appears to be generally consistent with other PWR IPE/PRA studies.

2.2.2 Event Trees.

The following general categories of event tree models were used in the analysis: [Appendix C of submittal]

  • Transient and special initiators
  • LOSP
  • Station blackout and offsite power recovery
  • Stuck open relief valve (post transient)
  • Inadvertent open relief valve
  • Reference leg break
  • Small LOCA
  • Medium LOCA
  • Large LOCA
  • Reactor vessel rupture
  • Large LOCA outside containment (main steam line break)
  • ISLOCA (LPCI and core spray)
  • ATWS (with and without isolation from main condenser)

Core damage was defined to occur when the water level remained below 2/3 of the core height for 10 minutes. It appears that the front end system success criteria were largely based on Modular Accident Analysis Program (MAAP) calculations. General Electric apparently generated some portions of the ATWS success criteria with a "TRAGG" analysis [GE TRAGG]. The MAAP code was also used to assess containment accident progression. [pp. 38,41 of RAI Responses, pp. 1.08,2.31 of submittal]

The IPE assumed that vessel failure would occur with a frequency of 1E-05/yr, including both mitigable and non-mitigable breaks. Using the 1988 IDCOR Individual Plant Methodology (IPEM) for Pilgrim, the licensee assumed that mitigable medium or large LOCA breaks would occur 97% of the time. The remaining 3% of vessel breaks were assumed to be too large for successful mitigation. Therefore, the core damage frequency for non-mitigable vessel rupture events was 3E-07/yr. The vessel rupture event tree represented in Figure C.3 4 of the submittal displays the various accident sequence paths. [pp. 3.4 9, C.310 to C.312, Figure C.34 of submittal]

The IPE credited use of the fire water system for alternative vessel injection during transient events, small LOCAs, and reference line breaks. This action, which is proceduralized, requires installation of a spool piece to connect the fire water system to RHR system discharge piping. The spool piece is located in a cabinet immediately adjacent to its installation point, and can be connected without special tools due to the use of quick snap couplings. The fire water pumps, one diesel-driven and one electric motor driven, provide water from two 250,000 gallon onsite fire water storage tanks. Each of these pumps has a rated capacity of approximately 2,000 gpm. The licensee states that operators are trained and tested in the use of the fire water system. In addition to installation of the spool piece, use of the fire water system requires that operators open two valves. The availability of DC power is also required to allow vessel depressurization via the safety relief valves (SRVs). [pp. 23, 34, 37 of RAI Responses, pp. 2.315,2.316,2.343 to 2.346, B.5 7, p. 2 of Table 2.4-1 of submittal]

The adequacy of fire water vessel injection was evaluated through MAAP calculations that account for pump developed head, system flow losses, and backpressure inside the vessel or drywell. If the backpressure were to exceed approximately 120 psig, the fire water system would be unable to provide vessel makeup. [pp. 23,37 of RAI Responses, pp. 2.315, 2.316, 2.343 to 2.346, B.5 7 of submittal]

Footnote: The fire water system can also be used to provide vessel injection via hose connections to the feedwater system. However, it appears that the IPE did not take credit for this mode of fire water cooling. [pp. 2.315,2.316 of submittal]

Credit was taken for vessel makeup with the control rod drive (CRD) pumps, but only for an inadvertent open relief valve transient or a loss of feedwater and stuck open relief valve. CRD at full flow (both pumps) was assumed to be adequate in these cases, but only if other injection systems had previously operated for at least one hour. [pp. 2.3 41, B.5 8, C.14 of submittal]

The IPE credited the possibility of successful mitigation of ISLOCA events via injection from (1) the condensate system, with makeup to the condenser hotwell from the condensate storage tank (CST), or (2) the fire water system. The IPE did not credit LPCI or core spray in ISLOCA scenarios due to the adverse environmental conditions expected inside the reactor building. The IPE credited LPCI and fire water as injection sources for large LOCA outside containment events. [pp. 2.3 43, C3.13, C3.14, Figure C.3 6, C.3 7 of submittal]

The RCIC turbine exhaust trip setpoint is set at 46 psig. Because of this relatively high trip setpoint, the IPE considered the possibility of RCIC operation during a loss of containment cooling event. MAAP models accounted for this trip setpoint, as well as RCIC net positive suction head (NPSH) requirements to determine RCIC availability. [p.16 of RAI Responses]

The Pilgrim emergency operating procedures (EOPs) require that all injection from outside containment be terminated when the torus bottom pressure cannot be maintained below 60 psig. The action precludes any further increase in primary containment water level and is authorized because the consequences of not doing so may cause a loss of primary containment integrity. The EOPs are based on a philosophy that preferentially chooses to maintain primary containment integrity in order to protect against the uncontrolled release of radioactivity. [pp.16,17 of RAI Responses]

The existing logic models assumed no core damage if injection systems are successful and containment pressure is successfully controlled. No credit was taken for core cooling after containment failure. The MAAP models used to support the IPE failed injection systems when NPSH limits for pumps were exceeded, or when suppression pool temperatures exceeded limits for HPCI and RCIC pump oil cooling. Pilgrim has a hardened containment vent, and it appears that venting was credited in the front end analysis as a means of containment pressure control. [pp.1,17,18 of RAI Responses, p. B.610 of submittal]

An operator error associated with failure to inhibit the automatic depressurization system (ADS) was not modeled in the ATWS event trees. The licensee states that inclusion of this event would unnecessarily complicate an already complex ATWS event tree, and that no core damage sequences were missed as a result. General Electric analyses [GE TRAGG] were used to show that uncontrolled injection with low pressure systems during an ATWS will not result in substantial fuel damage or threaten the integrity of the reactor vessel. The GE analyses were not available for our review and thus we cannot pass judgment on their validity. However, we do note that failure of operators to inhibit ADS is a relatively small CDF contributor in many other BWR IPE studies.

Pilgrim has two safety valves and four safety relief valves (SRVs). All four relief valves can be automatically opened by the ADS. The number of safety valves and SRVs is less than for comparable plants. The licensee states that the capacity of these valves is also less than for comparable plants. The IPE required that 3 of the 4 SRVs open to provide successful vessel depressurization to allow use of low pressure injection systems during a transient, small LOCA, or medium LOCA. For ATWS events, at least 5 of the 6 safety valves/SRVs were assumed to be required for pressure relief. [pp. 2.2 7, 2.311, B.4-1, C.5-16, Table 2.31 of submittal]

2.2.3 Systems Analysis.

System descriptions are included in Section 2.3 and Appendix B of the submittal. The system descriptions provide information related to system function, system design and operation, and key modeling assumptions. The system descriptions also contain simplified schematics that show major equipment items and important flow and configuration information. A total of 15 systems are described, including ECCS, electrical power, cooling water, instrument air, and HVAC.

2.2.4 System Dependencies

The IPE addressed and considered the following types of dependencies: motive power, direct equipment cooling, HVAC, and instrumentation and control. Dependency matrices are provided in Tables 2.4-1 through 2.4-4 of the submittal. These tables display, respectively, the following dependency relationships: [Section 2.4 of submittal]

  • Frontline support system dependencies
  • Support system dependencies
  • Initiating event impact on front line systems
  • Frontline system impact on other frontline systems.

Room heatup analyses were made to identify equipment HVAC requirements.

The IPE modeled HVAC as a required dependency for RHR and core spray systems. In addition, HVAC was modeled as a dependency for electrical switchgear and battery rooms, though operator compensatory actions were apparently credited for establishment of alternate ventilation in the switchgear rooms. [pp. 2.2 3, 2.2 4,2.3 38, A122 of submittal]

It appears that the IPE has properly accounted for all component and system dependencies.

2.3 Quantitative Process

This section of the report summarizes our review of the process by which the IPE quantified core damage accident sequences. It also summarizes our review of the data base, including consideration given to plant-specific data, in the IPE. The uncertainty and/or sensitivity analyses that were performed were also reviewed.

2.3.1 Quantification of Accident Sequence Frequencies.

The IPE used the small event tree/large fault tree technique with fault tree linking to quantify core damage sequences. Functional event trees are used. The Cutset and Fault Tree Analysis (CAFTA) software was used to develop the fault trees and perform the accident sequence quantification. Accident sequence cut sets were developed to the level of specific failures or basic events. The accident sequence cut set truncation limit was 1E-09/yr. [pp. 2.110 to 2.115,2.2 2,3.31 of submittal]

Non-recovery data for LOSP initiating events were based on the licensee's analysis (lognormal distribution) of plant specific experience with recovery of total LOSP. Plant experience with total LOSP events is summarized below in Table 2-1. [pp. 8 to 10 of RAI Responses, NSAC 147]

Table 2-1. Plant Experience With Recovery of Loss of Total Offsite Power

| Event Date | Causes of Total LOSP | Recovery Time | Used to Support IPE Analysis? | Notes |
|---|---|---|---|---|
| 5-10-77 | Snowstorm | 2 hours, 40 minutes | Yes | |
| 2-6-78 | Severe winds, heavy snow; insulators covered with ice and salt | 2 hours, 7 minutes | Yes | |
| 11-19-86 | Severe storm | 0 hours, 3 minutes | Yes | |
| 11-12-87 | Severe winds, heavy wet snow; snow, ice and salt spray on switchyard | 11 hours, 0 minutes | No | Incident not considered in IPE because plant had been in cold shutdown for over a year, and the 23 Kv power source had been removed for a once-in-a-lifetime plant enhancement (installation of station blackout diesel generator) |
| 10-30-91 | Not provided | 1 hour, 49 minutes | Yes | |

Table 2-2 compares the IPE LOSP non-recovery data with average industry experience reported in an Electric Power Research Institute (EPRI) document [NSAC 147]. [p. 9 of RAI Responses]

Table 2-2. Comparison of IPE and Average Industry LOSP Non-Recovery Data

| Time After LOSP Initiator | Cumulative Non-Recovery Probability, 1995 IPE | Cumulative Non-Recovery Probability, Average Industry Data (NSAC 147) |
|---|---|---|
| 2 | 0.68 | 0.3 |
| 5 | 0.43 | ~0.13 |
| 12 | 0.15 | ~0.06 |
| 15 | 0.094 | ~0.003 |
| 24 | 0.024 | <0.002 |

As shown in Table 2-2, the IPE non-recovery data are about a factor of 3 higher than average industry experience at and beyond 5 hours. Given Pilgrim's history with severe weather, it is appropriate that the IPE non-recovery factors are less optimistic than average industry experience.

The IPE also took credit for the recovery of failed diesel generators. At 2 hours, the cumulative non-recovery probability is 0.90, while at 12 hours the cumulative non-recovery probability is 0.44. It appears that these diesel generator non-recovery data are based on Pilgrim plant experience. [Figure C2.8, C.2 21 of submittal]

2.3.2 Point Estimates and Uncertainty/Sensitivity Analyses.

The IPE used point value estimates for hardware failures in cases where at least one actual plant failure occurred. For cases where plant specific experience indicated zero failures, hardware events were quantified either from (1) point estimates using an assumed value of 0.5 for the number of failures over the exposure period, or (2) mean value generic failure data. As discussed in Subsection 2.3.3 of this report, the choice of data in the zero failure case was based on the lower of the plant specific calculation or generic data.

Where plant specific maintenance unavailability data were available, the IPE used point estimates. Generic maintenance unavailability data used in the analysis represent mean values. The human error probabilities (HEPs) appear to represent point estimates. [pp. A 34, A 35, A 38, A 40 to A 46 of submittal]

The transient initiating events are point estimates generally derived from plant experience. It appears that point estimates were also used to quantify initiating events for LOCAs, special initiators, and internal flooding events. [Tables 3.11,3.13 of submittal]

No statistical uncertainty analysis was performed on the original IPE results that are reported in the submittal. It is not known if a statistical uncertainty analysis was performed in conjunction with the updated 1995 IPE.

Two types of sensitivity analysis were reported by the licensee. In one of these sensitivity analyses, an evaluation of the impact of revised loss of power initiating event frequencies was made on the original IPE model, without consideration of other performance updates and enhancements developed over the last three years. The original IPE used frequencies of 0.475/yr and 0.142/yr, respectively, for loss of preferred (345 Kv) and total LOSP. Using a revised frequency of 0.643/yr for loss of preferred power, the CDF in the original IPE increased by about 8.5% (from 5.85E-05/yr to 6.35E-05/yr). Using a revised frequency of 0.135/yr for total LOSP, the original IPE CDF decreased by no more than about 1%. [p.12 of RAI Responses]

Footnote: It is not clear whether these data pertain to non-recovery of an individual diesel generator or the non-recovery of at least one diesel generator among all three failed diesel generators.

The other type of sensitivity analysis reported by the licensee was the identification of sequences that would exceed 1E-06/yr if HEP error rates were set equal to 1.0. This sensitivity analysis was reported in the submittal for the original IPE. The RAI responses do not indicate whether a similar sensitivity analysis was performed for the 1995 IPE. [pp. 3.34,3.313 of submittal]

The submittal presents the results of a Fussell-Vesely importance analysis of important common cause hardware failures and human errors. It is not known whether a revised set of importance measures was also generated for the 1995 IPE. [pp. 3.3 7 to 3.312 of submittal]

2.3.3 Use of Plant Specific Data.

Plant specific data were used where possible for component failure rates and test/maintenance unavailabilities. Component unavailability estimates were derived for the period between 01/01/81 and 09/30/89 with one major exception. The data used to quantify the HPCI and RCIC systems came from a five year moving average data base for the period between 03/31/87 and 03/31/92. These two systems were quantified with the more recent data to reflect their improved availability since 1990. [p. 28 of RAI Responses, pp. 2.2-2, 2.5 2, 2.5 3, A 2 to A4 of submittal]

The data collection period of 01/01/81 to 09/30/89 was used to ensure the equivalent of 5 full years of plant operation. Pilgrim was shutdown for most of 1986 and all of 1987 and 1988 for reliability and safety enhancements. [pp. 2.5 2, A 1, A 2 of submittal]

Plant specific component failure data were used as actual failure rates in the IPE (no update of generic data) if plant specific experience indicated at least one failure. In cases where plant specific experience indicated zero failures, the lower of plant specific or generic data were used. The plant specific failure rate for a zero failure case was calculated using an assumed value of 0.5 for the number of failures over the exposure period. [p. 2.5 3 of submittal]
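The zero-failure rule described above can be set beside the Bayesian estimate mentioned in this section's footnote. The following is an added example, not code from the licensee or from this review; the input rows are transcribed from Table 2-3, and the prior shape parameter of 0.5 is an assumption, since the report does not specify a prior.

```python
"""Added example: the IPE's zero-failure rule next to a conjugate Bayesian update."""

ASSUMED_FAILURES = 0.5  # failure count the IPE assumed when none were observed
PRIOR_SHAPE = 0.5       # ASSUMPTION: prior shape parameter, not given in the report

# (component, failure mode, plant failures, demands or hours, generic estimate)
# Values transcribed from Table 2-3 of this review.
TABLE_2_3_ROWS = [
    ("RHR pump", "start", 0, 1525.0, 3e-3),
    ("HPCI pump", "run", 0, 30.3, 5e-3),
    ("Diesel generator", "run", 0, 1413.0, 2e-3),
    ("Circuit breaker", "open", 0, 2258.0, 3e-3),
    ("SSW pump", "start", 7, 635.0, 3e-3),
]


def ipe_estimate(failures, exposure, generic):
    """Apply the rule of Subsection 2.3.3.

    One or more failures: plant data are used directly.
    Zero failures: the lower of (0.5 / exposure) and the generic value is used.
    Returns (estimate, source label).
    """
    if exposure <= 0 or failures < 0:
        raise ValueError("exposure must be positive and failures non-negative")
    if failures > 0:
        return failures / exposure, "plant"
    plant = ASSUMED_FAILURES / exposure
    if plant < generic:
        return plant, "plant (0.5 failures assumed)"
    return generic, "generic"


def bayes_posterior_mean(failures, exposure, generic, shape=PRIOR_SHAPE):
    """Posterior mean with a conjugate prior whose mean equals the generic value.

    For demand failures the prior is Beta(a, b) with a / (a + b) = generic;
    for hourly rates it is Gamma(a, rate b) with a / b = generic. Both give
    the same posterior mean: (a + failures) / (a / generic + exposure).
    """
    if exposure < 0 or generic <= 0:
        raise ValueError("exposure must be non-negative and generic positive")
    prior_exposure = shape / generic  # pseudo-demands or pseudo-hours in the prior
    return (shape + failures) / (prior_exposure + exposure)


def compare(rows=TABLE_2_3_ROWS):
    """Return one record per component with both estimates side by side."""
    records = []
    for component, mode, failures, exposure, generic in rows:
        value, source = ipe_estimate(failures, exposure, generic)
        records.append({
            "component": component,
            "mode": mode,
            "generic": generic,
            "ipe": value,
            "ipe_source": source,
            "bayes": bayes_posterior_mean(failures, exposure, generic),
        })
    return records


if __name__ == "__main__":
    for r in compare():
        print(f"{r['component']:17s} {r['mode']:6s} generic={r['generic']:.2e} "
              f"IPE={r['ipe']:.2e} ({r['ipe_source']}) Bayes={r['bayes']:.2e}")
```

With zero observed failures the posterior mean is below the generic value for any positive exposure, which is the point made in the footnote; how far below depends on the assumed prior shape.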

Table 2-3 of this review compares Pilgrim plant specific failure data for selected components to values typically used in PRA and IPE studies, using NUREG/CR-4550 data for comparison. [p.13 of RAI Responses, pp. A4 to A 7, A 34, A 35 of submittal]

Table 2-1 indicates that some IPE data for the following component failure modes are a factor of 5 to 10 lower than the generic NUREG/CR-4550 data: HPCI pump (start), RHR pump (start), SSW pump (run), RBCCW pump (start/run), circuit breaker (open), diesel generator (start/run). On the other hand, IPE data for battery chargers and SSW pump start failures are about a factor of 20 higher than the generic data. Other IPE component failure data listed in Table 2-2 are generally within a factor of 3 of corresponding generic data.

Footnote: NUREG 1335 requested that licensees identify sequences that have dropped below the reporting criteria because their frequencies have been reduced more than an order of magnitude for credit taken from human recovery actions.

Footnote: The selection of the lower of these two types of estimates may appear to be overly optimistic. However, a Bayesian analysis using the generic estimate as a prior and with no plant specific failures would give an estimate below the generic value.

Each diesel generator has a belt-driven fuel oil booster pump to pump fuel into the diesel fuel racks. Although a standby DC-powered fuel oil booster pump is available to supply fuel oil should the belt driven pump become inoperable, the DC pump has a 20 second start time delay, and therefore is not available to supply fuel on a diesel start. Provided the belt driven pump remains operable during the first 20 seconds of a diesel run, the DC pump would be able to provide the backup function upon loss of the belt driven pump.

While the plant has experienced failures of this belt driven system, these failures do not appear to have adversely influenced the diesel generator start/run failure data used in the IPE. The licensee had planned to replace the belt driven pumps with gear driven pumps during refueling outage 8 (April-June 1991). However, this planned modification did not take place during this period. The current status of this project is not known. [pp. A 68 to A 70 of submittal] [NRC Memo]

As previously noted, failure data for the HPCI and RCIC systems came from a five year moving average data base for the period between 03/31/87 and 03/31/92. These two systems were quantified with the more recent data to reflect their improved availability since 1990. We have attempted to estimate the level of improvement in the HPCI and RCIC, using data provided in the submittal. The results of our assessment are displayed in Table 2-4. [pp. A 28, A 34, A 47 to A 54 of submittal]

Table 2-3. Plant Specific Component Failure Data (see note 1)

| Component | Failure Mode | Number of Plant Failures | Number of Demands or Hours | IPE Estimate | NUREG/CR-4550 Estimate |
|---|---|---|---|---|---|
| HPCI Pump | Start | 0 | 76 | 6.49E-03 | 3E-02 |
| HPCI Pump | Run | 0 | 30.3 | 5E-03 | 5E-03 |
| RCIC Pump | Start | 3 | 89 | 3.37E-02 | 3E-02 |
| RCIC Pump | Run | 0 | 57 | 5E-03 | 5E-03 |
| RHR Pump | Start | 0 | 1525 | 3.28E-04 | 3E-03 |
| RHR Pump | Run | 0 | 11093.1 | 3E-05 | 3E-05 |
| SSW Pump | Start | 7 | 635 | 1.10E-02 | 3E-03 |
| SSW Pump | Run | 1 | 164582.1 | 6.08E-06 | 3E-05 |
| RBCCW pump | Start | 0 | 666 | 7.51E-04 | 3E-03 |
| RBCCW pump | Run | 0 | 115572 | 4.33E-06 | 3E-05 |
| Diesel-driven fire pump | Start | 2 | 1821 | 4.86E-03 | 3E-02 |
| Diesel-driven fire pump | Run | 0 | 306.51 | 8E-04 | 8E-04 |
| HPCI MOV 23013 (see note 2) | Open (demand) | 1 | 77 | 1.30E-02 | 3E-03 |
| MOV (see note 3) | Open/close (demand) | 27 | 16330 | 1.65E-03 | 3E-03 |
| Check valve (all except SSW) | Open/close (demand) | 0 | 1852 | 2.70E-04 | 1E-04 (open), 1E-03 (close) |
| Check valve (SSW) | Open/close (demand) | 1 | 635 | 1.57E-03 | 1E-04 (open), 1E-03 (close) |
| Battery charger | Operate | 3 | 153000 | 1.95E-05 | 1E-06 |
| Circuit breaker | Open (demand) | 0 | 2258 | 2.21E-04 | 3E-03 |
| Circuit breaker | Close (demand) | 2 | 2258 | 8.86E-04 | 3E-03 |
| Diesel generator | Start | 4 | 823 | 4.86E-03 | 3E-02 |
| Diesel generator | Run | 0 | 1413 | 3.54E-04 | 2E-03 |

Notes: (1) Failures to start, open, close, operate, or transfer are probabilities of failure on demand. The other failures represent frequencies expressed per hour. (2) MOV 23013 is the HPCI pump steam admission valve; this valve is subject to significantly higher stresses than the general population of MOVs and is located in an area where maintenance access is difficult. (3) Excludes HPCI steam admission valve (23013), core spray full flow test valves (1400 A, B), RHR inboard shutdown cooling isolation valve (1001-50), and main steam drain valves (1220-1, 2).

Table 2-4. HPCI and RCIC Plant Failure Data Before and After Improvement Program

| Component | Failure Mode | Failures (01/01/81 to 09/30/85) | Demands (01/01/81 to 09/30/85) | Failure Prob. (01/01/81 to 09/30/85) | Failures (03/31/87 to 03/31/92) | Demands (03/31/87 to 03/31/92) | Failure Prob. (03/31/87 to 03/31/92) |
|---|---|---|---|---|---|---|---|
| HPCI pump | fail to start | 10 | 101 | 9.9E-02 | 0 | 76 | 6.5E-03 (see note 1) |
| HPCI MOV | fail to open | 3 | 107 | 2.8E-02 | 1 | 77 | 1.3E-02 |
| RCIC pump | fail to start | 2 | 190 | 1.1E-02 | 3 | 89 | 3.4E-02 |

Notes: (1) Probability calculated based on 0.5 failures.

The data in Table 2-4 clearly indicate an improvement with regard to HPCI pump start failures. The reliability of the RCIC pump appears to have decreased during the most recent data collection period.

As previously discussed in Section 2.2.1 of this report, plant specific data were used to support the quantification of initiating event frequencies.

2.3.4 Use of Generic Data.

The primary source of generic component unavailability data was NUREG/CR-4550. Additional generic component failure rates were extracted from IEEE 500 and the GE Technical Specification Improvement Analysis for BWR RPS [TS Improv]. [pp. 2.5 3, 2.5-4 of submittal]

Generic component failure data were used in cases where no plant specific data were available. Also, as previously noted in Subsection 2.3.3 of this report, the lower of plant specific or generic data were used in cases where plant specific data indicated zero failures for a component. The plant specific failure rate for a zero failure case was calculated using an assumed value of 0.5 for the number of failures over the exposure period. [p. 2.5 3 of submittal]

Generic maintenance unavailabilities were used when plant specific component maintenance unavailabilities were not available. For components for which neither plant specific nor generic maintenance unavailability data were available, maintenance unavailability was estimated using the following: [p. 2.5 4 of submittal]

  • An unavailability of 3E-03 for each loop of a standby safety system, or for a standby train of a system important for continued plant operation
  • An unavailability of 5.0E-04 for any major component of such systems, for cases in which it is necessary to break down the maintenance unavailability to a lower level than for a complete loop.

Table A 15 of the submittal lists the NUREG/CR-4550 data that were used in the IPE. From inspection of this table, it appears that NUREG/CR-4550 data were used wherever possible. The component types listed in submittal Table A 15 include: air operated valve (AOV), motor operated valve (MOV), solenoid operated valve, hydraulic operated valve, explosive operated valve, check valve, safety relief valve, motor driven pump, turbine-driven pump, diesel driven pump, heat exchanger, diesel generator (T/M unavail), electrical bus, circuit breaker, transformer, strainer, transmitter, and HVAC fan. [A 11, A 40 to A 46 of submittal]

As previously noted in Section 2.2.1 of this report, generic data were used to support the development of certain initiating events.

Footnote: The selection of the lower of these two types of estimates may appear to be overly optimistic. However, a Bayesian analysis using the generic estimate as a prior and with no plant specific failures would give an estimate below the generic value.

2.3.5 Common-Cause Quantification.

The estimation of common cause failure probabilities was based on the MGL method. The primary sources of MGL data appear to be the following: NUREG/CR-2098, NUREG/CR-2099, NUREG/CR-2770, EGG EA 5623, and EPRI 3967. For components not included in these publications, a set of generic MGL parameters (presented later) was used. A variety of component types were modeled in the common cause analysis, including valves, circuit breakers, batteries, check valves, various pumps, diesel generators, ventilation fans, and temperature switches. [pp. 2.5-4, 2.5-5, 3.3 2, 3.3-3, 3.3 7 to 3.310, A 10 to A 12, A/.31 to A 143 of submittal]

We performed a comparison of IPE common cause data with generic beta factors used in the NUREG/CR-4550 methodology document. For component groups with more than two components, the IPE common cause data were used to derive equivalent fractional failures to correspond to the beta factors presented in NUREG/CR-4550. The common cause data comparison is summarized in Table 2-5.

Table 2-5. Comparison of Common-Cause Failure Factors

| Component | Failure Mode | Group Size | Equivalent IPE Beta or Fractional Factor Value | NUREG/CR-4550 Mean Beta Factor |
|---|---|---|---|---|
| Salt Service Water Pump | Start | 2 | 0.024 | 0.026 |
| Salt Service Water Pump | Run | 2 | 0.1 | - |
| RBCCW Pump | Start | 2 | 0.019 | 0.026 |
| Core Spray Pump | Start | 2 | 0.13 | 0.15 |
| MOV | Open (demand) | 2 | 0.079 | 0.088 |
| Diesel Generator | Start | 3 | 0.0016 | 0.018 |
| Diesel Generator | Run | 2 | 0.031 | - |
| Diesel Generator | Run | 3 | 0.0016 | - |

Footnote: Some of the common cause parameters used in the IPE were extracted from Attachment A.14 of the submittal. Other IPE common cause factors were extracted by inspecting the quantified common cause events listed in submittal Table 3.3-1 and comparing these data to random equipment failure data provided in submittal Table A.10. [pp. 3.3-2, 3.3 3, 3.3-7 to 3.3-10, A 34, A 35, A 111 to A 143 of submittal]

With the exception of the diesel generators, the IPE and NUREG/CR-4550 common cause data listed in Table 2-3 are consistent. The IPE common cause data for the start failure of 3 diesel generators is an order of magnitude lower than the NUREG/CR-4550 generic data. It is not clear how the licensee quantified the diesel generator common cause data. However, we do note that one of the three diesel generators is a special station blackout diesel generator that was assumed by the licensee to be relatively independent of the other two diesel generators (and presumably would be less likely to fail from a common cause event). In particular, the station blackout diesel generator must be manually started, has independent support systems (including a separate fuel oil supply), and is housed in a separate enclosure. [pp. B.10 4, B.10 5, C.2 3 of submittal]

Table 2-6 below lists the MGL parameters that were used for components where published data were unavailable. The licensee derived the parameters in this table from engineering judgment. These parameters appear to be comparable to common cause data used in other typical IPE/PRA studies. [pp. A 10, A 11 of submittal]

Table 2-6. MGL Parameters Used if Published Data Unavailable

| Parameter | Failure to Operate or Actuate | Failure to Continue Functioning or Spurious Operation |
|---|---|---|
| Beta | 0.1 | 0.05 |
| Gamma | 0.5 | 0.5 |
| Delta | 0.9 | 0.9 |
| All Others | 1.0 | 1.0 |

Finally, the IPE modeled common cause failures between HPCI and RCIC pumps and MOVs. A beta factor of 0.018 was used to model common cause events involving the HPCI and RCIC pump start and run functions. It appears that the start and run random failure probabilities used to support the common cause event quantification represent average failure rates of the HPCI and RCIC pumps. [pp. A 112, A 113 of submittal]
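The way MGL parameters such as those in Table 2-6 translate into common cause basic event probabilities is shown in the added example below, which is not code from the licensee or from this review. It uses the standard MGL relation Q_k = [1 / C(m-1, k-1)] (rho_1 ... rho_k)(1 - rho_(k+1)) Q_t with rho_1 = 1, rho_2 = beta, rho_3 = gamma, rho_4 = delta and rho_(m+1) = 0. The total failure probability of 3E-03 is a constructed sample value, and reading the review's "equivalent fractional failure" as the fraction of Q_t that fails the whole group is an assumption.

```python
"""Added example: Multiple Greek Letter (MGL) common cause quantification."""
from math import comb

# Table 2-6 of this review: parameters used when no published data existed.
TABLE_2_6 = {
    "operate": {"beta": 0.1, "gamma": 0.5, "delta": 0.9},
    "continue": {"beta": 0.05, "gamma": 0.5, "delta": 0.9},
}
HIGHER_ORDER = 1.0  # "All Others" row of Table 2-6


def _rho(group_size, beta, gamma, delta):
    """Return [rho_1, ..., rho_m, rho_(m+1)] with rho_1 = 1 and rho_(m+1) = 0."""
    params = [1.0, beta, gamma, delta] + [HIGHER_ORDER] * max(0, group_size - 4)
    return params[:group_size] + [0.0]


def mgl_event_probabilities(q_total, group_size, beta, gamma, delta):
    """Return {k: Q_k}, where Q_k is the probability of a basic event that
    fails one specific set of k components in a group of size m."""
    if group_size < 2:
        raise ValueError("a common cause group needs at least two components")
    rho = _rho(group_size, beta, gamma, delta)
    probabilities, running = {}, 1.0
    for k in range(1, group_size + 1):
        running *= rho[k - 1]  # rho_1 * ... * rho_k
        probabilities[k] = (running * (1.0 - rho[k]) * q_total
                            / comb(group_size - 1, k - 1))
    return probabilities


def reconstructed_total(probabilities):
    """Consistency check: sum of C(m-1, k-1) * Q_k must equal Q_t."""
    m = len(probabilities)
    return sum(comb(m - 1, k - 1) * q for k, q in probabilities.items())


def all_fail_fraction(group_size, beta, gamma, delta):
    """Fraction of Q_t in which every component of the group fails.

    ASSUMPTION: this is taken here as the 'equivalent fractional failure'
    compared against a beta factor for groups of more than two components.
    """
    return mgl_event_probabilities(1.0, group_size, beta, gamma, delta)[group_size]


if __name__ == "__main__":
    q_t = 3e-3  # constructed sample total failure probability per demand
    for column, p in TABLE_2_6.items():
        for m in (2, 3, 4):
            probs = mgl_event_probabilities(q_t, m, **p)
            listing = ", ".join(f"Q{k}={q:.2e}" for k, q in probs.items())
            print(f"{column:9s} m={m}: {listing}; "
                  f"all-fail fraction={all_fail_fraction(m, **p):.4f}")
```

For a group of two the all-fail fraction reduces to beta itself, so the comparison against a beta factor in Table 2-5 needs the derived fraction only for larger groups.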

2.4 Interface Issues

This section of the report summarizes our review of the interfaces between the front end and back end analyses, and the interfaces between the front end and human factors analyses. The focus of the review was on significant interfaces that affect the ability to prevent core damage.

2.4.1 Front End and Back End Interfaces.

The IPE credited the possibility of successful mitigation of ISLOCA events via injection from (1) the condensate system, with makeup to the condenser hotwell from the condensate storage tank (CST), or (2) the fire water system. The IPE did not credit LPCI or core spray in ISLOCA scenarios due to the adverse environmental conditions expected inside the reactor building. The IPE credited LPCI and fire water as injection sources for large LOCA outside containment events. [pp. 2.3 43, C3.13, C3.14, Figure C.3 6, C.3 7 of submittal]

The RCIC turbine exhaust trip setpoint is set at 46 psig. Because of this relatively high trip setpoint, the IPE considered the possibility of RCIC operation during a loss of containment cooling event. MAAP models accounted for this trip setpoint, as well as RCIC net positive suction head (NPSH) requirements to determine RCIC availability. [p.16 of RAI Responses]

The Pilgrim emergency operating procedures (EOPs) require that all injection from outside containment be terminated when the torus bottom pressure cannot be maintained below 60 psig. The action precludes any further increase in primary containment water level and is authorized because the consequences of not doing so may cause a loss of primary containment integrity. The EOPs are based on a philosophy that preferentially chooses to maintain primary containment integrity in order to protect against the uncontrolled release of radioactivity. [pp.16,17 of RAI Responses]

j The existing logic models assumed no core damage if injection systems are successful and containment i pressure is successfuny controlled. No credit was taken for core cooling after containment failure. The MAAP models used to support the IPE failed injection systems when NPSH limits for pumps were escuded, or when suppression pool temperstwas exceeded limits for HPCI and RCIC pump oil cooling. dignm ha a hardened containment vent, and it appears that venting was credited in the front end analy:is as a means of containment presswo control. [pp.1,17,18 of RAI Responses]

The front and back end analyses were coupled by linking core damage cut sets directly into containment system event trees (CSETs). The output of the CSETs was used to generate a set of plant damage states (PDSs). The PDSs were subsequently evaluated by containment phenomenological event trees (CPETs) to generate source term frequencies. The process used to couple the front and back end analysis appears to be comparable with similar processes used in other PRA/IPE studies. [p. 49 of RAI Responses, pp. 4.0-2, 4.3-14 of submittal]

2.4.2 Human Factors Interfaces.

Based on our review of the front end analysis, the following operator actions were found to be important: [pp. 3.4-22 to 3.4-25]

  • Operator actions needed for reactor depressurization
  • Operator actions needed to use vessel injection via fire water
  • Operator actions needed for SLC injection

Table 3.3-2 of the submittal provides importance measures for human events pertinent to the original IPE analysis. A comparable set of importance measures relevant to the updated (1995) IPE was not provided.

The licensee states that credit was taken only for proceduralized human actions. [pp. 2.2-4, 3.3-11, 3.3-12 of submittal]

The IPE credited use of the fire water system for alternative vessel injection during transient events, small LOCAs, and reference line breaks. This action, which is proceduralized, requires installation of a spool piece to connect the fire water system to RHR system discharge piping. The spool piece is located in a cabinet immediately adjacent to its installation point, and can be connected without special tools due to the use of quick snap couplings. The licensee states that operators are trained and tested in the use of the fire water system. In addition to installation of the spool piece, use of the fire water system requires that operators open two valves. The availability of DC power is also required to allow vessel depressurization via the safety relief valves (SRVs). [pp. 23, 34, 37 of RAI Responses, pp. 2.3-15, 2.3-16, 2.3-43, 2.3-46, B.5-7, p. 2 of Table 2.4-1 of submittal]

General Electric analyses were used to show that uncontrolled injection with low pressure systems during an ATWS will not result in substantial fuel damage or threaten the integrity of the reactor vessel. Consequently, an operator error associated with failure to inhibit the automatic depressurization system (ADS) was not modeled in the ATWS event trees. [p. 41 of RAI Responses, pp. C.5-7, C.5-8 of submittal]

The IPE took credit for the recovery of failed diesel generators. At 2 hours, the cumulative non-recovery probability is 0.90, while at 12 hours the cumulative non-recovery probability is 0.44*. It appears that these diesel generator non-recovery data are based on Pilgrim plant experience. [Figure C.2-8, C.2-21 of submittal]

Pilgrim has a hardened containment vent, and it appears that venting was credited in the front end analysis as a means of containment pressure control. [pp. 1, 17, 18 of RAI Responses, p. 3.3-11 of submittal]

2.5 Evaluation of Decay Heat Removal and Other Safety Issues

This section of the report summarizes our review of the evaluation of Decay Heat Removal (DHR) provided in the submittal. Other GSIs/USIs, if they were addressed in the submittal, were also reviewed.

2.5.1 Examination of DHR.

The licensee specifically addresses DHR and its contribution to CDF. The IPE DHR analysis was based on a narrow DHR definition, namely removal of decay heat from containment. This definition does not address core cooling aspects of DHR. In order to resolve USI A-45, licensees were requested to examine DHR for its capability during both core cooling and containment heat removal phases and for all accidents except large LOCAs, ATWS events, and ISLOCAs.

Using qualitative discussions, the licensee concluded that the containment DHR reliability is high due to the availability of multiple containment systems, specifically: (1) main condenser, (2) RHR in suppression pool cooling, wetwell spray, drywell spray, or shutdown cooling mode, (3) reactor water cleanup system (RWCU) either through the non-regenerative heat exchanger or in a feed and bleed mode to the main condenser, (4) containment venting through the standby gas treatment system, and (5) direct torus hardened vent. Even if all these containment DHR systems were to fail, a significant amount of time is available for repair and recovery efforts. Specifically, 34 hours would be available before containment design limits are exceeded, and 47 hours would be available before the ultimate containment capacity is reached. The licensee notes that the IPE did not take credit for heat removal via the RWCU system. No DHR related vulnerabilities were identified. [pp. 3.6-2, 3.6-3, 3.6-13, 3.6-14 of submittal]

* It is not clear whether these data pertain to non-recovery of an individual diesel generator or the non-recovery of at least one diesel generator among all three failed diesel generators.

While the IPE DHR analysis was limited to removal of decay heat from containment, the licensee does identify the IPE accident classes that would pertain to the expanded (A-45) definition of DHR. These accident classes are listed below: [p. 25 of RAI Responses]

  • Class IA: Failure of high pressure makeup and failure to depressurize (TQUX)
  • Class IB: Station blackout
  • Class ID: Loss of both high and low pressure coolant injection (TQUV)
  • Class II: Failure of DHR from containment (TW)
  • Class IIIB: Small or medium LOCAs for which reactor vessel cannot be depressurized (S1QUX or S2QUX)
  • Class IIIC: Medium LOCAs for which there is inadequate vessel makeup (S1V)

2.5.2 Diverse Means of DHR.

The IPE evaluated the diverse means for DHR, including use of: the power conversion system, RCIC, HPCI, and vessel depressurization to allow injection with low pressure systems (including fire water).

Pilgrim has a hardened containment vent that appears to have been credited in the IPE.

2.5.3 Unique Features of DHR.

The unique features at Pilgrim that directly impact the ability to provide DHR are as follows:

  • Ability to perform vessel injection with fire water system. Alternate vessel injection can be accomplished with the fire water system. Because one of the fire water pumps is diesel-driven, this method of injection can be used during station blackout. This design feature tends to lower the CDF. [pp. 2.2-6 of submittal]
  • Motor driven feedwater pumps. Because the feedwater pumps are motor driven instead of turbine-driven, they are not disabled in MSIV closure events and may remain available for vessel injection. This design feature tends to lower the CDF. [p. 2.2-6 of submittal]
  • Limited vessel pressure relief capability. Pilgrim has a more limited vessel pressure relief capability than other BWRs of similar design. This limited pressure relief capability is due to the relatively small number of relief valves (2 code safety valves and 4 safety relief valves) and the relatively small capacity of each individual valve. This design feature tends to increase the CDF.
  • Hardened torus vent. The availability of a hardened torus vent provides an additional means of providing containment pressure control and decay heat removal. This design feature tends to lower the CDF. [pp. 2.2-6, 3.6-12, B.6-8, B.6-9 of submittal]

2.5.4 Other GSIs/USIs Addressed in the Submittal.

No GSIs/USIs other than A-45 are addressed by the IPE. [p. vii of transmittal letter]

2.6 Internal Flooding

This section of the report summarizes our reviews of the process used to model internal flooding and of the results of the analysis of internal flooding.

2.6.1 Internal Flooding Methodology.

The internal flooding analysis was based in part on previous flood-related studies of the Pilgrim plant, including analyses included in the Pilgrim UFSAR. Plant walkdowns were also used to support the analysis. Postulated flooding events were considered to be bounded by pipe breaks of high volumetric flow rates in terms of their impact on plant systems; therefore events such as overfilling water tanks, hose ruptures, and pump seal leaks were not considered. Fire protection system breaks were included in the analysis. The only safety related areas in which fire protection system flooding is the predominant source are the switchgear rooms. Wire mesh panels/doors prevent any accumulation in these areas. [pp. 2.1-6, C.4-17 to C.4-23 of submittal]

The IPE explicitly considered equipment failure from submergence, though effects from spray were not considered. The licensee states that equipment damage due to flooding envelopes spray-induced equipment damage. The licensee further states that spray-induced effects were addressed in the Pilgrim IPE External Events (IPEEE) study submitted to NRC in 1994. The IPEEE study concluded that plant design features preclude spray related effects on equipment. For example, reactor building elevations 23' and 51' have berms and ramps to contain water from a water curtain, thereby protecting important equipment. These areas also have equipment spray shields. In addition, some equipment items are surrounded by spray guards in instances where the equipment items are in close proximity to pipes (especially high energy lines). Spray guards are also used in situations where equipment items are located near or under fire sprinklers. [pp. 5, 6 of RAI Responses, p. C.4-19 of submittal]

The flooding analysis methodology included consideration of the following: [p. C.4-23 of submittal]

  • Identification of potential flood locations
  • Determination of blowdown / spillage volumes
  • Determination of spaces affected by each flooding event
  • Determination of area of affected spaces
  • Calculation of flood levels (flood level = volume/area)

Quantification of flood scenarios appears to have been based on the Level 1 logic models. It is not clear whether credit was taken for operator mitigating actions.

2.6.2 Internal Flooding Results.

The IPE analysis reported in the submittal (pre-1995 IPE) identified only one initiating event that could also disable potential mitigating systems useful in responding to the event. This initiating event involves a feedwater break inside the steam tunnel that disables the feedwater system and also submerges CRD components. This scenario has a CDF contribution of 2.27E-07/yr. [p. 6 of RAI Responses, pp. C.4-19, C.4-20, C.4-22, C.4-23 of submittal]

Results from the 1995 IPE indicate that the total internal flooding CDF contribution is 6.1E-08/yr. The sequence(s) associated with the 1995 IPE are not provided. [p. 22 of RAI Responses]

2.7 Core Damage Sequence Results

This section of the report reviews the dominant core damage sequences reported in the submittal. The reporting of core damage sequences, whether systemic or functional, is reviewed for consistency with the screening criteria of NUREG-1335. The definition of vulnerability provided in the submittal is reviewed. Vulnerabilities, enhancements, and plant hardware and procedural modifications, as reported in the submittal, are reviewed.

2.7.1 Dominant Core Damage Sequences.

The CDF point estimate from the 1995 IPE model (including internal flooding) is 2.84E-05/yr*. Accident types and their contributions to CDF are provided below in Table 2-7**. [pp. 20 to 22 of RAI Responses]

Initiating events and their percent contribution are listed below in Table 2-8. [p. 22 of RAI Responses]

The 10 most dominant functional core damage sequences are summarized below in Table 2-9 of this report. [pp. 20, 21 of RAI Responses, Appendix C of submittal]

Table 2-7. Accident Types and Their Contribution to Core Damage Frequency

| Accident Type | CDF Contribution (per yr) | Percent Contribution to CDF |
|---|---|---|
| Transient | 2.0E-05 | 70 |
| ATWS | 4.5E-06 | 16 |
| LOCA (see note 1) | 2.9E-06 | 10 |
| Station Blackout | 9.6E-07 | 3 |
| ISLOCA | 1.0E-07 | 0.4 |
| Internal Flood | 6.1E-08 | 0.2 |

Notes: (1) LOCA category includes IORV (6.1E-07/yr), large LOCA outside containment (1.0E-07/yr), and reference line break (2.0E-08/yr).

* A CDF estimate of 5.85E-05/yr was reported in the previous IPE analysis described in the submittal. Much of the difference between the original and revised IPE CDF values is due to elimination of the HPCI room cooling dependency, improvements in HPCI/RCIC reliability data, and more optimistic ADS success criteria. [p. 1 of RAI Responses, p. 3.4-3 of submittal]

** The data contained in this table were derived from revised Tables 3.4-1 and 3.4-2 included in the RAI responses. [pp. 20 to 22 of RAI Responses]

Table 2-8. Initiating Events and Their Contribution to Core Damage Frequency

| Initiating Event | CDF Contribution / yr. | % Cont. to CDF |
|---|---|---|
| Partial LOSP (345 Kv) | 8.46E-06 | 30 |
| Manual shutdown | 5.26E-06 | 19 |
| Full LOSP (345 & 23 Kv) | 2.78E-06 | 10 |
| Turbine trip and reactor trip | 2.78E-06 | 10 |
| Loss of feedwater | 2.27E-06 | 8.0 |
| Medium LOCA | 1.70E-06 | 6.0 |
| Loss of condenser vacuum | 1.00E-06 | 3.5 |
| Loss of DC bus B | 9.36E-07 | 3.3 |
| MSIV closure | 8.11E-07 | 2.9 |
| Loss of salt service water (SSW) | 6.82E-07 | 2.4 |
| Inadvertent open relief valve (IORV) | 6.14E-07 | 2.2 |
| Reactor vessel rupture | 3.00E-07 | 1.1 |
| Large LOCA | 1.62E-07 | 0.6 |
| Small LOCA | 1.21E-07 | 0.4 |
| Loss of DC Bus A | 1.09E-07 | 0.4 |
| Main steam line break | 1.00E-07 | 0.4 |
| Internal flood | 6.07E-08 | 0.2 |
| Core spray ISLOCA | 5.00E-08 | 0.2 |
| LPCI ISLOCA | 5.00E-08 | 0.2 |
| Reference line break | 1.95E-08 | 0.06 |
| Loss of RBCCW | 1.38E-09 | 0.05 |

Table 2-9. Top 10 Dominant Functional Core Damage Sequences

| Initiating Event | Dominant Subsequent Failures in Sequence | % Contribution to Total CDF |
|---|---|---|
| LOSP | Failure of high pressure injection, failure to depressurize | 30 |
| Transient | Failure of high pressure injection, failure to depressurize | 22 |
| Transient | Loss of DHR (TW sequence) | 12 |
| Transient (non-isolation) | RPS mechanical failure, operator failure to inject SLC (ATWS) | 6 |
| LOSP | Offsite power not recovered in 24 hours, failure of containment pressure control, failure of reactor inventory control | 4 |
| Medium LOCA | Failure of high pressure injection, failure to depressurize | 4 |
| LOSP | Failure of battery load shedding, offsite power not recovered in 12 hours, fail to recover diesel generator in 12 hours (station blackout) | 3 |
| Transient (non-isolation) | RPS mechanical failure, SRVs fail to open (ATWS) | 2 |
| Transient (isolation) | RPS mechanical failure, operator failure to inject SLC (ATWS) | 2 |
| Medium LOCA | Failure of low pressure injection after successful high pressure injection | 2 |

The submittal provides the results of a Fussell-Vesely importance analysis of important common cause hardware failures and human errors. However, the RAI responses do not provide an updated set of these importance measures for the 1995 IPE. The most important events based on the Fussell-Vesely measures generated in the original IPE are listed below: [pp. 3.3-7 to 3.3-12 of submittal]

  • Operator fails to depressurize (non-ATWS)
  • Common cause failure of SRVs 203-3A, B, C, D to open
  • Common cause failure of HPCI/RCIC pumps to start
  • Common cause failure of 3 of 4 SRVs to open (203-3A, B, C, D, six separate events)

2.7.2 Vulnerabilities.

The licensee used the following criteria to search for vulnerabilities:

  • Are there any new or unusual means by which core damage or containment failures occur as compared to those identified in other PRAs?
  • Do the results suggest that the Pilgrim core damage frequency would not be able to meet the NRC's safety goal for core damage (1E-04/yr)?

Based on the above criteria, the licensee concluded that there are no vulnerabilities at Pilgrim. [p. 5.0-1 of submittal]

2.7.3 Proposed Improvements and Modifications.

It appears that two plant improvements were suggested as a result of the IPE. One improvement involved a review of procedures for DC bus loss. At the time the original IPE analysis was performed, procedures directed operators to trip all loads powered by AC buses associated with a failed DC bus. In the event both DC buses were lost, these proceduralized operator actions would have resulted in the loss of all feedwater pumps. The procedures have been revised to allow operator judgment with regard to shedding of AC bus loads following DC bus failures. This improvement was not credited in the original IPE, and it is not clear whether it was credited in the updated (1995) IPE. These procedure revisions would have reduced the CDF reported in the submittal by about 5% (from 5.85E-05/yr to 5.55E-05/yr). The CDF impact on the current 1995 IPE was not provided. [p. 36 of RAI Responses, pp. 3.3-11 of submittal]

The other improvement suggested as a result of the IPE is a procedural change to allow operators to use fire water for drywell sprays. The current status and CDF impact of this procedure change were not provided. [p. 2.1-22 of submittal]

The licensee provided information concerning plant changes made in response to the Station Blackout Rule, and other modifications separate from the Station Blackout Rule that reduce the station blackout CDF. This information is summarized below in Table 2-10. The licensee does not have any analyses related to the CDF impact of these modifications. [pp. 8 to 10, 12, 50, 51 of RAI Responses, p. 3.1-2 of submittal]

Table 2-10. Summary of Plant Changes That Directly Affect Station Blackout

| Description of Plant Change | Status | Plant Change Accounted for in IPE? | Notes |
|---|---|---|---|
| Modifications Specifically Related to Station Blackout Rule | | | |
| Install third (station blackout) diesel generator | Completed | Yes | |
| Add pull-to-lock switches for circuit breakers associated with RHR pumps, core spray pumps, and shutdown transformer feeders | Unknown | No | |
| Install load shedding switches to initiate load shedding logic on AC trains A and B | Unknown | No | |
| Modifications Separate From Station Blackout Rule | | | |
| Application of special coating to 345 Kv switchyard insulators to reduce likelihood of salt buildup/flashover | Completed | Yes | |
| Phase separation of 345 Kv feeder | Completed | Yes | |
| Switchyard betterment program to reduce probability of salt buildup | Completed | No | Completed during 1994 and 1995 outages |

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS

This section of the report provides an overall evaluation of the quality of the IPE based on our review. Strengths and weaknesses of the IPE are summarized. Important assumptions of the model are summarized. Major insights from the IPE are presented.

Strengths of the IPE are as follows: The IPE goes beyond the bounds of some other BWR IPE/PRA studies by considering and modeling common cause failures between the HPCI and RCIC systems.

No major weaknesses of the IPE were identified.

One weakness of the submittal was identified, namely that the licensee's DHR analysis was limited to removal of decay heat from containment. This narrow definition of DHR does not address core cooling aspects of DHR. In order to resolve USI A-45, licensees were requested to examine DHR for its capability during both core cooling and containment heat removal phases and for all accidents except large LOCAs, ATWS events, and ISLOCAs. While the licensee's narrow definition of DHR is judged to be a weakness of the submittal, both core and containment cooling has been accounted for in the overall IPE analysis process. In our judgment, the IPE models are capable of identifying DHR related vulnerabilities.

Significant findings on the front end portion of the IPE are as follows:

  • The Pilgrim plant is located in a region of the country that is prone to more frequent occurrences of severe weather than many other nuclear plant sites. Consequently, LOSP frequencies and non-recovery probabilities are higher at Pilgrim compared to average industry data. Even so, station blackout contributes only about 3% of the total CDF at Pilgrim. The relatively low CDF contribution of station blackout at Pilgrim is due to: (1) a 14 hour battery capacity (with credit for load shedding), (2) the availability of a station blackout diesel generator, (3) the availability of a separate 23 Kv offsite power source for plant shutdown functions, (4) the availability of an AC-independent source of vessel injection (fire water), and (5) credit for recovery of failed diesel generators.
  • ATWS sequences contribute 16% to the total CDF. About 55% of the ATWS contribution is due to operator failure to initiate standby liquid control (SLC) injection. Another 20% of the ATWS contribution is related to inadequate pressure relief caused by failure of sufficient safety valves/safety relief valves to open.
  • Common cause failures of safety relief valves (SRVs) are important contributors in sequences where high pressure injection is unavailable and depressurization fails. As previously noted in the discussion on plant features, Pilgrim has a more limited vessel pressure relief capability than other BWRs of similar design.

4. DATA SUMMARY SHEETS

This section of the report provides a summary of information from our review.

Initiating Event Frequencies

| Initiating Event | Frequency per year |
|---|---|
| Turbine and Reactor Trip | 2.07 |
| Loss of Feedwater | 4.14E-01 |
| Loss of Feedwater (unrecoverable) | 1.90E-01 |
| Loss of Condenser Vacuum | 5.00E-01 |
| MSIV Closure | 4.14E-01 |
| Inadvertent Opening Relief Valve (IORV) | 3.00E-01 |
| Loss of Offsite Power (345 Kv + 23 Kv) | 1.2E-01 |
| Loss of 345 Kv Power Only | 4.75E-01 |
| Manual Shutdown | 3.89 |
| LOCAs Inside Containment: | |
| Small LOCA | 8.0E-03 |
| Medium LOCA | 3.0E-03 |
| Large LOCA | 7.0E-04 |
| RPV Rupture | 1.0E-05 |
| LOCAs Outside Containment: | |
| LPCI Interfacing Systems LOCA | 5.0E-07 |
| CS Interfacing Systems LOCA | 5.0E-07 |
| Large LOCA | 1.4E-07 |
| Internal Floods | 8.2E-03 |
| Single DC Bus Failure (50% Recovery) | 3.0E-03 |
| Reactor Water Level Reference Line Breaks | 4.0E-02 |
| Loss of Service Water | 2.7E-04 |
| Loss of Reactor Building Cooling Water | 1.9E-04 |
| Loss of Turbine Building Cooling Water | 1.4E-03 |
| Loss of Instrument Air | 2.LE-04 |

Overall CDF

The point estimate CDF for Pilgrim is 2.84E-05/yr, including internal flooding. The CDF contribution from flooding is 6.1E-08/yr.

Dominant Initiating Events Contributing to CDF

Partial LOSP  30%
Manual shutdown  19%
Full LOSP (345 & 23 Kv)  10%
Turbine trip and reactor trip  10%
Loss of feedwater  8%
Medium LOCA  6%
Loss of condenser vacuum  4%
Loss of DC Bus B  3%
MSIV closure  3%

Dominant Hardware Failures and Operator Errors Contributing to CDF

Dominant hardware failures contributing to CDF include:

Common cause failure of SRVs 203-3A, B, C, D to open
Common cause failure of HPCI/RCIC pumps to start
Common cause failure of 3 of 4 SRVs to open (203-3A, B, C, D, six separate events)

Dominant human errors and recovery factors contributing to CDF include:

Failures to depressurize (non-ATWS)
Failure to inject SLC before heat capacity temperature limit

Dominant Accident Classes Contributing to CDF

Transient  70%
Anticipated Transient Without Scram (ATWS)  18%
LOCAs  10%
Station Blackout  3%
ISLOCA  0.4%
Internal Flood  0.2%

Design Characteristics Important for CDF

The following design features impact the CDF:

  • Fourteen hour battery capacity. With credit for load shedding, the batteries can provide necessary power during station blackout for approximately 14 hours. The 14 hour battery lifetime is longer than battery lifetimes at many other plants. This design feature tends to lower the CDF.
  • Station blackout diesel generator. A station blackout diesel generator has been installed at Pilgrim. This design feature tends to lower the CDF.
  • Special 23 Kv offsite power line for plant shutdown functions. Pilgrim has a special 23 Kv offsite power connection that can be used to power emergency buses in the event offsite power from the two 345 Kv sources is lost. The 23 Kv power line is routed through a separate switchyard into the station shutdown transformer. Plant experience has shown that the 23 Kv line is more resistant to weather-related effects than the 345 Kv sources. This design feature tends to lower the CDF.
  • Ability to perform vessel injection with fire water system. Alternate vessel injection can be accomplished with the fire water system. Because one of the fire water pumps is diesel driven, this method of injection can be used during station blackout. This design feature tends to lower the CDF.
  • Limited vessel pressure relief capability. Pilgrim has a more limited vessel pressure relief capability than other BWRs of similar design. This limited pressure relief capability is due to the relatively small number of relief valves (2 code safety valves and 4 safety relief valves) and the relatively small capacity of each individual valve. This design feature tends to increase the CDF.
  • Hardened torus vent. The availability of a hardened torus vent provides an additional means of providing containment pressure control and decay heat removal. This design feature tends to lower the CDF.
  • Portable diesel-driven air compressor. A portable diesel-driven air compressor can be manually connected to the compressed air system. This additional source of compressed air tends to reduce the CDF.
  • Independence of diesel generators from external cooling water sources. The diesel generators (including the station blackout diesel generator) are self cooled. This design feature lowers the CDF.

Modifications

It appears that the following two plant improvements were identified as a result of the IPE:

  • Modify loss of DC procedures to allow operator judgment for load shedding of AC buses associated with failed DC supplies (completed)
  • Modify procedures to allow operators to use fire water for drywell sprays

Other USIs/GSIs Addressed

No generic safety issues (GSIs)/USIs other than A-45 are addressed by the IPE.

Significant PRA Findings

Significant findings on the front end portion of the IPE are as follows:

  • The Pilgrim plant is located in a region of the country that is prone to more frequent occurrences of severe weather than many other nuclear plant sites. Consequently, LOSP frequencies and non-recovery probabilities are higher at Pilgrim compared to average industry data. Even so, station blackout contributes only about 3% of the total CDF at Pilgrim. The relatively low CDF contribution of station blackout at Pilgrim is due to: (1) a 14 hour battery capacity (with credit for load shedding), (2) the availability of a station blackout diesel generator, (3) the availability of an AC-independent source of vessel injection (fire water), and (4) credit for recovery of failed diesel generators.

contribution is related to inadequate pressure relief caused by failure of sufficient safety valves/safety relief valves to open.

high pressure injection is unavailable and depressurization fails. As previously noted in the discussion on plant features, Pilgrim has a more limited vessel pressure relief capability than other BWRs of similar design.

REFERENCES

[EGG EA 5623] Common Cause Fault Rates for Instrumentation and Control Assemblies, EGG-EA-5623, Rev. 1.

[EPRI 438] Characteristics of Pipe System Failures in Light Water Reactors, EPRI report NP-438, August 1977.

[EPRI 3967] Classification and Analysis of Reactor Operating Experience Involving Dependent Events, EPRI NP-3967, interim draft 1990 document.

[GE TRAGG] TRAGG Analysis Results (draft), presented by General Electric for Pilgrim ATWS events, September and October 1987.

[IEEE 500] Guide to the Collection and Presentation of Electrical, Electronic, Sensing, Component, and Mechanical Equipment Reliability Data for Nuclear Power Generating Stations, IEEE Std. 500-1984, December 1983.

[IPE BWR Method] IPE Methodology for BWRs, Appendix D.10, IDCOR Technical Report 86.381, Delian Corp., 1987.

[IPE Submittal] Pilgrim Nuclear Power Station IPE Submittal, September 1992.

[NRC Memo] Insights on Pilgrim Loss of Offsite Power Events and December 13, 1992 Partial LOOP Event, Memorandum to A. C. Thadani, NRC, from M. P. Rubin, NRC, Docket No. 50-293, October 5, 1993.

[NSAC 147] Losses of Offsite Power at U.S. Nuclear Power Plants Through 1989, EPRI (Nuclear Safety Analysis Center), NSAC-147, March 1990.

[NUREG/CR-2098] Common Cause Fault Rates for Pumps, NUREG/CR-2098, February 1983.

[NUREG/CR-2099] Common Cause Fault Rates for Diesel Generators, NUREG/CR-2099.

[NUREG/CR-2770] Common Cause Fault Rates for Valves, NUREG/CR-2770, February 1983.

[RAI Responses] Response to the RAI Regarding the Pilgrim IPE Submittal, TAC No. M74451.

[TS Improv] Technical Specification Improvement Analysis for BWR Reactor Protection System, NEDC-30851P-A, GE Nuclear Energy, 1988.