ML20129D821

Technical Evaluation Rept of IPE Submittal & RAI Responses for Davis-Besse Nuclear Power Station
Site: Davis Besse Cleveland Electric
Issue date: 02/23/1996
From: Musicki Z, BROOKHAVEN NATIONAL LABORATORY
To: NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
Shared Package: ML20128L299
References: NUDOCS 9609300203


Text

TECHNICAL REPORT FIN W-6449 2/23/96

TECHNICAL EVALUATION REPORT OF THE IPE SUBMITTAL AND RAI RESPONSES FOR THE DAVIS-BESSE NUCLEAR POWER STATION

Zoran Musicki

C. C. Lin

John Forester

Department of Advanced Technology, Brookhaven National Laboratory, Upton, New York 11973

Prepared for the U.S. Nuclear Regulatory Commission, Office of Nuclear Regulatory Research, Contract No. DE-AC02-76CH00016

CONTENTS

Executive Summary
Nomenclature
1. Introduction
1.1 Review Process
1.2 Plant Characterization
2. Technical Review
2.1 Licensee's IPE Process
2.1.1 Completeness and Methodology
2.1.2 Multi-Unit Effects and As-Built, As-Operated Status
2.1.3 Licensee Participation and Peer Review
2.2 Front End Technical Review
2.2.1 Accident Sequence Delineation and System Analysis
2.2.2 Quantitative Process
2.2.3 Interface Issues
2.2.4 Internal Flooding
2.2.5 Core Damage Sequence Results
2.3 Human Reliability Analysis Technical Review
2.3.1 Pre-Initiator Human Actions
2.3.2 Post-Initiator Human Actions
2.4 Back End Technical Review
2.4.1 Containment Analysis/Characterization
2.4.2 Quantitative Assessment of Accident Progression and Containment Performance
2.5 Evaluation of Decay Heat Removal and Other Safety Issues
2.5.1 Evaluation of Decay Heat Removal
2.5.2 Other GSIs/USIs Addressed in the Submittal
2.5.3 Response to CPI Program Recommendations
2.6 Vulnerabilities and Plant Improvements
3. Contractor Observations and Conclusions
4. References

TABLES

Table E-1 Accident Types and Their Contribution to the CDF
Table E-2 Dominant Initiating Events and Their Contribution to the CDF
Table E-3 Containment Failure as a Percentage of Total CDF
Table 1 Plant and Containment Characteristics for Davis-Besse Nuclear Station
Table 2 Comparison of Failure Data
Table 3 Comparison of Common-Cause Failure Factors
Table 4 Initiating Event Frequencies for Davis-Besse IPE
Table 5 Accident Types and Their Contribution to the CDF
Table 6 Dominant Initiating Events and Their Contribution to the CDF
Table 7 Dominant Core Damage Sequences
Table 8 Important Human Actions
Table 9 Containment Failure as a Percentage of Total CDF

EXECUTIVE SUMMARY

This Technical Evaluation Report (TER) documents the findings from a review of the Individual Plant Examination (IPE) for the Davis-Besse Nuclear Power Station. The primary purpose of the review is to ascertain whether or not, and to what extent, the IPE submittal satisfies the major intent of Generic Letter (GL) 88-20 and achieves the four IPE sub-objectives. The review utilized both the information provided in the IPE submittal and additional information provided by the licensee, the Toledo Edison Company, in the response (RAI Responses) to an NRC request for additional information (RAI).

E.1 Plant Characterization

The Davis Besse Nuclear Power Plant is a 906 MWe Babcock and Wilcox pressurized water reactor (PWR). The reactor coolant system (RCS) consists of the reactor vessel, two vertical once-through steam generators, 4 shaft-sealed reactor coolant pumps, an electrically heated pressurizer and interconnected piping. The RCS is a "raised loop design" with the steam generators above the reactor core in order to allow an inventory of RCS coolant to flow back into the core in the event of a LOCA and to promote natural circulation of reactor coolant. Davis Besse has a large, dry containment. The containment consists of a steel containment vessel with a reinforced concrete shield building. Relative to the thermal power (2772 MWt), the containment free volume of Davis-Besse (2.83E6 cubic feet) is greater than that of most of the other PWR plants with large dry containments. The plant is operated by Toledo Edison (TE), and started commercial operation in July 1978. There are no other units on site.

Design features at Davis Besse that impact the core damage frequency (CDF) are as follows:

• The turbine driven main feedwater pumps will continue to run for most transients, as the pump flow output is automatically matched to the decay heat level.

• The two turbine driven AFW pumps can be manually controlled locally in station blackout conditions, even after depletion of the batteries. However, with the usual configuration of the system, failure to control one pump will lead to failure of both due to water carryover into the steam lines. The TDAFW pumps are automatically started, as needed, and automatically controlled, as long as power is available.

• The motor driven AFW pump has to be started manually, by the operators, if needed. If offsite power is lost, this pump derives power from the station blackout diesel generator (SBODG) only.

• The normal AFW suction source is the 250,000 gallon inventory in the two condensate storage tanks (CSTs). However, if this is unavailable, the AFW can be aligned to the service water system.

• One pressurizer PORV and two safety valves can be utilized for makeup/HPI cooling (i.e. feed and bleed). This gives Davis Besse a diversity of options for makeup/HPI cooling. The PORV block valve is usually open. The makeup pumps can be used with either the PORV or the safety valves, while the HPI pumps can only be used in conjunction with the PORV.

• CCW is a required support for both makeup and HPI systems, for cooling of bearing lube oil. In addition, the HPI pumps are located in two separate ECCS rooms, which also house the respective DHR (i.e. LPI) and CS pumps. These two rooms require cooling, which is supported by the service water (and safety grade power). The makeup pump room also requires cooling under certain conditions (supported by a non-safety bus); however, adequate cooling of the makeup pump room can be effected by opening the door.

• There are three 100% capacity CCW pumps, providing a high level of redundancy. CCW requires dedicated safety grade room cooling for its pumps.

• The service water system also requires dedicated safety grade room cooling in its pump room. Under accident conditions (i.e., with nonessential load isolation) there are three 100% service water pumps, providing a high level of redundancy. In addition, a fourth pump, the dilution pump, can be used as a backup.

• If the PORV is used for makeup/HPI cooling, at least one containment air cooler (CAC) train must operate to provide the suitable environment.

• The emergency power system at Davis-Besse consists of three emergency diesel generators.

• Recirculation switchover is accomplished manually.

• The RCP seals used are Byron-Jackson N-9000 RCP seals. These seals have shown no appreciable leakage in tests when all seal cooling was lost, provided that the RCPs are tripped. Therefore, RCP seal failure occurs only if the operators fail to trip the RCPs following failure of all seal cooling, or following isolation of seal return. Failure of all seal cooling will occur upon loss of all CCW, due to the dependency of the makeup pumps on CCW cooling of bearing lube oil.

The following plant-specific features are important for accident progression in the Davis-Besse plant:

• The Davis-Besse containment arrangement is such that all levels drain to the reactor cavity/normal sump region. The reactor vessel is submerged for any sequence with significant injection. As a result, external cooling of the corium inside the vessel is considered as one of the top events in the containment event tree used in the IPE. However, it is assumed in the IPE base case that vessel bottom failure is not prevented by this external cooling.

• A reasonably large area is available under the reactor vessel for corium spreading. This results in a corium thickness of about 10 inches, at nominal corium density, if the entire available corium mass is spread in the reactor cavity.

• The steel containment used at Davis Besse could be vulnerable to direct attack by the dispersed core debris. However, the containment shell is protected by a 1.5 ft wide by 2.5 ft high curb at the elevation corresponding to the annular/lower compartment floor (i.e., the basement floor). This curb offers some protection for the steel shell from direct contact with the corium relocated to the lower containment.

E.2 Licensee's IPE Process

The licensee initiated work on a probabilistic risk assessment (PRA) for Davis Besse in response to Generic Letter 88-20. The freeze date for the analysis was mid-1990, at the end of the seventh refueling outage.

To support the IPE process, a review was made of, and models were built upon, a previous PRA of Davis Besse, completed in 1988. Attention was also focused on other PRAs for other plants similar to Davis Besse.

Licensee personnel were involved in all aspects of the analysis. Toledo Edison staff managed the IPE and participated in all aspects of the analysis. The main consultant, Safety and Reliability Optimization Services, provided technical expertise for analysis of internal flooding, human reliability analysis (HRA) and containment analysis.

Utility personnel were involved in the HRA. Procedure reviews, discussions with operations and training staff, and observations of simulator training sessions helped assure that the IPE HRA represented the as-built, as-operated plant. Independent in-house technical reviews of the HRA were performed, as was an external review of the level 1 and level 2 analyses, which presumably included the HRA. Both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response to an accident) were addressed in the IPE. Important human actions and potential human performance related enhancements/improvements were identified and discussed.

The IPE analysis was reviewed at several levels. An independent review (by plant personnel) was also performed. Additionally, Duke Power Company was contracted to perform an outside review. Comments from these reviews were responded to and resolved by the IPE team.

The submittal does not explicitly indicate whether the licensee intends to maintain a "living" PRA,
although it is implied that the IPE will be periodically updated.


E.3 IPE Analysis

E.3.1 Front-End Analysis

The methodology chosen for the front-end analysis was a Level 1 PRA; the small event tree-large fault tree with fault tree linking approach was used. The computer code used for modeling and quantification was CAFTA.

The IPE quantified the following initiating event categories: 9 LOCAs, 19 transients and 6 flooding initiators. The IPE developed 6 event trees to model the plant response to these initiating events. The flooding analysis utilized the existing transient event tree.

Success criteria were based on existing information (e.g. UFSAR) supplemented by RELAP5, MAAP and other calculations, as needed.

Like some other PWR IPEs, the Davis Besse IPE assumes (calculates) that core flood tanks are not needed in large and medium LOCAs. Likewise containment heat removal systems are not needed. These assumptions reduce the CDF from large and medium LOCAs.

The RCP seal cooling model assumes that both CCW and seal injection must fail and the operators must fail to trip the RCPs in order for the seals to fail. This element of the success criteria is less conservative than the Westinghouse model. However it is based on the design and tests with the Byron-Jackson N-9000 seals used at Davis-Besse. Since CCW is used for cooling of the makeup pumps, as well as for the RCP seal thermal barrier cooling, the operators have about 25 minutes from loss of CCW to trip the RCPs (15 minutes minimum until the makeup pumps fail, and an additional 10 minutes to seal failure).

The data collection process period was through mid-1990. Plant specific component failure data were used to update generic data with the use of Bayesian techniques. Plant specific data were used exclusively for unavailabilities due to test and maintenance activities. Generic data were used for the turbine driven AFW pumps, due to extensive modifications since the 1985 outage and lack of any failure data.

Davis Besse data are generally consistent with the NUREG/CR-4550 data.

The multiple Greek letter (MGL) approach was used to characterize common cause failures. The CCF parameters used are generally consistent with the NUREG/CR-4550 recommended values, except for the diesel generator failure to start, which was much lower compared to NUREG/CR-4550. The process used to arrive at these values follows established procedures, specializing the generic occurrences to the plant specific design and configuration. A sensitivity study was done to include all generic diesel generator common cause failure to start as applicable to Davis Besse, though the resulting diesel generator failure to start β factors were still not within range of the NUREG/CR-4550 β factors. The resulting CDF increase was negligible, showing a lack of sensitivity to this parameter, within the range of variation of this parameter that the licensee had chosen.

The internal core damage frequency is 6.6E-5/yr. Of this, flooding contributes 2.0E-6/yr, or about 3%. The internal accident types and initiating events that contribute most to the CDF and their percent contributions are listed below in Tables E-1 and E-2:

Table E-1 Accident Types and Their Contribution to the CDF

| Initiating Event Group | Contribution to CDF (/yr) | % |
|---|---|---|
| Transients | 5.7E-5 | 86.4 |
| LOCAs | 5.7E-6 | 8.6 |
| Internal Flooding | 2.0E-6 | 3.0 |
| Interfacing System LOCA | 8.8E-7 | 1.3 |
| Steam Generator Tube Rupture | 4.6E-7 | 0.7 |
| TOTAL CDF | 6.6E-5 | 100.0 |

Table E-2 Dominant Initiating Events and Their Contribution to the CDF

| Initiating Event | Contribution to CDF (/yr) | % |
|---|---|---|
| Various Losses of SW and CCW (not flood induced) | 1.4E-5 | 21.2 |
| Loss of Offsite Power | 1.2E-5 | 17.7 |
| Loss of Main Feedwater | 7.9E-6 | 11.9 |
| Reactor/Turbine Trip | 5.1E-6 | 7.8 |
| Loss of 4kV bus D1 | 4.4E-6 | 6.7 |

The IPE assigned a Core Damage Bin to the end of each Level 1 event sequence as the interface between Level 1 and Level 2 portions of the analysis.

E.3.2 Human Reliability Analysis

The HRA process for the Davis-Besse IPE addressed both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response to an accident). The analysis of pre-initiator actions included both miscalibrations and restoration faults. Pre-initiator human actions surviving screening were quantified using the guidance provided in the Accident Sequence Evaluation Program Human Reliability Analysis procedure (ASEP HRA) [NUREG/CR-4772]. Twenty-three pre-initiator restoration related events received detailed analysis with the ASEP HRA procedure. None of the miscalibration events were found to be important and therefore were left at their screening values. Post-initiator human actions modeled included both response-type and recovery-type actions. In the post-initiator screening analysis, all human actions included in the logic models (response actions) were initially assigned a failure probability of 1.0. The submittal notes that this was done to ensure that inter-dependencies between multiple events in a cut set were appropriately considered. Post-initiator response type human actions were quantified using the method described in EPRI report TR-100259 and referred to as a cause-based approach. The method used to quantify the recovery type actions was different from that used for the response type actions. The approach used is documented in a draft report developed for EPRI by NUS (NUS-5272) and specifically addresses the modeling of recovery actions in PRAs. Plant-specific performance shaping factors and dependencies (such as those among multiple actions in a sequence) were apparently thoroughly considered for both response and recovery actions. Human errors were identified as important contributors in accident sequences leading to core damage and several potential human performance related enhancements were identified.

E.3.3 Back-End Analysis

The methodology employed in the Davis-Besse IPE submittal for the back-end evaluation is clearly described. Plant Damage States (PDSs) are used as the initial conditions for the Level 2 analysis. The PDSs are defined based on front-end results, grouped into Core-Damage Bins (CDBs), and bridge trees (i.e., event trees) that define the status of the containment systems. A total of 64 PDSs are developed from 16 CDBs and used for the back-end analysis. Quantification of the accident progression involves the development of a small containment event tree (CET), with 12 top events, and fault tree logic for the determination of CET top events. The CET and its supporting fault trees addressed all the containment failure modes discussed in NUREG-1335. The results of the CET analyses lead to an extensive number of CET end states. Results of the CET analyses are reported in the submittal in terms of both containment failure modes and release categories. Nine release categories are defined in the IPE. The MAAP 3.0B computer code was used to calculate severe accident event timing, source terms, and containment loads for representative sequences.

The submittal reports a core damage frequency (CDF) of 6.6E-5 per reactor year. The leading contributor to the CDF is a transient initiated event with the loss of secondary cooling and core injection. This is followed by small LOCAs with the loss of core injection. The leading PDS is obtained from a transient initiated CDB with no RCS depressurization, failure of containment heat removal and containment spray, and with the Borated Water Storage Tank (BWST) not injected (24% of CDF). This PDS results almost entirely from station blackout (SBO). This is followed by a PDS with the same CDB but with RCS depressurization and all containment systems available (20% of CDF).

Table E-3 shows the probabilities of containment failure modes as percentages of the total CDF. Results from both the original IPE and those from the licensee's response to the RAI are presented in Table E-3. Results from the NUREG-1150 analyses for Surry and Zion are also presented for comparison.

Table E-3 Containment Failure as a Percentage of Total CDF

| Containment Failure Mode | Davis-Besse Revised (a) | Davis-Besse IPE | Surry NUREG-1150 | Zion NUREG-1150 |
|---|---|---|---|---|
| Early Failure | 0.6 (b) | 6.3 (c) | 0.7 | 1.4 |
| Late Failure | 9.1 | 7.5 | 5.9 | 24.0 |
| Bypass | 2.6 | 2.6 | 12.2 | 0.7 |
| Isolation Failure | (d) | (d) | (e) | (f) |
| Intact | 87.7 | 83.6 | 81.2 | 73.0 |
| CDF (1/yr) | 6.6E-5 | 6.6E-5 | 4.0E-5 | 3.4E-4 |

(a) Revised values after correction of a logic error in CET quantification in response to RAI.
(b) Includes 0.32% from side-wall failure.
(c) Includes 5.9% from side-wall failure.
(d) Negligible if isolation failure of the small containment sump drain line is ignored.
(e) Included in Early Failure, approximately 0.02%.
(f) Included in Early Failure, approximately 0.5%.

A containment failure mode identified for Davis-Besse that is unusual for large dry containments is that associated with side wall failure. This failure mode accounts for the potential of containment shell failure due to direct contact with core debris, which is possible for Davis-Besse because of its steel containment and the proximity of the incore instrument tunnel to the containment vessel. The probability of this failure mode is included in the early failure mode in Table E-3.

As shown in Table E-3, the containment failure profile for Davis-Besse (based on revised values) is in general consistent with those obtained in the NUREG-1150 analyses. The early failure probability for Davis-Besse is less than that for Surry and Zion. This is primarily due to the treatment of the phenomena that threaten containment integrity at vessel breach, such as DCH and steam explosion. For example, the probability of alpha mode failure for low RCS pressure is assigned a value of 0.001 (or 0.1%) in the Davis-Besse IPE while the value used in NUREG-1150 is 0.008 (or 0.8%), and the estimate of the containment pressure loads at vessel breach, which is based on MAAP calculation in the Davis-Besse IPE, is less than the corresponding parts used in NUREG-1150. Additionally, the probability of RCS depressurization before vessel breach may also contribute to the difference.

Containment bypass for Davis-Besse is primarily due to ISLOCA and SGTR as initiating events. The contribution from induced SGTR (ISGTR) for Davis-Besse is about 30% of the total bypass probability (or less than 1% of CDF). The probability of ISGTR is small despite the fact that the effect of restarting the RCPs is considered in the Davis-Besse IPE. The restart of the RCPs, in compliance with the procedures invoked for inadequate core cooling (ICC) conditions, would clear the water collected in the bowls of the RCPs and cause a forced circulation of the hot gases to the steam generators. Induced SGTR is therefore more likely. However, it is assumed in the IPE that it is more likely that the RCPs would operate only for a short period and the probability of ISGTR is therefore not significant. The probability value used for this case (0.01) is close to that used in NUREG-1150 (with a mean value of 0.018).

The conditional probability of late containment failure for Davis-Besse presented in Table E-3 includes contributions from both containment overpressure failure and basemat melt-through. In the Davis-Besse IPE, basemat melt-through is assigned to the release categories for no containment failure. This, according to the IPE submittal, is due to the expected small airborne release within the 48-hour release duration.

Containment isolation is a PDS parameter in the Davis-Besse IPE. According to the PDS definition, the PDSs of about 1.4% of total CDF involve small isolation failure, due to the failure to isolate the sump drain lines. However, this isolation failure is neglected in the IPE source term quantification because of the small release associated with these lines.

The significantly higher probability for early containment failure in the original Davis-Besse IPE is due to the high probability of side wall failure (5.9%). The large side wall failure in the original IPE, which requires RPV failure at high pressure, is due to an underestimate of RCS depressurization via hot leg creep rupture. Comparison of the results from the original IPE (in effect no hot leg rupture) and the revised results (with hot leg rupture) show the sensitivity of containment failure to hot leg creep rupture.

Release fractions for the Davis-Besse IPE are obtained from MAAP calculations. According to the submittal, over thirty sequences involving a spectrum of LOCAs, transients, and SGTRs were analyzed using MAAP, and, in addition, several sensitivity runs were performed to further define the potential impact of uncertainties in release categories associated with phenomenological modeling in MAAP. Among the nine release categories, three involve the release of volatile fission product fractions greater than or equal to 0.1. Their contribution to total CDF is about 10%.

E.4 Generic Issues and Containment Performance Improvements

The IPE addresses decay heat removal (DHR). CDF contributions were estimated for the following DHR methods: auxiliary feedwater, primary feed and bleed ("makeup/HPI cooling"), safety injection and high pressure recirculation cooling. Failures of the AFW and makeup/HPI cooling were found to make a major contribution to the total CDF. The AFW failures in the most important sequences are dominated by operator failures to control the TDAFW pumps in station blackout scenarios, hardware failures in turbine driven pumps, and failure of the operator to start the MDAFW pump. A major contributor to makeup/HPI cooling failure is operator error. The licensee has significantly modified the makeup system and operating procedures and training in response to the June 9, 1985 loss of feedwater event.

The licensee states that no unique plant features contribute to the DHR contributions to the CDF, which are due to many components. Therefore, this generic issue is considered resolved.

The following generic issues are also discussed in the submittal and considered resolved:

1) USI A-17, Systems Interactions,
2) GI-23, Reactor Coolant Pump Seal Failures,
3) GI-105, Interfacing System LOCAs in PWRs,
4) GI-77, Flooding of Safety Compartments by Backflow through Floor Drains,
5) GI-128, Electric Power Reliability and Related Issues,
6) GI-143, Availability of Chilled Water Systems and Room Cooling,
7) GI-153, Loss of Essential Service Water in LWRs,
8) GI-65, Probability of Core Melt due to Component Cooling Water System Failures.

One of the recommendations of the CPI program pertaining to PWRs with large dry containments was that the utility should evaluate their containment and equipment vulnerabilities to local hydrogen combustion as part of their IPE analyses and identify needs for procedural and equipment improvements. This issue is discussed in Section 2.2.5 of Part 4 of the IPE submittal. The issue is addressed in the Davis-Besse IPE by referring to the analysis results obtained in NUREG-4803 for the Bellefonte Nuclear Power Plant. The analysis for Bellefonte was performed using the method discussed in NUREG/CR-5275, which, according to Generic Letter 88-20 Supplement 3, provides one method for the evaluation of local hydrogen detonations. The Davis-Besse IPE submittal states that, in general, the Davis-Besse containment appears to be even more open than the Bellefonte containment. The IPE also identified two portions of the Davis-Besse containment that have a geometry that may be conducive to hydrogen detonation. The first is the in-core instrument tunnel which extends from the reactor vessel cavity to the room containing the containment emergency sump. The second is the region which contains the opening of the incore instrument tunnel and the emergency sump, and exits into the open building. Based on some qualitative argument, it is concluded in the IPE that hydrogen detonations are judged not possible for these locations. In general, the CPI recommendations can be considered as having been addressed by the licensee.


E.5 Vulnerabilities and Plant Improvements

The licensee defined a vulnerability as either an extremely high CDF (substantially greater than 1.E-4/yr) or a plant feature (or a few features) which causes a disproportionately high contribution to the CDF. No vulnerabilities were found.

The IPE only took credit for plant modifications and improvements that were completed at the time of the study. The exception is the BWST refill, which was not proceduralized at the time of the analysis. The following three modifications were made subsequent to, and as a result of, the IPE process and have now been completed:

1) Shedding of dc loads. At the time of IPE analysis, procedural guidance was given only in cases when ac power is unavailable to both divisions and their chargers. The proposed procedure would also give guidance when only one ac division was lost.
2) BWST refill options. These were considered beneficial for certain SGTR sequences where BWST depletion occurs prior to completion of sufficient depressurization.
3) Fuel oil for the station blackout diesel generator. The SBODG usefulness is somewhat limited due to the amount of fuel oil available to supply it (currently 4 to 8 hours of run time). Operational procedures for the SBODG have been revised to include direction for monitoring the level and consumption rate of fuel oil during emergency operations. Specific direction is provided to initiate refill efforts for the supply tank upon reaching a predetermined level.

No quantitative impact of these subsequent changes on the CDF is available at this time but the licensee intends to incorporate modeling of the changes into their next PSA update (RAI responses).

Other modifications are under consideration.

The term vulnerability, as used in the back end portion of the Davis-Besse IPE submittal, refers to those components, systems, operator actions, and/or plant design configurations that contribute significantly to an unacceptable high severe accident risk. According to the submittal, the general criterion suggested in Generic Letter 88-20 and NUREG-1335 that licensees should look for " cost-effective safety improvements that reduce or eliminate the important vulnerabilities" as well as the guidance provided in NUMARC Report 91-04 were applied in deciding on actions that might need to be taken to address the results and insights from the IPE. The basic finding of the IPE is that there are no fundamental weaknesses or vulnerabilities with regard to severe accidents at Davis-Besse.

Potential improvements suggested by the insights gained frorn the back-end analysis include:

Reduce the BWST level for switch-over to sump recirculation to optimize use of available water,

Optimize operator actions for inadequate core cooling (ICC) related to RCS depressurization and restarting the RCPs,

Re-examine the current emergency plan evaluation criteria using more realistic accident source terms, and

Monitor carbon monoxide levels, in addition to hydrogen levels, in the containment for incorporation into the emergency plan evaluation criteria or severe accident management criteria.

These potential plant improvements from the insights have not been evaluated in detail and no specific resolutions have been identified or evaluated. As a result, they are not modifications or improvements that will necessarily be implemented.

E.6 Observations

Based on the level 1 review of the Davis-Besse IPE the licensee appears to have analyzed the design and operations of Davis Besse to discover instances of particular vulnerability to core damage. It also appears that the licensee has: developed an overall appreciation of severe accident behavior; gained an understanding of the most likely severe accidents at Davis Besse; gained a quantitative understanding of the overall frequency of core damage; and implemented changes to the plant to help prevent and mitigate severe accidents.

Strengths of the level 1 part of the IPE are as follows: Thorough analysis of initiating events and their impact, descriptions of the plant responses, generally reasonable failure data and common cause factors employed, and usage of plant specific data where possible to support the quantification of initiating events and component unavailabilities. The effort seems to have been evenly distributed across the various areas of the analysis.

No major weaknesses of the IPE were identified, other than in the documentation of DHR components contribution to core damage.

The IPE determined that failures in the Auxiliary Feedwater system (dominated by hardware TDAFW pump failures and operator errors to control the TDAFW pumps manually when needed, and to start the MDAFW pump) and in the makeup/HPI cooling (or feed and bleed) (dominated by operator failures) are the primary contributors to core damage.

As was noted previously, several improvements have been completed as a result of insights from the IPE. The CDF impact of these improvements is not known.

The HRA review of the Davis-Besse IPE submittal did not identify any significant problems or errors. A viable approach was used in performing the HRA and nothing in the licensee's submittal indicated that it failed to meet the intent of Generic Letter 88-20 in regards to the HRA. Important elements pertinent to this determination include the following:

1) The submittal indicates that utility personnel were involved in the HRA and that the walkdowns, documentation reviews and simulator observations represented a viable process for confirming that the HRA portions of the IPE represent the as-built, as-operated plant.

2) The analysis of pre-initiator human actions included both miscalibrations and restoration faults. A reasonable screening analysis was performed and pre-initiator human actions surviving screening were quantified using the guidance provided in the Accident Sequence Evaluation Program Human Reliability Analysis procedure (ASEP HRA) [NUREG/CR-4772]. A thorough analysis of pre-initiator events was conducted.
3) Post-initiator human actions modeled included both response-type and recovery-type actions. In the post-initiator screening analysis, all human actions included in the logic models (response actions) were initially assigned a failure probability of 1.0. The submittal notes that this was done to ensure that inter-dependencies between multiple events in a cut set were appropriately considered. Post-initiator response type human actions were quantified using the method described in EPRI report TR-100259 and referred to as a cause-based approach. While a complete listing of the PSFs applied in the analysis of response type actions was not provided in the submittal, a licensee response to an NRC RAI indicated that plant-specific PSFs were considered and appropriately applied. The HRA method used resulted in a thorough and reasonable analysis of the post-initiator events. The method used to quantify the recovery type actions was different from that used for the response type actions. The approach used is documented in a draft report developed for EPRI by NUS (NUS-5272) and specifically addresses the modeling of recovery actions in PRAs. While the licensee apparently took credit for some recovery actions that would not be considered thoroughly proceduralized, a reasonable rationale was provided and the associated HEPs would not be considered unreasonable.

4) The licensee did not identify important human actions through the use of importance measures in the submittal. In a response to the NRC RAI, Fussell-Vesely measures were provided for events relevant to important transients (e.g., total loss of feedwater), but values for the events' contribution to total CDF were not provided. The submittal did provide a good discussion of operator actions in dominant sequences and a sensitivity analysis for human action events in truncated sequences was performed and the results were discussed. Thus, information regarding important human actions was provided. Several potentially important human actions related enhancements were proposed.
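The screening step in item 3 and the Fussell-Vesely measures in item 4 can be illustrated with a small cut-set model. This is an added example, not part of the report or the licensee's model: every event name, probability, frequency and dependence level is constructed, and the dependence adjustment uses the THERP conditional-HEP equations (NUREG/CR-1278) as a stand-in, not the cause-based method of EPRI TR-100259.

```python
"""Why response-type HEPs are screened at 1.0 before cut-set truncation.

All events, probabilities and dependence levels are constructed for
illustration; none are values from the Davis-Besse IPE.
"""
from math import prod

INIT_FREQ = 0.1   # constructed initiator frequency (loss of feedwater), per year
CUTOFF = 1e-7     # constructed truncation limit, per year

HARDWARE = {"TDAFW_FTS": 3e-2, "MDAFW_FTS": 5e-3, "PORV_FTO": 1e-2}
HEPS = {"OP_CTRL_TDAFW": 1e-2, "OP_START_MDAFW": 5e-3, "OP_FEED_BLEED": 1e-3}

# Assumed dependence of an action on an earlier failed action in the same cut set.
DEPENDENCE = {"OP_START_MDAFW": "moderate", "OP_FEED_BLEED": "high"}

CUT_SETS = [
    ("TDAFW_FTS", "MDAFW_FTS", "PORV_FTO"),
    ("TDAFW_FTS", "OP_START_MDAFW", "OP_FEED_BLEED"),
    ("OP_CTRL_TDAFW", "OP_START_MDAFW", "OP_FEED_BLEED"),
    ("TDAFW_FTS", "MDAFW_FTS", "OP_FEED_BLEED"),
]


def conditional_hep(p, level):
    """THERP (NUREG/CR-1278) conditional HEP given the previous action failed."""
    return {
        "zero": p,
        "low": (1 + 19 * p) / 20,
        "moderate": (1 + 6 * p) / 7,
        "high": (1 + p) / 2,
        "complete": 1.0,
    }[level]


def frequency(cut_set, mode):
    """Rare-event cut-set frequency per year under one HEP treatment."""
    hardware = prod(HARDWARE[e] for e in cut_set if e in HARDWARE)
    actions = [e for e in cut_set if e in HEPS]
    if mode == "screening":        # every human action assumed to fail
        human = 1.0
    elif mode == "independent":    # nominal HEPs multiplied as if unrelated
        human = prod(HEPS[e] for e in actions)
    elif mode == "dependent":      # first action nominal, later ones conditional
        human = 1.0
        for i, e in enumerate(actions):
            level = DEPENDENCE.get(e, "zero")
            human *= HEPS[e] if i == 0 else conditional_hep(HEPS[e], level)
    else:
        raise ValueError(f"unknown mode: {mode}")
    return INIT_FREQ * hardware * human


def surviving(mode, cutoff=CUTOFF):
    """Cut sets whose frequency under `mode` is at or above the truncation limit."""
    return [cs for cs in CUT_SETS if frequency(cs, mode) >= cutoff]


def requantified():
    """Screen at HEP = 1.0, truncate, then apply dependence-adjusted HEPs."""
    return {cs: frequency(cs, "dependent") for cs in surviving("screening")}


def fussell_vesely(results, event):
    """Fraction of total frequency from cut sets that contain `event`."""
    total = sum(results.values())
    return sum(f for cs, f in results.items() if event in cs) / total


if __name__ == "__main__":
    print("kept with nominal HEPs before truncation:", len(surviving("independent")))
    print("kept with HEPs screened at 1.0:          ", len(surviving("screening")))
    final = requantified()
    for cs, f in sorted(final.items(), key=lambda kv: -kv[1]):
        print(f"{f:9.3e}  {' * '.join(cs)}")
    for event in ("OP_FEED_BLEED", "TDAFW_FTS"):
        print(f"FV({event}) = {fussell_vesely(final, event):.3f}")
```

With nominal HEPs multiplied as independent, truncation discards every cut set containing a human action; screening at 1.0 keeps them, and the three-action cut set becomes the dominant contributor once dependence is applied.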

The assessment of the level 2 review is that the Davis-Besse IPE submittal documentation, and the responses to the RAI, contain substantial back-end information regarding the severe accident vulnerability issues for the Davis-Besse plant.

The following are the major accident progression findings of the Davis-Besse submittal:

The containment analyses indicate that there is a 13% conditional probability of containment failure. The conditional probability of containment bypass is 2.6%, and the conditional probability of early containment failure is 0.6%. This is made up of 0.32% from direct attack of debris on the containment steel shell and 0.28% from containment failure at HPME.

The back-end portion of the IPE supplies a substantial amount of information with regards to the subject areas identified in Generic Letter 88-20.

The Davis-Besse IPE provides an evaluation of all phenomena of importance to severe accident progression in accordance with Appendix I of the Generic Letter.

The licensee has addressed the recommendation of the CPI program.

The strengths of the level 2 analysis in the IPE include the following:

The CET is well structured and easy to understand. Plant-specific containment failure modes are identified in the IPE process. The attack of core debris on the containment steel shell is identified as a potential containment failure mode. The potential of induced SGTR due to restart of the RCPs is also addressed in the IPE.

The weaknesses of the level 2 analysis include the following:

There is a logic error in the CET structure that prevents hot leg creep rupture from occurring. This error causes an overestimate of the probability of side wall failure and an overestimate of the probability of early failure. Revised containment failure probabilities are provided in the licensee's response to the RAI.

Also, the release categories defined in the Davis-Besse IPE are based on the magnitudes of the fission products released, irrespective of the release timing (or the containment failure modes). As a result, a release category may include CET sequences with different containment failure modes of different release timings.

Finally, the sensitivity analysis provided in the IPE is very limited. It involves the evaluation of the changes in the probabilities of the containment failure modes due to changes in the probability values of some CET base events. However, the values of the basic events used in the sensitivity studies seem arbitrary. For example, there is no discussion of why a value of 0.1 is used for HPME failure in the sensitivity study. It seems the value is arbitrarily selected, not based on the uncertainty of containment pressure loads at HPME. Furthermore, the sensitivity analyses presented in the IPE submittal are based on the base case results with the above-mentioned logic error. The sensitivity to some parameters will change as this error, and thus the result of the base case, is corrected. For example, the sensitivity of side wall failure to debris coolability seems likely to change.

NOMENCLATURE

AFW     Auxiliary Feed Water
ASEP    Accident Sequence Evaluation Program
BWST    Borated Water Storage Tank
CAC     Containment Air Cooler
CBI     Chicago Bridge and Iron Company
CCF     Common Cause Failure
CCI     Core-Concrete Interaction
CCW     Component Cooling Water
CDB     Core Damage Bins
CDF     Core Damage Frequency
CET     Containment Event Tree
CPI     Containment Performance Improvement
CS      Containment Spray
CST     Condensate Storage Tank
DHR     Decay Heat Removal
ECCS    Emergency Core Cooling System
EOP     Emergency Operating Procedures
EPRI    Electric Power Research Institute
FMEA    Failure Modes and Effects Analysis
FTC     Failure to Close
FTO     Failure to Open
FTR     Failure to Run
FTS     Failure to Start
GSI     Generic Safety Issue
HEP     Human Error Probability
HPI     High Pressure Injection
HPME    High Pressure Melt Ejection
HRA     Human Reliability Analysis
ICC     Inadequate Core Cooling
ISGTR   Induced Steam Generator Tube Rupture
ISLOCA  Interfacing System LOCA
IPE     Individual Plant Examination
LCO     Limiting Conditions for Operation
LER     Licensee Event Report
LPI     Low Pressure Injection
MDAFW   Motor Driven AFW
MGL     Multiple Greek Letter
PDS     Plant Damage State
PORV    Power Operated Relief Valve
PRA     Probabilistic Risk Assessment
PSF     Performance Shaping Factor
PWR     Pressurized Water Reactor
RAI     Request for Additional Information
RAV     Risk Achievement Value
RC      Release Category
RCP     Reactor Coolant Pump
RCS     Reactor Coolant System
RWST    Refueling Water Storage Tank
SAROS   Safety and Reliability Optimization Services
SBO     Station Blackout
SBODG   Station Blackout Diesel Generator
SFAS    Safety Features Actuation System
SGTR    Steam Generator Tube Rupture
TAP     Transient Assessment Program
TDAFW   Turbine Driven AFW
TE      Toledo Edison
TER     Technical Evaluation Report
UFSAR   Updated Final Safety Analysis Report
USI     Unresolved Safety Issue

1. INTRODUCTION

1.1 Review Process

This technical evaluation report (TER) documents the results of the BNL review of the Davis-Besse Nuclear Power Station Individual Plant Examination (IPE) submittal [IPE submittal, RAI Responses].

This technical evaluation report adopts the NRC review objectives, which include the following:

To assess if the IPE submittal meets the intent of Generic Letter 88-20, and

To determine if the IPE submittal provides the level of detail requested in the "Submittal Guidance Document," NUREG-1335.

A Request for Additional Information (RAI), which resulted from a preliminary review of the IPE submittal, was prepared by BNL and discussed with the NRC on April 3-5, 1995. Based on this discussion, the NRC staff submitted an RAI to Toledo Edison Company on June 22, 1995. Toledo Edison Company responded to the RAI (RAI Responses) in a document dated September 11, 1995.

This TER is based on the original submittal and the response to the RAI.

1.2 Plant Characterization

The Davis Besse Nuclear Power Plant is a 906 MWe Babcock and Wilcox pressurized water reactor (PWR). The reactor coolant system (RCS) consists of the reactor vessel, two vertical once-through steam generators, 4 shaft-sealed reactor coolant pumps, an electrically heated pressurizer and interconnected piping. The RCS is a "raised loop design" with the steam generators above the reactor core in order to allow an inventory of RCS coolant to flow back into the core in the event of a LOCA and to promote natural circulation of reactor coolant. This raised loop reactor coolant system for Davis-Besse is unique in that all other B&W plants are lower loop. The plant is operated by Toledo Edison (TE), and started commercial operation in July 1978. There are no other units on site.

Design features at Davis Besse that impact the core damage frequency (CDF) relative to other PWRs are as follows:

The turbine driven main feedwater pumps will continue to run for most transients, as the pump flow output is automatically matched to the decay heat level.

The two turbine driven AFW pumps can be manually controlled locally in station blackout conditions, even after depletion of the batteries. However, with the usual configuration of the system, failure to control one pump will lead to failure of both due to water carryover into the steam lines. The TDAFW pumps are automatically started, as needed, and automatically controlled, as long as power is available.

The motor driven AFW pump has to be started manually, by the operators, if needed. If offsite power is lost, this pump derives power from the station blackout diesel generator (SBODG) only.

The normal AFW suction source is the 250,000 gallon inventory in the two condensate storage tanks (CSTs). However, if this is unavailable, the AFW can be aligned to the service water system.

One pressurizer PORV and two safety valves can be utilized for makeup/HPI cooling (i.e., feed and bleed). This gives Davis Besse a diversity of options for makeup/HPI cooling. The PORV block valve is usually open. The makeup pumps can be used with either the PORV or safety valves, while the HPI pumps can only be used in conjunction with the PORV.

CCW is a required support for both makeup and HPI systems, for cooling of bearing lube oil. In addition, the HPI pumps are located in two separate ECCS rooms, which also house the respective DHR (i.e. LPI) and CS pumps. These two rooms require cooling, which is supported by the service water (and safety grade power). The makeup pump room also requires cooling under certain conditions (supported by a non-safety bus); however, adequate cooling of the makeup pump room can be effected by opening the door.


There are three 100% capacity CCW pumps, providing a high level of redundancy. CCW requires dedicated safety grade room cooling for its pumps.

The service water system also requires dedicated safety grade room cooling for its pump room. Under accident conditions (i.e. with nonessential load isolation) there are three 100% service water pumps, providing a high level of redundancy. In addition, a fourth pump, the dilution pump, can be used as a backup.

If the PORV is used for makeup/HPI cooling, at least one CAC (containment air cooler) train must operate to provide the suitable environment.

The emergency power system at Davis-Besse consists of three emergency diesel generators, including the subsequently installed SBODG.


Recirculation switchover is accomplished manually.

RCP seals used are Byron-Jackson N-9000 RCP seals. These seals have shown no appreciable leakage in tests when all seal cooling was lost, provided that the RCPs are tripped. Therefore, RCP seal failure occurs only if the operators fail to trip the RCPs following failure of all seal cooling, or following isolation of seal return. Failure of all seal cooling will occur upon loss of all CCW, due to the dependency of the makeup pumps on CCW cooling of bearing lube oil.

The Davis-Besse Nuclear Power Station has a large, dry containment which consists of three basic structures: a steel containment vessel, a reinforced concrete shield building, and the internal structures. A detailed description of the Davis-Besse containment and plant data are provided in Section 1 of Part 4 of the IPE submittal. Figures 1-1 through 1-4 of the submittal show the general arrangement of the major components of the Davis-Besse Nuclear Power Station and Figures 1-12 through 1-16 show containment internal structures, including various views of the reactor pit and incore instrumentation tunnel.

The Davis-Besse containment vessel is a cylindrical steel pressure vessel with hemispherical dome and ellipsoidal bottom. It is completely enclosed by a reinforced concrete shield building. The containment vessel and shield building are supported on a concrete foundation, i.e. the basemat. The minimum depth of concrete between the bottom of the normal sump and the base of the shield building is approximately 5.7 feet, and about 4.5 feet of this total is the shield building foundation below the embedded steel bottom of the containment building. The total concrete thickness of the Davis-Besse basemat is less than that of most PWR plants with concrete containments (usually about ten feet). Because of the steel containment and the smaller basemat thickness, containment failure due to melt-through caused by ex-vessel core materials is a more significant concern for Davis-Besse.

Some of the plant characteristics important to the back-end analysis are summarized in Table 1 of this report.

As shown in Table 1, the reactor thermal power for Davis-Besse is between that for Zion and Surry. Despite having a smaller thermal power, the containment free volume of Davis-Besse is comparable to that of Zion. In general, relative to thermal power, the containment free volume of Davis-Besse is greater than that of other PWR plants with large dry containments. This is reflected in the large containment free volume to thermal power ratio shown in Table 1. Because of its large volume, the design pressure for the containment is relatively low: the design pressure of 40 psig is lower than the 60 psig for Zion and the 45 psig for Surry (a subatmospheric plant). As shown in Table 1, the median containment failure pressure used in the IPE for Davis-Besse is also lower than that for Zion and Surry. On the other hand, the ratios of Zircalloy and reactor fuel mass to containment volume, which serve to indicate the amount of hydrogen production and the magnitude of hydrogen combustion load, are comparable to that of Zion and Surry.

Other plant characteristics important to the back-end analysis are:

The Davis-Besse containment arrangement is such that all levels drain to the reactor cavity/normal sump region. The reactor vessel is submerged for any sequence with significant injection. As a result, external cooling of the corium inside the vessel is considered as one of the top events in the containment event tree used in the IPE. However, it is assumed in the IPE base case that vessel bottom failure is not prevented by this external cooling.

A reasonably large area is available under the reactor vessel for corium spreading. This results in a corium thickness of about 10 inches, at nominal corium density, if the entire available corium mass is spread in the reactor cavity.

The steel containment vessel is vulnerable to direct attack by core debris. However, the containment shell is protected by a 1.5 ft wide by 2.5 ft high curb at the elevation corresponding to the annular/lower compartment floor (i.e., the basement floor). This curb protects the steel shell from direct contact with the corium relocated to the lower containment.

The basemat material is limestone concrete.

Table 1. Plant and Containment Characteristics for Davis-Besse Nuclear Station

| Characteristic | Davis-Besse | Zion | Surry |
|---|---|---|---|
| Thermal Power, MW(t) | 2772 | 3236 | 2441 |
| RCS Water Volume, ft³ | 11,200 | 12,700 | 9200 |
| Containment Free Volume, ft³ | 2,830,000 | 2,860,000 | 1,800,000 |
| Mass of Fuel, lbm | 207,000 | 216,000 | 175,000 |
| Mass of Zircalloy, lbm | 51,700 | 44,500 | 36,200 |
| Containment Design Pressure, psig | 40 | 60 | 45 |
| Median Containment Failure Pressure, psig | 95 | 135 | 126 |
| RCS Water Volume/Power, ft³/MW(t) | 4.0 | 3.9 | 3.8 |
| Containment Volume/Power, ft³/MW(t) | 1,021 | 884 | 737 |
| Zr Mass/Containment Volume, lbm/ft³ | 0.018 | 0.016 | 0.020 |
| Fuel Mass/Containment Volume, lbm/ft³ | 0.073 | 0.076 | 0.097 |
2. TECHNICAL REVIEW

2.1 Licensee's IPE Process

2.1.1 Completeness and Methodology

The licensee has provided the type of information requested by Generic Letter 88-20 and NUREG-1335.

The front-end portion of the IPE is a Level 1 PRA. The specific technique used for the Level 1 PRA was a small event tree/large fault tree, and it is clearly described in the submittal.

Internal initiating events and internal flooding were considered. Event trees were developed for all classes of initiating events. An uncertainty analysis was performed that provided a probability distribution for the plant damage state bins. A sensitivity analysis raised all human error probabilities (HEPs) to 0.1 to find any potentially important accident sequences.

To support the IPE process, the licensee made a review of, and built the model upon, a previous probabilistic study of Davis Besse, the 1988 Davis-Besse Nuclear Power Station Level 1 Probabilistic Risk Assessment. Model updates reflect the plant modifications since 1988. Other PRA studies for similar plants were also reviewed, for instance the ones for Oconee and Crystal River. The NUREG-1150 studies were also used as reference for this work.

The submittal information on the HRA process was generally complete in scope. Some additional information/clarification was obtained from the licensee through an NRC request for additional information. The HRA process for the Davis-Besse IPE addressed both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response to an accident). The analysis of pre-initiator actions included both miscalibrations and restoration faults. Pre-initiator human actions surviving screening were quantified using the guidance provided in the Accident Sequence Evaluation Program Human Reliability Analysis procedure (ASEP HRA) [NUREG/CR-4772]. Twenty-three pre-initiator restoration related events received detailed analysis with the ASEP HRA procedure. None of the miscalibration events were found to be important and therefore were left at their screening values. Post-initiator human actions modeled included both response-type and recovery-type actions. Post-initiator response type human actions were quantified using the method described in EPRI report TR-100259 and referred to as a cause-based approach. The method used to quantify the recovery type actions was different from that used for the response type actions. The approach used is documented in a draft report developed for EPRI by NUS (NUS-5272) and specifically addresses the modeling of recovery actions in PRAs. Plant-specific performance shaping factors and dependencies (such as those among multiple actions in a sequence) were thoroughly considered for both response and recovery actions. However, a listing of the PSFs applied in the decision trees used in the analysis of response type actions would have made the submittal documentation more complete. Human errors were identified as important contributors in accident sequences leading to core damage and several potential human performance related enhancements were identified.

The methodology employed in the Davis-Besse IPE submittal for the back-end evaluation is clearly described. Plant Damage States (PDSs) are used as the initial conditions for the Level 2 analysis. The PDSs are defined based on front-end results, grouped into Core-Damage Bins, and bridge trees (i.e., event trees) that define the status of the containment systems. Quantification of the accident progression involves the development of a small containment event tree (CET), with 12 top events, and fault tree logic for the determination of CET top events. The CET and its supporting fault trees addressed all the containment failure modes discussed in NUREG-1335. The results of the CET analyses lead to an extensive number of CET end states. Results of the CET analyses are reported in the submittal in terms of both containment failure modes and release categories. The MAAP 3.0B computer code was used to calculate severe accident event timing, source term, and containment loads for representative sequences.

2.1.2 Multi-Unit Effects and As-Built, As-Operated Status

There are no other units on site.

A wide variety of up-to-date information sources were used to develop the IPE, for example the Updated Final Safety Analysis Report (UFSAR), current Technical Specifications, current operator training drills, a listing of plant modifications implemented since the June 9, 1985 outage, plant drawings, operator logs for cycles 5 and 6, operating procedures, etc. The freeze date of the analysis was June 30, 1990 (RAI Responses). Plant walkdowns were performed for considerations such as support system requirements and spatial interactions for internal flooding effects.

Plant specific data were collected between July 1979 and June 1990. There are two exceptions to the data collection start date. One is the reliability data for the AFW system. Generic data were used for the turbine driven AFW pumps due to a limited experience since the June 1985 event (loss of all feedwater) which resulted in substantial modifications to the AFW system. The test and maintenance unavailability data were also collected after the June 1985 outage because of substantial changes in procedures resulting from that event.

Procedure reviews, discussions with operations and training staff, and observations of simulator training sessions helped assure that the IPE HRA represented the as-built, as-operated plant. While no credit was taken for any future human performance related enhancements, it was noted that since the PRA was completed, more detailed procedures have been developed for at least one of the human recovery actions credited in the IPE.

The submittal states that a cut-off date of June 1990 was chosen for the IPE to represent the current plant design and to support the plant-specific data collection effort. However, because of the relatively few plant modifications made after June 1990, those implemented during the subsequent outage (the seventh refueling outage) were also incorporated into the models. Therefore, the PRA models reflect the as-built configuration of the plant as of the end of the seventh refueling outage. According to the submittal, the eighth refueling outage was scheduled to be performed in March 1993. Insofar as the back-end analyses are concerned, it appears that all the Davis-Besse containment specific features are modeled.

The submittal does not explicitly indicate whether the licensee intends to maintain a "living" PRA, although reference is made to maintaining the in-house PRA expertise for future use of the Davis Besse IPE models. "The models were developed and documented in a manner to accommodate possible future updating to reflect plant changes, emerging information on severe accident behavior, or to address safety and regulatory issues as they arise" (letter accompanying the submittal).

2.1.3 Licensee Participation and Peer Review

Licensee participation in the IPE process and review activities are discussed briefly in Section 2 of Part 5 of the IPE submittal. The group responsible for all PRA-related activities at Davis-Besse is the Safety Analysis Unit in the Nuclear Engineering Department of the Toledo Edison Company (TE). Licensee personnel were involved in all aspects of the analysis. In-plant expertise was already existent due to the previous Davis Besse PRA study. Specifically, TE staff were involved in fault-tree modeling and analysis, transient analysis, thermal-hydraulic analysis, systems analysis and various plant procedures and operations. An outside consultant, SAROS (Safety and Reliability Optimization Services), provided technical expertise in such areas as assessment of internal flooding, human reliability analysis and containment event analysis. The front-end analysis was primarily performed by two full time engineers with assistance from other licensee personnel as needed.

The reviews performed for the IPE included both independent in-house reviews and external reviews.

According to the submittal, the independent in-house reviews involved the various engineering departments, as well as licensing engineers, training personnel, operations and maintenance organization personnel, and previously licensed senior reactor operators. External peer review was performed by Duke Engineering & Services, Inc., and the Duke Power Company. This review was done in accordance with a procedure developed by EPRI. The results of this review were documented in a separate report and are referred to in the submittal as being very positive overall.

From the description provided in the IPE submittal it seems that the intent of Generic Letter 88-20 is satisfied.

2.2 Front End Technical Review

2.2.1 Accident Sequence Delineation and System Analysis

2.2.1.1 Initiating Events

The identification of initiating events proceeded in a three-stage approach: 1) review of existing sources, including other PRAs of similar plants, documents such as EPRI's NP-2230 for transient initiators, a review of events that have been identified as potential precursors to more severe accidents, etc.; 2) a thorough review of each system at Davis Besse to identify events that could be of a unique nature or that would not be well characterized by analyses or operating experience of other plants; 3) examination of the operating experience for Davis Besse to determine if it suggested any additional types of events that were not identified elsewhere.

As a result, a total of 34 initiating events (including 6 floods) were identified. These were:

LOCAs:

Large LOCA
Medium LOCA
Small LOCA
Steam Generator Tube Rupture
Interfacing systems LOCA via HPI line
Interfacing systems LOCA via LPI line
Interfacing systems LOCA via DHR letdown isolation failure
Interfacing systems LOCA via premature opening of DHR letdown
Reactor vessel rupture

Transients:

Reactor/turbine trip
Loss of main feedwater
Loss of offsite power
Spurious safety features actuation
Steam generator I unavailable due to break in FW or steam line
Loss of makeup to the RCS
Loss of power from bus YAU
Loss of power from bus YBU
Loss of DC power supply for NNI-X
Loss of primary loop of service water
Loss of secondary loop of service water
Total loss of service water
Loss of operating train of component cooling water
Total loss of component cooling water
Loss of power from 4160 V AC bus C1
Loss of power from 4160 V AC bus D1
Loss of DC power from bus D1P
Loss of DC power from bus D2P
Loss of instrument air

Internal floods:

Flood from aux. bldg. drainage to ECCS pump room for train 1
Flood of ECCS pump rooms due to a failure of a line from BWST
Flood of ECCS pump rooms due to aux. bldg. drainage
Flood in service water pump room
Flood from service water valve room
Flood in component cooling water pump and heat exchanger room

The initiating event list seems to be complete and comparable to events considered in other PRAs.

2.2.1.2 Event Tnes The IPE developed 6 event trees to model the plant responses to internal initiating events: large, medium and small LOCA event trees, SGTR event tree, transient event tree ~ ' ATWS event tree.  ;

No event trees were developed for interfacing systems LOCAs, as the probability of a random ECCS failure (i.e., other than the one caused by the initiating event) following an ISLOCA was deemed negligibly low; the only question asked would be that ofisolation, which is described in the submittal for each of the four ISLOCA categories. No event tree was developed for the reactor vessel ruptun e event as it is assumed to lead directly to core damage. No separate event trees were developed for flooding scenarios, the transient event tree was used with additional flood-caused failures flagged in the appropriate fault trees.

The event trees are functional. The mission time used in the core damage analysis was 24 hours, unless shorter time is indicated (e.g., LOCA injection phase).

The event tree end states are divided into two possible outcomes: success or core damage (which is then put into the appropriate plant damage bin). No definition of core damage is given explicitly, but it appears the analysts used the traditional mixture of core uncovery for most events and the peak cladding temperature for medium and large LOCAs.

Success criteria were based on existing information (e.g., UFSAR) supplemented by RELAP5, MAAP and other calculations, as needed.

Like some other PWR IPEs, the Davis Besse IPE assumes (calculates) that core flood tanks are not needed in large and medium LOCAs. RELAP5 calculations were used to confirm this. Likewise containment heat removal systems are not needed (this was the result of an "informal calculation"). The calculations show that even if the containment were to be over pressurized by the continued buildup of steam, sufficient subcooled water would remain in the sump to support continued recirculation (which includes cooling by the DHR heat exchangers). In the long term, it would eventually be necessary to add some water to make up for evaporative losses (or to establish normal shutdown cooling). It was judged that the likelihood of failure to accomplish such long term actions was negligible compared to other failure modes, provided that the DHR system functioned in both the injection and the recirculation phase.

These assumptions reduce the CDF from large and medium LOCAs.


For medium LOCAs, due to insufficient voiding in the core to produce an immediate shutdown, the need for reactivity control via reactor trip is considered. The success of this function is accomplished by insertion of two of seven rod groups by actuation of the reactor protection system or the diverse scram system. Because of the slower rate of depressurization compared to a large LOCA, the short term core heat removal is accomplished if at least one train each of the HPI and the DHR system inject from the BWST. In the longer term, DHR recirculation is required. Core flood tanks are not needed, as for large LOCA, unless the break is the complete rupture of the core flood/LPI line to the reactor vessel. In that case, success criteria specify flow from the HPI system and the remaining core flood tank in order to prevent core damage. This case was not analyzed separately, but was folded into the rest of the medium LOCAs, with their slightly more conservative success criteria.

For small LOCAs, the reactor trip function is required, with insertion of two of seven rod groups constituting success. As the break sizes in this range are insufficient for decay heat removal, the operators would use the AFW system (one of the three AFW pumps) in conjunction with at least one turbine bypass valve or the atmospheric vent valve for decay heat removal and to cool down to DHR entry conditions. The DHR would then be used for long term decay heat removal. While the cooldown via the secondary system is in progress, the core inventory would be maintained by either one train of HPI or both trains of makeup pumps. Alternatively, if SG cooling is unavailable, the operators could use the makeup/HPI cooling for inventory control and decay heat removal. The success criteria for the makeup/HPI cooling are either one train of HPI or one train of makeup taking suction from the BWST in conjunction with the PORV for pressure relief, or both trains of makeup pumps taking suction from the BWST in conjunction with at least one pressurizer safety valve. In the long term and if AFW is not available, high pressure recirculation would need to be established, by piggybacking the HPI or makeup pumps onto the DHR pumps taking suction from the containment sump.

For small LOCAs, no credit is given to continued operation of the turbine driven MFW pumps (unlike the treatment in transients) due to uncertainty regarding these pumps' operation in the boiler-condenser mode. With reduced inventory in the RCS and the loss of forced circulation brought about by tripping the RCPs, the steam generators would become decoupled until high pressure makeup succeeded in restoring inventory. When this occurs, it is possible for the drop in steam production to cause the loss of the turbine driven MFW pumps. In contrast, the AFW system feeds the steam generator through a header that is higher than the point at which the MFW is admitted. The combination of the AFW spray higher on the steam generator tubes, higher level-control setpoint, and the colder water (relative to MFW) creates an effectively higher thermal center in the steam generators that promotes natural circulation and, if needed, boiler-condenser cooling (RAI Responses).

For the SGTR in which depressurizing the RCS below 1000 psig was successful, MAAP calculations indicate that with continuing cooldown, the BWST inventory would not be depleted (for at least two days) even with failure to isolate the affected steam generator. This is due to decreasing leakage through this steam generator with decreasing RCS pressure.


If the unaffected steam generator were not available for cooldown to 1000 psig in an SGTR, the operators could use the generator with the ruptured tube. Below 1000 psig, makeup/HPI cooling would be used. The affected generator would be isolated. However, BWST inventory might be depleted prior to reaching cold shutdown conditions. In that case, sufficient inventory would exist in the containment emergency sump to support recirculation for long term heat removal.

If cooling were not initially available via either steam generator in an SGTR, HPI/makeup cooling could be used only as a short-term solution until feedwater could be restored. Without restoration of steam generator cooling, the RCS would remain at high pressure, the BWST would eventually be depleted and there would be insufficient inventory in the containment sump for recirculation.

The RCP seal cooling model assumes that both CCW and seal injection must fail and the operators must fail to trip the RCPs in order for the seals to fail. This element of the success criteria is less conservative than the Westinghouse model; however, it is based on the design and tests with the Byron-Jackson N-9000 seals used at Davis-Besse. Since CCW is used for cooling of the makeup pumps, as well as for the RCP seal thermal barrier cooling, the operators have about 25 minutes from loss of CCW to trip the RCPs (15 minutes minimum until the makeup pumps fail, and an additional 10 minutes to seal failure).

For interfacing systems LOCAs, credit is given to non-proceduralized operator actions to find and isolate the break. In one of the scenarios, only one hour would be available until core uncovery, whereas in the other three scenarios, several hours would be available for isolation. The possibility is considered that the break may occur in an unisolable portion of the piping. There is no discussion of consideration of failure of the isolation valves to close against the reverse differential pressure.

2.2.1.3 Systems Analysis

A total of 17 systems/functions are described in Section 3.2 of the Submittal. Included are descriptions of the following systems: electrical power (AC and DC), ECCS, safeguards actuation, service water, component cooling water, instrument air, power conversion, makeup, reactor trip, ECCS room coolers, RCS, containment systems, and AFW. Each system description includes a discussion of the system design and operation, dependencies, and role in sequence models. Also included for many systems are simplified schematics that show major equipment items and important flow and configuration information.

Success criteria are described in the event tree description portion of the report. System dependencies are summarized in a matrix form.

Section 1.2 of this TER contains a description of important plant features.

2.2.1.4 System Dependencies

The IPE addressed and considered the following types of dependencies: shared component, instrumentation and control, isolation, motive power, direct equipment cooling, areas requiring HVAC, operator actions and environmental effects. HVAC was determined to be important in the ECCS rooms 105 and 115 (containing the HPI, DHR and CS pumps), makeup pump room, service water pump room, and component cooling water pump room (RAI Responses). In other rooms, temperature limits would not be exceeded in the accident scenarios of interest (RAI Responses).

Containment air cooling (one of three trains) is necessary to provide environmental conditions for PORV operation.

Table 2-2 of the submittal contains the overall system dependency matrix, including both support-on-support and frontline-on-support dependencies.

2.2.2 Quantitative Process

2.2.2.1 Quantification of Accident Sequence Frequencies

The IPE used a small event tree/large fault tree technique with fault tree linking to quantify core damage sequences. Fault tree models were developed for top events depicted in the event trees. These high level fault trees are shown in the submittal. The systems in these fault trees were also modeled by fault trees, as were their support systems. The event trees were functional. The CAFTA software package was used for development and quantification of top event probabilities and accident frequencies.

The cut set truncation limit used was 1.E-9/yr, except for the sequence involving a transient with loss of all feedwater and failure of makeup/HPI cooling, where there was such a large number of cut sets that it was necessary to use a limit of 1.E-8/yr. Tests were performed to ensure that non-negligible contributions to the sequence frequencies were not missed due to the application of the truncation limits.

The IPE took credit for various recovery activities, including the recovery of offsite power. The IPE power recovery curve is consistent with average industry data cited in an Electric Power Research Institute (EPRI)-sponsored study (NSAC-147).

2.2.2.2 Point Estimates and Uncertainty/Sensitivity Analyses

Mean values were used for the point estimate initiator frequencies and all other basic events. A formal mathematical uncertainty analysis was performed on the results, using Monte Carlo simulations and employing the UNCERT computer code which is a module of the CAFTA workstation.

However, the submittal reports only the point estimates for the total core damage frequency and the frequencies of important sequences. The uncertainty distribution is given only for the core damage bins. No importance measures are given in the submittal. Importance measures (Fussell-Vesely and risk achievement worth) of initiating events and basic events for the most important sequence (which contributes 55% to the total CDF) were provided as part of the RAI responses.

One sensitivity analysis was also performed. This raised all HEPs to 0.1 to find potentially important 4 4 sequences which would have been above 10 /yr (10 /yr for containment bypass sequences) if the human interaction included in them were postulated to be less reliable than was assessed in the base case. Four such sequences and three containment bypass bins were found and discussed.

2.2.2.3 Use of Plant Specific Data

The data collection process period was through June 30, 1990, for most important components. The exception to this are the various valves, for which data was taken until the June 9, 1985 outage. A decision was made that extending this data until 1990 would not be cost effective, especially since it was felt that reliability of these components had improved since the June 9, 1985 event, due to various programs put into place. Likewise, data for the plant specific initiating events were collected only through June 9, 1985; since then, the annual number of trips has been decreasing. No plant specific data were collected for the two turbine-driven AFW pumps because substantial modifications were made to these pumps following the June 9, 1985 outage (which lasted through December 1986). Therefore, it was felt that prior experience did not accurately reflect the new pumps. There was insufficient experience since that time to use for developing plant specific data for these pumps (no failures to start or to run). Hence, generic data are used for these pumps. In case of the newly installed station blackout diesel generator (SBODG), there was very little, if any, data available. Therefore, failure and maintenance data for the other two diesel generators was used here as well, since the design and function of the SBODG is substantially similar.

Both demand and time related failures were addressed. The sources of plant specific failure data were maintenance work orders, TAP (transient assessment program) reports and LERs. For test and maintenance unavailability data, operator logs and tag-out logs were consulted.

The plant specific component failure data were used to update generic data with the use of Bayesian techniques. Plant specific data were used exclusively for unavailabilities due to test and maintenance activities.

The submittal shows both the generic data and plant specific data used for a component, along with the plant specific experience (e.g., number of failures and total running time in hours) for that component. The generic data were compiled from several sources and aggregated into composite estimates for each component type and failure mode.

Table 2 of this review compares the plant specific failure data for selected components from the IPE to values typically used in PRA and IPE studies, using the NUREG/CR-4550 data for comparison [NUREG/CR-4550, Methodology].

Table 2. Comparison of Failure Data

Component                                   Davis-Besse         4550
MDAFW Pump
  fail to start                             6.2E-3              3.0E-3
  fail to run                               2.4E-5              3.0E-5
HPI Pump
  fail to start                             4.1E-3              3.0E-3
  fail to run                               2.4E-5              3.0E-5
LPI Pump
  fail to start                             5.6E-3              3.0E-3
  fail to run                               2.5E-5              3.0E-5
SWS Pump
  fail to start                             5.9E-3              3.0E-3
  fail to run                               1.4E-5              3.0E-5
CCW Pump
  fail to start                             6.9E-3              3.0E-3
  fail to run                               1.3E-5              3.0E-5
IAS Compressor
  fail to start                             5.3E-5              8.0E-2
  fail to run                               2.2E-4              2.0E-4
Battery Charger Failure                     2.0E-5              1.0E-6
Battery Failure                             7.1E-7              1.0E-6
Circuit Breaker (13.8kV)
  fail to remain closed (spurious open)     3.7E-6              1.0E-6
Circuit Breaker (4160V)
  fail to remain closed                     2.8E-6              1.0E-6
AC Bus Fault (480V to 13.8kV)               4.6E-7 to 9.9E-7    1.0E-7
Check Valve
  fail to open                              4.0E-5              1.0E-4
  fail to close                             7.6E-4              1.0E-3
MOV Fail on Demand                          7.6E-3              3.0E-3
Air Operated Valve
  fail to open/close                        4.4E-3              2.0E-3
Pressurizer PORV
  fails to open                             5.9E-3              2.0E-3
  fails to reclose, steam relief            1.2E-2              2.0E-3
Emergency Diesel Generator
  fails to start                            1.4E-2              3.0E-2
  fails to run                              6.6E-3              2.0E-3

Notes: (1) 4550 are mean values taken from NUREG/CR-4550, i.e., from the NUREG-1150 study of five U.S. nuclear power plants.

(2) Demand failures are probabilities per demand. Failures to run or operate are frequencies expressed in number of failures per hour.

Davis-Besse data are generally in agreement with the NUREG/CR-4550 data, except for the instrument air compressor failure to start, which is three orders of magnitude below the NUREG value. However, the Davis-Besse value seems to be supported by their plant specific experience (11 failures in 2.1E+5 demands).

2.2.2.4 Use of Generic Data

As discussed in Section 2.2.2.3 above, several sources of generic data were consulted to arrive at a composite generic value for each component and failure mode. The generic data used are tabulated.

The only major component for which the final failure data used in the IPE were the generic data were the turbine driven AFW pumps. Since they have been substantially modified during the 1985-1986 outage, and there has been insufficient plant experience with them since then (no failures to run or to start), generic data were used instead. The generic data for these pumps is 2.1E-2/demand for failure to start and 1.3E-3/hr for failure to run. This is consistent with the NUREG/CR-4550 values of 3.E-2/demand for failure to start and 5.E-3/hr for failure to run.

2.2.2.5 Common-Cause Quantification

Redundant components were systematically examined to address potential common-cause failures.

The approach used was the multiple Greek letter approach (MGL). The β and (if applicable) the γ and the δ factors are reported in the submittal, with discrimination based on failure modes (e.g., in general, different values of MGL parameters are given to failure to start as opposed to failure to run). Also, for convenience, common cause multipliers for various combinations of component failure are also given alongside (e.g., 2 of 3 failure, 3 of 3 failure).

The methodology followed that described in NUREG/CR-4780 ("Procedure for Treating Common Cause Failures in Safety and Reliability Studies"). The data base used was the EPRI data base. The events in this data base were reviewed for applicability to Davis Besse, and the applicable common cause factors calculated.

A number of categories of components were modeled in the common cause analysis, including: all kinds of pumps, all kinds of valves (also including pressurizer safety valves and SG atmospheric valves), strainers, containment air coolers, room cooling units, air compressors, emergency diesel generators, batteries, battery chargers, breakers, logic modules, transmitters, actuation channels and bistables.

A comparison of effective β factors in the submittal vs. those suggested in NUREG/CR-4550 ("reference β factor") is presented in Table 3. NUREG/CR-4550 reports only failure to start β factors.

The "effective" β factor means the β factor, calculated from the MGL parameters, which would be used in a β factor method to arrive at the same conditional probability of common cause failure as that calculated from the MGL factors. In this way, comparison can be made between the two different methodologies, since NUREG/CR-4550 used the β factor method whereas the submittal used the MGL approach. For example, the "effective" β factor for failure of three components would be calculated by multiplying the β and the γ factors in the MGL method.

The table shows general consistency between the Davis Besse CCF data and that recommended in NUREG/CR-4550. In addition, the common cause factors for the turbine driven AFW pumps seem reasonable, with a failure to start β of 0.057 and a failure to run β of 0.018. This is consistent with the EPRI ALWR requirements document. However, no common cause failure of all three AFW pumps was considered, e.g., due to steam binding.

The only question with regard to the common cause failure parameters used is with respect to the diesel generator failure to start, where the Davis-Besse data implies a much smaller probability of common cause failure. The RAI Responses explained the process used to arrive at these data. For the failure to start, four of the seven potential common cause events, described in the EPRI Report TR-100382, were deemed inapplicable to the Davis Besse EDGs.

Table 3. Comparison of Common-Cause Failure Factors

Component                           Failure Mode   Submittal β factor   Reference β factor
SWS pump, CCF of 2 pumps            FTS            0.099                0.026
                                    FTR            0.021
SWS pump, CCF of 3 pumps            FTS            0.051                0.014
                                    FTR            0.016
CCW pump, CCF of 2 pumps            FTS            0.10                 0.026
                                    FTR            0.050
CCW pump, CCF of 3 pumps            FTS            0.050                0.014
                                    FTR            0.025
LPI pump                            FTS            0.10                 0.15
                                    FTR            0.013
HPI pump, CCF of 2 pumps            FTS            0.060                0.21
                                    FTR            0.020
Containment Spray pump              FTS            0.19                 0.11
                                    FTR            0.050
MOV, CCF of 2 valves                FTO/FTC        0.029                0.088
Diesel Generator, CCF of 2 EDGs     FTS            0.0056               0.038
                                    FTR            0.021
Diesel Generator, CCF of 3 EDGs     FTS            0.00078              0.018
                                    FTR            0.012
Pressurizer Safety Valves           FTO            0.05                 0.07

In response to the RAIs, an analysis was performed, in which these four events were admitted, thus raising the effective β for a system of 2 diesel generators to 0.014, and for a system of three diesel generators to 0.0053 (RAI Responses).

The postulated error factor for the NUREG/CR-4550 common cause parameters was 3, so these new values from this limited sensitivity analysis are at about the 5% level of the NUREG/CR-4550 probability distribution of the CCF parameters (i.e., the βs).
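The effective β comparison and the "about the 5% level" statement can be checked numerically. The Python sketch below is an added example, not part of the TER or the licensee's analysis; it assumes the NUREG/CR-4550 reference β is lognormally distributed with the error factor defined as the ratio of the 95th percentile to the median, evaluates both readings of the tabulated reference value (median or mean), and uses constructed MGL parameters for the β×γ illustration.

```python
import math

Z95 = 1.6448536269514722  # 95th percentile of the standard normal distribution


def effective_beta(mgl_factors):
    """Effective beta for failure of all components in a common-cause group.

    Follows the rule quoted in the review: multiply the MGL factors
    (beta for 2 components, beta*gamma for 3, beta*gamma*delta for 4).
    """
    result = 1.0
    for factor in mgl_factors:
        if not 0.0 <= factor <= 1.0:
            raise ValueError("MGL factors are conditional probabilities in [0, 1]")
        result *= factor
    return result


def lognormal_percentile(value, reference, error_factor, reference_is="median"):
    """Cumulative probability of `value` under a lognormal built from a
    reference point estimate and an error factor (assumed: EF = p95 / median)."""
    if value <= 0 or reference <= 0 or error_factor <= 1:
        raise ValueError("value and reference must be > 0, error factor > 1")
    sigma = math.log(error_factor) / Z95
    if reference_is == "mean":
        # mean = median * exp(sigma^2 / 2) for a lognormal
        median = reference * math.exp(-sigma ** 2 / 2.0)
    elif reference_is == "median":
        median = reference
    else:
        raise ValueError("reference_is must be 'median' or 'mean'")
    z = math.log(value / median) / sigma
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


# EDG failure-to-start effective betas quoted in the review:
# Table 3 (submittal vs. reference) and the RAI sensitivity case.
EDG_FTS = {
    "2 EDGs": {"reference": 0.038, "submittal": 0.0056, "sensitivity": 0.014},
    "3 EDGs": {"reference": 0.018, "submittal": 0.00078, "sensitivity": 0.0053},
}
ERROR_FACTOR = 3.0  # error factor stated in the review


def review_edg_fts():
    """Percentile of each Davis-Besse value in the assumed reference distribution."""
    rows = {}
    for group, v in EDG_FTS.items():
        rows[group] = {
            f"{case}_{reading}": lognormal_percentile(
                v[case], v["reference"], ERROR_FACTOR, reading
            )
            for case in ("submittal", "sensitivity")
            for reading in ("median", "mean")
        }
    return rows


if __name__ == "__main__":
    # Constructed MGL parameters (not from the submittal), 3-component group.
    print("effective beta, beta=0.05 gamma=0.4:", effective_beta([0.05, 0.4]))
    for group, row in review_edg_fts().items():
        for key, p in sorted(row.items()):
            print(f"{group:7s} {key:20s} percentile = {100 * p:8.4f}%")
```

Under these assumptions the sensitivity-case values fall between roughly the 3% and 12% levels depending on the reading of the reference value, while the original submittal values all lie below the 1% level.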

When these new CCF parameters were incorporated into the quantification of the core damage sequences, there was a very small increase in the core damage frequency (from 6.59E-5/yr to 6.61E-5/yr) (RAI Responses). Thus the results are not very sensitive to the choice of the diesel generator failure to start CCF parameters, at least not in the range that the licensee has chosen to cover for these parameters. What the effect would be of raising these CCF parameter values to the NUREG/CR-4550 levels was not shown.

The general observation is that the common cause failure parameters seem consistent with NUREG/CR-4550, overall. The only question is the diesel generator failure to start, to which the results are not very sensitive (at least not to within a small variation in these parameters' values). The licensee was following NUREG/CR-4780 guidance in arriving at the common cause parameters.

It should also be noted that there have been ongoing efforts to improve reliability of components at nuclear power plants since NUREG/CR-4550 was published. This includes attention being paid by the industry to occurrences of common cause failures, and necessary steps, if applicable and practicable, are taken to prevent reoccurrence. Thus common cause conditional probabilities may have gone down since NUREG/CR-4550 publication.

2.2.2.6 Initiating Event Frequency Quantification

For initiating event frequencies of the following transients plant specific data was used: reactor/turbine trip, loss of main feedwater, loss of bus YAU/YBU, and the loss of instrument air. It should be noted that the yearly number of trips has been declining since the June 1985 outage; however, earlier events were retained for frequency calculations due to insufficient number of cycles with the improved experience. (The June 1985 outage was caused by a loss of all feedwater event which resulted in substantial plant modifications, including the procedures.) The generic database information was then updated with this plant specific information using the Bayesian methodology.

For large and medium LOCAs, generic experience with no events was used in a χ² approach to determine the frequencies, using experts' opinion that the breakdown in frequency between the medium and the large LOCA was 3 to 1. For small LOCAs, steam generator tube ruptures, and feedwater and steamline breaks, industry experience was reviewed and applicable events used to arrive at a generic frequency to be applied at Davis Besse. For the frequency of reactor vessel rupture, frequencies from several PRA studies of this initiator were aggregated in a similar manner described for generic data below. The loss of offsite power was calculated by reviewing industry wide experience and applying it to Davis Besse, if appropriate. The initiating event frequency for the spurious safety feature actuation was based on a review of trips that have occurred at Babcock and Wilcox PWRs.

The initiating event frequencies used in the IPE are presented in Table 4.

The initiating event frequencies seem reasonable and are comparable to other PRA studies.


Table 4. Initiating Event Frequencies for Davis Besse IPE

Initiating Event                                                     Frequency (/yr)
Large LOCA                                                           1.0E-4
Medium LOCA                                                          3.0E-4
Small LOCA                                                           3.6E-3
Steam Generator Tube Rupture                                         9.0E-3
ISLOCA via HPI line                                                  1.8E-6
ISLOCA via LPI line                                                  2.9E-6
ISLOCA via DHR letdown isolation failure                             3.2E-7
ISLOCA via premature opening of DHR letdown                          1.7E-5
Reactor vessel rupture                                               5.0E-7
Reactor/turbine trip                                                 6.0
Loss of main feedwater                                               1.7
Loss of offsite power                                                3.5E-2
Spurious safety feature actuation                                    1.3E-2
Steam generator I unavailable due to break in FW or steam line       3.6E-3
Loss of makeup to the RCS                                            5.8E-2
Loss of power from bus YAU                                           0.17
Loss of power from bus YBU                                           0.17
Loss of DC power supply for NNI-X                                    1.8E-2
Loss of primary loop of service water                                0.16
Loss of secondary loop of service water                              0.16
Total loss of service water                                          6.5E-4
Loss of operating train of component cooling water                   0.34
Total loss of component cooling water                                5.2E-4
Loss of power from 4160 V AC bus C1                                  8.6E-3
Loss of power from 4160 V AC bus D1                                  8.6E-3
Loss of DC power from bus D1P                                        1.1E-2
Loss of DC power from bus D2P                                        1.1E-2
Loss of instrument air                                               0.11
Flood from aux. bldg drainage to ECCS pump room for train 1          4.1E-3
Flood of ECCS pump rooms due to failure of a line from BWST          8.6E-5
Flood of ECCS pump rooms due to aux. bldg drainage                   1.3E-3
Flood in service water pump room                                     7.5E-4
Flood from service water valve room                                  3.8E-5
Flood in component cooling water pump and heat exchanger room        3.5E-4

2.2.3 Interface Issues

2.2.3.1 Front-End and Back-End Interfaces

Davis Besse has both containment air coolers (CAC) and containment spray (CS) systems to provide containment cooling functions.

During the early phases of an accident, containment spray would be provided from the BWST via 2 dedicated containment spray pumps. These pumps would switch suction to the containment sump for recirculation, on receipt of BWST low level signal (8 ft of borated water remaining in the BWST). The same sump would be utilized as suction source for the DHR pumps which would provide core inventory recirculation through the DHR heat exchangers (and possibly through the HPI pumps if the RCS pressure was high enough). Therefore, the recirculation spray function would be dependent on the core coolant recirculation function for cooling of the sump coolant.

Suction for recirculation is through valves DH9A and DH9B. Failures associated with these valves would prevent recirculation through DHR pumps, HPI pumps and containment spray pumps.


Contrary to the UFSAR, containment cooling by either CAC or CS systems is not deemed necessary in order to prevent core damage after a large LOCA. (However, these systems are included in the bridge trees that link the front-end and the back-end analyses.) Calculations indicate that even if the containment were to be over pressured due to the continued buildup of steam, sufficient subcooled water would remain in the sump to support recirculation. In the long term, it would be necessary to add some water to make up for evaporative losses (or to establish normal shutdown cooling). Failure to do so was judged negligible compared to other failure modes, provided the DHR functioned in both the injection and the recirculation modes.

However, operation of at least one out of three CAC trains is necessary to maintain an environment that is suitable for long term operation of the PORV during makeup/HPI cooling (e.g., after a small LOCA, or a transient). Note that failure of the PORV does not preclude this type of cooling, as the two pressurizer safety valves can be used also, in conjunction with the makeup pumps. The safety valves do not need any support systems.

Accident sequences are grouped into core damage bins. These bins reflect characteristics of the accident sequences, up to the point of core damage, that could be important in determining differences in containment response. Each core damage bin is comprised of the following elements:

- Type of initiating event, i.e., the size of breach in the RCS, and whether or not the event implies bypassing of the containment;
- Status of emergency core cooling, i.e., whether the core cooling functioned in the injection or recirculation modes;
- Availability of steam generator cooling, i.e., whether the inventory of fission products that could be released to the environment might be reduced by the presence of cool surfaces or scrubbing in the steam generators.

The core damage bins partially define the plant damage states, used in the Level 2 analysis. The following 8 attributes are used to define the plant damage states: timing of core damage, rate of leakage from the RCS, RCS pressure prior to vessel breach, heat removal via the steam generators, presence of water in the reactor cavity, status of containment pressure boundary, status of containment heat removal and status of fission product spray removal.

Section 2.4 of this TER presents more information on Level 2 considerations.

2.2.3.2 Human Factors Interfaces

Since the most important accident sequence, contributing 55% to core damage, involves failures in decay heat removal via steam generators and failure of makeup/HPI cooling, the most important operator errors will usually involve failures in controlling TDAFW pumps, starting the MDAFW pump and initiating makeup/HPI cooling.

Section 2.3.2.5 of this report contains the detailed information on important operator actions.

2.2.4 Internal Flooding

2.2.4.1 Internal Flooding Methodology

The methodology used to perform the flooding analysis consisted of three major steps:

1) Identification of potential floods and areas affected (flood zones),
2) Identification and initial screening of flooding scenarios, and
3) Quantification of important flooding scenarios.

The development of flooding scenarios was supported by extensive plant walkdowns.

The existing transient event tree was used to quantify important flooding scenarios. System failures due to flooding scenarios were flagged in the fault trees. Propagation of flooding to other areas (including back propagation through the drains) and isolation of the floods were considered.

Component failures considered which could cause flooding were pipe and valve ruptures and floods induced by human errors (such as errors in maintenance), and combination of equipment failures and operations staff errors. Spray effects from sprinklers, eye wash stations, etc. were considered during the plant walkdowns. Flooding from the fire suppression systems was considered to a certain extent.

With respect to spray effects, the RAI responses are somewhat ambiguous. It is stated that a detailed investigation of spray effects was judged to be beyond the scope of the IPE. However, sprays were given limited consideration during walkdowns and it was noted that equipment such as electrical panels and motor control centers are protected against spray effects and no vulnerable equipment was identified. The issue of the potential effects of inadvertent actuation of the fire suppression system is being considered more extensively in the context of the IPEEE (RAI Responses).

Once the failure modes were identified, they were quantified using appropriate equipment failure data developed for the internal events, as well as the human reliability analysis. Generic industry data regarding flooding events was also reviewed and found to be helpful in estimating the overall frequency of maintenance-related floods.

2.2.4.2 Internal Flooding Results

Six potentially significant flooding scenarios identified from the screening analysis were further analyzed in the transient event tree and a formal accident sequence analysis. The total contribution of internal flooding to the point estimate core damage frequency was estimated to be 2.0E-6/yr, which is about 3% of the total core damage frequency (from internal events and internal flooding). Three pump scenarios account for a 1.9E-6/yr core damage frequency, or 95% of the internal flooding CDF contribution. All three scenarios make up the functional sequence FQUr, which is a flood causing loss of all service water or CCW, and in turn causing a LOCA due to failure of RCP seals, followed by failure to provide adequate safety injection. These three scenarios are due to floods postulated to occur in four rooms. The floods are:

1) A service water or fire-suppression flood in the CCW pump room (room 328),
2) A service water, fire-suppression or cooling tower makeup system flood in the service water pump area (room 52);
3) A fire-suppression system flood in the room housing the diesel-driven fire suppression pump (room 51), adjacent to the service water pump room;
4) A service water supply or return line rupture or a cooling tower makeup system line rupture in the service water valve room (room 53).

2.2.5 Core Damage Sequence Results

2.2.5.1 Dominant Core Damage Sequences

The results of the IPE analysis are in the form of functional sequences, therefore NUREG-1335 screening criteria for reporting of such sequences are used. The point estimate for the core damage frequency from internal events and internal flooding is 6.6E-5/yr. Accident types and their percent contribution to the CDF are listed in Table 5. The most important initiators are given in Table 6. Nine dominant sequences and two containment bypass bins were described in detail (four transient, one medium LOCA, one small LOCA, two interfacing LOCA, and one flood sequence, and two SGTR bins). Each of these important sequences has a frequency greater than 1.E-6/yr, except for the two interfacing LOCA sequences bypassing the containment and the two SGTR bins, all of which have a frequency greater than 1.E-7/yr. The important sequences are summarized below in Table 7.

Table 5. Accident Types and Their Contribution to the CDF

| Initiating Event Group | Contribution to CDF (/yr) | % |
|---|---|---|
| Transients | 5.7E-5 | 86.4 |
| LOCAs | 5.7E-6 | 8.6 |
| Internal Flooding | 2.0E-6 | 3.0 |
| Interfacing System LOCA | 8.8E-7 | 1.3 |
| Steam Generator Tube Rupture | 4.6E-7 | 0.7 |
| Total CDF | 6.6E-5 | 100.0 |

Table 6. Dominant Initiating Events and Their Contribution to the CDF*

| Initiating Event | Contribution to CDF (/yr) | % |
|---|---|---|
| Various Losses of SW and CCW (not flood induced) | 1.4E-5 | 21.2 |
| Loss of Offsite Power | 1.2E-5 | 17.7 |
| Loss of Main Feedwater | 7.9E-6 | 11.9 |
| Reactor/Turbine Trip | 5.1E-6 | 7.8 |
| Loss of 4kV bus D1 | 4.4E-6 | 6.7 |

* Only the most dominant initiating event contributors to the CDF are listed here.

Table 7. Dominant Core Damage Sequences

| Initiating Event | Dominant Subsequent Failures in Sequence | % of CDF |
|---|---|---|
| Transient: dominant contributors are Loss of Offsite Power, Loss of Main Feedwater, Reactor/Turbine Trip and Loss of 4kV Bus D1 | Auxiliary Feedwater Fails (mainly due to TDAFW pump hardware failures with failure of the operator to start the MDAFW pump, or failure of the operator to manually control the TDAFW pump at station blackout) coupled with failures in makeup/HPI cooling (usually caused by operator error or station blackout conditions) | 53.0 |
| Transient, contributions from total or partial loss of SW or total or partial loss of CCW | RCP Seal LOCA, due to failure of operators to trip the RCPs after loss of all seal cooling or loss of seal return; and failure of the makeup/injection systems due to CCW failure | 21.2 |
| Transient, mainly loss of instrument air, loss of DC bus D2P or loss of seal return | RCP seal failure, caused by seal return isolation and failure of operators to trip RCPs; failure of long term cooling (caused by operator error or hardware failures in conjunction with initiator effects in case of loss of DC bus); or failure in high pressure recirculation (mostly by operator error) | 6.5 |
| Transient, mainly loss of DC bus D2P or loss of instrument air | RCP seal failure due to operator failure to trip RCPs following loss of seal return; failure of decay heat removal via steam generators (due to initiator induced loss of main feedwater, coupled with hardware and/or operator faults with TDAFW pumps and failure of operators to start MDAFW pump); failure in makeup/HPI cooling (due to initiator induced loss of one train coupled with hardware failures in the other, or failure of operators to initiate makeup/HPI cooling) | 4.4 |
| Flooding induced loss of all service water or all component cooling water | RCP seal LOCA caused by loss of all CCW and failure of operators to trip RCPs; failure of all makeup/injection cooling due to failure of CCW | 2.9 |
| Medium LOCA | low pressure recirculation failure, dominated by operator error to initiate recirculation | 2.4 |
| Small LOCA | failure of long term cooling via DHR (dominated by common cause failure of DHR pumps or failure of the ECCS room coolers), or failure of recirculation (caused by DHR pump failures or HPI pump failures or failure of the ECCS room coolers) | 2.3 |
| Interfacing LOCA, containment bypass | interfacing system LOCA caused by error of commission of prematurely opening DHR suction valves during plant cooldown; and failure to isolate by closing one of the suction valves before BWST depletion | 0.8 |
| Various SGTR sequences, containment bypass bin | failure of the operators to cool down and isolate the damaged steam generator; or, failure to cool down via the intact steam generator; or, loss of feedwater to the intact steam generator | 0.3 |
| Interfacing LOCA, containment bypass | caused by failure of two check valves in series that form the pressure boundary between the DHR and the RCS; failure of operators to isolate | 0.3 |
| Various SGTR sequences, containment bypass bin | loss of feedwater to both steam generators (due to hardware failures in MFW, AFW or supporting systems) with eventual depletion of the BWST after successful operation of makeup/HPI injection | 0.2 |

No importance analysis was performed on the total CDF. Importance measures were given for three initiators that were the dominant contributors to sequence TBr Ur.

2.3 Human Reliability Analysis Technical Review

2.3.1 Pre-Initiator Human Actions

Errors in the performance of pre-initiator human actions (such as failure to restore or properly align equipment after testing or maintenance, or miscalibration of system logic instrumentation), may cause components, trains, or entire systems to be unavailable on demand during an initiating event. The review of the human reliability analysis (HRA) portion of the IPE examines the licensee's HRA process to determine the extent to which pre-initiator human events were considered, how potential events were identified, the effectiveness of any quantitative and/or qualitative screening processes used, and the processes used to account for plant-specific performance shaping factors (PSFs), recovery factors, and dependencies among multiple actions.

2.3.1.1 Types of Pre-Initiator Human Actions Considered

The Davis-Besse IPE considered both of the traditional types of pre-initiator human actions: failures to restore systems after test, maintenance, or surveillance activities and instrument miscalibrations. A detailed discussion of the modeling and analysis of restoration events was provided. While the extent to which instrument miscalibrations were examined was not well documented in the submittal, the licensee's response to an NRC request for additional information (RAI) indicated that multiple miscalibration events were modeled, but that none of the events survived the screening analysis. Instrument miscalibration events modeled included, but were not limited to, reactor and containment pressure, RWST level, temperature, and SFAS related instrumentation.

2.3.1.2 Process for Identification and Selection of Pre-Initiator Human Actions

According to the Davis-Besse IPE, the overall approach taken in the assessment of human actions is consistent with the SHARP [EPRI NP-3583] framework and SHARP provides guidance for the identification and selection of pre-initiator human actions. However, the actual process described in the submittal for identifying and selecting pre-initiator human actions seems at least initially to be based on a screening approach. The submittal notes that due to the large number of credible pre-initiator human actions, the modeling effort was performed in two stages. The first stage involved examining each train or other major portion of a system that would be in standby prior to an initiating event and assigning it a "general" pre-initiator human action. The general events were supposed to "encompass all pre-initiator interactions that could leave one train of a system unavailable." In addition, when a human action could leave multiple trains of a system unavailable, a general common cause event was also identified. The general actions were then assigned screening values (discussed below in section 2.3.1.3) and only those actions surviving initial quantification were analyzed in detail.

The detailed analysis involved a careful examination of administrative controls, procedures, and plant practices relevant to the surviving human actions and associated systems. In addition, it appeared that appropriate discussions were held with plant personnel regarding interpretation and implementation of the procedures. Thus, although reviews of procedures and discussions with plant personnel may not have been directly involved in the initial identification and selection of the pre-initiator actions, they were used in the analysis of the events surviving screening. Therefore, relevant information sources were examined and factors which could influence the probability of human error in pre-initiator actions were considered.

2.3.1.3 Screening Process for Pre-Initiator Human Actions

As noted above, screening values were assigned to the "general" interactions. A screening value of 0.01 was assigned to events related to single trains and a value of 0.001 was assigned to the common cause interactions. The use of a 0.01 screening value was defended on the grounds that a survey of other HRAs indicated a range of values from 0.003 to 0.03 and that 0.01 was "adequately bounding." A factor of 10 reduction for the common-cause events was deemed appropriate. After initial quantification, pre-initiator events found in cut sets that contributed to the frequency of a sequence were considered potentially important and were then modeled (quite thoroughly) in terms of the specific types of failures that could occur. Since none of the miscalibration events were found to be important, they were left at their screening values.

2.3.1.4 Quantification of Pre-Initiator Human Actions

All pre-initiator events that survived the screening process were subjected to detailed quantification using the guidance provided in the Accident Sequence Evaluation Program Human Reliability Analysis procedure (ASEP HRA) [NUREG/CR-4772]. A minor addition to the basic ASEP methodology was developed to take appropriate recovery credit for a unique "locked-valve" procedure operative at Davis-Besse. The HRA analysts argued convincingly that the level of control and verification at Davis-Besse for locked-valves goes beyond the "independent verification" described in the ASEP methodology, but falls short of the level of verification (that a system or component has been restored properly) that would be provided by a positive test. Thus, a reasonable, intermediate value was applied as a recovery factor for restoration errors on locked-valves.

In obtaining the basic pre-initiator HEPs, the documentation revealed that a thorough and conscientious application of the ASEP methodology was conducted, with appropriate plant-specific factors, recoveries, and dependencies taken into account.

The only somewhat unique aspect of the quantification of the pre-initiator events involved the use of time-dependent unavailability equations from THERP [NUREG/CR-1278] to take credit for recovering a component over time. The use of this approach is allowed in ASEP if it is felt that the recovery credit allowed for daily or shiftly checks of relevant components is conservative and if a detailed analysis regarding opportunities for recovery is conducted. While the analysts' justification for the assumption of conservatism was not provided, the overall pre-initiator analysis appeared comprehensive and reasonable. This judgment is based on the example calculations provided in the report.

Twenty-three pre-initiator events received detailed analysis and they are listed along with their HEPs in Table 3-7 of the IPE report. All the listed events address failures to restore. As noted above, miscalibrations were not found to be important and were left at their screening values. The HEPs obtained for the restoration events appeared in general to be comparable to values obtained for similar events in other IPEs using similar methods. However, in a few cases the values were lower than normally found, but were justifiable on the basis of a thorough analysis.

While there was no indication that any of the pre-initiator events were found to be important contributors to core damage frequency, two pre-initiator events did have some importance in terms of risk achievement worth for particular sequences. The operators failing to restore component cooling water (CCW) train B after maintenance had a moderately high risk achievement value (20) for the loss of offsite power initiating event and misalignment of both TDAFW pump trains after test or maintenance had a relatively high risk achievement value (RAW) of 296 for the loss of main feedwater initiating event. Note that the RAW values were provided in response to an NRC RAI and were related to the CDF for the specific sequences only and not to total CDF. However, much of the total CDF was related to these specific sequences in the Davis-Besse IPE.


2.3.2 Post-Initiator Human Actions

Post-initiator human actions are those required in response to initiating events or related system failures. Although different labels are often applied, there are two important types of post-initiator human actions that are usually addressed in PRAs: response actions and recovery actions. Response actions are generally distinguished from recovery actions in that response actions are usually explicitly directed by emergency operating procedures (EOPs). Alternatively, recovery actions are usually performed in order to recover a specific system in time to prevent undesired consequences. Recovery actions may entail going beyond EOP directives and using systems in relatively unusual ways. Credit for recovery actions is normally not taken unless at least some procedural guidance is available. The review of the human reliability analysis (HRA) portion of the IPE determines the types of post-initiator human actions considered by the licensee and evaluates the processes used to identify and select, screen, and quantify the post-initiator actions. The licensee's treatment of operator action timing, dependencies among human actions, consideration of accident context, and consideration of plant-specific PSFs is also examined.

2.3.2.1 Types of Post-Initiator Human Actions Considered

The Davis-Besse IPE addressed both response and recovery type post-initiator human actions. The submittal's definition of response type human actions (referred to as type CP actions) was consistent with that described above. However, the description of recovery type actions (type CR) indicates a willingness to give credit for actions that are not necessarily covered by procedures. The knowledge base of the operators and additional support from entities such as the technical support center were assumed to justify the position. However, in response to an NRC RAI, the licensee indicated that there was only one quantified recovery action for which there was no procedural guidance. The remaining recovery actions had some level of procedural guidance and most involved generally long time frames with substantial technical support available. The response from the licensee indicated that recovery actions were classified as such generally because they involved events with "a less direct progression through the post-trip procedures," events that would require "further integration of plant conditions to arrive at proper understanding of the event", or events with conditions that would almost certainly entail input from the technical support center.

The only recovery action modeled that had no procedural guidance was the establishment of alternate cooling for the service water pump room when there was partial, but inadequate cooling. The case involved a loss of one train of cooling for the service water pump room when the outside temperature was mild and room temperature was below 86°F (i.e., credit was taken only when initial room temperature would be expected to be below 86°F). Credit was taken because plant "walkarounds" every four hours entail status checks on ventilation and room conditions. Operator interviews indicated that doors would be opened and portable fans used if needed. Without credit for this event, core damage frequency would have increased from approximately 6.6E-5 to 6.8E-5. Recovery actions are discussed in more detail below in section 2.3.2.3.

The submittal signified that response type actions appeared in the logic models "at the highest level consistent with their effects." Thus, they could occur at the event or fault tree level. Recovery actions were not included in the logic models. They were appended to the cut sets on a case-by-case basis during the sequence quantification process.

2.3.2.2 Process for Identification and Selection of Post-Initiator Human Actions

The submittal asserts that in defining the sequence delineation for particular initiating events, a careful review of operating procedures, emergency procedures, and various abnormal procedures was conducted. Current and former operators were interviewed and asked to review the sequence logic and system fault trees. Accident scenarios were discussed and simulator exercises were observed. The importance of understanding the relevant cues and the likely and expected responses of the operating crews was clearly manifest in the submittal. The identified response type actions usually involved changing the mode of a system at the appropriate time or manual initiation of systems.

Determination of the recovery type actions was based on a careful review of the minimal cut sets dominating each core-damage sequence. After the appropriate context for a cut set was understood, operating procedures were examined and discussions with operators were conducted to determine the course of action they expected would most likely be followed. Time available, execution demands, and the impact of other failures were considered in determining the feasibility of the action. The impact of a successful or unsuccessful attempt on other sequences was also considered. These events usually involved the use of remaining equipment or restoration of failed equipment (e.g., by opening a valve).

2.3.2.3 Screening Process for Post-Initiator Response Actions

All of the post-initiator human actions included in the logic models (response actions) were initially assigned a failure probability of 1.0. The submittal notes that this was done to ensure that inter-dependencies between multiple events in a cut set were appropriately considered.
After initial quantification, detailed quantification was performed for all response type human action events found in sequence cut sets above the cut-off frequencies used. Recovery actions were applied only after initial quantification.

2.3.2.4 Quantification of Post-Initiator Human Actions

Post-initiator response type human actions were quantified using the method described in EPRI report TR-100259 and referred to as a cause-based approach. The actual report was not available to the reviewer and while a reasonably extensive documentation of the method was included in the IPE submittal, it was not complete. Nevertheless, as documented in the report, the method provides one of the more detailed approaches for quantifying the detection, diagnosis, and decision making aspects of operator actions (referred to as p_c). The basic approach identifies eight different potential failure mechanisms and develops decision trees for each of the failure mechanisms. The trees apparently contain branch points which assess the potential for various factors (e.g., number and quality of cues available, ease of use of procedures, etc.) to cause the failure mechanism to lead to failure of the action. For each outcome in the decision trees, a nominal probability is suggested. Depending on the failure mechanism, certain recovery actions come into play for branches with non-negligible failure probabilities. Once recoveries and recovery related dependencies (e.g., time available and number of opportunities for detecting errors) are considered and applied, the resulting probabilities of the failure mechanisms are summed to obtain the total probability for the detection, diagnosis, and decision making portion of the HEP.

A probability for the execution portion of the task (p_e) is calculated using guidance and probabilities from THERP [NUREG/CR-1278] and the two (p_c and p_e) are then summed to obtain the total HEP for the event. Recovery credit for the execution portion of the task is also given. The essence of the recovery approach for both phases of the action is that additional time allows additional control room cues or cues from reviewing procedures to become available, which in turn facilitates self-review and review by other crew members and technical advisors.

2.3.2.4.1 Estimates and Consideration of Operator Response Time

The submittal notes that opportunities for recovery are largely a function of time. Therefore before applying the various recovery failure probabilities noted above, the submittal states that time lines were drawn for each response type interaction. The time lines were based on thermal-hydraulic calculations, observations of simulator exercises, "simple hand calculations", and estimates from operators. The submittal notes that the times required for actual implementation of the actions were estimated on the basis of walkdowns or operator interviews. The discussion of timing provided in the submittal suggests that timing considerations were structured appropriately. That is, total available time, time to perform the task, and time to diagnose and recover errors were appropriately partitioned. Moreover, although the extent to which "estimates" had to be used to obtain relevant timing is not discussed, it would appear that the analysts tried to provide as accurate a representation of timing as possible.

Nevertheless, based on the description of the quantification method as provided in the submittal, the extent to which available time was considered in determining the base probabilities for the different failure mechanisms was not clear. As described in the submittal, the impact of time is treated only in terms of its impact on the ability of the control room to recover any initial errors. Depending on the amount of time available, different levels of recovery credit are given. For short time frame scenarios, recovery credit may not be allowed. While this approach clearly allows the availability of time to have an impact on the resulting HEPs, it was not made clear as to whether the base probabilities (which are apparently obtained independent of time) are sufficiently high to provide an accurate estimate of error for the short time frame events. In other words, even if no credit is given for recovery as a function of time, would the sum of the base probabilities for the assorted failure mechanisms be high enough to reflect operator performance in a very short time frame? In response to an NRC RAI on this issue, the licensee indicated that this potential problem was addressed. While all events with such short time frames were initially found to have HEPs above 1.0E-2, in some instances the sums of the base probabilities were raised by a factor of two to prevent underestimation of the failure probabilities.


2.3.2.4.2 Other Performance Shaping Factors Considered

The discussion of the consideration of performance shaping factors (PSFs) in determining HEPs in the IPE submittal was brief. It appeared that assorted PSFs were considered in addressing the decision trees for the various failure mechanisms, but neither a discussion nor a listing of the PSFs considered was provided. In response to an NRC RAI, the licensee indicated that several important PSFs were considered and their impact was incorporated using the guidance provided in the EPRI methodology. PSFs modeled included accuracy of indicators, workload, clarity of procedures, and monitoring of indications over time. The impact of time as a PSF was clearly considered, as was the impact of multiple crew members and additional technical staff. In determining the failure probabilities for the execution portion of the tasks (p_e), it is noted that a factor to account for stress level was also included. Thus, plant-specific factors which could influence human reliability were apparently addressed.

2.3.2.4.3 Consideration of Dependencies

As discussed above, dependencies related to the impact of time on within-person and within-crew performance were addressed in determining recovery credit for initially failed actions. Time dependence focuses on the fact that the time available for diagnosis is dependent on the total time available and the time needed to perform the action. Similarly, opportunities for recovery will clearly be dependent on the amount of time remaining. Thus, time dependence appeared to be appropriately treated in the submittal.

Another type of dependence concerns the extent to which the failure probabilities of multiple human actions within a sequence are related. There are clearly cases where the context of the accident and the pattern of successes and failures can influence the probability of human error. Thus, in many cases it would clearly be inappropriate to assume that multiple human actions in a sequence or cut set would be independent. Furthermore, context effects should be examined even for single actions in a cut set. While the same basic action can be asked in a number of different sequences, different contexts can obviously lead to different likelihoods of success.

Dependence among multiple human actions and context effects on single human actions were straightforwardly handled in the Davis-Besse IPE. The use of a screening value of 1.0 and treatment at the cut set level not only ensured that combinations of human actions would not be inappropriately assessed as independent and possibly lost through truncation, but also allowed for each HEP to be derived in the appropriate context. Once initial sequence quantification was complete, each of the operator actions was examined at the cut set level and dependencies and context effects were considered. A thorough and reasonable set of qualitative factors were used to assess the degree of inter-event dependence and these factors were discussed in the IPE.
Factors included proximity in time, similarity or commonality of cues, and sequential location (i.e., last action in a sequence or action interceding between two others, etc). Once a judgment about the degree of dependence between events was made, the dependency formulae from NUREG/CR-1278 were used to determine the HEP value for a dependent event. The IPE also noted that the total HEP for a combination of events in a cut set was held to a lower bound of 1.0E-5. A lower bound for single human actions was set at 1.0E-4.

It should be noted that the IPE lists all the independent response type human actions and their HEPs in Table 3-11. In response to a question from the NRC RAI, the licensee indicated that an additional 120 combination events were also quantified. That is, when multiple events occurred in a cut set, the individual HEPs were left at the screening value of 1.0 and a new combination event representing the total failure probability for the multiple events was appended to the cut set. While a list of the combination events and their HEPs was not provided, a detailed example of the quantification process for one of the combination events was presented.

2.3.2.4.4 Quantification of Recovery Type Actions

The method used to quantify the recovery type actions was different from that used for the response type actions. The position taken by the licensee was that the recovery actions were better characterized as "knowledge-based" as opposed to rule- or skill-based human actions and therefore demanded a different quantification approach. The approach used is documented in a draft report developed for EPRI by NUS (NUS-5272) and specifically addresses the modeling of recovery actions in PRAs. The approach considers factors such as time available, relevant training, degree of procedural guidance, complexity of the actions, and relevant environmental factors which impede recovery. The various combinations of these factors determine the non-recovery probabilities which range from 0.01 to 1.0. As discussed in section 2.3.2.4 and indicated in responses to questions from the NRC RAI, not all of the recovery actions for which credit was taken could be considered thoroughly proceduralized and it is the case that not all IPEs have taken credit for such events.
While the licensee failed to provide an indication of the total impact of these events on CDF, they apparently did perform a thorough and model-based analysis to justify the credit taken. A review of the 14 recovery events did not identify any events that would likely fall into the "extraordinary" category. The recovery events and their HEPs are presented in Table 3-12 of the submittal.

2.3.2.4.5 Human Actions in the Flooding Analysis

In the Davis-Besse IPE, flooding was apparently treated simply as another initiator and a special discussion of the role of humans in flooding scenarios was not provided. In a discussion of the system modeling conducted for flooding events, it was stated that basic events representing failures to terminate the flooding prior to failure of additional equipment were included in the fault trees. In section 3.1.5 of the IPE submittal it is stated that some failure modes were quantified using the human reliability methodology described in section 3.2 of part 3 of the submittal. The reader is referred to another document for details on the flooding analysis. In response to an NRC RAI on the HRA for flooding, the licensee stated that several flood related human actions were quantified with the EPRI recovery model. They included actions to isolate the flood, trip relevant pumps, or open doorways within 20 to 30 minutes after the flood began. The HEP values for these events ranged from 0.05 to 0.3. In addition, in discussing core damage sequences with HRA sensitivity, the submittal notes that operator actions to control the AFW pumps when the flow control valves failed open and to start the motor driven feed pumps in response to the loss of both MFW and AFW were important to flooding scenarios.

2.3.2.4.6 Human Actions in the Level 2 Analysis

The submittal indicated that some human actions were credited in the level 2 analysis (RCS depressurization and containment heat removal) and that the method described in the level 1 HRA section (3.2 of part 3) was used for quantification. One event found in the CET supporting logic had an HEP of 0.05, but no specific list of level 2 related human actions was provided. In the plant improvement section of the IPE related to the back-end analysis, it was noted that an overall review of operator actions related to inadequate core cooling may be prudent; particularly those related to RCS depressurization and restarting the RCPs. Apparently different timing of operator inadequate core cooling actions would have delayed the onset of serious core damage. Thus, it would seem that operator actions were important to the back-end analysis.
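The screening-then-combination treatment described in sections 2.3.2.3 and 2.3.2.4.3 can be worked through in a short Python sketch. This is an added example, not part of the report or of the licensee's model: it applies the THERP (NUREG/CR-1278) dependence equations and the two lower bounds quoted above to the MDFP and makeup/HPI HEPs listed in Table 8. The dependence levels, initiator frequency, hardware probability and truncation cut-off are constructed for illustration.

```python
"""Combination-event HEP quantification (added illustration, not the licensee's model)."""
from dataclasses import dataclass

# THERP (NUREG/CR-1278) dependence equations: conditional probability that an
# action fails given that the preceding action failed, where p is the HEP the
# action would have if assessed on its own.
THERP_DEPENDENCE = {
    "zero": lambda p: p,
    "low": lambda p: (1 + 19 * p) / 20,
    "moderate": lambda p: (1 + 6 * p) / 7,
    "high": lambda p: (1 + p) / 2,
    "complete": lambda p: 1.0,
}

# Lower bounds the report quotes for quantified HEPs.
SINGLE_ACTION_FLOOR = 1.0e-4
COMBINATION_FLOOR = 1.0e-5
SCREENING_HEP = 1.0  # carried by every response action during initial quantification


@dataclass(frozen=True)
class Action:
    name: str
    hep: float                 # HEP assessed for the action on its own
    dependence: str = "zero"   # judged dependence on the preceding failed action


def conditional_hep(hep, level):
    """HEP of an action given failure of the preceding one, per THERP."""
    if not 0.0 <= hep <= 1.0:
        raise ValueError(f"HEP out of range: {hep}")
    if level not in THERP_DEPENDENCE:
        raise ValueError(f"unknown dependence level: {level}")
    return THERP_DEPENDENCE[level](hep)


def combination_hep(actions):
    """Joint failure probability of the ordered human actions in one cut set."""
    if not actions:
        raise ValueError("at least one action is required")
    if len(actions) == 1:
        return max(actions[0].hep, SINGLE_ACTION_FLOOR)
    joint = actions[0].hep  # the first action has nothing earlier to depend on
    for action in actions[1:]:
        joint *= conditional_hep(action.hep, action.dependence)
    return max(joint, COMBINATION_FLOOR)


def cut_set_frequency(initiator_per_yr, hardware_probs, human_term):
    """Cut set frequency = initiator frequency x hardware failures x human term."""
    freq = initiator_per_yr * human_term
    for p in hardware_probs:
        freq *= p
    return freq


def demo():
    # Independent HEPs are the Table 8 values (2.4E-3 and 1.6E-2). Table 8 lists
    # 1.2E-3 for the combination event; the dependence level the licensee judged
    # is not given in the report, so every level is computed here.
    start_mdfp = Action("fail to start MDFP", 2.4e-3)
    joint = {}
    for level in THERP_DEPENDENCE:
        hpi = Action("fail to initiate makeup/HPI cooling", 1.6e-2, level)
        joint[level] = combination_hep([start_mdfp, hpi])

    # Constructed values: initiator frequency (/yr), one hardware failure
    # probability, and the truncation cut-off (/yr).
    initiator, hardware, cutoff = 0.5, [1.0e-3], 1.0e-7
    naive = cut_set_frequency(initiator, hardware, 2.4e-3 * 1.6e-2)
    screened = cut_set_frequency(initiator, hardware, SCREENING_HEP * SCREENING_HEP)
    final = cut_set_frequency(initiator, hardware, joint["high"])
    return {
        "joint_hep": joint,
        "naive_truncated": naive < cutoff,       # independence assumed up front
        "screened_retained": screened >= cutoff,  # HEPs held at 1.0 during screening
        "final_frequency": final,                 # combination event appended afterwards
    }


if __name__ == "__main__":
    out = demo()
    for level, value in out["joint_hep"].items():
        print(f"{level:9s} dependence: joint HEP = {value:.3e}")
    print(f"lost if multiplied as independent: {out['naive_truncated']}")
    print(f"retained with screening value 1.0: {out['screened_retained']}")
    print(f"final cut set frequency: {out['final_frequency']:.3e} /yr")
```

With the constructed cut-off, multiplying the two HEPs as if independent would drop the cut set before any dependence review, while holding them at 1.0 keeps it available for the combination event to be appended.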

2.3.2.5 Important Human Actions

The IPE did not provide a simple listing of the most important human actions. However, in discussing the dominant sequences and in a summary of core damage sequences whose frequencies would have been above 1.0E-6 if the human interactions included in them were less reliable (i.e., set to 0.1), several important operator actions were discussed. In addition, in response to an NRC RAI, the licensee did provide a listing of the most important human actions (based on the Fussell-Vesely importance analysis) for the three top initiating events contributing to functional sequence TBU. This sequence involves failures in decay heat removal via steam generators and failure of makeup/HPI cooling and accounts for about 55% of the total CDF. On the basis of the listing in the response to the NRC RAI, the discussions of the dominant sequences, and the discussion of the human action sensitivity study, 11 of the most important human actions and their HEPs are presented below in Table 8. Note that several of the listed events are "combination events", the nature of which is discussed in section 2.3.2.4.3 above.

Since the most important accident sequence, contributing 55% to core damage, involves failures in decay heat removal via steam generators and failure of makeup/HPI cooling, the most important operator errors will usually involve failures in controlling TDAFW pumps, starting the MDAFW pump and initiating makeup/HPI cooling.

Table 8. Important Human Actions

| Event Description | Human Error Probability (HEP) |
|---|---|
| Failure to start MDFP | 2.4E-3 |
| Operators fail to start MDFP and fail to initiate makeup/HPI cooling combination event (loss of main feedwater) | 1.2E-3 |
| Operators fail to control TDAFW pump 1-1 (or 1-2) locally to prevent SG overfill | 2.8E-2 (or 1.9E-1) |
| Failure to initiate cooldown via makeup/HPI cooling with unaffected SG | 3.3E-4 |
| Operators fail to initiate makeup/HPI cooling (loss of main feedwater) | 1.6E-2 |
| Operators fail to start SBODG and fail to control TDAFW combination event (LOOP) | 5.9E-3 |
| Operators fail to control TDAFW flow after loss of one train of DC power, fail to start SBODG, and fail to initiate makeup/HPI cooling combination event (LOOP) | 1.4E-4 |
| Operator failure to switch over to high pressure recirculation after the BWST lo-lo level reached (medium LOCA and SGTR) | 5.0E-4 |
| Operator failure to switch over to low pressure recirculation after BWST lo-lo level reached (large LOCA) | 7.4E-3 |
| Operator failure to trip the RCPs after a failure of the RCP seal return | 4.9E-3 |
| Operator failure to depressurize the steam generators in order to cooldown RCS and isolate ruptured steam generator (SGTR) | 1.2E-3 |

Based on the Fussell-Vesely importance analysis of the most important accident sequence, the following are the most important operator errors: failure to control either turbine-driven AFW pump locally in a station blackout (this will cause failure of the other turbine driven pump due to water carryover); failure to restore offsite power; operators fail to start SBODG and fail to control TDAFW pump; operators fail to start the motor driven auxiliary feedwater pump and fail to initiate makeup/HPI cooling; operators fail to initiate makeup/HPI cooling.

It should be noted that at Davis-Besse, the motor driven auxiliary feedwater pump doesn't start automatically (unlike the turbine driven auxiliary feedwater pumps), but has to be manually started upon loss of TDAFW pump.
Also, as noted previously, the TDAFW pump can be controlled locally, even after the batteries are exhausted in a station blackout scenario. "The actions that would be required have been performed both in training exercises and in past transients, in which automatic pump control failed (although not due to total loss of power)."

Based on the risk achievement ratio analysis of the most important accident sequence, the following are the most important operator errors (these would be the errors to which the CDF is most sensitive if guaranteed failure is assumed): operators fail to control TDAFW flow after loss of one train of dc power, fail to start SBODG, and fail to open makeup pump room door or initiate makeup/HPI cooling; failure to restore offsite power; operators fail to control TDAFW flow after loss of dc power and fail to open makeup pump room doors; operators fail to control TDAFW flow after loss of dc power, fail to start motor driven feed pump, and fail to initiate makeup/HPI cooling or fail to open makeup pump room doors; operators fail to start MDAFW pump and fail to initiate makeup/HPI cooling; both TDAFW pump trains misaligned after test or maintenance; operators fail to initiate makeup/HPI cooling; MDAFW pump unavailable following test or maintenance.

Another potentially important operator action is tripping the RCPs upon loss of all RCP seal cooling or upon loss of seal return flow, in order to avoid a RCP seal LOCA. The sequences which contain RCP seal failure contribute about 35% to the total core damage frequency from internal events and internal floods.

For a loss of all RCP seal cooling, the operators have only about 10 minutes to diagnose and accomplish this action. If the loss of all seal cooling is a result of CCW failure (which seems to be assumed by the licensee to be the dominant mechanism for loss of all RCP seal cooling), the time window is 25 minutes. This is because the makeup pumps (which provide seal injection) will continue to run for 15 minutes without CCW cooling their bearing lube oil.

For the other case where tripping the RCPs is important to avert seal failure, the operators are assumed to have 30 minutes to accomplish the action. The RCP seals are instrumented, and alarmed in the control room if critical parameters are out of bounds.

2.4 Back End Technical Review

2.4.1 Containment Analysis/Characterization

2.4.1.1 Front-end Back-end Dependencies

The interface between the front-end and back-end analyses consists of a set of 64 plant damage states (PDSs). PDSs are defined by the core damage bins (CDBs) and the Bridge Trees. The CDBs are groups of front-end results and the bridge trees define the status of the containment systems that are of interest to the back-end analyses. Core Damage Bins (CDBs) are defined based on the following attributes:

- Type of initiating event,
- Timing of failure of core cooling, and
- Availability of steam generator cooling.

There are 16 CDBs used in the IPE (Table 3-1 of the submittal).

Bridge trees are small event trees. There are eight different bridge trees used for the sixteen CDBs. The number of top events for the bridge trees vary from 2 for some SGTR CDBs to 8 for some transient and small LOCA CDBs. The top events of the bridge trees include:

a. Containment isolation,
b. Containment heat removal via containment air coolers (CACs),
c. Containment spray operates in injection,
d. Containment spray operates in recirculation,
e. Depressurization of RCS,
f. Availability of injection after depressurization of RCS, and
g. Containment heat removal via low pressure recirculation.

The containment system states defined by the bridge trees for the various CDBs are designated in the IPE by the following five elements:

a. Status of containment isolation,
b. Status of containment heat removal,
c. Status of containment spray,
d. Availability of borated water storage tank (BWST) injection to reactor vessel or containment, and
e. Availability of PORV for RCS depressurization.

Table 3.2 of the IPE submittal lists all of the end states from the bridge trees defined by the above five elements.

The above attributes for the definition of CDBs and the top events for the bridge trees define the characteristics that are considered important to accident progression in the Davis-Besse IPE: timing of core damage, rate of leakage from the RCS, RCS pressure prior to vessel breach, heat removal via the steam generators, presence of water in reactor cavity, status of containment pressure boundary, status of containment heat removal, and status of fission-product spray removal. They are of sufficient detail to properly account for the front-end and back-end dependencies and to provide adequate information for back-end accident progression analysis.

In the IPE submittal, Section 3 of Part 4 discusses the definition of the PDSs and Section 7 of Part 4 gives PDS frequencies. However, the submittal does not describe the distribution of the front-end sequences among the PDSs. The correspondence between functional core-damage sequences and core damage bins and the breakdown of the bins into PDSs are provided in Table 11 of the Licensee's response to the RAI [2]. According to the IPE, the leading CDB is CDB TIN (53% of the CDF), a transient initiated event with the loss of secondary cooling and core injection. It is followed by CDB SIY (24% of CDF), a small LOCA with the loss of core injection but with secondary cooling available. According to Table 11, the primary contributor to this CDB is transient induced LOCA due to failure of the RCP seals. The CDBs that lead to containment bypass, SGTRs and interfacing system LOCA, contribute approximately 2% of CDF.

After splitting the CDBs using the bridge trees, the leading PDS is PDS TINYNINN (27% of CDF), which is obtained from CDB TIN with no RCS depressurization, failure of containment heat removal and containment spray, and BWST not injected. This PDS results almost entirely from station blackout (SBO). This is followed by PDS TINYFYCD (20% of CDF), which is obtained from the same CDB but with RCS depressurization and with all containment systems available.

2.4.1.2 Containment Event Tree Development

Probability quantification of severe accident progression is performed using an event tree/fault tree methodology, where the fault trees are used to quantify the top events of the CET. The construction of the CET and the supporting fault trees are discussed in Section 5 of Part 4 of the IPE submittal. The CET includes the following top events:

1. Event A: Arrest of core damage in-vessel,
2. Event R: Submerged-vessel cooling of core debris,
3. Event V: Containment not bypassed,
4. Event B1: Containment isolated,
5. Event B2: Isolation failure is small,
6. Event E: Early containment failure prevented,
7. Event C: Ex-vessel cooling of core debris,
8. Event D: No failure of containment side wall,
9. Event L: Late containment failure prevented,
10. Event F: No late revaporization release,
11. Event S: Fission product scrubbing.

The overall development of the event tree and its top events are described in Section 5.1 of Part 4 of the submittal. The CET is well structured and easy to understand. The top events of the CET cover the important issues that determine the RCS integrity, containment response, and eventual releases from the containment, and they are in general similar to those considered in other IPEs. However, Event D is unique for Davis-Besse and Event R, although considered in some IPEs, is not included in most of them. Event D, No Failure of Containment Side Wall, is considered in the Davis-Besse IPE because of the use of a steel containment vessel and the proximity of the incore instrument tunnel to the containment vessel. It is included in the CET to account for the possibility that corium which relocated to the lower containment elevation might interact with and eventually fail the containment vessel. Event R, Submerged-Vessel Cooling of Core Debris, is included in the CET to account for the probability of preventing reactor vessel failure via cooling by the water around the exterior of the vessel.

[2] Table 11 lists 15 CDBs and 62 PDSs. CDB ARX, a large LOCA with failure of recirculation, and the two PDSs associated with ARX, are missing in this table.

The fault trees and the probabilistic treatment of applicable phenomena for the CET top events are discussed in Sections 5.2.1 through 5.2.10 of Part 4 of the submittal. Section 5.2.11 discusses the logic fault trees of two events that affect more than one of the CET top events: RCS Pressure Prior to Vessel Breach and Dispersal of Core Debris Beyond Reactor Cavity.

In the Davis-Besse IPE, the supporting logic for each of the CET events is developed down to the level of basic events. For some of the basic events, which are identified as "house" events, the values are set to true or false to allow relevant portions of the CET logic to be used or discarded according to the plant damage state. For the other basic events, probabilities are estimated by a variety of methods, including sensitivity studies, reference to other studies, and the application of analyst judgment. Where analyst judgment was applied to characterize the probability of an uncertain phenomenon, the relevant event was first assessed qualitatively, and then assigned a probability value according to this qualitative assessment. For example, an event assessed as "very likely" was assigned a probability value of 0.99.

The quantification process of the CET is systematic and traceable. As discussed above, some of the probability values of the basic events used in the quantification are from qualitative assessment by the analyst based on available data, such as those from NUREG-1150, and plant-specific analyses. Although the values assigned in the IPE are in general adequate, their adequacy cannot be verified because of the limited scope of this technical evaluation. However, some items that are of interest are discussed in the following.
RCS Depressurization

RCS depressurization is discussed in 5.2.11 of Part 4, Common Supporting Logic for Top Events, of the submittal. It affects more than one CET top event. It is included in the evaluation of Event A for in-vessel recovery, Event V for induced SGTR, Event E for early containment failure, and Event F for revaporization release. In addition to its effect in the above CET top events, it also affects the dispersal of core debris, which in turn affects Event D for containment side wall failure and Event L for late containment failure.

Similar to NUREG-1150, four RCS pressure ranges are considered in the Davis-Besse IPE: very high pressure, at about the pressurizer relief valve setpoint pressure or about 2,500 psig; moderately high pressure, about 1,500 to 2,000 psig; intermediate pressure, about 1,000 psig; and low pressure, less than 300 psig. The depressurization mechanisms considered in the IPE include: (1) depressurizing the steam generators to reduce RCS pressure, (2) failure of the RCS pressure boundary due to creep rupture, and (3) opening the PORV for certain types of accidents. The effectiveness of the various mechanisms on RCS depressurization depends on the accident sequence (or PDS). For example, with respect to reducing the RCS pressure sufficiently to correspond to low pressure prior to vessel failure, steam generator depressurization is relevant only for medium and small LOCAs. The types of accidents that fall into each of the four pressure ranges and their implications with respect to the containment event tree are summarized in Table 5-2 of Part 4 of the submittal.

Of the three depressurization mechanisms considered in the IPE, two of them involve operator actions and will be discussed in Section 2.4.1.5, System/Human Responses, of this technical evaluation report. For the remaining one, failure of the RCS pressure boundary due to creep rupture, the information provided in the IPE is about the potential of RCS depressurization due to hot leg failure. In the IPE, the probability of hot leg creep rupture is judged to be "very likely" (0.99 probability) at very high pressure and "likely" (0.90 probability) at moderately high pressure. The mean value used in the Surry analysis is 0.72 at setpoint pressure and only 0.034 for moderately high pressure. The higher probability values used in the Davis-Besse IPE lead to higher probability of RCS depressurization, and consequently, less severe challenges to containment integrity due to high pressure melt ejection (HPME). In the Davis-Besse IPE, the challenges associated with HPME include those associated with containment pressurization at vessel breach (e.g., DCH) and those associated with direct contact of core debris with the steel containment shell (i.e., side wall failure).

It should be noted that there is a logic error in the fault tree structure used in the IPE to determine RCS depressurization. In the IPE, an AND gate is erroneously used for CEPRL22 (Creep Rupture Causes Failure of Hot Leg, in the third page of Figure 5-14 of the submittal). This gate should be an OR gate. The direct impact of this error on the quantification is that gate CEPRL22 would never be satisfied. This is because gates CEPRL23 (Creep Rupture Due To Exposure at Moderately High Pressure) and CEPRL24 (Creep Rupture Due To Exposure at Very High Pressure) are mutually exclusive due to the respective plant damage states relevant to each of them. Consequently, RCS depressurization due to hot leg creep rupture would not occur.
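The effect of the CEPRL22 gate error can be reproduced with a small fault-tree quantifier. This is an added example, not the licensee's model: the gate names and the 0.90/0.99 probabilities come from the text above, while the internal structure of CEPRL23 and CEPRL24 (a plant-damage-state house event ANDed with one basic event) and the HOUSE_* and BE_* names are assumptions made for illustration.

```python
"""Quantify the hot-leg creep-rupture gate CEPRL22 for each RCS pressure range."""
from math import prod

# RCS pressure ranges named in the report; exactly one is true for a given PDS.
PRESSURE_RANGES = ("very_high", "moderately_high", "intermediate", "low")

# Probabilities quoted in the report: "likely" = 0.90, "very likely" = 0.99.
# The BE_* names are hypothetical labels chosen for this example.
BASIC_EVENTS = {
    "BE_RUPTURE_MOD_HIGH": 0.90,
    "BE_RUPTURE_VERY_HIGH": 0.99,
}


def build_tree(top_gate):
    """Return the subtree with CEPRL22 as 'AND' (as submitted) or 'OR' (corrected).

    Assumption: CEPRL23 and CEPRL24 are each a PDS house event ANDed with one
    basic event; the report does not show their internal structure.
    """
    return {
        "CEPRL22": (top_gate, ["CEPRL23", "CEPRL24"]),
        "CEPRL23": ("AND", ["HOUSE_moderately_high", "BE_RUPTURE_MOD_HIGH"]),
        "CEPRL24": ("AND", ["HOUSE_very_high", "BE_RUPTURE_VERY_HIGH"]),
    }


def leaf_values(pressure_range):
    """Basic-event probabilities plus house events set for one pressure range."""
    if pressure_range not in PRESSURE_RANGES:
        raise ValueError(f"unknown pressure range: {pressure_range}")
    leaves = dict(BASIC_EVENTS)
    for name in PRESSURE_RANGES:
        leaves["HOUSE_" + name] = 1.0 if name == pressure_range else 0.0
    return leaves


def quantify(tree, node, leaves):
    """Probability of a node, treating gate inputs as independent."""
    if node not in tree:
        return leaves[node]
    kind, children = tree[node]
    probs = [quantify(tree, child, leaves) for child in children]
    if kind == "AND":
        return prod(probs)
    if kind == "OR":
        return 1.0 - prod(1.0 - p for p in probs)
    raise ValueError(f"unsupported gate type: {kind}")


def gate_by_pds(tree, gate):
    """Probability of one gate under each pressure-range house-event setting."""
    return {r: quantify(tree, gate, leaf_values(r)) for r in PRESSURE_RANGES}


def dead_gates(tree):
    """Gates that can never be satisfied in any plant damage state.

    A gate that quantifies to exactly zero under every house-event setting is
    a sign of a logic error such as an AND over mutually exclusive inputs.
    """
    return sorted(
        gate for gate in tree
        if all(p == 0.0 for p in gate_by_pds(tree, gate).values())
    )


if __name__ == "__main__":
    for label, kind in (("as submitted (AND)", "AND"), ("corrected (OR)", "OR")):
        tree = build_tree(kind)
        print(label, gate_by_pds(tree, "CEPRL22"), "dead gates:", dead_gates(tree))
```

Running the dead-gate check over every house-event configuration is a cheap review step for any model that uses house events to switch logic on and off by plant damage state.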
According to the Licensee's response to the RAI (Question 22), the correction of this error has both positive and negative impacts on the probabilities for the potential outcomes of the CET. On the one hand, the error prevented depressurization for many core damage scenarios that proceeded at high pressure, such that the potential for high pressure melt ejection (HPME) was overstated. On the other hand, the failure of the RCS hot legs prior to vessel breach would increase the number of scenarios in which there could be early, large releases of hydrogen from the RCS. However, because of the dominant effect of the challenges associated with HPME, the net effect of this error is an overestimate of the probability of HPME, and consequently, an overestimate of the probability of early containment failure and side wall failure. To investigate the effect of this error, the CET was requantified by the licensee to take into account the corrected logic. Results of containment failure modes obtained from this requantification were presented in the response to the RAI and will be discussed later in this report.

Submerged-Vessel Cooling of Core Debris

The cooling of the core debris by the water surrounding the reactor vessel such that vessel failure is prevented is considered in the IPE as one of the CET top events. Although this cooling mode may prevent vessel failure, it is argued in the submittal that the benefits for preventing containment failure for Davis-Besse could be somewhat limited. The core would still be sufficiently damaged that much of the fission products could be released from the fuel matrix. The primary benefits would be the elimination of any potential for failure of containment due to the phenomena associated with HPME or as a consequence of core-concrete interaction (CCI). Neither of these was found to be an important source of containment failure for Davis-Besse. In the base-case analyses, it was assumed to be "certain" (1.0 probability) that this mode of cooling would not be adequate. A sensitivity study was made in the IPE to examine the impact of this assessment.

Induced SGTR

Direct release of fission products from the RCS to the environment, bypassing the containment, may result from a SGTR induced by creep rupture of the steam generator tubes during core degradation. In the Davis-Besse IPE, induced SGTR (ISGTR) is considered both with and without the operation of the RCPs.

The case without the operation of the RCPs is similar to that considered in NUREG-1150. Without forced recirculation, hot leg failure is more likely to occur before steam generator tube failure, and, as a result, a very small probability is assigned to ISGTR in the Davis-Besse IPE (0.001, remotely possible). This is less than the mean value used in the NUREG-1150 Surry analysis (0.018). The approach used in the Davis-Besse IPE is also different than that used in the Surry analysis in that the above probability is applied to cases with RCS at both very high and moderately high pressure in the Davis-Besse IPE, while, in the NUREG-1150 Surry analysis, it is applied only to cases with RCS at very high pressure.

The operation of the RCPs would clear the water collected in the bowls of the RCPs and cause a forced circulation of the hot gases through the steam generators. Induced SGTR is therefore more likely. The need to consider the operation of the RCPs during a severe accident arises from the requirement of the insufficient core cooling (ICC) guidelines, which call for the RCPs to be restarted as a last resort to get some amount of coolant to the core.
Because of the substantial uncertainty with respect to whether the RCPs would continue to operate for an extended period, extended operation is assigned a probability value of 0.1 (unlikely) in the IPE for cases where RCPs are available. Correspondingly, the probability of RCP operating for a short period is 0.9 (likely). The probability of ISGTR is assigned a value of 0.99 (very likely) for cases with RCPs operating for an extended period, and is assigned a value of 0.01 (very unlikely) for cases with RCPs operating for a short period. According to the data presented in the Table on page 140 of Part 4 of the IPE submittal, RCPs are available in most of the sequences. Since it is likely (0.9 probability) that the RCPs would only operate for a short period, the average ISGTR probability for all high pressure sequences would be closer to the ISGTR probability for the case with short RCS operation (i.e., 0.01). This probability value is close to the mean value used in NUREG-1150 for Surry (0.018).

Early Containment Failure

Early containment failures are defined in the Davis-Besse submittal as those failures occurring before or early after reactor vessel breach. The early containment failure mechanisms assessed in the Davis-Besse IPE include hydrogen burns before and after vessel breach, in-vessel steam explosion (alpha mode), ex-vessel steam explosion, relocation of reactor vessel at vessel breach (rocket mode), and pressure loading at vessel breach (including DCH and hydrogen burns). These include all the early containment failure modes discussed in NUREG-1335.

Because the hydrogen concentration in the containment would be only about 13% even with 100% zirconium reacted, the probability of hydrogen detonation is ruled out in the Davis-Besse IPE. The containment loading from hydrogen burns and that from containment pressurization at vessel breach are based on MAAP calculation results. The probability of containment failure from pressure loading at vessel breach is estimated to be "very unlikely" (0.01) for HPME with significant debris dispersal and "remotely possible" (0.001) for vessel breach without significant debris dispersal.

The probability of in-vessel steam explosion is characterized in the IPE as "remotely possible" (0.001) for the RCS at low pressure and "impossible" for the RCS at intermediate or higher pressure. These values are lower than the corresponding values used in NUREG-1150 (0.008 for low pressure and 0.0008 for high pressure). The probability of the rocket mode failure has an effective value of 0.00013 in the Davis-Besse IPE. This is also less than that used in NUREG-1150 for Surry (0.001). Although the probability values used in the IPE are lower than those used in NUREG-1150 by about an order of magnitude, they are still within reasonable ranges because of the significant uncertainties associated with these phenomena.

Ex-Vessel Cooling of Core Debris

The potential that the debris may be cooled is important with respect to long-term containment response and containment side wall failure.
The probability of failure to form a coolable debris bed in the reactor cavity is characterized as "very unlikely" (0.01) and "unlikely" (0.1) for a deeply (with injection of BWST contents) and a partially (with water originally in the RCS and core flood tanks) flooded cavity, respectively. The above qualitative assessments are used in the Davis-Besse IPE because the spread area for the cavity is relatively large at Davis-Besse and the nominal depth of debris in the cavity is expected to be about 10 inches (or 25 cm, the value mentioned in NUREG-1335).

In Davis-Besse, some of the core debris may be dispersed to the lower elevation of the containment through the incore instrument tunnel. If the BWST has been injected to the containment, the reactor cavity would be deeply flooded, and the lower elevation of the containment would also be flooded to a depth of a few feet. The probability of failure to form a coolable debris bed in the lower compartment is therefore assessed in the IPE as "very unlikely" (0.01) if the cavity is deeply flooded and "indeterminate" (0.5) if the debris bed is dry. An "indeterminate" probability is used for a dry debris bed because the debris bed is thin and convective cooling and radiative heat transfer may be sufficient to prevent ablation of the concrete floor in the lower elevation.

Containment Side Wall Failure

If core debris were dispersed from the reactor cavity into the lower elevation of the containment, it would be possible for sufficient debris to come into contact with the containment pressure boundary to cause failure. At Davis-Besse, the lower elevation of the containment which would receive much of the dispersed debris is near the wall of the containment vessel. The containment emergency sump is also located in this area. The steel containment vessel is protected by a concrete curb (1.5 ft thick and 2.5 ft high) at the basemat floor. If a coolable debris bed failed to form, the concrete curb could be ablated, and the containment vessel would then be exposed to direct attack by the molten debris. Another possibility for failure due to contact with core debris that is considered in the IPE is that due to a failure within the emergency sump. This possibility is assessed in the IPE as "remotely possible" (0.001).

The conditional probability of side wall failure derived from the CET quantification presented in the IPE submittal is 5.9% of total CDF. This is reduced to 0.32% after the error in the logic used to determine the probability of hot leg creep failure is corrected. This reflects the sensitivity of side wall failure to RCS depressurization due to hot leg failure (and the consequent reduction in debris dispersal).

Late Containment Failure

The mechanisms considered in the IPE for late containment failure include containment over-pressurization, the degradation of penetration seals due to long-term exposure at high temperatures, and basemat melt-through. Late containment over-pressure failure occurs either due to the loss of containment heat removal capability or a late burn of combustible gases. It is assumed in the IPE that, if containment heat removal is available but the core debris is not coolable, basemat melt-through would occur before containment failure due to pressurization by non-condensable gases released from core-concrete interaction. The probability of seal failure due to thermal effects is dismissed in the IPE. This is based on an investigation of the durability of sealing materials under elevated temperature conditions.
2.4.1.3 Containment Failure Modes and Timing

The Davis-Besse containment failure characterization is described in Section 4 of Part 4 of the IPE submittal. The evaluation of the pressure capacity for the containment vessel was based on an assessment performed for St. Lucie (NUREG/CR-2442). St. Lucie data were believed to be applicable to Davis-Besse because both plants use large, dry containments that are free standing steel cylinders with hemispherical top heads and ellipsoidal bottom heads and, in addition, both vessels were built by the same company, the Chicago Bridge and Iron Company (CBI). Consistent with the approach used for St. Lucie, the analysis of pressure capacity was based on the estimate of the minimum yield pressure for the containment vessel. The containment capacity was evaluated for both low and high temperatures. The effects of penetrations or other discontinuities on the containment pressure capacity are also addressed in the IPE. These include the piping penetrations, equipment hatch and emergency escape lock, personnel lock, electrical penetration assemblies, bellowed penetration assemblies, recirculation line guard pipe enclosure assembly, and containment vessel wall embedment, and they were found to have higher pressure capacities than the vessel itself.

The mean failure pressure obtained for Davis-Besse is 95.3 psig at normal room temperature and 85.2 psig at a high temperature. Since it is expected that the failure of a steel vessel may be more catastrophic than that of a concrete containment, a rupture, rather than leak-before-break failure size is assumed in the Davis-Besse IPE.

The thermal effects on sealing materials are addressed in the IPE. The penetrations investigated for seal failure include the emergency, equipment, and personnel hatches, electrical penetrations, and the containment purge and exhaust isolation valves. It was concluded from this investigation that containment failure resulting from degradation of penetration seals due to long-term exposure to high temperature is not a limiting failure mechanism for the containment.

2.4.1.4 Containment Isolation Failure

The discussion of the containment isolation system is provided in Section 2.2.10 of Part 3 of the IPE submittal. The evaluation of containment isolation failure in the IPE shows that this failure is dominated by failure to isolate either of two types of lines: the drain line from the normal containment sump, which is normally open with isolation provided by two motor-operated valves, and the eight lines containing the containment vacuum breakers (with check valves and a normally open MOV). Details on the evaluation of isolation failure are not provided in the IPE submittal. However, a more detailed discussion can be found in the licensee's response to the RAI.

According to the response to Question 19 of the RAI, the probability of containment isolation failure was quantified in the Davis-Besse IPE by developing fault trees for each of the pathways that could present a potential release path, including the two noted above. Support system dependencies, including actuation signals and power supplies, were explicitly modeled in the fault tree models. In the Davis-Besse IPE, containment isolation is a PDS parameter, not determined in the CET.
Containment isolation failure is characterized in the Davis-Besse IPE as either small or large. Small isolation failures are caused primarily by the failure to isolate the drain line from the normal containment sump, and large isolation failures are caused primarily by the failure to isolate containment vacuum breakers. PDS quantification results show that 3 of the 62 PDSs involve small isolation failures, with a frequency of 9.5E-7 (or 1.4% of total CDF), and none of the PDSs involve large isolation failure.

The release of fission products through the containment sump drain line is assumed to be negligible in the Davis-Besse IPE, and, as a result, the treatment of the PDSs that involve small isolation failure (e.g., TINININN) is the same as that of those with the containment successfully isolated (e.g., TINYNINN). According to the licensee's response to the RAI, the neglect of the containment sump drain line as a release path is due to its small effective flow area, the flooding of the flow path, and the manual isolation called for by the procedures.

2.4.1.5 System/Human Responses

The human recovery actions that are considered in the IPE include those related to RCS depressurization and recovery of containment heat removal. The RCS depressurization event considered refers to actions in response to instructions in the emergency procedure for inadequate core cooling (ICC). These actions include those associated with depressurizing the steam generators and those associated with opening the PORV. In the IPE, a probability of 0.05 is used for failure to depressurize the steam generator and a probability of 0.1 (unlikely) is used for failure to open the PORV. According to the IPE submittal, these probabilities are based on the availability of ICC condition indicators and emergency procedure instructions. Furthermore, the effect of credit taken for similar operator actions to maintain or recover core cooling during the Level 1 analysis is also considered. According to the IPE submittal, the method used for the assessment of human interactions, as described in Section 3.2 of Part 3 of the submittal, is used as the basis for the derivation of the above probability values. However, details of the derivation are not provided in the IPE submittal.

Recovery of containment heat removal (CHR), which is required to prevent late containment failure, is also considered. In the IPE it is deemed unlikely (0.1) that heat removal would not be recovered in time to preserve containment integrity during long-term heatup. This is based on the long time, on the order of tens of hours, available for recovery. However, details on how this value was obtained are not provided in the IPE submittal. The probability of CHR recovery has a significant effect on the probability of late containment failure. The sensitivity study shows that the probability of late containment failure would increase from 3% to 33% if no credit was given to recovery of containment heat removal.

2.4.1.6 Radionuclide Release Characterization

Section 7 of Part 4 of the IPE submittal deals with source term characterization. The major factors considered in release category classification include:

  • The fraction of radioactivity released from the fuel to the RCS and then to the containment and other buildings,

  • The systems available for removal of radioactivity, such as containment sprays and CACs, and natural removal processes, such as deposition and plate-out on surfaces, and

  • Availability of the containment and/or the containment failure mode.

The definition of the release classes in the Davis-Besse IPE is different from those used in the other IPEs in that no logic structure (e.g., an event tree structure) with parameters relevant to fission product release (e.g., containment failure mode and timing) is used for release category definition. The release categories in the Davis-Besse IPE are based on the magnitude of the total fission products released, irrespective of their relative timing for applicable sequences. As a result, a release category may include sequences with different containment failure modes and failure times. For example, RC-2, which is characterized by releases due to a containment isolation failure or an early containment failure, is also considered in the IPE as applicable to sequences involving late containment failures and revaporization of iodine from the RCS surfaces. According to the Davis-Besse IPE, this source categorization method is appropriate because a full Level 3 study was not performed, and further refinement of source term definition is required before it can be used to calculate offsite consequences.


Nine release categories (RCs) are defined in the IPE. The assignment of the release categories to the CET end states is shown in Figure 5-2 of Part 4 of the submittal. Two of the RCs are characterized in the IPE as related to no containment failure. According to this figure, basemat melt-through is assigned to the no containment failure release categories. The expected small airborne release within the 48 hours of the release duration for basemat melt-through is the justification provided by the licensee in response to the RAI for this release category assignment.

Results of CET quantification for the frequencies of release categories are presented in a C-Matrix. The C-Matrix showing the conditional probabilities of the release categories for the PDSs is presented in Table 7-10 of Part 4 of the submittal. In addition to the C-Matrix, results of CET quantification are also presented in terms of containment failure modes (e.g., bypass, early failure, etc.). Table 6-1 of Part 4 of the submittal provides the conditional probabilities of the containment failure modes for all plant damage states with frequencies greater than 1.E-7 per year.

The release fractions of fission products for the release categories are presented in Tables 7-1 to 7-1 of Part 4 of the submittal. Release fractions are obtained from MAAP calculations. According to the IPE submittal, over thirty sequences involving a spectrum of LOCAs, transients, and SGTRs were analyzed using MAAP, and, in addition, several sensitivity runs were performed to further define the potential impact of uncertainties in release categories associated with phenomenological modeling in MAAP. However, description of these sequences and the corresponding MAAP calculation results are not provided in the IPE submittal.

The IPE results show that among the nine release categories three involve the release of volatile fission product fractions greater than or equal to 0.1. Their contribution to total CDF is about 10%.
Generic Letter 88-20 states that "any functional sequence that has a core damage frequency greater than or equal to 1E-6 per reactor year and that leads to containment failure which can result in a radioactive release magnitude greater than or equal to BWR-3 or PWR-4 release categories of WASH-1400," should be reported by the IPEs. The IPE submittal appears to fulfill this request.

2.4.2 Quantitative Assessment of Accident Progression and Containment Performance

2.4.2.1 Severe Accident Progression

MAAP version 3.0B, revision 18, was used to evaluate the integrated containment response and the severe accident source terms. According to the IPE submittal, this revision of MAAP 3.0B includes improvements made specifically for B&W PWRs, in part due to the request of Toledo Edison. The MAAP model for Davis-Besse is discussed in Section 2 of Part 4 of the IPE submittal.

Analyses of representative accident sequences are discussed in Section 6 of Part 4 of the submittal. According to the IPE submittal, it is sufficient to divide the entire set of sequences into five general categories to provide representative containment responses. The five categories are those initiated by large LOCAs, medium LOCAs, small LOCAs, Transients, and SGTRs. The sequences selected for MAAP analysis are obtained from the plant damage states defined in the IPE. For example, PDS ARXYFRYX was selected for the analysis of large LOCAs.

In the discussion of radionuclide release characterization (Section 7 of Part 4), the submittal mentions that over thirty sequences involving a spectrum of LOCAs, transients, and SGTRs were analyzed using MAAP, and in addition, several sensitivity runs were performed to further define the potential impact of uncertainties in release categories associated with phenomenological modeling in MAAP. However, description of these sequences and their MAAP calculation results are not provided in the IPE submittal.

2.4.2.2 Dominant Contributors to Containment Failure

Containment failure modes and their frequencies obtained from the Davis-Besse CET quantification are discussed in Section 6.3 of Part 4 of the submittal. Table 9, below, shows a comparison of the conditional probabilities for the various containment failure modes obtained from the Davis-Besse IPE with those obtained from the Surry and Zion NUREG-1150 analyses. As discussed previously, there is a logic error in the original Davis-Besse CET structure. Revised results were provided by the licensee as part of the response to the RAI (question 22). Table 9 includes results from both the original IPE and the response to the RAI.

Table 9. Containment Failure as a Percentage of Total CDF

Containment Failure Mode   Davis-Besse    Davis-Besse   Surry         Zion
                           Revised (a)    IPE           NUREG-1150    NUREG-1150
Early Failure              0.6 (b)        6.3 (c)       0.7           1.4
Late Failure               9.1            7.5           5.9           24.0
Bypass                     2.6            2.6           12.2          0.7
Isolation Failure          (d)            (d)           (e)           (f)
Intact                     87.7           83.6          81.2          73.0
CDF (1/yr)                 6.6E-5         6.6E-5        4.0E-5        3.4E-4

(a) Revised values after correction of a logic error in CET quantification in response to RAI
(b) Includes 0.32% from side-wall failure
(c) Includes 5.9% from side-wall failure
(d) Negligible if isolation failure of the small containment sump drain line is ignored
(e) Included in Early Failure, approximately 0.02%
(f) Included in Early Failure, approximately 0.5%

The significantly higher probability for early containment failure in the original Davis-Besse IPE is due to the high probability of side wall failure (5.9%). The side wall failure is included in early failure because it is classified as a Release Category 4 in the CET, which is characterized as early containment failure in the submittal. The large side wall failure obtained from the original IPE is due to an underestimate of RCS depressurization by hot leg creep rupture. Comparison of the results from the original IPE (in effect no hot leg rupture) and the revised results (with hot leg rupture) shows the sensitivity of containment failure to hot leg creep rupture.

The most significant contributor to early containment failure (excluding side wall failure) is a transient initiated event without heat removal via steam generators and with failure of containment heat removal and containment sprays (37%). This contributor results almost entirely from station blackout (SBO). This is followed by a transient initiated event with containment heat removal available (25%).

Dominant contributors to containment bypass are sequences that are initiated by interfacing-system LOCAs and SGTRs. Approximately half of the bypass failure (2.6% of total CDF) is due to interfacing-systems LOCAs and another 20% results from sequences initiated by an SGTR. The remaining 30% is due to creep ruptures of steam generator tubes during other sequences.

The probability of late containment failure for Davis-Besse presented in Table 7 includes the contributions from both containment overpressure failure and basemat melt-through. About 65% of late over-pressurization failure results from transient initiated sequences without heat removal via steam generators and with failure of containment heat removal and containment sprays (primarily SBO). The primary contributors to basemat melt-through are transient (primarily SBO) and small LOCA initiated events.

2.4.2.3 Characterization of Containment Performance

A containment event tree is used in the Davis-Besse IPE to characterize the containment performance. Results of CET quantification are presented in the submittal both in terms of containment failure modes and release categories.

As shown in Table 7, the containment failure profile for Davis-Besse (based on revised values) is in general consistent with those obtained in the NUREG-1150 analyses. The early failure probability for Davis-Besse is less than that for Surry and Zion. This is primarily due to the treatment of the phenomena that threaten containment integrity at vessel breach, such as DCH and steam explosion. It was noted earlier that the probability of alpha mode failure for low RCS pressure is assigned a value of 0.001 (or 0.1%) in the Davis-Besse IPE while the value used in NUREG-1150 is 0.008 (or 0.8%). Furthermore, in the Davis-Besse IPE, the estimate of the containment pressure loads at vessel breach is based on MAAP calculations, which usually predict lower pressures than the corresponding loads used in NUREG-1150. The probability of RCS depressurization before vessel breach may also contribute to the difference.

As shown in Table 7, the conditional probability of containment bypass for Davis-Besse is between those obtained for Zion and Surry. Containment bypass is primarily due to ISLOCA and SGTR as initiating events. The contribution from ISGTR is small in all three plants. Although the effect of restarting the RCPs is considered in the Davis-Besse IPE, the contribution of ISGTR is still small (less than 1% of CDF). Part of this is due to the probability of RCS depressurization and part of this is due to the assumed high probability of only a short operation period for the RCPs after they have been started (0.9). The probability value of ISGTR used in the IPE for a short operation period (0.01) is significantly less than that used for a long operation period (0.99).

The conditional probability of late containment failure is also between those from Surry and Zion. The contribution of basemat melt-through is 4.1% (of total CDF) from the original IPE and 5.1% from the revised data. The remaining part comes from containment overpressurization. The availability of containment heat removal has a significant effect on late overpressurization failure.

2.4.2.4 Impact on Equipment Behavior

The possibility that the effects of a severe accident could cause failure of the containment air coolers (CACs) was considered in the IPE. The effect of a global hydrogen burn and the buildup of noncondensible gases on the operation of the CACs are addressed in the IPE. Potential adverse effects of harsh environmental conditions on containment spray (CS) and decay heat removal systems (DHR) are discussed in the licensee's response to the RAI, where the effect of harsh environmental condition on valve operation and the effect of core debris on pump intake blockage are discussed.

2.4.2.5 Uncertainties and Sensitivity Analysis

Sensitivity of CET results to some containment events is discussed in Section 6.3 of Part 4 of the IPE submittal where CET results are presented. It should be noted that the sensitivity results discussed in the IPE submittal are based on the CET model used in the original IPE. The logic error in the original IPE in effect results in the omission of hot leg failure. The results can therefore be viewed as those obtained from accident progression analyses with no credit taken for RCS depressurization due to hot leg failure. The parameters that are considered for sensitivity investigation include:

  • The time period of RCP operation - An extended period of RCP operation increases the probability of temperature-induced SGTR. The probability of bypass failure would increase from 2.6% of total CDF to 8.2% of total CDF if it is assumed likely that the pumps would operate a sufficient period of time to permit creep rupture of the SG tubes. (It is assumed in the base case that there is a 10% probability that the RCPs will operate for an extended period of time.)

  • The probability of containment failure given HPME (from 0.01 to 0.1) - The conditional probability of early failure increases from 0.4% to 2.5%.

  • The probability of debris coolability in the presence of overlying water (from 0.01 or 0.1 to 0.2) - The probability of side wall failure increases from 5.9% to 8% and the probability of basemat melt-through increases from 4% to 13%.

  • Recovery of containment heat removal (from 90% to 0%) - The probability of late containment failure increases from 3% to 33%.

  • Submerged vessel cooling of the debris in the bottom head (from 0% to 99%) - The probability of no vessel failure increases from 8% to 21%.

It should be noted that the parameter values selected for the sensitivity study seem to be arbitrary. No technical bases are provided for the selection of these values. For example, there is no discussion on why a value of 0.1 was selected for the sensitivity of HPME. No discussion is provided in the IPE submittal relating this value to the uncertainty in containment pressure load for HPME.

In some IPEs a mission time (of 24 or 48 hours) is used to determine the probability of containment failure. Containment failure is assumed not to occur if the time to containment failure exceeds the assumed mission time. A mission time is not used in the Davis-Besse IPE. If a mission time were used in the IPE, the probability of late containment failure (including basemat melt-through) would be less than that reported in the IPE submittal and its sensitivity to the assumptions used for CHR recovery and ex-vessel debris coolability would not be as significant as is indicated above.

2.5 Evaluation of Decay Heat Removal and Other Safety Issues

This section of the report summarizes the review of the evaluation of Decay Heat Removal (DHR) provided in the submittal. Other GSIs/USIs addressed in the submittal were also reviewed.

2.5.1 Evaluation of Decay Heat Removal

2.5.1.1 Examination of DHR

The IPE addresses decay heat removal (DHR). Several methods of DHR are mentioned, including secondary cooldown and depressurization (using either AFW or main feedwater), feed and bleed (i.e. makeup/HPI cooling), safety injection, and recirculation cooling.

CDF contributions were estimated for each of the following DHR methods: auxiliary feedwater cooling (57% contribution to the CDF), feed and bleed (57%), safety injection (23%) and high pressure recirculation cooling (14%). Failures of the AFW system and makeup/HPI cooling each contributed a major fraction to the total CDF. However, the licensee states that there are many individual component failures contributing to failures of these systems and that no single unique plant feature is responsible for these contributions. Therefore, there are no vulnerabilities associated with the DHR function and the generic issue is considered closed.

Major contributors to failure of auxiliary feedwater and feed and bleed are not explicitly calculated in the submittal. The RAI responses provide the component Fussell-Vesely importance ranking for the three highest contributing initiators to the functional sequence TBrUr (transient with total loss of feedwater and failure of makeup/HPI cooling). This transient sequence contributes 53% to the total CDF. The three most important initiators contributing to this sequence are loss of offsite power (33.4% contribution to TBrUr), loss of main feedwater (22.5%) and reactor/turbine trip (14.7%).

In terms of failures in the auxiliary feedwater system for loss of offsite power (as part of this sequence) the most important contributors are failure of the operators to control either of the TDAFW pumps in station blackout (F-V importance of 0.42), and start faults for TDAFW pump 1-1 (0.034). For loss of main feedwater in this context, the main contributors to this sequence due to AFW failure are: operators fail to start MDFP and fail to initiate makeup/HPI cooling (0.56), CCF of TDAFW pumps to start (0.38), start faults for either TDAFW pump (0.31), operators fail to start MDFP and fail to initiate makeup/HPI cooling upon delayed failure of TDAFW (0.22), failure of either TDAFW pump to run (0.13-0.15) and maintenance unavailabilities of MD and TDAFW pumps (0.08 to 0.11). For reactor/turbine trip the AFW failure contributors are: operators fail to control either TDAFW pump locally in station blackout (0.32), CCF of TDAFW pumps to start (0.18), operators fail to start MDFP and fail to initiate makeup/HPI cooling (0.14).

In terms of failures in the makeup/HPI cooling (other than support system failures) the major contributor is the operator failure to initiate makeup/HPI cooling either alone or in combination with other actions (connected to the AFW system as seen above). In the loss of offsite power event the importance of this action alone is 0.015; in the loss of main feedwater event it is 0.17 and in the reactor/turbine trip event it is 0.11.

2.5.1.2 Diverse Means of DHR

The IPE evaluated the diverse means for DHR, including: use of the power conversion system, feed and bleed, auxiliary feedwater, and ECCS. Depressurization using the secondary system was considered for the SGTR, small LOCA and transient event trees. Cooling for the RCP seals was taken into account. In addition, containment cooling was addressed.

2.5.1.3 Unique Features of DHR

The unique features of Davis Besse that pertain to the DHR function are as follows:

1) The turbine driven main feedwater pumps will continue to run for most transients, as the pump flow output is automatically matched to the decay heat level.

However, the main feedwater system depends on offsite power, thus it is lost in an event where power is unavailable. It also depends on other support systems (instrument air, 480V ac non-essential power, service water or circulating water, etc.). Also, following a reactor/turbine trip there is an 8.3% chance that the MFW will fail to continue to run (as per plant specific data) and this is incorporated in the model as a basic event.

2) At Davis Besse, the two TDAFW pumps depend on both ac and dc power for valve control and instrumentation; however provisions are in place for the operator to manually control the pumps locally, in which case neither ac nor dc is needed. The TDAFW pumps are automatically started, as needed, and automatically controlled, as long as power is available.

3) The motor driven AFW pump has to be started manually by the operators, if needed. If offsite power is lost, this pump derives power from the SBODG only (4160V ac). It also needs 480V ac, and dc power.

4) The normal AFW suction source is the 250,000 gal inventory in the two condensate storage tanks (CSTs). However, if this is unavailable, the AFW can be aligned to the service water system.

5) One pressurizer PORV and two safety valves can be utilized for makeup/HPI cooling (i.e. feed and bleed). This gives Davis-Besse a diversity of options for makeup/HPI cooling. The PORV block valve is closed only about 10% of the time (RAI Responses). Since the safety valves lift at high pressure (2500 psig), only the makeup pumps can be used in conjunction with the safety valves. There are two makeup pumps and two HPI pumps. The makeup pumps also supply RCP seal injection.

6) CCW is a required support for both makeup and HPI systems, for cooling of bearing lube oil. In addition, the HPI pumps are located in two separate ECCS rooms, which also house the respective DHR and CS pumps. These two rooms require cooling, which is supported by the service water (and safety grade power). The makeup pump room also requires cooling under certain conditions (provided via a non-safety bus); however, adequate cooling of the makeup pump room can be effected by opening the door.

CCW requires dedicated safety grade room cooling for its pumps. There are three 100% capacity CCW pumps, providing a high level of redundancy. The CCW system is cooled by the service water system, which also requires dedicated safety grade room cooling in its pump room. Under accident conditions (i.e. with nonessential load isolation) there are three 100% service water pumps, providing a high level of redundancy. In addition, a fourth pump, the dilution pump, can be used as a backup.

7) If the PORV is used for makeup/HPI cooling, at least one CAC (containment air cooler) train must operate to provide the suitable environment.

8) The licensee has completed "significant" modifications to the makeup system, operating procedures and training to enhance makeup/HPI cooling in response to the June 9, 1985 total loss of feedwater event.

2.5.2 Other GSIs/USIs Addressed in the Submittal

In addition to USI A-45 (DHR Evaluation) the following USIs and GIs are addressed in the submittal:

1) USI A-17, Systems Interactions in Nuclear Power Plants. NRC has determined that the licensee needs to take two actions to resolve this issue: a) consider insights from the appendix of NUREG-1174 in implementing the IPE requirement for an internal flooding assessment, and b) continue to review information on events at operating nuclear power plants.

The licensee states that a) above was answered by an extensive analysis of internal flooding and water intrusion. After incorporating the flooding scenarios into the plant model and quantifying the results, the internal flooding was a relatively small contributor to the overall frequency of core damage (about 3% of the total). In addition, a procedure has been developed to heighten operator awareness and to give general direction in coping with this type of event.

As for part b), the utility has an established program for reviewing sources of information on industry experience. If the information is evaluated to be relevant to Davis Besse, it is distributed to various groups for resolution. The licensee considers this issue resolved.

2) GI-23, Reactor Coolant Pump Seal Failures. The RCP seals used at Davis Besse are the Byron Jackson type N-9000. The RCP seal LOCA model relies on the test data for these seals. The seal design incorporates three stages, each of which can accommodate full RCS pressure, should the others fail.

Testing for eight hours under realistic conditions confirms that the seal will not leak significantly following loss of all injection and cooling, as long as the RCPs are not rotating. Therefore, a RCP seal LOCA is assumed to occur within ten minutes of loss of all seal cooling and injection, unless the RCPs are tripped, as per procedure. The operators are also instructed to trip the RCPs should the RCP seal return flow be isolated (the model assumes an RCP seal LOCA if they fail to do so).

Davis Besse has installed a computer based data collection and diagnostic system to monitor the seals and diagnose any problems. It will generate alarms to alert the operators of any critical parameter exceeding prescribed limits, as well as logging and trending data.

The thermal barriers in the RCP seals are cooled by the CCW system. The injection to the seals is provided by the makeup pumps, which also need CCW for bearing cooling. It is estimated that a makeup pump will continue to run for 15 minutes following a loss of its CCW train, therefore, upon loss of all CCW, the operators have a maximum of 25 minutes to trip the RCPs (15 minutes till failure of the makeup pumps and 10 minutes after that for seal failure).

Normally, the CCW pump providing RCP seal cooling and the operating makeup pump are powered from the opposite 4160 V ac divisions, to prevent a loss of one 4160 V bus causing a loss of all RCP seal cooling and injection. While one CCW pump is normally operating, the other pump will start automatically if low flow is sensed at the discharge of the operating pump, such that makeup pump cooling will continue to be provided through the non-essential header. In case of an emergency, both CCW pumps would operate.

The licensee has installed a third diesel generator on site, the SBODG, which is capable of powering both types of seal cooling (CCW and makeup seal injection) in case of loss of offsite power and failure of both of the other diesel generators.

The RCP seal failure was among the important contributors to the core damage frequency (35% contribution), but it was not dominant, and no vulnerabilities are implied. The licensee considers this issue resolved.

3) GI-105, Interfacing Systems LOCA in PWRs. Toledo Edison has analyzed interfacing systems LOCAs as part of the IPE, utilizing insights from an earlier NRC study which used Davis Besse as a model (described in NUREG/CR-5604).

The total frequency of core damage from ISLOCAs is estimated to be 8.8E-7/yr. This is not an important contributor to core damage, although it is more important from the Level 2 standpoint, as the containment would be bypassed. The dominant sequence involves a postulated human error of commission in prematurely opening DHR suction valves while the RCS pressure was still high in the process of cooling down to cold shutdown. This would involve a conscious decision to violate significant administrative procedures and install a jumper cable to permit opening of one of the suction valves.

The ISLOCA issue has been evaluated and found not to contribute significantly to core damage. In addition, the operating staff has been made aware of the potential hazards through additional training. Therefore, the licensee considers the issue closed.

4) GI-77, Flooding of Compartments by Backflow through Floor Drains. The concerns expressed in this issue have been addressed in the flooding analysis, by specifically including backflow and other mechanisms of flood propagation. In addition, internal flooding was not found to be a significant contributor to core damage. Therefore this issue is considered closed by the licensee.

5) GI-128, Electric Power Reliability, and Related Issues. Subsumed under this issue are several earlier issues dealing with electric power reliability: loss of 125 V dc bus (GI-46), LCOs for class 1E vital instrument buses in operating reactors (GI-48), interlocks and LCOs for redundant class 1E tie-breakers (GI-49), instrumentation and control power interactions (GI-76) and adequacy of safety related dc power supplies (USI A-30).

Toledo Edison had previously closed GI-48 and GI-49. The rest of the issues all deal with reliability of dc power and systems interactions due to failures. A failure modes and effects analysis (FMEA) has been completed for the entire dc power system. The recommendations from this FMEA study have been incorporated into the plant procedures.

Operators have immediate access to this information and consequently, the impact of losing any dc bus can be quickly assessed by the operators and any compensatory actions taken. This is particularly of value for maintenance activities. The plant specific simulator has been used to validate the procedures. Also, electrical system transient simulations have been incorporated into training. Potential plant improvements have been identified by the FMEA and are in the process of resolution.

The IPE included a model of the electrical system. Various ac and dc bus failures were treated as initiating events, as well as in plant response following an initiating event. Based on the actions completed, the utility considers issues USI A-30, GI-46 and GI-76 resolved, and therefore GI-128 as resolved.

6) GI-143, Availability of Chilled Water Systems and Room Coolers. This issue considers dependency of plant systems on the HVAC systems. Industry experience shows an increasing sensitivity to HVAC failures due to increased compartmentalization to address fire safety issues and use of sensitive electronics.

The IPE has addressed HVAC failures and their effect on plant systems. At Davis Besse, HVAC is a distributed system, with individual areas being served by dedicated room coolers. For some rooms (e.g. AFW room) although HVAC is provided for cooling, it is not required (as shown by heat up calculations referred to in the submittal and the RAI Responses), and is not modeled. For the other areas it is modeled, or simple operator actions (such as opening the makeup pump room door) are credited in the model. Modeling of the HVAC extends to consideration of initiating events (as in the case of CCW pump room or SW pump room) and as a failure subsequent to an initiating event. For the control room, the HVAC system is not explicitly modeled, due to continuous presence of operators and procedural direction for the operators to cope with failures in this system. Based on these items, TE considers this issue resolved.

7) GI-153, Loss of Essential Service Water in LWRs. The IPE PRA models included the service water and associated support system, in a plant specific manner. The PRA has identified the level of plant vulnerability associated with loss of service water. No serious weaknesses in the system were identified. Therefore the licensee considers this issue resolved.

8) GI-65, Probability of Core Melt due to Component Cooling Water System Failures. The IPE model has addressed dependencies of frontline systems and RCP seal cooling on the CCW system in its models, as well as modeling CCW support systems. The IPE considered loss of multiple RCP seal support systems (as in station blackout). There is sufficient redundancy and operator direction to protect the RCP seals in the event of a loss of CCW. No vulnerabilities to CCW failures have been identified and TE considers this issue resolved.

2.5.3 Response to CPI Program Recommendations

One of the recommendations of the CPI program pertaining to PWRs with large dry containments was that the utility should evaluate their containment and equipment vulnerabilities to local hydrogen combustion as part of their IPE analyses and identify any need for procedural and equipment improvements. This issue is discussed in Section 2.2.5 of Part 4 of the IPE submittal. The issue is addressed in the IPE by referring to the analysis results obtained in [NUREG-4803] for Bellefonte Nuclear Power Plant. The analysis for Bellefonte was performed using the method discussed in [NUREG/CR-5275], which according to Generic Letter 88-20 Supplement 3 provides one method for the evaluation of local hydrogen detonations. According to the IPE submittal, in general the Davis-Besse containment appears to be even more open than the Bellefonte containment. The Davis-Besse IPE also identified two portions of the containment that contain a geometry that may be conducive to hydrogen detonation. The first is the in-core instrument tunnel which extends from the reactor vessel cavity to the room containing the containment emergency sump. The second is the region which contains the opening of the incore instrument tunnel and the emergency sump, and exits into the open area of the building. Based on some qualitative arguments, it is concluded in the IPE that hydrogen detonations are judged not possible for these locations. In general, the CPI recommendations can be considered as addressed by the licensee.

2.6 Vulnerabilities and Plant Improvements

A vulnerability is defined in the submittal to be a plant feature that compels action on the part of the utility to reduce risk, irrespective of regulatory pressures. In terms of CDF one of the following conditions must exist for a vulnerability:

1) A CDF significantly higher than 1.E-4/yr with one or a few aspects of the plant design or operating practices contributing to such a high frequency,

2) A single plant feature (or a very few of them) having a substantially higher contribution to the CDF than all the other contributors. This would not apply if the CDF were extremely low;

3) A CDF that is very sensitive to a highly uncertain aspect of plant response. In this case, more evaluation to reduce the uncertainty might be a more important response than to consider this feature a vulnerability.

The term vulnerability, as used in the Davis-Besse IPE submittal, refers to those components, systems, operator actions, and/or plant design configurations that contribute significantly to an unacceptably high severe accident risk. According to the submittal, the general criterion suggested in Generic Letter 88-20 and NUREG-1335 that licensees should look for "cost-effective safety improvements that reduce or eliminate the important vulnerabilities" as well as the guidance provided in NUMARC Report 91-04 were applied in deciding on actions that might need to be taken to address the results and insights from the IPE. The basic finding of the IPE is that there are no fundamental weaknesses or vulnerabilities with regard to severe accident at the Davis-Besse Nuclear Power Station.

Based on this definition, Davis-Besse does not have a vulnerability. The CDF is comparable to other PWR CDFs. While only a few functional sequences contribute to the core damage frequency, the sequence failures are due to many individual components' failures. There are no extremely uncertain aspects of the analysis.

The licensee states that while no vulnerability exists, as a result of the IPE consideration is given to possible enhancements to reduce the risk. Several enhancements were being considered, but none were considered as a result of a compelling need for change, and thus, a vulnerability.

The IPE took credit for plant modifications and improvements that are complete. The exception is BWST refill, for which credit was taken as a knowledge based action. Plant improvements that are being evaluated as a result of insights gained through performance of the IPE are discussed in Section 3 of Part 5 of the IPE submittal. The potential improvements focus on plant administrative and procedural enhancements. The following potential improvements have been identified in the IPE and their status noted in the IPE and the RAI responses:

1) Enhancement to power supplies for feedwater and makeup/HPI cooling. Currently, dc power for the MDAFW pump, the PORV and one makeup pump, is supplied by 4kV bus D1. Loss of power from bus D1 could lead to eventual depletion of the batteries supplying power to the affected dc buses. On loss of this dc power, the AFW flow control valve to one of the steam generators would fail open. This in turn could cause failure of both TDAFW pumps, due to water carryover, unless operator action is attempted. Various options for changing procedural guidance or taking other steps to enhance redundancy in this dc power supply were being considered. Status: a more detailed review, including timing considerations vs. the minimum equipment mission times following a loss of MFW transient, has shown that no enhancements are necessary.

2) Shedding of dc loads. At the time of IPE, procedural guidance is given only in cases when ac power is unavailable to both divisions and their chargers. The proposed procedure would also give guidance when only one ac division was lost. Status: EOP modifications are complete.

3) BWST refill options. These were considered beneficial for certain SGTR sequences where BWST depletion occurs prior to completion of sufficient depressurization. Status: EOP modifications are complete.

4) Sump recirculation using makeup pumps. Currently, EOPs prohibit usage of makeup pumps for high pressure recirculation from the sump. Thus, although the makeup system can be used as backup to HPI for injection, it cannot continue to be used after switchover to recirculation. Modifying or removing the prohibition may reduce the potential for some high pressure core damage sequences. Status: overall task is about 75% complete. Initial research/evaluation has been completed. Final resolution is expected to be completed prior to the next update of the site PRA, following completion of the IPEEE.

5) Isolation of RCP seal return following loss of seal cooling. Potential for leakage is expected to be reduced if seal return is isolated after tripping of the pumps. This option will be evaluated/resolved following completion of the IPEEE.

6) Service water room ventilation. Current SW system procedures require that two fans in both ventilation trains be operable when outside temperature exceeds 86°F. Thus, failure of one fan would mean unavailability of one train of service water. Consideration will be given to opening the service water pump room doors or, failing this, to steps for preserving essential service water flow. Status: calculations indicate that fewer fans need to be operating for service water to remain functional, i.e. the ventilation success criteria were too conservative. These changes will be included in the next update of the PRA, following IPEEE completion.

7) Fuel oil for the station blackout diesel generator. The SBODG usefulness is somewhat limited due to the amount of fuel oil available to supply it (currently 4 to 8 hours of run time). Provisions to replenish the fuel oil will be considered. Status: operational procedures for the SBODG have been revised to include direction for monitoring the level and consumption rate of fuel oil during emergency operations. Specific direction is provided to initiate refill efforts for the supply tank upon reaching a predetermined level.

No quantitative impact of these changes on the CDF is available at this time. The RAI responses provided the quantitative impact of SBODG installation, which was done in response to the station blackout rule, i.e. prior to the IPE (and was credited in the IPE). Without credit for the SBODG, the CDF would rise to 7.9E-5/yr, i.e. the installation of the SBODG reduced the CDF by approximately 20%.

As the above description of potential improvements indicates, they include a number of items under the category of human actions:

- enhancing procedures or training to provide makeup to the BWST in SGTR scenarios where the BWST is depleted by injection before the RCS is depressurized,
- changing EOP guidance to allow use of the makeup pumps to perform high pressure recirculation from the sump (not only from the BWST),
- adding an EOP step to direct operators to reduce RCP seal leakage by isolating the seal return after tripping the pumps,
- giving procedural guidance for establishing an alternate means of room cooling for the service water pump room, e.g., opening the service water pump room door,
- providing procedures for shedding DC loads when only one division is lacking AC power to its charger, and
- improving timing of operator actions related to inadequate core cooling.

In the plant improvement section of the IPE related to the back-end analysis, it was noted that an overall review of operator actions related to inadequate core cooling may be prudent; particularly those related to RCS depressurization and restarting the RCPs. Apparently, different timing of operator actions related to inadequate core cooling would have delayed the onset of serious core damage.

Other potential improvements suggested by the insights gained from the back-end analysis include:

  • Reducing the BWST level for switch-over to sump recirculation to optimize use of available water,
  • Re-examination of current emergency plan evaluation criteria using more realistic accident source terms, and
  • Monitoring of carbon monoxide levels, in addition to hydrogen levels, in the containment for incorporation into the emergency plan evaluation criteria or severe accident management criteria.

According to the IPE submittal, potential plant improvements from the back end insights have not been evaluated in detail and no specific resolutions have been identified or evaluated. As a result, these are not modifications or improvements that will necessarily be implemented.

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS

Based on the level 1 review of the Davis-Besse IPE the licensee appears to have analyzed the design and operations of Davis Besse to discover instances of particular vulnerability to core damage. It also appears that the licensee has: developed an overall appreciation of severe accident behavior; gained an understanding of the most likely severe accidents at Davis Besse; reached a quantitative understanding of the overall frequency of core damage; and implemented changes to the plant to help prevent and mitigate severe accidents.

Strengths of the level 1 part of the IPE are as follows: thorough analysis of initiating events and their impact, descriptions of the plant responses, reasonable failure data and common cause factors employed and usage of plant specific data where possible to support the quantification of initiating events and component unavailabilities. The effort seems to have been evenly distributed across the various areas of the analysis.

No major weaknesses of the IPE were identified, other than in the documentation of DHR components contribution to core damage.

The IPE determined that failures in the Auxiliary Feedwater system (dominated by TDAFW hardware pump failures, and operator failures to manually control these pumps when needed, and operator failure to start the MDAFW pump when needed) and in the makeup/HPI cooling (dominated by operator failures) are the primary contributors to core damage.

As was noted previously, several improvements have been completed as a result of insights from the IPE. The CDF impact of these improvements is not known.

The HRA review of the Davis-Besse IPE submittal did not identify any significant problems or errors. A viable approach was used in performing the HRA and nothing in the licensee's submittal indicated that it failed to meet the intent of Generic Letter 88-20 in regards to the HRA. Important elements pertinent to this determination include the following:

1) The submittal indicates that utility personnel were involved in the HRA and that the walkdowns, documentation reviews and simulator observations represented a viable process for confirming that the HRA portions of the IPE represent the as-built, as-operated plant.

2) The analysis of pre-initiator human actions included both miscalibrations and restoration faults. A reasonable screening analysis was performed and pre-initiator human actions surviving screening were quantified using the guidance provided in the Accident Sequence Evaluation Program Human Reliability Analysis procedure (ASEP HRA) [NUREG/CR-4772]. A thorough analysis of pre-initiator events was conducted.

3) Post-initiator human actions modeled included both response-type and recovery-type actions. In the post-initiator screening analysis, all human actions included in the logic models (response actions) were initially assigned a failure probability of 1.0. The submittal notes that this was done to ensure that inter-dependencies between multiple events in a cut set were appropriately considered. Post-initiator response type human actions were quantified using the method described in EPRI report TR-100259 and referred to as a cause-based approach. While a complete listing of the PSFs applied in the analysis of response type actions was not provided in the submittal, a licensee response to an NRC RAI indicated that plant-specific PSFs were considered and appropriately applied. The HRA method used resulted in a thorough and reasonable analysis of the post-initiator events. The method used to quantify the recovery type actions was different from that used for the response type actions. The approach used is documented in a draft report developed for EPRI by NUS (NUS-5272) and specifically addresses the modeling of recovery actions in PRAs. While the licensee apparently took credit for some recovery actions that would not be considered thoroughly proceduralized, a reasonable rationale was provided and the associated HEPs would not be considered unreasonable.

4) The licensee did not identify important human actions through the use of importance measures in the submittal. In a response to the NRC RAI, Fussell-Vesely measures were provided for events relevant to important transients (e.g., total loss of feedwater); values for the events' contribution to total CDF were not provided. The submittal did provide a good discussion of operator actions in dominant sequences and a sensitivity analysis for human action events in truncated sequences was performed and the results were discussed. Thus, information regarding important human actions was provided. Several potentially important human action related enhancements were proposed.

The IPE uses a small event tree/large fault tree methodology to perform the back-end analyses, and the MAAP code to perform the deterministic accident analyses. The interface between the front-end and back-end analyses is accomplished via the development of a set of PDSs, which are defined by the front-end core damage sequences and the status of the containment systems. The PDS definition scheme is adequate. The CET is well structured and easy to understand, and the quantification process of the CET is systematic and traceable.

A special feature of the Davis-Besse containment design is the use of a free-standing steel shell containment. Unlike most of the other large dry containments that use concrete containments, direct attack of the steel shell by the core debris is a concern at Davis-Besse.

The important points of the technical evaluation of the Davis-Besse IPE back-end analysis are summarized below:

  • The back-end portion of the IPE supplies a substantial amount of information with regard to the subject areas identified in Generic Letter 88-20.
  • The Davis-Besse IPE provides an evaluation of all phenomena of importance to severe accident progression in accordance with Appendix I of the Generic Letter.
  • The submittal has identified a plant-specific containment failure mode that involves attack of core debris on the containment steel shell (identified in the IPE as side wall failure). It is assumed in the IPE that side wall failure occurs when there is a substantial dispersal of debris during high pressure melt ejection (HPME) and that the debris bed is not coolable.
  • There is a logic error in the CET structure that prevents hot leg creep rupture from This error causes a significant over-estimate of the probability of side wall failure and a substantial over-estimate of the probability of early failure. Revised containment failure probabilities are provided in the licensee's response to the RAI.
  • The release categories defined in the Davis-Besse IPE are based on the magnitudes of the fission products released, irrespective of the release timing (or the containment failure modes). As a result, a release category may include CET sequences with different containment failure modes and/or different release timing. Further refinement of source term definition is required before calculation of offsite consequences could be carried out.
  • The sensitivity analysis provided in the IPE is very limited. It is discussed in that part of the submittal where the containment failure modes are discussed. The analysis involves the evaluation of the changes in the probabilities of the containment failure modes due to the changes of the probability values of some CET base events. However, the values of the basic events used in the sensitivity studies seem arbitrary. For example, there is no discussion of why a value of 0.1 is used for HPME failure in the sensitivity study. It seems the value is arbitrarily selected, not based on the uncertainty of containment pressure loads at HPME. Furthermore, the sensitivity analyses presented in the IPE submittal are based on the base case results with the above-mentioned logic error. The sensitivity to some parameters will change as this error, and thus the results of the base case, are corrected. For example, the sensitivity of side wall failure to debris coolability seems likely to be changed.
  • One issue that may have a significant impact on the fission product release identified in the IPE is the potential of induced SGTR (ISGTR) by the operation of the RCPs. The procedure calls for the restart of the RCPs as a last resort to get some amount of coolant to the core. The operation of the RCPs may significantly increase the potential of ISGTR. According to the Davis-Besse IPE, this issue may best be conducted in conjunction with the B&W Owners Group severe accident management activities.
  • The licensee has addressed the recommendations of the CPI program.

4. REFERENCES

[GL 88-20] Crutchfield, D.M., Individual Plant Examination for Severe Accident Vulnerabilities, U.S. Nuclear Regulatory Commission Generic Letter 88-20, November 23, 1988.

[NUREG-1335] Individual Plant Examination: Submittal Guidance, U.S. Nuclear Regulatory Commission Report NUREG-1335, August 1989.

[IPE Submittal] Individual Plant Examination for the Davis-Besse Nuclear Power Station, Toledo Edison Company, February, 1993.

[RAI Responses] Response to Request for Additional Information for the IPE Program, Davis-Besse Nuclear Power Station, the Toledo Edison Company, Septe

[NUREG/CR-4550] Ericson, D.M., Editor, et al., Analysis of Core Damage Frequency: Internal Events Methodology, NUREG/CR-4550, Vol. 1, Rev. 1, Sandia National Laboratory, January 1990.

[NUREG/CR-4803] Sherman, M.P., and Berman, M., The Possibility of Local Detonations During Degraded-Core Accidents in the Bellefonte Nuclear Power Plant, NUREG/CR-4803, January 1987.

[NUREG/CR-5275] Sherman, M.P., et al., FLAME Facility - The Effect of Obstacles and Transverse Venting on Flame Acceleration and Transition to Detonation for Hydrogen-Air Mixtures at Large Scale, NUREG/CR-5275, April 1989.

[EPRI NP-3583] G.W. Hannaman and A.J. Spurgin, Systematic Human Action Reliability Procedure (SHARP), EPRI-3583, Palo Alto, CA: Electric Power Research Institute, 1984.

[NUREG/CR-4772] A.D. Swain, Accident Sequence Evaluation Program Human Reliability Analysis Procedure, NUREG/CR-4772, U.S. Nuclear Regulatory Commission, Washington, D.C., February, 1987.

[NUREG/CR-1278] A.D. Swain and H.E. Guttman, Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Applications: Technique for Human Error Rate Prediction, NUREG/CR-1278, U.S. Nuclear Regulatory Commission, Washington D.C., 1983.

[EPRI TR-100259] G.W. Parry, et al., An Approach to the Analysis of Operator Actions in Probabilistic Risk Assessment, Electric Power Research Institute Report TR-100259 (Draft), Palo Alto, November 1991.

[NUS-5272] P. Moieni, et al., Modeling of Recovery Actions in PRAs, Report APG #15 (NUS-5272) for Electric Power Research Institute (Draft), April 1991.


}}