ML20129H300
| ML20129H300 | |
| Person / Time | |
|---|---|
| Site: | Beaver Valley |
| Issue date: | 08/31/1995 |
| From: | Darby J, Sciacca F, Thomas W SCIENCE & ENGINEERING ASSOCIATES, INC. |
| To: | NRC |
| Shared Package | |
| ML20128F445 | List: |
| References | |
| CON-NRC-04-91-066, CON-NRC-4-91-66 SEA-92-553-031, SEA-92-553-031-A:3, SEA-92-553-31, SEA-92-553-31-A:3, NUDOCS 9610080067 | |
| Download: ML20129H300 (50) | |
Text
.-
SEA-92-553-031-A:3 August 31,1995 I
]
i
)
l
)
Beaver Valley 1 j
4 Technical Evaluation Report i
on the Individual Plant Examination i
Front End Analysis I
NRC-04 91-066, Task 31 j
i 9
i 1
John L. Darby, Analyst Willard R. Thomas, Editor Frank W. Sciacca, Editor 4
i Science and Engineering Associates, Inc.
J i
j i
)
Prepared for the Nuclear Regulatory Commission i
9610000067 960930
'l PDR ADOCK 05000334 P
PDR l
TABLE OF CONTENTS 1
E. Executive Summary E.1 Plant Characterization..
1 E.2 Licensee's IPE Process 2
E.3 Front-End Analysis 2
6 E.4 Generic issues E.5 Vulnerabilities and Plant Improvements.
6 E.6 Observations 8
- 1. I NTR O D U CTI O N..................
9 1.1 Review Process..
9 1.2 Plant Characterization 9
- 2. TECHNICAL REVIEW 10 2.1 Licensee's IPE Process..........
10 2.1.1 Comoteteness and Methodotoov..........
10 2.1.2 Multi-Unit Effects and As-Built. As-Ocerated Status........ 10 2.1.3 Licensee Particioation and Peer Review..........
11 1
r-.
_2.2_AccidenLSeguence Delineation and System Analysis............. 12 l
~~
2.2.1 Initiatin a E ve nt s..........T. T..~...................
12 2.2.2 Event Trees 14 2.2.3 Svstems Analvsis...
19 2.2.4 Svstem Decendencies..............
23 2.3 Quantitative Process.................................... 23 2.3.1 Quantification of Accident Seauence Freauencies 23 2.3.2 Point Estimates and Uncertaintv/ Sensitivity Analvses....... 24 2.3.3 U se of Plant-Soecific Data.......................... 24 2.3.4 U se of G ene ric Data.............................. 25 2.3.5 Common-Cause Quantification.....
25 2.4 I rte rf ace iss u e s........................................ 26 2.4.1 Front-End and Back-End Interfaces 26 2.4.2 Human Factors Interfaces 27 2.5 Evaluation of Decay Heat Removal and Other Safety issues........ 27 27 2.5.1 Examination of DHR 28 2.5.2 Diverse Means of DHR 2.5.3 U niau e Feature s of DH R........................... 28 2.5.4 Other GSI/USIs Addressed in the Submittal.............. 28 29 2.6 Inte rnal Flooding.......................................
2.6.1 Internal Flooding Methodoloav....................... 29 2.6.2 Internal Floodina Results........................... 29 30 2.7 Core Damage Sequence Results...........................
2.7.1 Dominant Core Damage Seouences................... 30 2.7.2 Vuln e rabilitie s................................... 36 il 1
i
I 2.7.3 Prooosed imorovements and Modifications..
36
- 3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS 40 i
- 4. DATA
SUMMARY
SHEETS.
42 1
REFERENCES..............
45 i
E 4
4 i
3 i
I h
i I
l l
iii
LIST OF FIGURES 32 Figure 2-1. CDF by initiating Event...
33 Figure 2-2. CDF by Accident Category.
IV l
1 i
i
I LIST OF TABLES Table 2-1. Groups of Initiating Events.....
13 Table 2-2. Component Failure Data 25 Table 2-3. Comparison of Beta Factors for 2 of 2 Components 26 Table 2-4. Important Flood Locations 30 Table 2-5. Top Five Systemic Core Damage Sequences 34 Table 2-6. Sensitivity Analysis Results 35 j
Table 2-7. Enhancements...
37 4
f V
E. Executive Summary This report summarizes the results of our review of the front-end portion of the Individual Plant Examination (IPE) for Beaver Valley Unit 1. This review is based on information contained in the IPE submittal along with the licensee's responses to Requests for Additional Information (RAl).
E.1 Plant Characterization The Beaver Valley site contains two units; two separate IPEs, one for each unit, were performed. This report summarizes our review of the IPE for Unit 1. Unit 1 is a three loop Pressurized Water Reactor (PWR), and the site is located on the Ohio River in Pennsylvania. Unit 1 has a steel lined, pre-stressed, post-tensioned concrete, subatmospheric containment. Westinghouse was the Nuclear Steam System Supplier (NSSS), and Duquesne Light Company (DLC), with assistance from Stone and Webster (SW), was the architect engineer (AE) and constructor. Unit 1 achieved commercial operation in 1976. The rated power is 2,660 megawatts thermal (MWt),
835 net megawatts electric (MWe), for unit 1. Similar units in operation are: North Anna and Surry.
Design features.at Beaver Valley 1 that impact the core damage frequency (CDF)'are as follows:
Dedicated feedwater cumo oowered off the emergency resoonse facilitv diesel generator (DG) as an Accendix R backuo for auxiliary feedwater. This feature tends to reduce the CDF by reducing the probability of loss of all feedwater.
Automatic switchover of Emergency Core Coolino Svstem (ECCS) from iniection to recirculation. This feature tends to reduce the CDF by not requiring operator action in response to a large Loss of Coolant Accident (LOCA) to provide timely switchover of the ECCS from the Refueling Water Storage Tank (RWST) to the containment sump.
Ooeration with 2 of 3 PORV block valves closed. This feature tends to increase the CDF by reducing the pressure relief capability in response to an Anticipated Transient Without Scram (ATWS).
Reauirement to orovide ventilation to the emeroencv switchoear rooms. This feature tends to increase CDF by requiring switchgear ventilation to support 1E power operation.
1
1 E.2 Licensee's IPE Process The IPE is a level 2 Probabilistic Risk Assessment (PRA). The PRA was initiated in response to Generic Letter 88-20. The freeze date for the IPE model was early 1988.
No planned modifications beyond the freeze date were considered in the PRA model.
Utility personnel were involved in all facets of the total IPE effort. The licensee performed a PRA-based IPE for Beaver Valley Unit 2 prior to performing the IPE for Beaver Valley Unit 1. The utility assumed the lead role in completing the PRA for unit 1, based on the experience gained in performing the PRA for unit 2.
Major j
contractors for the front-end PRA were Pickard, Lowe and Garrick, Inc. (PLG) and Stone and Webster.
Plant walkdowns were performed to verify that the PRA model represented the as-built condition. Wa!kdowns were conducted for the internal flooding analysis and for the back-end analysis. The walkdown for the internal flooding analysis was completed in one two day time frame, while two separate walkdowns were performed for the back-end analysis.
Major documentation used in the IPE included: the Updated Final Safety Analysis, Report (UFSAR), design basis documents, Piping and Instrument Diagrams (P&lD),
electrical drawings, procedures, and operating crew surveys. Other PRAs were reviewed, primarily NUREG/CR 4550 for Surry, and PRAs for Zion, Indian Point, and Millstone. Insights from these PRAs were incorporated into the Beaver Valley 1 IPE, mainly for component failures and the determination of success criteria.
The IPE was internally reviewed by members of the PRA team. An independent review was performed by DLC staff from: licensing, operations, engineering, training, plant performance, radiological engineering, and the independent safety engineering group. The submittal provides a table that delineates the review responsibility of each member of the independent review team. Comments from the independent review team were documented and resolved in accordance with PLG Quality Assurance (OA) procedures.
The submittal does not state that a "living" PRA will be maintained, however, the submittal states: "DLC now recognizes the benefits of a PRA and the capability that has been developed will be maintained. This capability will support a comprehensive risk management program."
E.3 Front End Analys!
The methodology chosen for the Beaver Valley Unit 1 IPE front-end analysis was a Level l PRA; the large event tree /small fault tree technique with event tree linking was used and quantification was performed with RISKMAN.
2
The IPE quantified 45 categories of initiating events, comprising 4 groups as follows:
Initiating Event Group Number of initiating Event Categories in Initiating Event Group LOCAs 7
Transients (Generic) 16 Plant Specific Support System Failures 13' (Plant Specific Transients)
Internal Floods 9
' The licensee includes Loss of Offsite Power in this category; we have included this event in the Transient Category, as is the standard practice in most IPE/PRAs.
j The licensee developed systemic event trees for frontline systems, to model the plant response to each class of initiating event. All relevant frontline systems were modeled in the event trees; support systems were modeled in a support system fault tree.
Special event trees were developed for Anticipated Transient Without Scram (ATWS),
i interfacing systems Loss of Coolant Accidents (LOCA), and Steam Generator Tube Rupture (SGTR).
Plant specific initiating events were evaluated by examining all support systems.
Failures in support systems that result in reactor trip and affect safety systems were retained as plant specific initiating events if they were not already considered in other generic initiating event categories. The IPE modeled 13 plant specific initiating events.
The IPE evaluated loss of Heating, Ventilating, and Air Conditioning (HVAC) systems as initiating eventw and retained loss of HVAC in the emergency switchgear rooms as an initiating event. i.oss of both station instrument air and containment instrument air were modeled as plant specific initiating events.
Core damage was assumed to occur when the loss of heat removal progressed past the point of core uncovery, and core exit temperatures exceeded 1,200 deg. F.
The NUREG/CR 4550 PRA for Surry was used in the development of system level success criteria. The success criteria for adequate pressure relief following an A1WS were based on Westinghouse analyses.
Support system dependencies were modeled in a support system event tree; this support system event tree was linked with the frontline system event trees during quantification. Support system states were not used in the quantification. The submittal contained tables summarizing the inter-system dependencies considered in the models.
3
The IPE useo plant specific data from January 1,1980 through December 31,1988 to bayesian update generic data. The IPE used plant specific data for system unavailability for testing and maintenance to Bayesian update generic data.
The Multiple Greek Letter (MGL) method was used to model common cause failures.
The data for common cause failures were taken from standard sources as discussed in Section 11.2.6 of this report, and the values used were comparable to values used in typical PRA/IPEs. Common cause failures were modeled within systems. Common cause failures were not major contributors to the CDF in this IPE.
The submittal summarizes the technique used to evaluate internal flooding. The tasks were as follows. (1) Plant Familiarization. Key plant design information was reviewed.
(2) Flood Experience Review. Flood data from Nuclear Power experience through 1987 were reviewed and used in the quantification of flood initiating event frequencies.
(3) Flood and Equipment Location. Flood sources, locations, and flood propagation were studied. (4) Plant Walkthrough. The plant was walked down to confirm details of the flooding effects. (5) Scenario Quantification. Flood scenarios were postulated, evaluated, and quantified.
Flooding events from river water and fire water survived initial gereening and were quantified. The quantification used the PRA event trees developed for internal initiating events to quantify the offects of additional randorn failures, given the failures as a direct result of the flood.
The total CDF from internal initiating events and from internal flooding was estimated to have a mean value of 2.14E-4/ year. Internal flooding contributed 1.4% to this total CDF; the CDF from internal flooding was 3.02E-6/ year.
Internal initiating events that contribute the most to CDF, and their percent contribution, are as follows:
Loss of Emergency AC Train 19%
Partial Loss of Main Feedwater 12%
Loss of River Water 11%.
Section 2 / of this report provides a more complete listing of the contribution of initiating events to core damage.
The submittal summarizes the contribution to overall CDF by accident category, as follows. Note that the accident category results do not represent absolute contributions to CDF.
Station Blackout 30 %
4 i
l l
Containment Bypass / Isolation Failures 21%
Loss of switchgear HVAC 16%
ATWS 20 %
These accident categories are not mutually excluslve; for example, station blackout and loss of switchgear ventilation both contribute significantly to a Reactor Coolant Pump (RCP) seal LOCA. The high contribution of RCP seal LOCA and station blackout to CDF is consistent with the findings of many other IPE/PRAs for PWRs.
The high contribution of cantainment bypass / isolation failure is notable; this is due to loss of emergency switchgear ventilation with resultant loss of electrical power leading to the inability to provide core cooling accompanied by inability to isolate containment.
The high contribution of ATWS is notable; this is due to the condition that Beaver Valley 1 is allowed to operate with two of the three Power Operated Relief Valve (PORV) block valves closed which reduces the capability of the pressure relief system on the reactor coolant system (RCS) to mitigate an ATWS with loss of main feedwater.
The high impact of loss of switchgear HVAC is a plant specific feature, in that 1E power is lost without HVAC for the switchgear.
Hardware failures contributing significantly to the total CDF are: failure of AC train A, failure of RCS pressure relief in response to an ATWS, failure of the river water system, and failure to trip the reactor.
Operator actions contributing significantly to reducing CDF are: recovery of ventilation for the emergency switchgear rooms, and recovery of AC power for the 1E buses.
The licensee has updated the PRA since the submittal; section E.5 of this report st mmarizes the results of the update and section 2.7.3 provides a discussion of the updated PRA.
The IPE did not use Plant Damage States (PDS) to perform the back end analysis.
The front and back end analyses were automatically linked together. That is, the level 1 event trees were directly linked to the containment event tree. Level 1 end state bins were used for the purposes of presentation and understanding. Core damage sequences were binned based on four parameters: RCS pressure at core damage, containment isolation status, the size of the opening if not isolated, and the status of j
containment heat removal.
j Based on our review, the following modeling assumptions have an impact on the overall CDF:
(a) the RCP seal LOCA.model used, (b) no requirement for containment heat removal to support core cooling, (c) the ability of operators to provide compensatory ventilation for the emergency switchgear rooms, and 4
5
J 1
(d) two of three PORV block valves normally closed and unavailable for pressure relief for ATWS event.
l The NUREG 1150 RCP seal LOCA model was used; this tends to increase the CDF in comparison with IPEs that used the Westinghouse seal LOCA model. The IPE assumed that containment spray and heat removal are not required to support core cooling; most IPE/PRAs assume that the ability to cool the core is either lost or 4
degraded if containment cooling is not provided during accidents in which mass / energy are released into containment, lhis assumption tends to decrease the CDF. The l
credit for operator action to provide ventilation to the emergency switchgear rooms by opening doors and using portable fans tends to reduce the CDF.
E.4 Generic issues j
The IPE specifically addressed loss of Decay Heat Removal (DHR). The submittal
{
1 summarizes the importance of systems and options contributing to decay heat removal, these being:
Main Feedwater Auxiliary Feedwater Feed and Bleed Cooling Depressurization with Steam Generators (SGs)
The submittal discusses the relative importance of these five systems and functions, and the failures contributing to loss of them. The licensee concludes that there are no i
vulnerabilities in these systems and options used for decay heat removal.
l The submittal does not propose to resolve any other generic issues directly with the IPE.
E.5 Vulnerabilities and Plant improvements i.
The licensee defined vulnerabilities as "the fundamental contributors to risk" in the important scenarios.
The IPE identified eight vulnerabilities and enhancements for these eight vulnerabilities are proposed and discussed.
3-The submittal addresses potential enhancements that are being implemented or that are under review. The enhancements are discussed relative to each vulnerability, and m
the status of each enhancement is provided. These vulnerabilities and associated enhancements are shown in the table on the following page.
4 6
i
l Vulnerabilities and Related improvements identified in Beaver Valley 1 iPE Vulnerability Enhancement impact of CDF importance Status of Enhancement Enhancement
%CDF' Risk Reduction Worth
- AC Power Crosstie Capability Allows Unit 1(2) 30.4 0.86 Implemented; Generation Between Units 1 and DGs to power Unit credited in revised Capability 2
2(1)if both Unit IPE 1(2) DGs work l
Reactor Trip Enhance Procedures Enhanced 19.9 0.79 Dropped from Breaker Failure to De Power Bus Recovery for consideration; not ATWS credited in IPE
(
Pressurizer Parc.'e with all Block Increase Pressure 15.6 0.89 Revised model PORV Block Valves Open or Relief Capacity for indicated greater Valve Alignment Provide Procedure to ATWS capacity for each Open Block Valves PORV and that i
on Loss of Main single PORV Feedwater generally adequate; new model credited l
in revised IPE Loss of Enhanced Prevent 15.5
- 0.87.
Completed; not Emergency Procedures Overheating of credited in IPE Switchgear Room Switchgear HVAC RCP Seal Cooling Use of improved seal Reduce Likelihood 13.8 New seals will be for Station materials of RCP Seal installed as existing Blackout LOCA in Station spare stock is Blackout expended; not credited in IPE Battery Capacity Enhanced Extend tims'oiSG 10.7 0.89 Dropped from for SG Level Procedures for Load Level Indication consideration; not during Station Shedding and Using under Loss of AC credited in IPE Blackout Portable Battery Power Chargers Pressurizer Eliminate Challenge Reduce Frequency 2.0 0.98 Dropped from PORV Sticking by Defeating 100%
of PORV consideration; not after Loss of Load Rejection Openings credited in IPE Offsite Power Capability Fast 4160 V Bus Enhanced Reduce Frequency 1.5 0.98 Implemented; Transfer Procedures and that Breaker i
credited in IPE Training Failures will Challenge DGs
- Percent of Sequences containing Vulnerability
- Fraction of Original CDF Remaining if Failure Probability of Affected System Reduced to 0.0
~ Included in Risk Reduction for AC Power Generation Capability 7
The licensee pravided additional information stating that two changes have been made since completion of the iPE, these being: installation of the station crosstie and reanalysis of ATWS with more optimistic assumptions. The licensee states that the net effect of these changes results in a 44% reduction in the total CDF, resulting in a new CDF of 1.2E-4/ year.
E.6 Observations The licensee appears to have analyzed the plant design and operations of Beaver Valley 1 to discover instances of particular vulnerability to core damage. It also appears that the licensee has: developed an overall appreciation of severe accident behavior; gained a quantitative understanding of the overall frequency of core damage; and implemented changes to the plant to help prevent and mitigate severe accidents.
Strengths of the IPE are as follows. The consideration of plant specific initiating events in the IPE is thorough compared to some other IPE/PRA studies.
Significant level-one IPE findings are as follows:
RCP seal LOCAs after station blackout are an important contributor to the total CDF the CDF t.ssociated with core damage accompanied by failure to isolate containment is relatively high j
the CDF from internal flooding is small.
One reason that RCP seal LOCAs during station blackout are an important contributor to CDF is because the NUREG 1150 model for seal LOCAs was used. IPEs that have used the Westinghouse seal LOCA model typically predict less of a contribution from seal LOCAs to the total CDF. The CDF associated with core damage events
. accompanied by failure to isolate containment is relatively high due to loss of ventilation for electrical switchgear causing loss of electrical power and the inability to provide core cooling and to isolate containment. The CDF from internal flooding is small due to the layout of the plant.
l 8
- 1. INTRODUCTION i
1.1 Review Process This report summarizes the results of our review of the front-end portion of the IPE for Beaver Valley Unit 1. This review is based on information contained in the IPE submittal along with the licensee's responses to RAl. [lPE) [lPE Fax) [lPE Responses]
1.2 Plant Characterization The Beaver Valley site contains two units; two separate IPEs, one for each unit, were performed. This report summarizes our review of the IPE for Unit 1. Unit 1 is a three loop Pressurized Water Reactor (PWR), and the site is located on the Ohio River in Pennsylvania. Unit 1 has a steel lined, pre-stressed, post-tensioned concrete, subatmospheric containment. Westinghouse was the Nuclear Steam System Supplier (NSSS), and Duquesne Light Company (DLC), with assistance from Stone and Webster, was the architect engineer (AE) and constructor. Unit 1 achieved commercial operation in 1976. The rated power is 2,660 MWt,835 MWe (net), for unit 1. Similar units in operation are: North Anna and Surry.
Design features at Beaver Valley 1 that impact the core damage frequency (CDF) are as follows:
Dedicated feedwaie somo oowered off the emeroency resoonse facilitv Diesel Generator (DG) as an Accendix R backoo for auxiliarv feedwater. This feature tends to reduce the CDF by reducing the probability of loss of all feedwater.
Automatic switchover of ECCS from inlection to recirculation. This feature tends to reduce the CDF by not requiring operator action in response to a large Loss of Coolant Accident (LOCA) to provide timely switchover of the Emergency Core Cooling System (ECCS) from the Refueling Water Storage Tank (RWST) to the containment sump.
Ooeration with 2 of 3 PORV block valves closed. This feature tends to increase the CDF by reducing the pressure relief capability in response to an ATWS.
Reauirement to orovide ventilation to the emeraency switchaear rooms. This feature tends to increase CDF by requiring switchgear ventilation to support 1 E power operation.
9
- 2. TECHNICAL REVIEW 2.1 Licensee's IPE Process We reviewed the process used by the licensee with respect to: completeness and methodology; multi-unit effects and as-built, as-operated status; and licensee participation and peer review.
2.1.1 Comoleteness and Methodoloav.
The submittal contains the information requested by Generic Letter 88-20 and NUREG 1335. No obvious omissions were noted. [NUREG 1335][GL 88-20]
The front-end portion of the IPE is & ievel i PRA, which is a method that is addressed in Generic Letter 88-20. The specific technique used for the level l PRA was a large event tree /small fault tree technique, and it was clearly described in the submittal.
The submittal described the details of the technique. Internal initiating events and internal flooding were considered. Event trees were developed for all classes of initiating events. The development of component level system fault trees was summarized, and system descriptions were provided. Support systems were modeled with a support system event tree which was linked with the frontline system event trees; support system states were not generated. [lPE submittal, Section 3.3] Inter-system dependencies were discussed in the system descriptions and tables of system dependencies were provided. Data for quantification of the models were provided, including common cause and recovery data. The application of the technique for modeling internal flooding was described in the submittal. Importance and sensitivity analyses were performed. An overall uncertainty analysis of the CDF was performed.
The level 1 PRA upon which the front-end portion of the IPE is based, was initiated in response to Generic Letter 88-20.
2.1.2 Multi-Unit Effects and As-Built. As-Ocerated Status.
Beaver Valley is a two-unit site, but the submittal addresses only unit 1. Unit 2 achieved commercial operation 10 years after unit 1. Based on our review of the UFSAR for unit 1, there seems to be little sharing of systems between the two units besides sharing of offsite power and the intake structure. The UFSAR does indicate that the ability to manually crosstie DG supplied power between the two units has been implemented to address station blackout, but this capability was not present as of the freeze date of the model in the IPE submittal for unit 1. [UFSAR, Section 8.4.6]
I
[lPE submittal, Section 6.3.2.1] Therefore as of the freeze date of the submittal, there is little potential for dual unit core damage between the two units.
I I
l 1
10
M The licensee indicated that the IPE has been updated to consider the station blackout enhancement that allows for crosstie of DG supplied r,ower between the two units.
[lPE Responses] The updated IPE results reduced the overall CDF by 44% to 1.2E-4/yr.
i As discussed later this report, the impact of internal flooding on dual unit core damage
'is small.
1 Plant walkdowns were performed for.the internal flooding analysis and for the back-end analysis. [lPE submittal, Section 1.2] The walkdown for the internal flooding j
analysis was completed in one two day time frame, while two separate walkdowns were performed for the back-end analysis.
Major documentation used in the IPE included: the Updated Final Safety Analysis
)
i Report (UFSAR), design basis documents, Piping and instrumentation Diagrams (P&lD), electrical drawings. procedures, and operating crew surveys. [lPE submittal, Table 2.4-1]
j Other PRAs were reviewed, primarily NUREG/CR 4550 for Surry, and PRAs for Zion, Indian Point, and Millstone. [lPE submittal, Section 2.4.2] Insights from these PRAs were incorporated into the Beaver Valley 1 IPE, mainly for component failures and'the i
determination of success criteria.
]
The freeze date for the IPE model was early 1988. [lPE submittal, Section 1.1] The j
IPE model did not credit any plant changes planned after the freeze date. [lPE submittal, Section 1.4.1]
2.1.3 Licensee Particioation and Peer Review.
l The licensee performed a PRA based IPE for Beaver Valley Unit 2 prior to performing b
j this IPE for Beaver Valley Unit 1. [lPE submittal, Section 5.1] The utility assumed the i
lead role in completing the PRA for Unit 1, based on the experience gained in performing the PRA for unit 2. The Engineering Analysis and Assurance (EAA) group i
at Duquesne Light Company (DLC) was the lead utility organization for the PRA, and staff from this group interfaced with other DLC departments as necessary. Additional i
DLC involvement in the IPE included:
\\
technology transfer seminars were conducted with participation from DLC F
l organizations involved with conducting and reviewing the PRA DLC management, licensing, and training personnel attended a 3 day review of the results of the Beaver Valley 2 PRA work a DLC engineer worked with the PLG analysts for 3 months 1
DLC engineers performed MAAP calculations j
i 11 i
1
DLC traming and operations personnel provided input and review for the modeling if human actions DLC prepared the IPE submittal.
PL'G was the major contractor for the front-end analysis. Stone and Webster also i
provided support for the IPE.
The submittal does not state that a "living" PRA will be maintained, however, the submittal states: "DLC now recognizes the benefits of a PRA and the capability that has been developed will be maintained. This capability will support a comprehensive risk management program." [lPE submittal, Section 7)
The IPE was internally reviewed by members of the PRA team. An independent review was performed by DLC staff from: licensing, operations, engineering, training, plant performance, radiological engineering, and the independent safety engineering group. [lPE submittal, Section 5.2] The submittal provides a table that delineates the review responsibility of each member of the independent review team. [lPE submittal, l
Section 5.3)
Comments from the independent review team were documented and resolved in accordance with PLG OA procedures. [lPE submittal, Section 5.4]
i 2.2 Accident Sequence Delineation and System Analysis This section of the report documents our review of both the accident sequence delineation and the evaluation of system performance and system dependencies 1
provided in the submittal.
4 l
4 2.2.1 Initiatina Events.
4 The licensee defines an initiating event as an event that should lead to plant trip from an initial at-power condition; events requiring controlled shutdown are not considered as initiating events. [lPE submittal, Section 3.1.1] This is the standard definition of initiating events used in PRAs for at-power initial conditions.
The following process was used to identify initiating events. [IPE submittal, Section 3.1.1) Other studies were reviewed which evaluated initiating events in Westinghouse reactors; these studies included: the UFSAR for the unit, the Beaver Valley Unit 2 PRA, the Diablo Canyon PRA, the South Texas Project PRA, the NUREG/CR 4550 PRA for Surry, the EPRI NP-2300 report, Wash 1400, and NUREG/CR-4674. The plant operating history was reviewed for actual plant trip events. Failure Modes and Effects Analysis (FMEA) was performed to identify plant specific initiating events from failures in support systems.
12 J
A list of categories of initiating events, divided into four broad groups of initiating events, was developed. [lPE submittal, Table 3.1.1-1] The groups of initiating events and the number of constituent categories of initiating events within each group are summarized in Table 2-1 of this report.
Table 2-1. Groups of Initiating Events initiating Event Group Number of Initiating Event Categories in Initiating Event Group LOCAs 7
Transients (Generic) 16 P[ ant Specific Support System Failures 13' (Plant Specific Transients)
Internal Floods 9
- The licensee includes Loss of Offsite Power in this category; we have included this event in the Transient Category, as is the standard practice in most IPE/PRAs.
The list of General Transient initiating events appears complete. It includes such events as: spurious actuation of ECCS, main steam line breaks both upstream and downstream of an MSIV, and excessive feedwater.
The submittalincludes a summary table of the results of the FMEA performed to identify plant specific initiating events. [lPE submittal, Table 3.1.1-2) This table indicates that a systematic analysis was pedormed to identify plant specific initiating events.
Based on the FMEA, the following categories of plant specific initiating events were retained for analysis: [lPE-submittal, Table 3.1.1-1]
Loss of 125 V DC Bus 1-1 Loss of 125 V DC Bus 1-2 Loss of River Water and Auxiliary River Water Loss of Component Cooling Water (CCW)
Loss of Red Vital Bus l
Loss of White Vital Bus Loss of Blue Vital Bus Loss of Yellow Vital' Bus Loss of 4160 V AC Bus 1 AE Loss of 4160 V AC Bus 1DF Loss of Station Instrument Air Loss of Containment Instrument Air
~
13
L Loss of Emergency Switchgear Ventilation System.
Other plant specific initiating events were considered as part of previously defined general initiating event categories. For, example, loss of a non-1E 4160 V AC bus was considered as bounded by loss of offsite power both in terms of impact and frequency.
The IPE does not address the impact of spurious containment isolation. As discussed later in this report, containment isolation results in iso;ation of Component Cooling Water (CCW) to the Reactor Coolant Pumps (RCP). Given containment isolation, in our opinion, the operators should trip the RCPs to prevent a potential vibration-induced seal LOCA. (The IPE does address the need to trip the RCPs if the initiating event is loss of CCW. [lPE submittal, Table 3.1.1-2] ) However, since CCW cooling is not l
required for High Head Safety injection (HHSI) operation to provide injection to mitigate an RCP seal LOCA, omission of the initiating event is of little consequence, j
since for it to progress to core damage both operator failure to trip the RCPs and loss of HHSI injection must occur.
The IPE does model two small LOCA initiating events, one non-isolable and one isolable, and identifies the isolable small LOCA with an open PORV. [lPE submittal, I
Table 3.1.1-1]
d Breaks of size less than 3/8 inch equivalent diameter are not considered to be LOCAs, l
since they are within the capability of the normal makeup system.
i l
The frequencies of the initiating events are comparable to those used in other l
IPE/PRA studies. [lPE submittal, Table 3.3.1-4] The frequency for an interfacing j
systems LOCA is 1.61E-5/yr, which is high compared to the frequency for such an event in some other IPE/PRAs. The submittal states that this is the frequency for 4
leakage in excess of 105 gpm past two LHSI check valves, and that it is assumed that i
this causes failure of Low Head Safety injection (LHSI) piping since it exceeds the relief capacity available. [lPE submittal, Sections 3.1.3.6.4.2.3 and 3.1.3.6.4.3) One j
reason that the frequency of an interfacing systems LOCA in this IPE is higher than in
~
some other IPE/PRAs, is that some other IPE/PRAs have factored in a probability that i.
the overpressurized piping does not fail.
2.2.2 Event Trees.
Seven frontline event trees were constructed, these being: [lPE submittal, Section 3.1.3]
)
general transient /small LOCA event tree medium LOCA event tree i
large LOCA event tree excessive LOCA event tree 14 j
i SGTR event tree
' interfacing systems LOCA event tree ATWS event tree.
Also, a support system event tree and a recovery event tree were developed. The j
support system event tree was directly linked with the frontline event trees during quantification; no support state modeling was used. [lPE submittal, Section 3.3] The recovery event tree consisted of only one top event, as of the date of the submittal:
i recovery of AC power. [lPE submittal, Section 3.1.4.2]
e To assist in development of the event trees, Event Sequence Diagrams (ESDs) were developed. [lPE submittal, Section 3.1.2] These ESDs provide a time ordered i
description cf the various responses of the plant to classes of initiating events.
The submittal provides the criteria used for core damage. [lPE submittal, Section 1.4.1]
Core damage was assumed to occur when the loss of heat removal progressed past the point of core uncovery, and core exit temperatures exceeded 1200 F. (in response to RAI for the Beaver Valley 2 IPE the licensee stated that defining core damage to be core uncovery only, without consideration of core exit temperature, has essentially the same effect as the definition used.)
The submittal summarizes the system level success criteria used in the IPE. [lPE 4
submittal, Section 3.1.2 and Tables 3.1.2-2 through 3.1.2-8] The submittal provides the frontline event trees for the various classes of accident initiating events, and a i
description of the events in the trees. [lPE submittal, Section 3.1.3] We have the following comments on the success criteria and the event trees.
I j
General Transient /Small LOCA Event Tree I
The model for a general transient assumes that main feedwater flow is significantly J
reduced automatically after plant trip as a result of low primary temperature; therefore, auxiliary feedwater (AFW) is the preferred source of steam generator cooling in the
{
model. [lPE submittal, Page 3.1-56] Should, AFW fail, use of main feedwater is credited, if it is available. If both auxiliary and main feedwater are unavailable, the model credits the used of the dedicated feedwater pump. The dedicated feedwater pump is a special pump that can be powered off the Emergency Response Facility 1
The success criteria for a transient credit heat removal from the steam generators with any one AFW pump or with the dedicated feedwater pump, if a main feedwater pump is' not available. We evaluated the ability of any one of these pumps to provide for adequate heat removal, and conclude that any of these pumps can provide for adequate heat removal with steaming on the steam line safety valves, 15
The success crueria for a transient do not credit depressurization of the steam generators to allow for secondary cooling with the condensate pumps if all feedwater pumping sources are lost. [lPE submittal, Page, 3.1-60] This assumptio'1 is a less optimistic than other IPEs, which have credited this option for steam generator cooling.
The source of water for the auxiliary feedwater pumps is the plant demineralized water storage tank (PDWST) which has 140,000 gallons of inventory available for AFW.
[UFSAR, Section 10.3.5.1.2] The submittal states that this inventory is sufficient for AFW to remove decay heat for 9 hours1.041667e-4 days <br />0.0025 hours <br />1.488095e-5 weeks <br />3.4245e-6 months <br /> without makeup. [lPE submittal, Page 3.1-56] Our calculations confirm this. Long term makeup for AFW supply is required over the 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission time; normal sources of makeup require offsite power, but if offsite power is lost, operators can provide water directly from the river water system to the AFW i
pumps. [lPE subrnittal, Page 3.1-57] It is possible that if makeup for AFW is not available, the operators can depressurize the primary before the normal source of AFW water is exhausted, and than use closed-loop cooling with the shutdown cooling system.
This option is not modeled in the event tree, since long term makeup is required for success of cooling with AFW. [lPE submittal, page 3.1-56]
4 The success criteria for a transient credit feed and bleed cooling with one PORV and i
one HHSl pump, if all cooling to the steam generators is lost.
]
The submittal states that normal operation is with PORV block valves closed on two of the three pressurizer PORV lines. [lPE submittal, Page 1.6-2] Therefore, to use two of the three PORVs, the motor operated PORV block valves must be onened, which requires AC power and operator action. The submittal states that the PORV block valves are powered from 1E 480 V AC power. [lPE subm!!ial, Table 3.2.3-2]
For long term feed and bleed two options are credited: either recirculation from the containment sump, with an HHSi pump in a piggyback alignment off the discharge of a LHSI pump, or continued injection from the RWST with operator action to refill the RWST.
in the IPE model, no containment cooling was required to support core cooling. The submittal states that potential problems in adequate NPSH for the recirculation spray pumps is not a concern [lPE submittal, p. 4.1-7] These pumps could be used to provide core cooling in events accompanied by containment depressurization and elevated sump temperatures. Also, the IPE inodel takes credit for continued Si injection if the containment sump water source is unavailable. The Si suction would be provided from the RWST, with makeup provided to the RWST. [lPE Responses]
Thus, Beaver Valley 1 appears to be less susceptible to any impacts of containment cooling failures on the ability to provide core cooling. However, the IPE information provided did not indicate whether or not the IPE considered equipment qualificction (EO) effects that might be experienced with containment heatup and failure, and subsequent impacts on the ability to provide core cooling. [lPE Responses] Most 16
the containment, without containment cooling the ability to provide core cooling is either lost or degraded as the containment heats up. A few IPE/PRAs have assumed that without containment cooling core systems survive with a certain probability. The Beaver Valley 1 IPE is one of the very few that have assumed that core cooling systems survive 100% of the time without any containment cooling.
The event tree accounts for a small LOCA as the initiating event by automatically setting event PR (pressurizer PORV opens and fails to reclose) to true. [lPE submittal, Page 3.1-56] The event tree considers two paths by which a transient can progress to a small LOCA: failure of a pressurizer PORV to reclose once opened, and an RCP seal LOCA.
The success criteria for transients include the need for RCP seal cooling to prevent an RCP seal LOCA. [lPE submittal, Table 3.1.2 2) The success criteria do not address the need to trip RUPs on loss of CCW cooling to the RCP motors to prevent a potential vibration induced seal LOCA; however, the event tree for a transient requires that operators trip the RCPs if CCW cooling is lost to prevent a seal LOCA. [lPE submittal, Page 3.1-62 Event SE)
The IPE did not model depressurization for LHSI as being a viable alternative to HHSI.
[lPE submittal, Page 3.1-21][lPE Fax) Some other PWR IPE/PRA studies have credited this accident mitigation strategy.
The submittal indicates that depressurization was considered as a means to limit the loss from an RCP seal LOCA following station blackout. [lPE submittal, Page 3.1-63)
The cubmittal clearly indicates the need for the use of spray or opening of PORVS in the primary in conjunction with depressurization of the secondary, to depressurize the primary sufficiently for initiation of shutdown cooling.
i The NUREG 1150 model for RCP seal LOCAs was used. [lPE Responses)
The event tree credits continued injection from the RWST with operator action to refill the RWST as an option for long term cooling if recirculation from the containment sump is not available, for scenarios requiring primary makeup with HHSI, such as feed and bleed or small LOCAs. [lPE submittal, Page 3.1-69) This option is included in the emergency operating procedures. The submittal states that 200 gpm makeup to the primary is adequate for times longer than 100 minutes post plant trip, and uses this capacity as the makeup required for the RWST.
The submittal states that for scenarios involving, significant overcooling of the primary, l
such as a main steam line break, the need to model HHSI injection of borated water to maintain shutdown margin as the primary cools below hot zero power was not considered necessary. [lPE submittal, Page 3.1-55]
4 e
17 l
l l
Medium and Larat LOCA Event Trees The success criteria for medium and large LOCAs are similar. The major difference is that the medium LOCA requires injection with HHSI in addition to injection with accumulators and LHSI, while the large LOCA event tree does not' require injectin-with HHSI. For both size LOCAs, recirculation from the containment sump does. cot require HHSI piggyback on LHSl; LHSI alone is sufficient.
As previously discussed, the IPE model assumes that no containment cooling is required to support core cooling. [lPE Responses]
The success criteria for both the medium and large LOCA event trees state that without recirculation, icng term core cooling can be provided using one HHSI pump injecting from the RWST with makeup to the RWST. (IPE submittal Tables 3.1.2-4 and 3.1.2-5] This option is addressed in plant procedures.
Other Event Trees The event tree for a steam generator tube rupture addresses the unique actions to respond to a SGTR that cannot be isolated. [lPE submittal, Page 3.1-91] The preferred response is to depressurize the primary using the secondary and primary PORVs/ spray, and to institute shutdown cooling and decrease primary pressure to low pressure to stop the loss of inventory prior to depletion of ' akeup from the RWST. A m
backup option considered is to provide makeup to the RWST to allow for continued makeup to the primary with HHSl to compensate for inventory loss out of containment.
This is the standard model used in most PWR IPEs.
The IPE uses an event tree for an excessive LOCA event. All Excessive LOCA events result in core damage, since they result in primary inventory loss in excess of that which can be mitigated with the ECCS. The event tree is used to determine the status of the plant after core damage for back-end analysis of the source term.
The IPE uses an event tree for containment bypass LOCA events. This event tree addresses interfacing system LOCA events (failure of low pressure piping due to loss of isolation); SGTR is a containment bypass LOCA event that is modeled in a separate event tree. The submittalindicates that other HELB LOCAs outside containment, such as a break in a letdown line, were screened from consideration.
[lPE submittal, Table 3.1.3-8) The dominant contributor to an interfacing systems LOCA is the LHSI system. If leakage from the primary into the LHSI low pressure piping exceeds 105 gpm, the LHSI relief valves cannot provide sufficient relief and the
)
IPE assumed that the LHSI piping will fall. [IPE submittal, Page 3.1-109) The event tree credits two options for mitigating this LOCA: operator action to close a normally open motor operated isolation valve and if that fails, injection to the primary with one HHSI pump and continued makeup to the RWST for long term injection from the RWST. [lPE submittal, Page 3.1-109) 18 l
The licensee developed a special event tree to model ATWS transients. Unless main feedwater is available, the success criteria require tripping the main turbine to prevent early steam generator dryout leading to core damage by overpressurization of the RCS. [lPE submittal, Table 3.1.2-8 and Page 3.1-147] The submittal states that no credit was given for operator action to open the two normally closed PORV block valves in time to assist in pressure relief during an ATWS sequence. [lPE submittal, j
Page 1.6-2] The submittal also states that for ATWS sequences involving partial or total loss of feedwater with failure of AMSAC to initiate AFW, the relief capacity is insufficient 70% of the time. [lPE submittal, Page 1.6-2] (The relief capacity required depends on the moderator temperature coefficient which becomes more negative throughout the operating cycb due to decreased boration.) The licensee has reevaluated ATWS and concluded that the contribution of inadequate pressure relief, following an ATWS, to the total CDF is significantly less than estimated in the IPE.
[lPE Responses] The reevaluation is discussed in Section 2.7.3 of this report.
One support system event tree was developed, addressing the impact of loss of both electrical and mechanical support systems on the frontline systems. [lPE submittal, Section 3.1.5] The following support systems are modeled in this support system event tree: offsite power,1E AC power, DC power, vital AC power, safety system instrumentation and control, non 1E AC power, river water main supply, CCW main supply, turbine component cooling water system, emergency switchgear ventilation, station air, containment air, RWST, and RCP thermal barrier moling. Note: the discussion of the support system event tree does not address event BV (emergency switchgear ventilation), but this system is modeled in the support system event tree itself. [lPE submittal Section 3.1.5 and Figure 3.1.5-1]
2.2.3 Systems Analvsis.
The submittal states that fault trees were constructed for the event tree systemic top events. [lPE submittal, Page 3.2-6] System descriptions are included in Section 3.2.1 of the submittal. The system descriptions do not contain any schematics; this made review of the system descriptions difficult.
The section on system descriptions does not address the reactor coolant system (RCS), the dedicated feedwater pump, the nitrogen supply system, or the raw water system. The RCS has loop isolation valves, a unique feature. The dedicated feedwater pump can be powered off the emergency response facility DG to provide feedwater to cool the steam generators. The nitrogen supply system can provide backup to the containment air system to maintain 2 of the 3 pressurizer PORVs open.
The raw water system is the heat sink for the chilled water servicing the emergency switchgear room normal ventilation system.
The system description for the AC power system indicates that the model assumed that during power operation, power for the plant is provided from the main generator via the unit station service transformers, and that following plant trip, automatic transfer 19
of offsite power supply to the system station service transformers is required to maintain supply of offsite power ;o plant components. [lPE submittal, Page 3.2-34]
The UFSAR indicates that the operating configuration can be either as assumed in the IPE, or such that offsite power is supplied via the system station service transformers.
[UFSAR, Section 8.4) The IPE assumption is somewhat pessimistic in that it requires operation of the automatic switchover to the system station service transformers to I
preserve supply of offsite power following unit trip. The system description does discuss the extra DG for the Emergency Response Facility (ERF) that can be used to i
l power the dedicated feedwater pump. As previously discussed in this report, as of the l
freeze data of the IPE model, the station blackout crosstie capability was not installed l
for manually powering unit 1(2) equipment with unit 2(1) DGs; the latest UFS AR states l
that this capability now exists, and that 1 DG can power both units in shutdown.
[UFSAR, Section 8.4-6] The system description does not discuss whether or not 1
power can be crosstied between the two 1E buses at unit 1; the UFSAR does not discuss the presence of such a capability. [UFSAR, Chapter 8) The listing of operator actions modeled in the IPE, indicates that intra-unit crosstie of 1E buses was not considered. [lPE submittal, Table 3.3.3-5]
A 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> battery lifetime, the UFSAR design condition, was used except for top event l
RE, recovery of AC power. [lPE Responses) For event RE, a battery lifetime of 2.6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> for batteries 1 and 2 was used, and a battery lifetime of 3.6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> was used'for battery 3, based on more realistic considerations of battery capabilities.
The system description for river water states that river water cools the charging i
pumps. Therefore, loss of river water results in loss of seal cooling, since river water cools both CCW and the charging pumps; since the charging pumps are the HHSI pumps, the RCP seal LOCA cannot be mitigated and core damage occurs. Loss of river water is the dominant core damage sequence for the plant. [lPE submittal, Page 1.4-9) The IPE assumes that one river water pump can provide sufficient cooling; nowever, for one pump to be sufficient if phase B of containment isolation is reached, bcth river water cooling to CCW and chilled water must be isolated. (IPE submittal, Page 3.2-49]
The system description for CCW discusses CCW cooling to the RCP motors and to the RCP thermal barrier coolers. Loss of CCW results in loss of cooling to the RCP motors. In our opinion, the event requires operator action to trip the RCPs to prevent a potential vibration induced seal LOCA; however, HHSI is still available to mitigate the seal LOCA. Seal injection with the charging pumps does not require CCW, as the charging pumps are cooled by river water; therefore, loss of CCW does not result in totalloss of seal cooling.
The turbine plant component cooling water system cools the station air compressors dnd afterCoolers, and the main feedwater and condensate pumps. The heat sink for the turbine plant component cooling water system is the turbine plant river (raw) water system.
20
1 The system description for station air and containment air discusses their various compressors, power supplies, and requirements for cooling water. These air systems are not safety related, but a number of important plant componsits require air to remain open, including MSIVs, steam generator ADVs, and pressurizer PORVs. The UFSAR states that all air operated valves fail closed. [UFSAR, Section 9.8) (Two of the three PORVS can be supplied with nitrogen if air is lost.) The station air compressors require non-1E power, but the containment air compressors can be j
powered with 1E power. A diesel driven backup compressor can be used for supplying station air.
AFW can be provided by two motor driven pumps or one turbine driven pump. The SG Atmospheric Dump Valves (ADV) require both DC control power and station air motive power to open. The normal 140,000 gal supply tank for AFW is sufficient for 9 hours1.041667e-4 days <br />0.0025 hours <br />1.488095e-5 weeks <br />3.4245e-6 months <br /> after plant shutdown; after that time, alternate sources of water can be used for AFW supply, including river water. No external cooling syctems are required to support operation of the dedicated feedwater pump. [lPE Fax)
The system description for the ECCS states that the third HHS! pump is not automatically stated on a safety injection signal. The other two HHSI pumps are each powered off a different 1E bus and automatically respond to a safety injection signal.
The system description for ECCS states that the success criteria for injection to mitigate a medium or a small LOCA requires 1 of 2 HHSI pumps. [lPE submittal, Page 3.2-88] The tables of success criteria for medium and small'LOCAs state that success is 1 of 3 HHSI pumps. [lPE submittal, Tables 3.2.1.3 and 3.2.1.4] The system description states that the third pump can be racked into the appropriate 1E bus if one or both of the two other pumps have failed; this agrees with the description of the event involving use of HHSI for the event trees, in that operator action is required for use of the swing HHSI pump.
One unique feature of the ECCS system at Beaver Valley 1 is that all three HHSI pumps feed a common header prior to injecting into the cold legs, and both LHSI pumps feed a common header prior to injecting into the cold legs. [UFSAR, Section 6.3 and Figure 6.1-1) ECCS switchover from injection from the RWST to recirculation from the containment sump is automatic, both for LHSI and HHSI pumps. The HHSI pumps operate in piggyback off the discharge of the LHSI pumps in recirculation from the containment sump.
The system description for the containment depressurization sysicm discusses the quench spray system and the recirculation spray system. The outside recirculation spray pumps can be aligned to provide for long term cooling of the core.
A system description is provided for the RHR system. This system is totally distinct from the LHSI system at Beaver Valley 1. Depressurization and use of this system is credited in the SGTR event tree for mitigating a SGTR that cannot be isolated. Also, it 21
appears that depressurization and use of the RHR system for shutdown cooling was credited as an option to mitigate an RCP seal LOCA.
4 The submittal provides a system description for the containment isolation system. A table addressing isolation for the containment mechanical penetrations is provided.
f
[lPE submittal, Table 3.2.1.16-1) This table indicates that CCW cooling for the RCPs, both for motors and the thermal barrier coolers, is isolated on phase B of containment isolation, but that seal injection with the charging pumps is not isolated. {IPE submittal, Pages 3.2-108, 3.2-109, 3.2-110, and 3.2-121)
The submittal provides a system description for the ventilation systems for the emergency switchgear rooms. Normal ventilation is provided by chilled water which i
uses raw water as a heat sink. The normal ventilation system cannot be powered with 1E power. The submittal states that if the normal ventilation system is unavailable, j
emergency ventilation can be provided with one of two normally running emergency switchgear exhaust fans, which can be powered with 1E power. The IPE also credits l
operator action to establish ventilation to the emergency switchgear rooms using portable fans if the normal and emergency ventilation systems are lost. [lPE submittal, Pages 3.3s211, 3.2-125, and 3.3-124]
The submittal also includes a summary of an evaluation of the impact of HVAC system failures for the HVAC systems serving numerous plant areas, including: IPE submittal, Section 3.3.9.1]
Control Room Area Diesel Generator Rooms Emergency Switchgear Rooms intake Structure Auxiliary Building.
The evaluation concluded that failure of HVAC systems serving the following areas causes failure of the frontline equipment in those areas: emergency switchgear rooms, DG rooms, and river water pump room A. Loss of emergency switchgear room
~
ventilation was considered both as an initiating event, and as a failure during the mitigative phase of an accident initiated by another event. Loss of DG room ventilation was only considered as a failure during the mitigative portion of an accident, since the DGs are not normally operating. The submittal states that loss of ventilation for the area containing river water pump A in the intake structure was modeled as causing loss of this pump, but the ventilation in the other areas of the intake structure is sufficiently redundant so that loss of ventilation to the areas containing the other river water pumps was screened from consideration. The evaluation concluded that loss of ventilation in the auxiliary building could overheat the charging pumps, but this was screened from consideration based on the alarms, procedures, and multiple ventilation f ans available. The evaluation screened out loss of control room cooling as 22
important based on the effectiveness of operator action to open doors to provide for natural circulation.
2.2.4 Svstem Deoendencies.
The submittal provides a table that indicate the dcpendencies of support systems on support systems and frontline systems on support systems. [lPE submittal, Tables 3.2.3-1 and 3.2.3-2]
The following types of dependencies were considered: shared component, instrumentation and control, isolation, motive power, direct equipment cooling, area HVAC, operator actions, instrument air, and system train asymmetries.
The system dependency tables indicate partial dependencies, and numerous footnotes are provided. For example, the tables clarify that 2 of the 3 pressurizer PORVS can be supplied with nitrogen if containment air is lost. Complicated differences in power and cooling for the various air compressors are noted and explained. The requirement to rack in power to use the swing HHSI pump is clearly noted and discussed. Pump cooling requirements and equipment dependencies on ventilation are clearly indicated and described. The dedicated feedwater pump is included, with its connection to the Emergency Response Facility (ERF) DG noted and discussed.
2.3 Quantitative Process-This section of the report summarizes our review of the process by which the IPE quantified core damage accident sequences. It also summarizes our review of the data base, including consideration given to plant-specific data, in the IPE. The uncertainty and/or sensitivity analyses that were performed, if any, were reviewed.
j 2.3.1 Quantification of Accident Seouence Frecuencies.
The Beaver Valley 1 IPE used the large event tree /small fault tree technique with split fractions and event tree linking tree for quantifying core damage. Support systems were modeled with a support system fault tree, linked directly to the frontline system event trees; suppor1 system states were not used as pre-conditional states for quantification of the frontline event trees. [lPE submittal, Page 3.3-183) The event trees are systemic. Quantification was accomplished with the RISKMAN software. A truncation limit of 1E-11/yr was used in quantification of the sequences. [lPE submittal, Page 3.3-186) Recovery actions were considered in the event trees for failures of systems such as river water, RCP thermal barrier cooling, and emergency switchgear room ventilation. [lPE submittal, Pages 3.1-154, 3.1-162, and 3.3-124) A recovery event tree was developed that considered recovery of AC power. [lPE submittal, Page 3.1-150) A mission time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> was used.
23
2.3.2 Point Estimates and Uncertaintv/Sensitivitv Analvses.
Probability Distribution Functions (PDF) were assigned to initiating events and to component failures in the fault trees. An overall PDF for core damage was calculated by combining the separate PDFs for events comprising core damage sequences as delineated by the event trees. The mean value of the PDF for core damage is the point estimate CDF reported in the submittal; no separate point estimate was calculated using individual point estimates for all events. The submittal provides the PDF for core damage as well as the mean and the 5%,50% (median), and 95%
confidence values. [lPE submittal, Section 3.4)
Importance analyses were performed. Three importance measures were applied:
Fussell-Vesely, Risk Reduction, and Risk Achievement. [lPE submittal, Section 3.4.2)
The events determined to be of most importance are discussed later this report.
Sensitivity analyses were parformed; the results of these sensitivity analyses are discussed later in this report.
2.3.3 Use of Plant-Soecific Data.
The submittal states that plant specific data were used for important components '
based on the time period January 1,1980 through December 31,1988. [lPE submittal, Section 3.3.2) The plant specific data were used to bayesian update generic data from the PLG generic data base. Generic data was used in lieu of plant specific data for components not evaluated with plant specific data. Pant specific data for maintenance unavailabilities were collected and used to update the PLG generic maintenance unavailability data base.
i We performed a spot check of the data from Table 3.3.2-2, the listing of the updated data used in the IPE, to values used in the NUREG/CR-4550 studies; [NUREG/CR-4550, Me:hadology) The comparison is summarized in Table 2-2.
Based on this spot check, the plant specific data used to quantify component failures are comparable to data used in typical IPE/PRAs.
I The IPE modeled recovery of offsite power following a station blackout. [lPE submittal, Section 3.3.3.4) The licensee provided information about the data used for recovery of offsite power and for recovery of DGs that were used in the analysis of station blackout. [lPE Responses] These recovery values are comparable to those used in typical IPE/PRAs.
24
l Table 2-2. Component Failure Data '
Component IPE Mean Value NUREG/CR-4550 (Submittal Table 3.3.2-2)
Point Estimate Turbine driven AFW pump 2.1E-2 Fail to Start 3E 2 Fall to Start 8.8E-4 Fail to Run SE-3 Fail to Run HHSI pump 1.2E-3 Fail to Start 3E 3 Fail to Start 2.6E-5 Fail to Run 3E-5 Fail to Run LHSI pump 2.2E-3 Fail to Start 3E-3 Fail to Start 3.4E-5 Fail to Run 3E-5 Fail to Run Diesel Generator 1.8E-2 Fail to Start 3E-2 Fail to Start 5.3E-3 Fail to Run during 2E-3 Fail to Run First Hour Pressurizer PORV 4.0E-3 Fail to Open 2E-3 Fail to Open i
1.8E-2 Fai! to Reclose 3E-2 Fail to Reclose Typical MOV 1.8E-3 Fail to Open 3E-3 Fail to Open
' Failures to start or open are probabilities of failure on demand. Failures to run are frequencies in 1/hr.
2.3.4 Use of Generic Data The PLG generic data base was used for the source of generic data. We have reviewed this same generic data base numerous times as part of our review of IPEs, and found the data to be comparable to generic data typically used in PRA/IPEs.
2.3.5 Common-Cause Quantification The MGL method was used to model common cause failures. [lPE submittal Section 3.3.4] The data for common cause failures were taken from the PLG generic data base; the generic data were screened for applicability to Beaver Valley 1 by staff from PLG. The process used to model common cause failure followed the procedure specified in NUREG/CR-4780. Common cause failures were included directly in the 4
fault trees. [lPE submittal, Page 3.2-6] The submittalindicates that common cause failures were considered for components within a given system.
Table 3.3.4-5 of the submittal lists the common cause failure data MGL factors.
We compared selected beta factors from this table in the submittal to those used in the PLG South Texas PSA and those used in NUREG/CR-4550. [STP PSA)
[NUREG/CR 4550, Methodology] Table 2-3 of this report summarizes the comparison.
Air Operated Valve (AOV) commnn cause failure values were used for the PORVs.
[lPE Fax]
25
-. ~..
i Table 2-3. Comparison of Beta Factors for 2 of 2 Components Component IPE Beta Factor (from Beta Factor from Beta Factor from Table 3.3.4-5 of Submittal)
STP PSA NUREG/CR 4550 Table 6.2-1' l
l AFW Pump 0.066 Fail to Start 0.054 Fail to Stan 0.056 i
0.0062 Fail to Run 0.0065 Fail to Run i
CCW Pump 0.0082 Fail to Start 0.0096 Fail to Start 0.026 O.0054 Fall to Run 0.00098 Fall to Run LHSIPump 0.034 Fail to Start 0.042 Fail to Start 0.15 0.0062 Fail to Run 0.0081 Fall to Run i
^
HHSIPump 0.033 Fail to Start 0.062 FaIi to Start 0.21 i
0.0051 Fail to Run 0.0074 Fail to Run l
Containment 0.033 Fail to Start 0.085 Fail to Start 0.11 Spray Pump 0.0087 Fail to Operate 0.0093 Fail to Run l
MOV 0.06 0.05 0.088 Diesel 0.0075 DG Falls to Start 0.0029 Fail to Start 0.038 Generator 0.012 DG Fail to Run 0.015 Fall to Run Pressurizer Not Provided 0.01 0.07 PORV L
Air Operated 0.07 0.07 0.10 Valve
' All Beta Factors in NUREG/CR 4550 are for Fall to Start The beta factors used in the Beaver Valley 1 IPE are generally consistent with those used in other PRAs and IPEs. However, in some cases, they are a factor of 2-3 lower than the values used in other PRAs.
2.4 Interface issues This section of the report summarizes our review of the interfaces between the front-end and back-end analyses, and the interfaces between the front-end and human factors analyses. The focus of the review was on significant interfaces that affect the ability to prevent core damage.
2.4.1 Front-End and Back-End Interfaces.
The IPE assumed that no containment cooling is required to support core cooling.
The IPE did not consider' spurious isolation of containment as an initiating event.
Containment isolation results in loss of CCW to the RCPs, requiring operator action to 26 i
I trip the RCPs to prevent a possible RCP seal LOCA. This is of minor impact on the overall results.
The submittal states that containment bypass / isolation failure contributes 21% to the total CDF. Other information in the submittalindicates that containment bypass due to SGTR or interfacing systems LOCAs contributes about 6%; therefore, failure to isolate is associated with about 15% of the CDF.
The IPE did not require the use of plant damage states (PDS) to perform the back end analysis. The front and back end analyses were automatically linked together. [lPE submittal, Page 1.3-1, Section 3.1.1, and Section 4.3) That is, the level 1 event trees were directly linked to the containment event tree. [lPE submittal, Page 4.3-1) Level 1 end state bins were used for the purposes of presentation and understanding. [lPE submittal, Section 3.1.6) Core damage sequences were binned based on four parameters: RCS pressure at core damage, containment isolation status, the size of i
the opening if not isolated, and the status of containment heat removal 2.4.2 Human Factors Interfaces.
Based on the front-end review, the following operator actions were noted for possible consideration in the review of the human factors aspects of the IPE:
actions to provide compensatory cooling for the emergency switchgear rooms
=
actions to use alternate feedwater pump actions to trip RCPs given loss of CCW cooling to the motors
=
operator actions to refill RWST in response to SGTR that cannot be isolated, interfacing systems LOCA, or LOCA with loss of recirculation from containment sump operator actions to initiate feed and bleed operator action to provide a long term supply of water for AFW.
2.5 Evaluation of Decay H. eat Removal and Other Safety issues This section of the report summarizes our review of the evaluation of Decay Heat Removal (DHR) provided in the submittal. Other GSI/USIs, if they were addressed in the submittal, were also reviewed.
2.5.1 Examination of DHR.
The submittal summarizes the importance of systems and options contributing to decay heat removal, these being: [lPE submittal, Table 3.4.3-1]
Main Feedwater Auxiliary Feedwater Feed and Bleed Cooling 27
Depressurization with SGs Residual Heat Removal (RHR).
The submittal discusses the relative importance of these five systems and functions, and the failures contributing to loss of them. The licensee concludes that there are no vulnerabilities in these systems and options used for decay heat removal. [IPE submittal, Page 3.4-56) The licensee does identify vulnerabilities in emergency AC l
power-as discussed later in this report-but the IPE does not consider these vulnerabilities to be vulnerabilities directly associated with DHR.
I 2.5.2 Diverse Means of DHR.
j The IPE evaluated tha diverse means for DHR, including: use of the power conversion system, feed and bleed, auxiliary feedwater, the dedicated feedwater pump, depressurization, and ECCS. Cooling for RCP seals and cooldown/depressurization of the primary to reduce the impact of a seal LOCA were considered. All of these means of DHR were quantified with event trees and fault trees.
2.5.3 Uniaue Features of DHR.
Design features at Beaver Valley 1 that impact the CDF from loss of DHR are as follows:
Dedicated feedwater oumo oowered off the emeraency resoonse facility Diesel Generator (DG) as an Accendix R backuo for auxiliarv feedwater. This feature tends to reduce the CDF by reducing the probability of loss of all feedwater.
Automatic switchover of ECCS from inlection to recirculation. This feature tends to reduce the CDF by not requiring operator action in response to a large Loss of Coolant Accident (LOCA) to provide timely switchover of the Emergency Core Cooling System (ECCS) from the Refueling Water Storage Tank (RWST) i to the containment sump.
Ooeration with 2 of 3 PORV block valves closed. This feature tends to increase the CDF by reducing the pressure relief capability in response to an ATWS.
Reauirement to orovide ventilation to the emeroency switchoear rooms. This feature tends to increase CDF by requiring switchgear ventilation to support 1E power operation.
2.5.4 Other GSI/USIs Addressed in the Submittal.
The submittal does not propose to resolve any other issues besides DHR directly with the IPE.
28
2.6 Internal Flooding This section of the report summarizes our reviews of the process used to model internal flooding and of the results of the analysis of internal flooding.
2.6.1 Internal Floodina Methodoloov.
The submittal summarizes the tasks performed for the analysis of internal flooding.
[lPE submittal, Section 3.3.8) The tasks were as follows. (1) Plant Familiarization.
Key plant design information was reviewed. (2) Flood Experience Review. Flood data from Nuclear Power experience through 1987 were reviewed and used in the quantification of flood initiating event frequencies. (3) Flood and Equipment Location.
Flood sources, locations, and flood propagation were studied. (4) Plant Walkthrough.
The plant was walked down to confirm details of the flooding effects. (5) Seer *.rio Quantification. Flood scenarios were postulated, evaluated, and quantified.
Flooding events from river water and fire water survived initial screening and were quantified. The quantification used the PRA event trees developed for internal initiating events to quantify the effects of additional random failures, given the failures as a direct result of the flood.
The licensee described how spray-induced failures were considered in the IPE. As a result of the plant walkdown, spray-induced effects were judged to be localized.
Based on this conclusion, consideration of spray effects was limited to inadvertent actuations, leaks, and breaks in the fire suppression system. For most portions of the fire protection system, inadvertent actuation was not considered as significant due to the low capacity of the sprinklers and the presence of alarms to alert operators. The i
frequency for inadvertent actuation of portions of the fire suppression system in the rooms containing the CCR pumps was low. Therefore, the contribution of spray-induced failures to the total CDF from internal flooding was judged to be insignificant.
[ Licensee Responses]
2.6.2 Internal Floodino Results.
River water and fire water were identified as critical flood sources. [lPE submittal, Section 3.3.8) Flood frequencies for flood sources in critical flood locations were summarized in the submittal, as summarized in Table 2-4 of this report. Data from Nuclear Power Experience were used to quantify the frequencies of flood initiating events.
T e submittal states that the CDF from internal flooding was calculated to be 3.02E-6/ year which is 1.4% of the total CDF from internalinitiating events and internal flooding. The relative contributions from the flood locations listed in Table 2-4 of this report to the total CDF from internal flooding are as follows: [lPE submittal, Figure 3.3.8-2) 29
i i
Table 2-4. Important Flood Locations i
Flood Location Flood Source Flood Mean Frequency l
1/ year Turbine Building River Water 7.7E-3 F
Intake Structure River Water 9.8E-3
[
Auxiiiary Building River Water 3.0E-4 Control Building River Water 3.3E-6 i
All Fire Water 1.5E-3 i
Auxiliary Building 50%
Intake Structure 36%
Turbine Building 12%
Control Room 1%
Other Locations 1 %.
- Table 3.3.3-5 of the submittal lists four operator actions credited to mitigate the effects
)
of flooding.
j
{
1 The intake structure is shared by Units 1 and 2, and flooding in the intake structure is i
36% of the overall CDF from flooding at Unit 1. The licensee stated that flooding in the intact structure for Unit 1 does not pose a significant potential for dual unit CDF, because components for the two units are in separate cubicles within the intake
~
structure. [lPE Responses) j 2.7 Core Damage Sequence Results This section of the report rev;ews the dominant core damage sequences reported N the submittal. The repor1ing of coro damage sequences-whether systemic or functional-is reviewed for consistency with the screening criteria of NUREG-1335.
The definition of vulnerability provided in the submittalis reviewed. Vulnerabilities, enhancements, and plant hardware and procedural modifications, as reported in the submittal, are reviewed.
2.7.1 Dominant Core Damaae Secuences.
The IPE utilized systemic event trees, and reported results using the screening criteria from NUREG 1335 for systemic sequences. [lPE submittal, Section 3.4.1)
The total CDF from internal initiating events and from internal flooding was estimated to have a mean value of 2.14E-4/ year. [lPE submittal, Section 3.4.0) Internal flooding contributed 1.4% to this total CDF; the CDF from internal flooding was 3.02E-6/yr.
30
.y I
i The total CDF to 95% confidence was calculated to be 3.56E-4/yr and the total CDF to 5% confidence was calculated to be 1.02E-4/yr.
i Figure 2-1 of this report summarizes the major contributors to core damage by internal i
i initiating event. Definitions of the acronym.s and abbreviations used in this figure are l
as follows-1
/
l LOSP Loss of offsite power AC Train Loss of Emergency AC Train l
Partial FW Partial Loss of Main Feedwater i
River Water Loss of River Water Non-Is SLOCA Non Isolable Small LOCA l
Excess FW Excessive Main Feedwater DC Train Loss of Emergency DC Train l
SGTR Steam Generator Tube Rupture Is SLOCA lsolable Small LOCA Swgear Vent Loss of Ventilation for Emergency Switchgear 4
Other Total of all Other Initiating Events.
a i
The 'other' category is comprised of numerous initiating events. The licensee provided a detailed list of these initiating events and the CDF for each. [lPE Fax) 1 I
Figure 2-2 of this report summarizes the contribution of accident categories to overall CDF. [lPE submittal, Section 1.4) These accident categories are not mutually exclusive; for example, station blackout and loss of switchgear ventilation both
' contribute significantly to an RCP seal LOCA.
i l
About 16% of the failures associated with the containment bypass / isolation failure category are due to loss of the ability to isolate containment after loss of emergency.
switchgear ventitation. [lPE Responses) Loss of ventilation results in loss of electrical power and consequently loss of the ability to provide core cooling and to isolate j
containment.
The submittal provides the 100 highest frequency sequences; these sequences in total represent 82.7% of the total CDF. [lPE submittal, Section 3.4.1)
The top five sequences are summarized in Table 2-5 of this report.
31
Contribution of Initiating Events to CDF for Beaver Valley Unit 1
-s LOSP F
I t
Partial FW i
i i.
p River Water i
q) 1 i
Non-Is SLOCA Il Total C,DF.
uJ l
is y
Excess FW l1 2.14E-4/ year E
DC Train IJ E
I 5
SGTR l]
l Is SLOCA 3
- 6)
Swgear Vent Other s
i 0
5 10 15 20 25 Per Cent Contribution to CDF Figure 2-1. CDF by initiating Event 32
Contribution of Accident Categories to Overall CDF for Beaver Valley Unit 1 i
ATWS (20%)
, gy, p.,
j,.071;r.rj'
/-
N
[
k'rg
' dff;ti,[Yf}f, g"S g1 j
I h
Loss of Switchgear HVAC (16%)
hij(([
j i
4 is
.g!
'\\
t e
'N,,
Bypass /Failisolate (21%)
f Station Blackout (30%)
i Note: Categories not Mutually Exclusive and Do j
Not Represent Absolute Contributions to CDF.
Percentages Total to More than 100%
j Figure 2-2. CDF by Accident Category 33 Y
1 Table 2-5. Top Five Systemic Core Damage Sequences initiating Event Subsequent Sequence Frequency
[ Failures as Direct Independent 1/ year Result of Initiating Event]
Failures and % of Total CDF Loss of River Water None 2.0E-5 9.7%
[ Loss of Cooling to RCPs and to HHSI pumps resulting in RCP seal LOCA that Cannot be Mitigated)
Loss of Offsite Power Failure of Both AC Power Trains, 1.8E-5 8.7%
Failure to Recover AC Power, Result is Station Blackout and RCP Seal LOCA that Cannot be Mitigated Loss of AC Train A Failure of River Water Train B, 1.2E-5 6.0%
Result is Loss of All River Water
[ Loss of River Water which causes Loss of Cooling to Train A]
RCPs and to HHSI pumps resulting in RCP seal LOCA that Cannot be Mitigated)
Partial Loss of Main Failure to Trip Reactor, Inadequate 1.1 E-5 5.5%
Feedwater Pressure Relief from Primary leading to excessive LOCA that cannot be Mitigated Loss of Offsite Power Failure of AC Train A, Loss of 9.2E-6 4.4%
Emergency Switchgear Room Ventilation, Result is Station Blackout and RCP Seal LOCA that Cannot be Mitigated The submittal lists the split fractions which are the major contributors to CDF. [lPE submittal, Table 1-4] (The split fractions listed are the non-guaranteed-that is, independent-failure type split fractions.) These split fractions and their contribution to CDF are as follows:
Failure to Trip Reactor 19.8%
Failure of AC Train A 19.7%
Power Level > 40%- ATWS 19.0%
Failure to Recover AC Power 15%
Failure of AC Train B 13.7%
Failure of RCS Pressure Relief-AWIS 10.9%
34
Failure of River Water Train A 9.0%
Failure of River Water Train B 8.5%
Failure of Rod insertion-ATWS 6.6 %
i The submittal states that the dominant cause for loss of both AC trains following loss of offsite power is independent failure of both DGs. [lPE submittal, Table 1-7]
Common cause failure of both DGs was determined to be a minor contributor.
Sensitivity analyses were performed for six cases. [lPE submittal, Page 3.4-37] These cases and the effect on CDF are summarized in Table 2-6 of this report.
Table 2-6. Sensitivity Analysis Results Change to Base Model Per Cent Change in CDF Factor of 10 increase in all Human Error
+795 %
Probabilities (with Upper Limit of 1.0)
Factor of 10 Increase in Non-Recovery
+228 %
of Offsite Power No Common Cause Failure
-14.9 %
i All Common Cause Failures Fixed at
+7 %
95% Confidence Values for Respective PDFs No Recovery of Emergency Switchgear
+6137 %
Room Ventilation Perfect Recovery of Switchgear Room
-14 %
Ventilation These results indicate that the credit given to the recovery of ventilation for the emergency switchgear rooms in the IPE is an importard 7ntributor to reducing risk.
The base model credits operator actions to open and use portable ventilation fans. CDF is not highly sensitive to changes in cumrnon cause failure values. CDF is significantly impacted by human error and the ability to recover offsite power.
Station blackout is a high contributor to overall CDF, as is the case for many PWRs.
RCP seal LOCAs contribute significantly to overall CDF, as is the case for many PWRs.
As indicated in Figure 2-2 of this report, AW/S is a relatively high contributor to the overall CDF at Beaver Valley 1, more so than at most PWRs. The high contribution of ATWS is due to failure to provide adequate pressure relief. [lPE submittal, Page 3.4-35
41] As noted previously in this report, the plant operates with two of the three l
pressurizer PORV block valves closed. The licensee has reevaluated ATWS and i
concluded that the contribution of ATWS to the total CDF is significantly less than reported in the submittal; this is discussed in Section 2.7.3 of this report, j
Loss of emergency switchgear room ventilation is an important plant-specific contributor to overall CDF, considering both its impact as an initiating event and as a failure during the mitigative phase of accidents. This is because emergency power requires ventilation as a necessary support system.
Excessive feedwater is predicted to contribute almost 4% to overall CDF, as indicated in Figure 2-1 of this report. Based on a review of the dominant sequences, this is due j
to ATWS following this initiating event. [lPE submittal, Table 3.4.1-1 Sequence # 25)
The mean frequency for excessive feedwater is 0.235, which is high, and the event results in loss of feedwater. [lPE submittal, Tables 3.3.1-4 and 3.1.1-2) The high j
probability of failure to provide insufficient pressure relief for an ATWS with loss of main feedwater leads to core damage.
2.7.2 Vulnerabilities.
The IPE defined vulnerabilities as "the fundamental contributors to risk" in the important scenarios.
The licensee identified the following vulnerabilities: [lPE submittal, Table 6.3-2)
AC Power after Station Blackout Reactor Trip Breaker Failure j
Pressurizer PORV Block Valve Alignment Loss of Emergency Switchgear Room HVAC RCP Seal Cooling for Station Blackout Battery Capacity for SG Level during Station Blackout Pressurizer PORV Sticking after Loss of Offsite Power Fast 4160 V Bus Transfer.
2.7.3 Procosed imorovements and Modifications.
4 The submittal describes potential enhancements that are being implemented or that are under review. The enhancements are discussed relative to each, and the statt'r.
of each enhancement is provided. [lPE submittal, Table 6.3-2) Table 2-7 of this report summarizes these enhancements.
l l
36
Table 2-7. Enhancements Vulnerability Enhancement impact of CDF importance Status of l
Enhancement j
Enhancement
%CDF' Risk Reduction Worth" AC Power Crosstie Capability Allows Unit 1(2) DGs 30.4 0.86 Implemented; Generation Between Units 1 and to power Unit 2(1) if credited in revised Capability 2
both Unit 1(2) DGs IPE work Reactor Trip Enhance Procedures Enhanced Recovery 19.9 0.79 Dropped from j
Breaker Failure to De-Power Bus for ATWS consideration; not credited in IPE Pressurizer Operate with all Block increase Pressure 15.6 0.89 Revised model PORV Block Valves Open or Relief Capacity for indicated greater Valve Alignment Provide Procedure to ATWS capacity for each Open Block Valves PORV and that on Loss of Main single PORV Feedwater generally adequate; new model credited in revised IPE Loss of Enhanced Procedures Prevent Overheating 15.5 0.87 Completed; not Emergency of Switchgear credited in IPE Switchgear Room HVAC RCP Seal Use of improved seal Reduce Likelihood of 13.8 New seals will be Cooling for materials RCP Seal LOCA in installed as existing Station Blackout Station Blackout spare stock is expended; not credited in IPE Battery Capacity Enhanced Procedures Extend time of SG 10.7 0.89 Dropped from for SG Level for Load Shedding Level Indication consideration; not during Station and Using Portable under Loss of AC credited in IPE Blackout Battery Chargers Power Pressurizer Eliminate Challenge Reduce Frequency 2.0 0.98 Dropped from PORV Sticking by Defeating 100%
of PORV Openings consideration; not credited in IPE after Loss of Load Rejection Offsite Power Capability Fast 4160 V Bus Enhanced Procedures Reduce Frequency 1.5 0.98 Implemented; Transfer and Training
- Percent of Sequences containing Vulnerability
- Fraction of Original CDF Remaining if Failure Probability of Affected System Reduced to 0.0
~ included in Risk Reduction for AC Power Generation Capability 37
The licensee provided more information on the status of these enhancements. [lPE Responses)
Loss of Emeraenev Switcha_ ear Room HVAC 1
More specific response procedures have been developed to provide temporary ventilation for the emergency switchgear areas through the use of portable fans; however, the human factor modelin the IPE was not revised to account for these l
enhancements to the procedures, and thus the CDF was not affected.
Fast 4160 V Bus Transfer Procedure ECA 0.0 provides direction to operators to transfer power manually to offsite sources in the event of a failure, and procedure 1/2.36.4A provides specific direction for racking breakers in and out. These procedures were in place by the time of the IPE submittal, and thus the CDF has not changed.
4 Batterv Caoacitv for Steam Generator Instruments This item is considered resolved as a result of installation of the 4160 V station j
crosstie, since one train of the emergency battery chargers will be powered from this source. Therefore, the enhanced procedures for shedding battery loads are not needed. The reduction in CDF associated with this vulnerability is realized by the installation of the station crosstie.
Reactor Trio Breaker Failure This enhancement was identified to address ATWS. With the changes to the PORV ATWS model, as subsequently discussed, the contribution to CDF from ATWS is substantially reduced. Therefore, this enhancement was not pursued.
i AC Power Generation Caoabilitv Installation of the station crosstie connecting the 4 KV normal buses of Beaver Valley 1 and Beaver Valley 2 is now complete. The PRA model was revised to reflect this modification, which now takes credit for the Unit 2 DGs, if both are available, given the failure of both Unit 1 DGs following loss of offsite power.
RCP Seal Coolina for Station Blackout The CDF associated with seal LOCAs has been greatly reduced by installation of the 4160 V crosstie. Seal injection can be provided within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> after station blackout using this crosstie. Also, DLC willinstall new RCP seal materials on a replacement basis as the stock of current spares is expended.
38
e I
Pressurizer PORV Stickina Ooen after Loss of Offsite Power i
i l
The IPE assumed Beaver Valley 1 would experience a challenge to the pressurizer PORVs following loss of offsite power. This is due to the 100% load rejection design feature which was assumed to be unsuccessful, and the resultant delayed reactor trip leads to challenges to the PORVs. The addition of the station crosstie. reduced the impact of this vulnerability on CDF to about 0.4%. Therefore, this item is no longer considered a vulnerability.
i Pressurizer PORV Block Valve Alianment I
' The IPE identified ATWS as a significant contributor to the CDF,20%,'due to operation with two of the three PORV block valves closed. The IPE made j
assumptions that were later found to be inconsistent with WCAP 11993, the j
Westinghouse analyses for ATWS. Reanalysis with the appropriate assumptions resulted in the reduction of ATWS from 20.1% of the CDF to 6% of the original CDF; i
with the contribution involving inadequate pressure relief changing from 15.6% of the CDF to 2.87% of the original CDF, 1
The two changes that affected the'CDF are: installation of the station crosstie and reanalysis of ATWS with more optimistic assumptions. The licensee states that ths i
net effect of these changes results in a 44% reduction in the total CDF, resulting in a i
j new CDF of 1.2E-4/ year.
i 1
)
t i
1 i
39
- 3. CONTRACTOR OBSLm/ATIONS AND CONCLUSIONS This section of the report provides our overall evaluation of the quality of the front-end portion of the IPE based on this review. Strengths and shortcomings of the IPE are summarized important assumptions of the model are summarized. Major insights from the IPE are presented.
Strengths of the IPE are as follows. The consideration of plant specific initiating events in the IPE is thorough compared to some other IPE/PRA studies.
Based on our review, the following modeling assumptions are somewhat unique and can have an important impact on the overall CDF:
(a) the RCP seal LOCA model used, (b) no requiremem for containment heat removal to support core cooling, and (c) the ability of operators to provide compensatory ventilation for the emergency switchgear rooms, and (d) two of three PORV block valves normally closed and unavailable for pressure relief for ATWS event.
The NUREG 1150 RCP seal LOCA model was used; this tends to increase the CDF in comparison with IPEs that used the Westinghouse seal LOCA model. The IPE i
assumed that containment spray and heat removal are not required to support core cooling; most IPE/PRAs assume that the ability to cool the core is either lost or degraded if containment ::coling is not provided during accidents in which mass / energy are released into containment. This assumption tends to decrease the CDF. The credit for operator action to provide ventilation to the emergency switchgear rooms by opening doors and using portable fans tends to reduce the CDF.
Significant level-one IPE findings are as follows:
RCP seal LOCAs after station blackout are an important contributor to the total CDF the CDF associated with f ailure to isolate containment is relatively high
=
the CDF from internal flooding is small.
=
One reason that RCP seal LOCAs during station blackout are an important contributor to CDF is because the NUREG 1150 model for seal LOCAs was used. IPEs that have used the Westinghouse seal LOCA model typically predict less of a contribution from seal LOCAs to the total CDF. The CDF associated with failure to loolate containment is relatively high due to loss of ventilation for electrical switchgear causing loss of electrical power and the inability to isolate containment. The CDF from internal flooding is small due to the layout of the plant.
i 40
- 4. DATA
SUMMARY
SHEETS This section of the report provides a summary of information from our review.
Overall CDF The total CDF from internal initiating events, including internal flooding, was 2.14E-4/ year. Internal flooding contributed 1.4% to the total CDF. (In responses to RAI, the licensee provided summary information of an updated analysis; this update is discussed in previous sections of this report.)
Dominant initiatina Events Contributino to CDF Initiating Event (IE)
IE Frequency CDF Percent of CDF (1/ year)
(1/ year)
Loss of Offsite Power 0.0664 5.10E-5 24 19 Loss of Emergency AC Train Orange Train 0.0383 3.38E-5 Purple Train 0.0383 6.10E-6 Partia: Loss of Main 0.745 2.26E-6 12 Feeowater Loss of River Water 2.38E-5 2.38E-5 11 Non-Isolable Small 4.83E-3 1.20E-5 6
LOCA Excessive Main 0.235 8.28E-6 4
Loss of Emergency DC Train Orange Train 9.37E-3 8.58E-7 Purple Train 9.37E-3 6.67E-6 SGTR 0.0132 6.14 E-6 3
Isolable Small LOCA 0.0137 5.94E-6 3
Loss of Ventilation for 4.62E-6 4.61 E-6 2
Emergency Switchgear 2.57E-5 12 Other initiating Events 41
Dominant Hardware Failures and Ooerator Errors Contributina to CDF Hardware failures contributing significantly to the total CDF are: failure of AC train A, failure of Reactor Coolant System (RCS) pressure relief in response to an ATWS, failure of the river water system, and failure to trip the reactor.
Operator actions contributing significantly to reducing CDF are: recovery of ventilation for the emergency switchgear rooms, and recovery of AC power for the 1E buses.
Dominant Accident Classes Contributina to CDF The submittal summarizes the contribution to overall CDF by accident category, as follows:
Station Blackout 30%
Containment Bypass / isolation Failures 21%
Loss of switchgear HVAC 16%
ATWS 20%.
These accident categories are not mutually exclusive, and the percentages noted do not represent absolute contributions.
Desian Characteristics Imoortant for CDF The following design features impact the CDF:
Dedicated feedwater pump powered off the emergency response facility Diesel Generator (DG) as an Appendix R backup for auxiliary feedwater.
Automatic switchover of ECCS from injection to recirculation.
Operation with 2 of 3 PORV block valves closed.
Requirement to provide ventilation to the emergency switchgear rooms.
=
The impact of these design features on the overall CDF is discussed in Section 1.2 of this report.
Modifications After completion of the IPE, two changes were made, one a change to the plant, and the other a change to the assumptions in the IPE model. These two changes were:
installation of the station crosstie and reanalysis of ATWS with more optimistic assumptions. The licensee states that the net effect of these changes results in a 44% reduction in the total CDF, resulting in a new CDF of 1.2E-4/ year.
42
Other USI/GSis Addressed j
No other GSl/USI's are directly addressed by the IPE submittal.
]
Sianificant PR A Findinas
]
Significant findings on the front-end portion of the IPE are as follows:
RCP seal LOCAs after station blackout are an important contributor to the total a
CDF the CDF associated with failure to isolate containment is relatively high
=
the CDF from internal flooding is small.
a i
l l
43 i
l l
REFERENCES
[GL 88-20]
" Individual Plant Examination For Severe' Accident Vulnerabilities - 10 CFR 50.54 (f),"
Generic Letter 88.20, U.S. Nuclear Regulatory Commission, November 23,1988.
[NUREG-1335]
" Individual Plant Examination Submitta!
Guidance," NUREG-1335, U. S. Nuclear Regulatory Commission, August 1989.
[lPE]
Beaver Valley Unit 1 IPE Submittal, October 1,1992.
[lPE Responses]
" Beaver Valley Power Station,- Unit No.1 Docket No. 50-344, License No. DPR-66 Generic Letter 88-20 (TAC No. M747378),"
letter from G.S. Thomas, DLC, to NRC, March 10,1995.
[lPE Fax)
"BV-1 Responses to Ques. During Telecon,"
Fax from E. Rodrick, NRC. to J. Darby, SEA, j
November 30,1994.
[UFSAR]
Updated Final Safety Analysis Report for Beaver Valley Unit 1.
[ Tech Specs]
Technical Specifications for Beaver Valley Unit 1.
[STP PSA)
Probabilistic Safety Analysis for South Texas Plant.
[NUREG/CR 4550, Methodology)
NUREG/CR-4550, Vol.1, Rev.1, " Analysis of Core Damage Frequency: Internal Events Methodology."
44
APPENDIX B BEAVER VALLEY 1 NUCLEAR PLANT INDIVIDUAL PLANT EXAMINATION TECHNICAL EVALUATION REPORT (BACK-END)
)
t I
l l
I I