ML20133A910

Draft Review of Risk Based Evaluation of Integrated Safety Assessment Program (Isap) Issues for Millstone Unit 1
ML20133A910
Person / Time
Site: Millstone
Issue date: 09/16/1985
From: Atefi B, Gallagher D, Le P
SCIENCE APPLICATIONS INTERNATIONAL CORP. (FORMERLY
To:
NRC
Shared Package
ML20133A909 List:
References
CON-NRC-03-82-096, CON-NRC-3-82-96 NUDOCS 8510020438


Text

REVIEW OF RISK BASED EVALUATION OF INTEGRATED SAFETY ASSESSMENT PROGRAM (ISAP) ISSUES FOR MILLSTONE UNIT 1

DRAFT REPORT

Bahman Atefi, Daniel Gallagher, Phuoc T. Le and Paul J. Amico*

September 16, 1985

Prepared for U.S. Nuclear Regulatory Commission, Washington, D.C. 20555

Contract No. NRC-03-82-096

* Applied Risk Technology Corporation

TABLE OF CONTENTS

List of Figures
List of Tables
1.0 INTRODUCTION
2.0 BRIEF REVIEW OF THE MILLSTONE UNIT 1 PROBABILISTIC SAFETY STUDY (PSS)
  2.1 Initiating Events
    2.1.1 LOCA Initiators
    2.1.2 Consideration of Interfacing System LOCA's
    2.1.3 Transient Initiators
    2.1.4 Support System Transient
  2.2 Event Tree Analysis
    2.2.1 Reactor Transients Event Tree
      2.2.1.1 Loss of Feedwater Event Tree
      2.2.1.2 Loss of Normal Power (LNP) Event Tree
      2.2.1.3 Station Blackout
    2.2.2 Support System Initiator Event Tree
    2.2.3 Loss of Coolant Accident (LOCA) Event Trees
      2.2.3.1 Small-Small Break Event Tree
      2.2.3.2 Small and Large Break Event Trees
    2.2.4 ATWS Event Tree
    2.2.5 Inclusion of Support Systems in Event Tree Quantifications
  2.3 Component and Systems Reliability Analysis
    2.3.1 Component Failure Data
    2.3.2 Plant Systems Reliability Analysis
  2.4 Human Reliability Analysis (HRA)
    2.4.1 Cognitive Error Modeling
      2.4.1.1 Time-Reliability Correlation (TRC) Model
      2.4.1.2 Systematic Human Action Reliability Procedure (SHARP)
    2.4.2 Procedural Error Modeling
3.0 RESULTS AND INSIGHTS INTO MAJOR CONTRIBUTORS TO THE CORE MELT FREQUENCY
  3.1 Comparison Between ISAP and IREP Dominant Accident Sequences
  3.2 Insight into Major Contributors to the Core Melt Frequency
  3.3 Discussion of Several Areas of Plant Vulnerability
4.0 REVIEW OF THE MILLSTONE UNIT 1 ISAP TOPICS
  4.1 Comments on the Utility's Method of Public Risk Quantification
  4.2 Topic 1.02: "Tornado Missile Protection"
    4.2.1 Background
    4.2.2 Utility Evaluation
    4.2.3 Review of the Utility Analysis
    4.2.4 Conclusions
  4.3 Topic 1.16.1: "Millstone Unit 1/Millstone Unit 2 Backfeed"
    4.3.1 Background
    4.3.2 Utility Evaluation
    4.3.3 Review of the Utility Analysis
    4.3.4 Conclusions
  4.4 Topic 1.189: "ATWS: Upgrading of the Standby Liquid Control System"
    4.4.1 Background
    4.4.2 Utility Evaluation
    4.4.3 Review of the Utility Analysis
    4.4.4 Conclusions
  4.5 Topic 2.04: "High Steam Flow Setpoint Increase"
    4.5.1 Background
    4.5.2 Utility Evaluation
    4.5.3 Review of the Utility Analysis
    4.5.4 Conclusions
  4.6 Topic 2.06: "Main Condenser Retube"
    4.6.1 Background
    4.6.2 Utility Evaluation
    4.6.3 Review of the Utility Analysis
    4.6.4 Conclusions
  4.7 Topic 2.07: "Sodium Hypochlorite System"
    4.7.1 Background
    4.7.2 Utility Evaluation
    4.7.3 Review of the Utility Analysis
    4.7.4 Conclusions
  4.8 Topic 2.08: "Extraction Steam Piping Replacement"
    4.8.1 Background
    4.8.2 Utility Evaluation
    4.8.3 Review of the Utility Analysis
    4.8.4 Conclusions
  4.9 Topic 2.30: "MSIV Closure Test Frequency"
    4.9.1 Background
    4.9.2 Utility Evaluation
    4.9.3 Review of the Utility Analysis
    4.9.4 Conclusions
  4.10 Brief Discussion of the Remaining Topics
    4.10.1 Topic 1.01: "Gas Turbine Generator Start Logic"
    4.10.2 Topic 1.04: "RWCU System Pressure Interlock"
    4.10.3 Topic 1.06: "Seismic Qualification of Safety-Related Piping"
    4.10.4 Topic 2.01: "LPCI Remotely Operated Valves 1-LP-50A and B"
    4.10.5 Topic 2.31: "LPCI Tube Oil Cooler Test Frequency"
5.0 REFERENCES

LIST OF FIGURES

2.1 Logic Tree to Aid in Selection of Expected Behavior Type
3.1 Comparison Between Dominant ISAP and IREP Contributors to the Core Melt Frequency
3.2 Simplified Fault Tree for the Failure of the Alternate SDC System
3.3 ATWS Event Tree with Main Condenser Available
3.4a ATWS Event Tree with Main Condenser Unavailable
3.4b ATWS Event Tree with Main Condenser Unavailable (Loss of Feedwater)
3.4c ATWS Event Tree with Main Condenser Unavailable (Loss of Normal Power)
4.1 ATWS Event Tree with Main Condenser Unavailable (Loss of PCS - 86 gpm SLCS)
4.2 ATWS Event Tree with Main Condenser Unavailable (Loss of Feedwater - 86 gpm SLCS)
4.3 ATWS Event Tree with Main Condenser Unavailable (Loss of Normal Power Support State 1 - 86 gpm SLCS)

LIST OF TABLES

2.1 IREP LOCA Initiators
2.2 ISAP LOCA Initiators
2.3 ISAP Interfacing System LOCA Event Frequency
2.4 Comparison Between ISAP and IREP Initiator Frequencies Included in the "Reactor Transients with Power Conversion System Available" - Category 1
2.5 Comparison Between ISAP and IREP Initiator Frequencies Included in the "Reactor Trip Events" - Category 3
2.6 Comparison Between ISAP and IREP Initiator Frequencies Included in the "Reactor Transients with Power Conversion System Unavailable" - Category 2
2.7 Comparison Between ISAP and IREP Initiator Frequencies Included in the "Loss of Feedwater Transients" - Category 4
2.8 Comparison Between ISAP and IREP Initiator Frequencies Included in the "Loss of Normal AC Power Transient" - Category 5
2.9 Comparison Between ISAP and IREP Support System Initiator Frequencies
2.10 Comparison of IREP and ISAP Component Failure Data
2.11 Human Errors Evaluated Using the Time Reliability Correlation
2.12 Human Errors Evaluated Using the Systematic Human Action Reliability Procedure
3.1 Comparison Between ISAP and IREP Dominant Accident Sequences
3.2 Unavailability of the Alternate Shutdown Cooling System as a Function of Different System Configurations
3.3 Requantification of Millstone Unit 1 ATWS Event Trees
4.1 Requantified ATWS Contribution to Core Melt
4.2 Public Dose By Plant Damage State From NUREG-0933
4.3 Change in Public Dose from Installation of 86 gpm SLCS
4.4 Main Condenser Retube Impact Assessment
4.5 Impact of Not Replacing the Extraction Steam Piping at Millstone Unit 1
4.6 Public Dose By Plant Damage State from NUREG-0933
4.7 Change in Public Dose from Replacement of Extraction Steam Piping
4.8 Change in Public Dose from the Elimination of Monthly MSIV Testing

1.0 INTRODUCTION

The Integrated Safety Assessment Program (ISAP) was developed by NRC to examine the outstanding issues from several NRC programs that are pertinent to each power plant and assess the importance of each issue with respect to its impact on the risk associated with the operation of the plant. The issues that will be considered for each plant in this program are those identified by the Systematic Evaluation Program (SEP) Phase II, pending licensing requirements for the particular facility including TMI Action Plan items, pending Unresolved and Generic Safety Issues, significant events that have occurred during the operation of the plant, and dominant contributors to plant risk based on a plant-specific Probabilistic Safety Analysis (PSA).

An initial screening of the issues required by the programs mentioned above is performed to arrive at a set of ISAP topics that are appropriate for the specific plant under study. A detailed evaluation of these topics is performed by the licensee and submitted to the NRC for review. The NRC's analysis of each topic consists of a review of the licensee's submittal, comparison of the plant design and procedures with current licensing criteria, and assessment of risk significance of each topic for the plant under study.

The first plant being evaluated under this program is Northeast Utilities' Millstone Unit 1, a 660 MWe boiling water reactor. For this plant, a level 1 Probabilistic Risk Assessment (PRA) had previously been performed as a part of the Interim Reliability Evaluation Program (IREP). This PRA has recently been revised by Northeast Utilities by including design or procedural changes that have taken place since the original IREP study and by updating the appropriate initiating events, component failure rate, test and maintenance frequencies and recovery action probabilities. In addition, the licensee has evaluated some of the topics using PRA techniques.

The objective of the present study is to identify and resolve the significant difference between the IREP(1) and ISAP(2) probabilistic assessments, identify the areas of plant vulnerability, and review those topics which were analyzed by the licensee using PRA techniques.


It is important to note that due to limitations in time and level of effort, the review of the ISAP study is not performed in the traditional sense of a PRA review. Rather, it is done by comparing the results of each major section of this study with the results of the IREP study. Using this comparison, significant differences between the two studies are identified, and the effect of these differences on the dominant accident sequences and overall core melt frequency are analyzed.

In the next section, a comparison between ISAP and IREP probabilistic risk assessments will be presented. This will consist of comparing the initiating events, event tree analyses, component and system reliability analyses and the human reliability analyses. The comparison between the results of the two studies, insights into major contributors to the core melt frequency, and areas of plant vulnerability is presented in Section 3.0. Section 4.0 contains the results of the review of several ISAP topics analyzed by the licensee using PRA techniques. This review includes comments on the importance of each topic with respect to the overall plant risk. Finally, all the references cited in the report will be listed in Section 5.0.

2.0 BRIEF REVIEW OF THE MILLSTONE UNIT 1 PROBABILISTIC SAFETY STUDY (PSS)

In this section a brief review of Millstone Unit 1 PSS will be presented. As was discussed earlier, due to limitations in time and level of effort this review is not performed in the same manner as a traditional detailed PRA review. Rather, it is done by examining the major segments of the PSS for its accuracy in procedures, assumptions, modeling, and use of data and comparing the results of each of these major segments with the results found in the earlier IREP study.

The major segments reviewed include the initiating events, event tree analysis, component and system reliability analysis and human reliability analysis which are presented in the next few sections. Review of the results and insights into major contributors to the core melt frequency is presented in Section 3.0.

2.1 Initiating Events

The initiating events in both ISAP and IREP studies were grouped in two broad categories of LOCA's (including interfacing system LOCA's) and transient due to anticipated initiators and support system initiators. Each of these broad groups was further divided into subgroups based on the systems required for mitigation of the initiators. A comparison between the initiator categories and frequencies used in the two studies follows.

2.1.1 LOCA Initiators

In the IREP study the LOCA initiators were grouped into two classes of steam line breaks and liquid line breaks. Each of these classes was further categorized by three break sizes. Table 2.1 shows the LOCA classes, approximate break diameters, systems required for mitigation of these initiators, and frequencies assigned to each initiator. As seen in this table, the major reason for differentiating between the steam line and liquid line breaks is the difference in the systems required for mitigation of the same break sizes. For the small break LOCA, the mitigating systems are the same for the two classes. For the intermediate steam line break, the break would occur above the core level. This will result in an increase in the upward flow of steam, inhibiting the core spray system from providing sufficient downward coolant flow to cover the core. Thus, the core must be depressurized before the core spray system is effective. This is not true for the Low Pressure Coolant Injection (LPCI) system which injects into the core from a low vessel level. Thus, the LPCI system can, without depressurization, cover the core. The situation is reversed in the case of an intermediate liquid break. In this case, because the break area is below the core level, the flow out of the core is downward and the core spray function is not inhibited. However, the LPCI system cannot provide the required mitigation function due to slower vessel pressure reduction and flow diversion from the liquid break area unless the primary system is depressurized.

Table 2.1 IREP LOCA Initiators

| LOCA Class | Approximate Break Diameter (inches) | Systems Required for Mitigation | Frequency |
|---|---|---|---|
| 1. Small Steam Break (SSB) | D<5.41 | Feedwater OR ADS & LPCI OR ADS & Core Spray | 10^-3 |
| 2. Intermediate Steam Break (ISB) | 5.41<D<5.90 | Feedwater OR LPCI OR ADS & Core Spray | 10^-4 |
| 3. Large Steam Break (LSB) | 5.90<D<20.08 | Feedwater OR LPCI OR Core Spray | 10^-4 |
| 4. Small Liquid Break (SLB) | D<5.24 | Feedwater OR LPCI OR ADS & Core Spray | 10^-3 |
| 5. Intermediate Liquid Break (ILB) | 5.24<D<6.05 | Feedwater OR ADS & LPCI OR Core Spray | 10^-4 |
| 6. Large Liquid Break (LLB) | 6.05<D<32.60 | LPCI OR Core Spray | 10^-4 |

In the case of large LOCA, for the large liquid break, there is too much diversion of the flow out of the break area to make the feedwater system an effective mitigating system, whereas in the case of a large steam break, feedwater system is an effective mitigating system.

In the ISAP study, the steam and liquid line breaks are not separated. The various break sizes in this study are categorized into four classes of LOCA's as shown in Table 2.2. The most noticeable difference between the two studies is inclusion of a small-small break LOCA with equivalent diameter of greater than 2.5 gallons per minute (gpm) leak (Technical Specification shutdown limit) up to 1.35 inches in diameter. The initiating frequency of this class of LOCA is estimated to be an order of magnitude larger than the small break LOCA. In the lower range of this new small-small break category, manual shutdown would be necessary whereas automatic trip will occur at the higher range. In addition, at the lower range of this break, automatic depressurization by the Automatic Depressurization System (ADS) might not occur due to lack of high pressure in the drywell necessary for the initiation of ADS. Thus, manual depressurization (MD) would be necessary in these situations.

Another difference between the two studies is that the inadvertent opening of safety/relief valves is classified in the ISAP study as a LOCA initiator whereas this event was classified as a transient initiator in the IREP. This classification should not have any effect on the actual sequence of events that are delineated for this initiator.

Table 2.2 ISAP LOCA Initiators

| LOCA Class | Approximate Break Diameter (inches) | Systems Required for Mitigation | Frequency |
|---|---|---|---|
| 1. Small-Small | 2.5 gpm<D<1.35 | Main Feedwater (No Trip) OR Feedwater (Trip) OR ADS/MD & LPCI OR ADS/MD & Core Spray | 10^-2 |
| 2. Small | 1.35<D<6.05 | Feedwater (Break flow <3500 gpm) OR ADS & LPCI OR ADS & Core Spray | 10^-3 |
| 3. Inadvertent Operation of Safety/Relief Valve | 1.35<D<6.05 | Main Feedwater | 2.02 x 10^-2 |
| 4. Large LOCA | 6.05<D | LPCI OR Core Spray | 10^-4 |

Overall, the most important difference between the two studies in the classification of LOCAs, is the creation of a small-small break LOCA in the ISAP study. This class of LOCA, with a relatively large initiation frequency and some unique mitigation requirements has a significant contribution to the ISAP core melt frequency, as will be shown in Section 3.0 on the overall results. In the case of intermediate and large LOCA's, the major difference between the two studies is the differentiation of liquid and steam break lines. Without this differentiation, the assumptions for systems required for mitigation of a break size might be somewhat more conservative. Finally, in the case of inadvertent opening of safety/relief valves, the only difference between the two studies is the frequency of initiation of this event which is an order of magnitude smaller in the ISAP study due to replacement of the safety/relief valves with a new set of more reliable valves.

2.1.2 Consideration of Interfacing System LOCA's

In the IREP study, the interfacing system LOCAs were not considered explicitly. The basic reason for this was that in WASH-1400 study, the interfacing system LOCA's were not found to be important to risk for BWR's. The Millstone Unit 1 interfacing systems were compared with the Peach Bottom plant analyzed in WASH-1400, and since the systems were similar, no further analysis of these initiators was conducted.

In the ISAP study, five systems interfacing the primary system were considered in detail for the possibility of initiation of LOCA's. These are the Isolation Condenser, the Shutdown Cooling System, the Reactor Water Cleanup System, the Low Pressure Coolant Injection System, and the Core Spray System. Of these systems, the Shutdown Cooling System was eliminated from further consideration because only multiple catastrophic failures could create an interfacing LOCA. For the other systems, simple fault trees were used to estimate the frequency of occurrence of unmitigated LOCAs due to interfacing system failure that would lead to a core meltdown. Table 2.3 shows the unmitigated interfacing system LOCAs, their frequencies, and their contribution to the total core melt frequency. As can be seen from these results, the contribution of interfacing system LOCAs to the overall core melt frequency is negligible.

Table 2.3 ISAP Interfacing System LOCA Event Frequencies

| Event | Frequency (per year) | Percentage of Total Core Melt Frequency |
|---|---|---|
| 1. Unmitigated Isolation Condenser Tube Rupture | 1.5E-7 | 0.02 |
| 2. Unisolated LOCA in the Core Spray System | 1.1E-7 | 0.014 |
| 3. Interfacing System LOCA in the LPCI System | 1.61E-8 | 0.002 |
| 4. Unisolated LOCA in the RWCU System | 1.39E-8 | 0.001 |

2.1.3 Transient Initiators

Two major classes of transients were considered in the ISAP study. These are the anticipated transients and special initiators that result from support system failures. The anticipated transients in this study are grouped into the following five categories:

1. Reactor Transients with Power Conversion System Available
2. Reactor Transients with Power Conversion System Unavailable
3. Reactor Trip Events
4. Loss of Feedwater Events
5. Loss of Normal Power Events.

The first category of transients in the ISAP study is similar to Category T1 "Most Transients" in the IREP study. Table 2.4 shows the list and frequency of transient initiators in this category used in these studies.

The initiator frequencies in the ISAP study were calculated by performing Bayesian updating of the plant-specific data. For the prior distributions, the results of industry experience compiled in the EPRI report EPRI-NP-2230(3) were used. In developing the prior distributions from this source, the data on the first two years of each plant's operation were discarded so that the trips during the startup period would not be included. The data were then fit into a Gamma distribution. Having these prior distributions, the posterior distributions for each initiator were developed by updating the plant-specific initiators.
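The updating described above, carried through as an added example that is not part of the original report: a Gamma prior is fitted to industry trip rates after dropping each plant's first two years, then updated with plant-specific experience. The Poisson likelihood, the method-of-moments fit and every number in the script are assumptions made for illustration; the report does not give its fitting method or its data.

```python
"""Gamma-Poisson updating of an initiating-event frequency (added example).

All numbers are constructed for illustration; none come from the ISAP
study, the IREP study or EPRI-NP-2230.
"""
from dataclasses import dataclass
from math import sqrt
from statistics import mean, variance

STARTUP_YEARS = 2  # first two years of each plant's operation are discarded

# Constructed industry experience: trips per year for each plant,
# listed from the first year of operation onward.
INDUSTRY_TRIPS = {
    "plant_A": [5, 4, 1, 2, 1, 0, 1],
    "plant_B": [6, 3, 2, 1, 2, 1],
    "plant_C": [4, 4, 0, 1, 0, 1, 0, 0],
    "plant_D": [7, 5, 3, 2, 2, 3],
}


@dataclass(frozen=True)
class Gamma:
    alpha: float  # shape (pseudo-count of events)
    beta: float   # rate (pseudo-exposure, in reactor-years)

    @property
    def mean(self) -> float:
        return self.alpha / self.beta

    @property
    def std(self) -> float:
        return sqrt(self.alpha) / self.beta


def mature_rates(trips_by_plant, skip=STARTUP_YEARS):
    """Per-plant events/year after dropping the start-up years."""
    rates = []
    for yearly in trips_by_plant.values():
        mature = yearly[skip:]
        if mature:  # a plant with only start-up data contributes nothing
            rates.append(sum(mature) / len(mature))
    return rates


def fit_gamma_prior(trips_by_plant) -> Gamma:
    """Method-of-moments fit (assumed here; the report does not say how
    its fit was done): mean = alpha/beta, variance = alpha/beta**2."""
    rates = mature_rates(trips_by_plant)
    if len(rates) < 2:
        raise ValueError("need at least two plants to estimate a variance")
    m, v = mean(rates), variance(rates)
    if v <= 0:
        raise ValueError("plant-to-plant variance must be positive")
    return Gamma(alpha=m * m / v, beta=m / v)


def update(prior: Gamma, events: int, years: float) -> Gamma:
    """Conjugate update for a Poisson event count over `years` of exposure."""
    if events < 0 or years <= 0:
        raise ValueError("events must be >= 0 and years > 0")
    return Gamma(alpha=prior.alpha + events, beta=prior.beta + years)


if __name__ == "__main__":
    prior = fit_gamma_prior(INDUSTRY_TRIPS)
    # Constructed plant-specific record: 6 events in 14 reactor-years.
    post = update(prior, events=6, years=14.0)
    print(f"prior     mean {prior.mean:.3f}/yr  std {prior.std:.3f}")
    print(f"plant MLE      {6 / 14:.3f}/yr")
    print(f"posterior mean {post.mean:.3f}/yr  std {post.std:.3f}")
```

With these constructed inputs the posterior mean falls between the industry prior mean and the raw plant estimate, and moves toward the plant estimate as plant-specific exposure grows.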

Looking at Table 2.4, it can be seen that 16 out of 18 top initiators are the same in both categories. Initiators 3 and 11 included in this ISAP category were included in the "transient with power conversion system unavailable" category in the IREP study. Also, initiators 24 to 28 in the ISAP study were included in a new category of "reactor trip events." The mitigating systems required for this category are exactly the same as Category 1. The frequency of these initiators in the ISAP study is shown in Table 2.5. Initiators 19 through 23 and 28 included in the IREP study were not considered in the ISAP study.

To get an idea of the effect of the Bayesian updating on the initiator frequencies, we can compare the total frequency of the 19 common initiators in Categories 1 and 3. The total frequency of these initiators is 4.46 in the ISAP study and 5.56 in the IREP study. Thus, the ISAP initiators frequency for these categories is about 20 percent lower than IREP frequency in these categories. The total frequency of initiators in this category considered in the IREP and not considered by the ISAP in any category is 1.00 which is another 20 percent of the total ISAP frequency. Overall, the total frequency of the Categories 1 and 3 which have common mitigating systems requirements is 4.58 in the ISAP study and 6.6 in the IREP study. Thus, the total ISAP initiators frequency for these categories is about 30 percent lower than the IREP initiators frequency.

Table 2.4 Comparison Between ISAP and IREP Initiator Frequencies Included in the "Reactor Transients With Power Conversion System Available" - Category 1

Frequencies (per year)

| Initiator | ISAP (Plant Specific) | IREP (NP-801) |
|---|---|---|
| 1. Electrical Load Rejection | 0.386 | 1.04 |
| 2. Turbine Trip | 0.742 | 1.41 |
| 3. Pressure Regulator Fails Open | 0.165 | Included in Category 2; see Table 2.5 |
| 4. Pressure Regulator Fails Closed | 0.009 | 0.14 |
| 5. Turbine Bypass Valve Fails Open | 0.089 | 0.04 |
| 6. Recirculation Flow Control Fails (Increasing) | 0.011 | 0.24 |
| 7. Recirculation Flow Control Fails (Decreasing) | 0.006 | 0.06 |
| 8. Trip on One Recirculation Pump | 0.345 | 0.02 |
| 9. Trip of All Recirculation Pumps | 0.093 | 0.06 |
| 10. Recirculation Pump Seizure | 0.000 | ε |
| 11. Feedwater Flow Control Failure (Increasing) | 0.444 | Included in Category 2; see Table 2.5 |
| 12. Feedwater Flow Control Failure (Decreasing) | 0.630 | 0.43 |
| 13. Loss of a Feedwater Heater | 0.004 | |
| 14. Loss of All Feedwater Heaters | 0.096 | 0.02 |
| 15. Trip of One Feedwater/Condensate Pump | 0.176 | 0.2 |
| 16. Inadvertent Control Rod Withdrawal | 0.003 | ε |
| 17. Inadvertent Control Rod Insertion | 0.008 | 0.1 |
| 18. Partial MSIV Closure | Included in Category 2; see Table 2.5 | 0.04 |
| 19. Control Valves Fail Closed | | 0.51 |
| 20. Abnormal Startup of Idle Recirc Pump | | ε |
| 21. Low Feedwater During Startup or Shutdown | | 0.35 |
| 22. High Feedwater During Startup or Shutdown | | 0.10 |
| 23. High Flux Due to Rod Withdrawal at Startup | | 0.04 |
| 24. Scram Due to Plant Occurrences | Included in Category 3; see Table 2.5 | 0.35 |
| 25. Spurious Trip Via Instrumentation, PPS Fault | Included in Category 3; see Table 2.5 | 1.16 |
| 26. Manual Scram, No Out of Tolerance Condition | Included in Category 3; see Table 2.5 | 0.27 |
| 27. Detected Faults in RPS | Included in Category 3; see Table 2.5 | 0.02 |
| 28. Cause Unknown | | 0.02 |

Table 2.5 Comparison Between ISAP and IREP Initiator Frequencies Included in the "Reactor Trip Events" - Category 3

Frequencies (per year)

| Initiator | ISAP (Plant-Specific) | IREP (NP-801) |
|---|---|---|
| Instrument Detected Fault in RPS | 0.005 | Included in T1; see Table 2.4 |
| Scram Due to Plant Occurrences | 0.536 | Included in T1; see Table 2.4 |
| Spurious Trip Due to RPS Instrumentation | 1.298 | Included in T1; see Table 2.4 |
| Manual Scram (No Out-of-Tolerance N.S.S.S. Condition) | 0.119 | Included in T1; see Table 2.4 |
| Total | 1.958 | |

The ISAP Category 2 transients are reactor transients with power conversion system unavailable. The frequencies of these initiators are shown in Table 2.6. In this category, the IREP study included two initiators caused by support system failures. These initiators were treated separately by the ISAP study and are discussed in Section 2.4. Excluding these events, the total frequency for this category is 0.435 for the ISAP study and 2.02 for the IREP study. Thus, the ISAP initiators frequency is about 80 percent lower in this case.

The ISAP Category 4 transients are the "loss of feedwater transients" which in the IREP study include two support system initiators and are shown in Table 2.7. Excluding these two events, the loss of feedwater system initiator in the ISAP study is about 60 percent higher than the value in the IREP study.

The fifth ISAP transient category is the "loss of normal power transient" shown in Table 2.8. In this category, the ISAP frequency is about 40 percent lower than the IREP frequency.

Finally, as was mentioned earlier, the inadvertent opening of safety/relief valves was treated in the ISAP study as an LOCA initiator. This event was considered as a transient initiator in the IREP study. The frequency of this event is 2.02 x 10^-2 in the ISAP study and 0.2 in the IREP study. The primary reason for this difference is replacement of the old safety/relief valves with a newer, more reliable set of valves.

Table 2.6 Comparison Between ISAP and IREP Initiator Frequencies Included in the "Reactor Transient With Power Conversion System Unavailable" - Category 2

Frequencies (per year)

| Initiator | ISAP (Plant-Specific) | IREP (NP-801) |
|---|---|---|
| Load Rejection with Turbine Bypass Failure | 0.002 | |
| Turbine Trip with Turbine Bypass Failure | 0.002 | |
| Total Closure of One or More MSIVs | 0.405 | 0.75 |
| Loss of Normal Condenser Vacuum | 0.026 | 0.67 |
| Feedwater Increasing Flow | Included in Category 1; see Table 2.4 | 0.31 |
| Pressure Regulator Fails Open | Included in Category 1; see Table 2.4 | 0.29 |
| Loss of Circulating Water System | * | 0.06** |
| Loss of Plant Air Compressors | * | 0.06** |

* Initiators based on support system failure
** Plant-specific data

Table 2.7 Comparison Between ISAP and IREP Initiator Frequencies Included in the "Loss of Feedwater Transients" - Category 4

Frequencies (per year)

| Initiator | ISAP (Plant-Specific) | IREP (NP-801) |
|---|---|---|
| Loss of Feedwater | 0.096 | 0.06 |
| Loss of Turbine Building Closed Cooling Water System | * | 0.06 |
| Loss of Service Water System | * | 0.06 |
| Total | 0.096 | 0.18 |

* Initiators based on support system failure

Table 2.8 Comparison Between ISAP and IREP Initiator Frequencies Included in the "Loss of Normal AC Power Transient" - Category 5

Frequencies (per year)

| Initiator | ISAP (Plant-Specific) | IREP (NP-801) |
|---|---|---|
| Loss of Offsite Power | 0.124 | 0.16 |
| Loss of Auxiliary Power | | 0.04 |
| Total | 0.124 | 0.2 |

In the next section, transient initiators due to support system failures will be discussed.

2.1.4 Support System Transients

To identify the plant-specific transient initiators due to support system failures, the ISAP study performed system level failure mode and effect analyses on the following classes of systems:

1. Cooling Water Systems
2. Electrical Systems
3. Power Conversion Systems
4. Auxiliary Systems.

As a result of these analyses, four plant-specific initiators were identified. The frequencies of initiation of these events were calculated by a detailed analysis of the support system responsible for their initiation. These frequencies and the corresponding values used in the IREP study are shown in Table 2.9. The IREP initiator frequencies shown in this table are calculated using a zero failure approximation. Overall, for the support system initiators analyzed in both studies, the ISAP frequencies are from one to two orders of magnitude smaller than the IREP frequencies based on a more detailed support system analysis. The only exception is the service water system where change in its success criteria in the ISAP study has resulted in an increase in the short-term loss of service water system initiating frequency.

In the next section, a discussion on the event-tree analysis used in the ISAP and IREP studies will be presented.

Table 2.9 Comparison Between ISAP and IREP Support System Initiator Frequencies

Frequency (per year)

| Initiator | ISAP | IREP | Comment |
|---|---|---|---|
| Total Loss of Service Water (With Recovery) | 7.83E-3 | 6.0E-4* | Included in T3 in IREP, see Table 2.7 |
| Loss of T.B.S.C.C.W. | 8.05E-4 | 0.06 | Included in T3 in IREP, see Table 2.7 |
| Loss of R.B.C.C.W. | 4.73E-4 | - | |
| Loss of 120 V Vital AC Power | 1.65E-2 | - | |
| Loss of Circulating Water System | - | 0.06 | Considered part of transients with PCS in ISAP |
| Loss of Plant Air Compressors | - | 0.06 | Considered bounded by other transients in ISAP |

* This number consists of an initiating frequency of 0.06 and a recovery factor of 1.0 x 10^-2.

2.2 Event Tree Analysis

The event tree analysis performed in the ISAP study has a number of differences from that performed in the IREP study. Some of the differences are conceptual and apply in general to all of the event trees, while others are more specific to a particular tree. The conceptual differences will be discussed here, and the specific differences will be discussed in subsequent sections.

The first difference is that the ISAP study included cognitive operator errors directly on the event trees. These are errors in the decision-making process during an accident. The IREP study did not individually assess these cognitive errors, but rather included them in the assessment of procedural errors. From the standpoint of event tree analysis, this difference in methodology is not significant to the final results. When these errors are properly evaluated, it makes no difference whether they are included independently on the tree or are incorporated at the system level. However, the method of analysis utilized for the human error rate determination in the ISAP study is significantly different from that used in the IREP study. This is discussed in more detail in Section 5.0 on human reliability analysis.

The ISAP study also included recovery actions (such as restoration of offsite power) as events on the event trees. In the IREP study, these actions were evaluated separately and incorporated into the analysis at the sequence cut set level. This difference is not significant to the analysis, since (as above) either method adequately incorporates the actions evaluated.

The ISAP study did not make a distinction between short-term core melts with and without containment cooling. That is, no credit was given for the operation of the containment cooling system to delay containment failure given that a core melt was occurring in the early or intermediate time frames. IREP did make this distinction. This does not affect the results of the ISAP study in terms of core melt frequency and timing, since the containment cooling system cannot prevent core melt in these scenarios. The only effect is in the area of plant damage states and consequences. This is an insignificant difference between the two studies, because the IREP study determined that all of these sequences would have the same consequences whether or not containment cooling was successful (i.e., the release category split fractions were the same in both cases).

The following sections discuss specific differences in the event trees in the ISAP study and those representing the equivalent initiators in the IREP study. However, before beginning those discussions, it is useful to make a general observation regarding the ISAP study event trees versus the IREP study event trees. Despite the differences in appearance between the two sets of trees, the phenomenologies represented are virtually identical. That is, the functional and systemic failures leading to core melt are the same in both studies. This becomes obvious when one attempts to identify equivalent sequences from both studies. It is generally possible to select any sequence from the ISAP study and identify an equivalent sequence (or sequences) which were analyzed in the IREP study, although the details of the quantification may be different. This exercise is performed in Section 3.0 for the dominant ISAP sequences and is discussed in some detail in that section. The one major exception to this is the anticipated transients without SCRAM (ATWS), which are quantified significantly differently in the two studies. This is discussed in detail in Section 2.2.4.

2.2.1 Reactor Transients Event Tree

The ISAP study event tree includes a cognitive error of the operator failing to decide to restore RPV level when the feedwater system fails to continue to operate after the trip. This error encompasses the entire decision process of attempting to restore feedwater, initiating the isolation condenser, or depressurizing the RCS and using low pressure safety pumps, thus creating a linkage between the actions. The IREP study evaluated each of these alternatives to provide cooling; however, they were considered separate actions. This is a significant difference between the two studies which can result in substantial differences in human error and recovery actions, as will be discussed in Section 2.3. This difference in methodology is due in part to Millstone's change to a new type of symptom-oriented procedures and in part to advances in the methods available to analyze cognitive errors which have been developed since the IREP study. This is discussed in more detail in Section 2.3.

The ISAP study event tree also includes an event for restoration of AC power. This is included for the purpose of evaluating support states involving a consequential loss of power following a non-LNP event. As discussed in Section 2.2.4, this was not analyzed in the IREP and has a measurable effect on the results.

2.2.1.1 Loss of Feedwater Event Tree

The same comments as those made above apply also to this tree, except that the cognitive error applies to those sequences where either the isolation condenser fails or a safety/relief valve sticks open, thus requiring the operator to decide to restore RPV level.

2.2.1.2 Loss of Normal Power (LNP) Event Tree

The ISAP study event tree considers a cognitive error of failing to decide to restore reactor pressure vessel level as an error which is similar to the failure to manually depressurize the reactor coolant system (RCS), which is evaluated in the IREP study. The difference is that in the ISAP study, this error is considered to occur prior to reaching automatic safety actuation conditions, and it includes the decisions to manually start the isolation condenser and to attempt to restore offsite power, even though the isolation condenser (IC) will eventually start automatically and the operator has additional time to actually recover offsite power. This particular handling of this cognitive error, while different from the IREP, yields a logically identical model and thus does not affect the results.

The ISAP event tree includes an event for cross-connecting the 480V safety busses so that one of the emergency power supplies can pick up some loads from the opposite train. This action only affects the availability of shutdown cooling, and only in a minor way. It does not have any significant effect on the results.

The ISAP study event tree also includes an event for the recovery of offsite power, which was adequately considered in the IREP study at the sequence cut set level. However, a notable difference is that the IREP study assumed that recovery of offsite power terminated the sequence successfully. The ISAP study, however, models the other actions necessary to initiate the systems required to actually terminate the sequence. This is a more detailed and accurate method than the IREP assumption, which was based on the belief that these scenarios were unlikely once power was restored. This difference does have an effect on the results.

The ISAP study event tree has an event which represents the actuation signal required for the plant to automatically respond to the loss of normal power event. This was handled in the fault tree models in the IREP study, rather than at the event tree level. Both methods are adequate if properly applied, which is the case.

2.2.1.3 Station Blackout

This tree is just a specific version of the LNP tree to cover the case where all AC power is unavailable. Thus, the comments discussed above for the LNP apply similarly to this tree, with two minor modifications.

First, the cognitive decision process includes the additional decision to conserve DC battery power by stripping of nonessential DC loads. This was not considered in the IREP study, but did not affect the results.

Second, the tree considers sequences where the core is damaged but does not melt. This occurs in time frames where the power is not restored in time to prevent the core from briefly becoming uncovered but power is restored prior to significant uncovery. The IREP study did not make this distinction, but it is not important unless one is interested in the possibility of minor core damage. The time frames used for preventing core melt are similar to those used in the IREP study, whereas the time frames used for preventing damage are somewhat shorter. Thus, there is no effect on the core melt sequences.

2.2.2 Support System Initiator Event Trees

These event trees are subsets of the transient and loss of feedwater event trees. They are designed specifically to take into account the changes in system capabilities due to these initiators. The differences discussed for the transient and LOF event trees therefore generally apply to these trees. Otherwise, there is nothing notable about these trees and, in fact, it would have been equally reasonable to utilize the transient and LOF trees to evaluate these initiators.

2.2.3 Loss of Coolant Accident (LOCA) Event Trees

The LOCA event trees in the ISAP and IREP studies are fairly similar except for the new ISAP event tree for the small-small break LOCA which is discussed in the next section.

2.2.3.1 Small-Small Break Event Trees

This ISAP event tree, which is used for the lower end of the IREP small break size, has a number of differences from the IREP small break event tree. The first difference is that automatic pressure relief does not appear on the tree. ISAP concluded that these breaks are too small to result in high drywell pressure, so only operator action to depressurize is considered. This seems to be a reasonable conclusion and was missed in IREP because IREP only considered break size ranges analyzed in the FSAR, which did not separately consider these break sizes. Intuitively, however, it is logical that there should exist breaks which are small enough that high drywell pressure would not occur. This difference had an effect on the results of the analysis.

Another difference is that ISAP concluded that feedwater could not continue to run indefinitely without some operator intervention. The operator is required to start a high-capacity condensate transfer pump to replenish the hotwell to provide sufficient suction water for feedwater. This is required to replace water lost through the break. IREP concluded that sufficient water would be supplied automatically by the condensate transfer system (CTS); however, only a small capacity CTS pump will start automatically to replenish the hotwell. Thus, an additional branch appears on the tree for the required action of manually starting a higher capacity pump (including the reliability of the CTS equipment). This difference had an effect on the results.

A third difference is the consideration of a cognitive error of failing to realize it is necessary to recover RPV level when FW is failed. This includes the same actions as the one discussed for the transient trees, and links together all actions possible to recover level. As mentioned before, this has a significant effect on the results.

ISAP also considers a cognitive error of commission, that of the operator misdiagnosing plant conditions and prematurely terminating ECCS flow. This type of error was not considered in IREP, and it has an effect on the results. It is discussed in greater detail in Section 2.4 on human reliability analysis.

Finally, the ISAP tree has branches for successful long-term cooling using the main condenser or shutdown cooling (SDC) systems. IREP did not give credit for these cooling methods because they normally require that the vessel be isolated so that no coolant is lost. However, it is conceivable that these methods may work for the very small breaks which make up this break range. This is especially true when using the SDC system, where it is reasonable to assume that the SDC system can cool water taken from the vessel and return it to the vessel while the vessel level is maintained by circulating torus water through the core spray or LPCI systems to make up for continued coolant loss through the break. All that would be required is that adequate mixing take place in the vessel, which is a reasonable assumption. The use of the main condenser is somewhat more questionable. While it should be possible to remove some heat in this manner, it is not clear how steam flow to the condenser would be maintained. Once the decay heat level was below the heat removal rate of the break, it is logical to assume that all steam would be dumped to the torus, since this should be the path of least resistance. The question of how long this would take and whether a core melt would result must remain open until the basis for the ISAP assumption can be reviewed. However, the assumption does affect the results, and its elimination would increase the contribution of small-small breaks to core melt.

2.2.3.2 Small and Large Break Event Tree

There are two major differences between the ISAP trees for these initiators and the equivalent IREP trees. First, both trees contain the cognitive error of commission (premature termination of ECCS flow) mentioned in the previous section. For these initiators this difference does not have any significant effect on the results.

The second difference is that feedwater is not considered to be a sufficient mitigating system in ISAP for these breaks. This is based on the inability, even with manual action, of the condensate transfer system (CTS) to provide sufficient makeup flow to the condenser hotwell for breaks of these sizes. Thus, feedwater is assumed to be lost in a relatively short time. The IREP study assumed that CTS flow was sufficient, except for large liquid breaks, based on the Millstone FSAR. Regardless, this difference did not have a significant effect on the results, and further investigation is therefore not warranted.

2.2.4 ATWS Event Tree

There are significant differences in the way each of the two studies evaluates ATWS events. The IREP study assumed that an ATWS always resulted in a core melt, except for transients where the power conversion system (PCS) was available and continued to operate. Much study has been done on ATWS since that time, by both the NRC and the nuclear industry, and a much greater understanding of ATWS events has been attained. This understanding has allowed for the modification of plant design and development of new procedures to mitigate ATWS events. The present NRC position on ATWS is contained in the recently developed ATWS rule (10 CFR 50.62). It is more fruitful to compare the ISAP study evaluation with the analysis in the rule as opposed to that from the IREP study, since the former represents more advanced thinking on ATWS.

The ISAP study considers two general cases of ATWS: Power Conversion System (PCS) available and PCS unavailable. This is consistent with the ATWS rule. Each case will be considered separately.

For the PCS available case, the ISAP study deviates from the rule in that it assumes that operator actions are not as complex or imperative as the rule states. It takes substantial credit for the ability of the PCS to maintain automatically adequate heat removal for an extended period once the recirculation pumps are tripped. This is reasonable for the Millstone 1 plant. The need for complex operator actions in a short time frame in the ATWS rule is based on certain assumptions in the rule, as follows:

"It has been estimated that power will equilibrate at around 20 to 40 percent of full power...A BWR is typically designed to bypass up to 25 percent of steam flow to the condenser. Thus, if the ATWS transient has not involved MSIV isolation or loss of condenser, a maximum of 15 percent of steam flow will be directed to the suppression pool."

It is this loss of steam to the suppression pool which is the limiting condition for the operator actions in the ATWS rule. However, Millstone 1 is not a typical BWR. Its bypass capability is 100% of steam flow; thus, there would be no loss of steam to the suppression pool. For this reason, we conclude that the ISAP event tree for ATWS with PCS available is acceptable despite its deviation from the ATWS rule.

For the PCS unavailable case, the ISAP study and the ATWS rule are in general agreement on the basis behind the mitigation of an ATWS. That is, they both consider the limiting conditions for success to be injecting boron to shut down the reaction and maintaining sufficient heat capacity in the torus (not exceeding the torus heat capacity temperature limit for the prevailing RCS pressure). Also, the operator actions in the ISAP study are the same as those described in the rule. They deviate in the capability of the standby liquid control system (SLCS) to mitigate the ATWS and in the absolute limit of 200°F torus temperature. Specifically, the ATWS rule states the following:

"For these cases where all of the reactor power is dissipated in the suppression pool, the suppression pool temperature would exceed 200°F slightly even if the operator immediately followed the procedures and actuated the 43 gpm SLCS. If SLCS capability is increased to 86 gpm, the operator must act within two minutes after the transient begins in order not to exceed the 200°F suppression pool limit. Therefore, it was conservatively assumed that all isolation transients will exceed the 200°F containment suppression pool limit with the current SLCS capacity of 43 gpm."

Thus, an event tree for Millstone 1 based on the ATWS rule would not have a success branch for SLCS because it is assumed to have insufficient capacity. However, it is important to note two things. First, the rule used the word "conservatively" to describe its assumption. Further, the analysis is apparently based on a "typical BWR." Once again, Millstone 1 is not typical. Its suppression pool is the same size as typical BWR-4s, but its core power is only about 60% of a typical BWR-4. Thus, Millstone 1 has a greater heat rejection capability (in terms of equivalent full power seconds before exceeding 200°F). Further, the heat capacity temperature limit curve for Millstone does allow the torus temperature to exceed 200°F if the RCS pressure is sufficiently low, although we cannot verify the acceptability of this curve. Therefore, it may be possible that a 43 gpm SLCS is sufficient for Millstone 1. For the present, however, we must reserve judgment until we can review thermal/hydraulic calculations of this sequence to determine if this is so and how long the operator has to initiate SLCS. If a 43 gpm SLCS is not sufficient, ATWS will become a more significant contribution to core melt, assuming all other conditions remain the same (which they do not; see RPS analysis comments in Section 2.3.2, operator response comments in Section 2.4.2, and ATWS summary in Section 3.3).

2.2.5 Inclusion of Support Systems in Event Tree Quantifications

The ISAP study used an entirely different method from the IREP study to consider the effect of support systems on the sequences. In the IREP study the support system fault trees were merged with the front line system fault trees to create complete fault trees for the front line systems which include all potential support system faults. In the ISAP study, the support systems were evaluated separately and a support system event tree was used to define support states. These support states define the possible combinations of support system success and failures which can exist following an initiating event. Thus, each event tree is actually evaluated a number of times (once for each support state), and the system failure probabilities used are conditional on the support state being evaluated.

The review of the ISAP support states and the front line systems showed that the system interfaces modeled in the IREP study, as modified by actual plant changes, are adequately represented in the ISAP analysis.

The significant difference between the two support system interface models is that the ISAP study considered the subsequent loss of AC power after a non-LNP initiating event. The IREP study did not consider this possibility. The support states that result from this subsequent loss of power on either emergency bus do contribute to three of the ISAP study dominant accident sequences, all reactor transient initiated sequences. Two of these sequences would not have been dominant sequences if the subsequent loss of power support states had not been considered. The total contribution of these two sequences is approximately 5% of the total core melt frequency calculated in the ISAP study.
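The support-state method described in this section can be made concrete with a small quantification, added here as an illustration and not taken from the ISAP or IREP models. The buses, train layouts, sequence and every probability below are constructed assumptions; the code evaluates one sequence once per support state and compares the result with a product of marginal system probabilities that ignores the shared buses.

```python
"""Support-state quantification of one event tree sequence.

All numbers are constructed for illustration; none are ISAP or IREP values.
"""
from itertools import product

INITIATOR_FREQ = 1.0  # non-LNP reactor transients per year (constructed)

# Probability that each emergency AC bus is lost after the initiating event.
SUPPORT_LOSS = {"BUS_A": 1.0e-5, "BUS_B": 1.0e-5}

# Front line systems as lists of trains: (independent failure probability, bus).
# The train-to-bus assignments are hypothetical.
FRONT_LINE = {
    "FW": [(5.0e-2, "BUS_A")],
    "IC": [(2.0e-2, "BUS_B")],
    "LPCI": [(1.0e-2, "BUS_A"), (1.0e-2, "BUS_B")],
}

# Hypothetical core melt sequence: every listed system fails.
SEQUENCE = ("FW", "IC", "LPCI")


def support_states(loss=SUPPORT_LOSS):
    """Return [(frozenset of lost supports, probability)] for every support state."""
    names = sorted(loss)
    states = []
    for outcome in product((False, True), repeat=len(names)):
        prob = 1.0
        lost = set()
        for name, is_lost in zip(names, outcome):
            prob *= loss[name] if is_lost else 1.0 - loss[name]
            if is_lost:
                lost.add(name)
        states.append((frozenset(lost), prob))
    return states


def conditional_failure(system, lost):
    """P(system fails | support state). A train on a lost bus is failed;
    the system fails only when all of its trains fail."""
    q = 1.0
    for train_q, bus in FRONT_LINE[system]:
        q *= 1.0 if bus in lost else train_q
    return q


def quantify(sequence=SEQUENCE, freq=INITIATOR_FREQ):
    """Evaluate the sequence once per support state; return {state: frequency}."""
    contributions = {}
    for lost, p_state in support_states():
        p_seq = 1.0
        for system in sequence:
            p_seq *= conditional_failure(system, lost)
        contributions[lost] = freq * p_state * p_seq
    return contributions


def naive_product(sequence=SEQUENCE, freq=INITIATOR_FREQ):
    """Multiply marginal system failure probabilities as if the systems were
    independent, which loses the shared-bus dependence."""
    result = freq
    for system in sequence:
        result *= sum(p * conditional_failure(system, lost)
                      for lost, p in support_states())
    return result


def degraded_share(contributions):
    """Fraction of the sequence frequency from states with any support lost."""
    total = sum(contributions.values())
    return sum(f for lost, f in contributions.items() if lost) / total


if __name__ == "__main__":
    contrib = quantify()
    for lost, f in sorted(contrib.items(), key=lambda kv: -kv[1]):
        label = "+".join(sorted(lost)) or "all supports available"
        print(f"{label:<24} {f:.3e}/yr")
    print(f"total {sum(contrib.values()):.4e}/yr, naive {naive_product():.4e}/yr")
    print(f"share from degraded support states: {degraded_share(contrib):.1%}")
```

With these constructed inputs the degraded support states carry a few percent of the sequence frequency, and the naive product comes out lower than the support-state total because it drops the common dependence on the buses.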

2.3 Component and Plant Systems Reliability Analysis

This section provides a brief review of both the component failure data used and the system reliability analysis performed in the Millstone 1 ISAP study. The review of the component unavailability data consists of a comparison of the data used in the ISAP study with that used in the Millstone 1 IREP study. No other attempt has been made to verify the accuracy of the plant-specific data used in the ISAP study. The review of the system reliability analysis was also primarily a comparison of the ISAP study system models to those used in the IREP study. This comparison was limited to a comparison of the success criteria, support system interfaces, and system descriptions in the two studies. A detailed review of the system fault trees used in the ISAP study was not performed. However, the system unavailabilities used in the ISAP study were assessed for their reasonableness based on information that could be extracted from the Millstone 1 IREP study.

2.3.1 Component Failure Data

The Millstone 1 ISAP study applies Bayes' Theorem to a combination of generic data and plant-specific data to develop the failure rate data used in the study. WASH-1400 was selected as the generic data source. The demand failure data in WASH-1400 were assigned a Beta distribution to generate prior means and variances; a Gamma distribution was assigned to the hourly failure data. The means and variances were then modified using the plant-specific data by applying Bayes' Theorem.
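The update described above can be sketched with the standard conjugate forms, as an added example that is not the ISAP study's own calculation. Fitting the priors by moment matching is an assumption of this sketch; the prior means reuse two generic values from the IREP column of Table 2.10 (1E-3 per demand, 9E-5/hr), while the prior variances and the plant evidence are constructed.

```python
"""Conjugate Bayesian update of generic failure data with plant evidence.

Beta prior + binomial demand data  -> Beta posterior.
Gamma prior + Poisson run-time data -> Gamma posterior.
Prior variances and plant evidence below are constructed for illustration.
"""


def beta_from_moments(mean, var):
    """Beta(a, b) having the given mean and variance (demand failure probability)."""
    if not 0.0 < mean < 1.0 or not 0.0 < var < mean * (1.0 - mean):
        raise ValueError("moments are not attainable by a Beta distribution")
    k = mean * (1.0 - mean) / var - 1.0
    return mean * k, (1.0 - mean) * k


def gamma_from_moments(mean, var):
    """Gamma(shape, rate) having the given mean and variance (failures per hour)."""
    if mean <= 0.0 or var <= 0.0:
        raise ValueError("mean and variance must be positive")
    return mean * mean / var, mean / var


def update_demand(prior, failures, demands):
    """Posterior Beta parameters after observing failures in a number of demands."""
    if not 0 <= failures <= demands:
        raise ValueError("failures must lie between 0 and demands")
    a, b = prior
    return a + failures, b + (demands - failures)


def update_hourly(prior, failures, hours):
    """Posterior Gamma parameters after observing failures over operating hours."""
    if failures < 0 or hours < 0.0:
        raise ValueError("failures and hours must be non-negative")
    shape, rate = prior
    return shape + failures, rate + hours


def beta_moments(a, b):
    """Mean and variance of Beta(a, b)."""
    n = a + b
    return a / n, a * b / (n * n * (n + 1.0))


def gamma_moments(shape, rate):
    """Mean and variance of Gamma(shape, rate)."""
    return shape / rate, shape / (rate * rate)


def worked_example():
    """Return ((demand mean, var), (hourly mean, var)) for the constructed case."""
    # Demand failure: generic mean 1E-3, constructed variance 1E-6,
    # constructed plant record of 3 failures in 500 demands.
    demand_prior = beta_from_moments(1.0e-3, 1.0e-6)
    demand_post = update_demand(demand_prior, failures=3, demands=500)
    # Failure to run: generic mean 9E-5/hr, constructed variance (9E-5)^2,
    # constructed plant record of 0 failures in 20,000 operating hours.
    hourly_prior = gamma_from_moments(9.0e-5, 8.1e-9)
    hourly_post = update_hourly(hourly_prior, failures=0, hours=20000.0)
    return beta_moments(*demand_post), gamma_moments(*hourly_post)


if __name__ == "__main__":
    (d_mean, d_var), (h_mean, h_var) = worked_example()
    print(f"demand failure posterior mean {d_mean:.3e}, variance {d_var:.3e}")
    print(f"run failure posterior mean {h_mean:.3e}/hr, variance {h_var:.3e}")
```

The constructed plant record pulls the demand failure mean above the generic value, while the failure-free run history pulls the hourly rate below it, which is the mechanism by which plant-specific evidence moves the generic WASH-1400 figures in either direction.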

The Millstone 1 IREP study used WASH-1400 data almost exclusively. The only failure data not taken from WASH-1400 were for components not specifically identified in WASH-1400 or components where plant data justified using a plant-specific failure probability instead of the generic data. (All of the components found to be significant contributors to the IREP study dominant accident sequences were modeled using generic WASH-1400 data.)

Table 2.10 lists the failure data used in the two studies for significant components, i.e. those components whose failures are important contributors to the core melt sequences.

For most components, the differences between the data used in the two studies are not significant. There are only three component failures where the differences in the data significantly impacted the quantification of the dominant accident sequences. The failure probability used for AC breakers is significantly lower in the ISAP study than in the IREP study, particularly for 4160V breakers. The ISAP study also used a significantly smaller failure probability for the diesel generator failure (both failure to start and failure to run) and for the gas turbine generator failure to run once started. All of these reduced failure probabilities would reduce the impact of loss of normal power (LNP) accident sequences. These failure probability reductions are a significant reason that the LNP sequences are not as dominant in the ISAP study as they are in the IREP study.

The differences in the remaining component failure probabilities are either insignificant or affect components that do not contribute significantly to dominant accident sequences.

2.3.2 Plant Systems Reliability Analysis

The review of the plant systems reliability analysis performed in the Millstone 1 ISAP study was limited to a review of major differences found between that study and the Millstone 1 IREP study. The system descriptions in the two studies were compared with particular emphasis on system success criteria and the systems dependencies, i.e. support system interfaces.

A detailed analysis of the fault trees was not possible during the time available for the review. However, in some cases changes in the plant design which impacted this part of the analysis were identified. Differences in the identification of systems used in each study are also noted but not necessarily discussed in detail here.

Table 2.10 COMPARISON OF IREP AND ISAP COMPONENT FAILURE DATA

                                            FAILURE ON DEMAND (MEAN)
COMPONENT                                   ISAP           IREP*

MOV (Outside Drywell)
  Fail to open                              4.45E-3        1E-3+
  Fail to close                             3.00E-3        1E-3+
MOV (Inside Drywell)
  Fail to open                              3.79E-3        1E-3+
  Fail to close                             4.90E-3        1E-3+
ECCS Check Valves
  Fail to open                              1.15E-4        [illegible]
  Fail to close                             6.60E-4        --
Feedpump Check Valves
  Fail to close                             2.29E-3        --
All Electric Motor-Driven Pumps
  Fail to start                             -              1E-3
  Fail to run                               -              9E-5/hr
ECCS Pumps
  Fail to start                             7.48E-4
  Fail to run                               7.99E-5/hr
Service Water Pumps
  Fail to start                             7.89E-4
  Fail to run                               3.81E-5/hr
Emergency Service Water Pumps
  Fail to start                             6.41E-3
  Fail to run                               7.99E-5/hr
R.B.C.C.W. Pumps
  Fail to start                             9.24E-4
  Fail to run                               9.71E-6/hr
Shutdown Cooling Pumps
  Fail to start                             2.84E-3
  Fail to run                               9.59E-6/hr
T.B.S.C.C.W. Pumps
  Fail to start                             9.67E-4
  Fail to run                               1.02E-5/hr
Feedwater Pumps
  Fail to start                             9.48E-4
  Fail to run                               1.46E-6/hr
Condensate Booster Pumps
  Fail to start                             1.66E-3
  Fail to run                               5.05E-5/hr
Condensate Pumps
  Fail to start                             1.07E-3
  Fail to run                               8.60E-7/hr
Emergency Condensate Transfer Pumps
  Fail to start                             1.12E-3
  Fail to run                               7.99E-5/hr
C.R.D. Pumps
  Fail to start                             1.57E-3
  Fail to run                               1.58E-6/hr
Diesel-Driven Fire Pumps
  Fail to start                             4.77E-2
  Fail to run                               7.97E-4/hr
Motor-Driven Fire Pumps
  Fail to start                             1.13E-3
  Fail to run                               7.99E-5/hr
4.16KV Breakers
  Fail to operate                           1.34E-4        1E-3+
480V Breakers
  Fail to operate                           6.14E-4        1E-3+
Diesel Generator
  Fail to start                             6.71E-3        3E-2
  Fail to run                               1.12E-3/hr     9E-3
Gas Turbine Generator
  Fail to start                             4.80E-2        3E-2***
  Fail to run                               1.97E-3/hr     9E-3
Battery Charger
  Fails to operate                          1.02E-5        --

* Ref. "IREP - Analysis of the Millstone Point Unit 1 NPP" Vol. 1; Table 7.1 a,b. Data given were based on monthly testing, except where noted. IREP used median values; data has been converted to mean values.
-- Not modeled in the IREP study.
+ A value of 1.6E-2 was used for components tested only during refueling outages; test interval was assumed to be 12,000 hrs.
*** Gas Turbine Generator failure probability was found to be similar to that of Diesel Generator (Ref. "IREP - Millstone Point Unit 1"; Vol. 1, pg. 7-2).

There are two systems where differences in the success criteria used in the ISAP and IREP studies have resulted in significant changes to the calculated system reliabilities. The most important difference is in the success criteria for the Alternate Shutdown Cooling (SDC) System, which is the Containment Cooling (CC) mode of operation of the Low Pressure Coolant Injection (LPCI) system (referred to as LPCI/CC in the Millstone 1 IREP study). This system is one of the long-term cooling systems and uses the Emergency Service Water (ESW) system to remove decay heat. The LPCI system is a two-train system with each train consisting of two pumps and a single heat exchanger (used only in the containment cooling mode). The ESW system consists of two trains with each train consisting of two pumps. Each ESW system train supports only one LPCI train, i.e. two ESW pumps provide flow to one LPCI system heat exchanger; the other two provide flow to the second heat exchanger. The success criteria used in the IREP study for these systems were one LPCI pump operating with the corresponding heat exchanger and one of two corresponding ESW pumps operating. The ISAP study success criteria for these two systems are much more stringent. The ISAP study assumes that one LPCI pump in each train is required and both heat exchangers are needed. To remove the decay heat, the ISAP study uses success criteria that require all four ESW pumps to operate. This change in the success criteria results in a much higher alternate SDC system failure probability in the ISAP study than in the IREP study. The system failure probability used in the ISAP study is nearly two orders of magnitude larger than that used in the IREP study. (No system failure probabilities were provided in the IREP study. The change in system failure probabilities is based on estimated values for the systems in the IREP study. These estimates are derived from the IREP study sequence quantification.) The differences in the system success criteria account for nearly all of the two orders of magnitude difference in system failure probability.

The second system for which different success criteria were used in the two studies is the Service Water System (SWS). In the IREP system reliability analysis, the success criteria for the SWS, under all conditions, require one of the four SWS pumps to be operable. In the ISAP study, the SWS success criteria are sequence dependent. For most sequences, two of four SWS pumps are required, but for the Loss of Normal Power (LNP) sequences the SWS success criteria used were either two pumps operable or one pump operable and valve SW-9 must close. (The closure of this valve sheds loads from the SWS.) This change in system success criteria does not appear to have made a significant difference in the results of these two studies except for the frequency of initiation of a loss of service water transient. The impact on the initiator frequency is discussed in Section 2.1.4.

Some minor differences in the support system interfaces used in the two studies were also found. None of the differences would appear to make a significant difference in the results of the studies.

In the Shutdown Cooling (SDC) system, the ISAP study shows a support system interface where the loss of either DC bus (101A or 101B) would result in the loss of the SDC system. The IREP study model of the system indicated C-that failure of either DC bus would disable only half of the SDC system.

Since the support states where one DC power train is lost do not contribute significantly to the ISAP study results, this difference in support system requirements does not appear to be significant.

O The second difference in support system requirements affects the SWS.

In the ISAP study, the valve that is required to close on an LNP, SW-9, is modeled as being powered from one of the two main AC power trains. In the g IREP study, this valve is modeled as being powered from a bus that could be energized by either of the two AC power trains (a normal supply with an automatic transfer to a backup supply). This difference does not appear to significantly affect the results of either study.

Other than these two differences, the modeling of the support system interactions in the two studies is in agreement. The differences in methodologies, support states versus merged fault trees, have not resulted in differences in the results of the studies. But the different methodologies did result in differences in the way some support systems were modeled. In the IREP study, there was only one AC power fault tree that included vital and instrument AC, and the actuation logic for the ECCS was included in each system fault tree. In the ISAP study, separate support system fault trees were produced for vital AC, instrument AC, and the actuation logic. These differences did not impact the study results.

At least two equipment changes have been made at Millstone 1 since the IREP study that were incorporated into the ISAP study. A change in the LNP reset logic was incorporated that would reduce significantly the impact of logic failures. These logic failures were a significant contributor to the IREP study dominant accident sequences. This modification reduces the importance of LNP initiated sequences in the ISAP study. The second modification was to the makeup valve (ICM-10) to the isolation condenser. The power supply to this valve was changed from AC power to DC power, greatly increasing the reliability of the isolation condenser makeup system, especially during an LNP event. This modification would also reduce the importance of several IREP study LNP sequences.

Finally, the reactor protection system (RPS) was modeled differently in the two studies. The ISAP study used a demand failure probability of approximately SE-5 based on a Bayesian analysis using historical data as of 1979. This is an old analysis and is probably quite conservative. The IREP study used a value of approximately 1E-5 based on detailed fault tree analysis of the system. Common cause mechanical failure was dominant, and there was no contribution from electrical failures. The NRC's ATWS rule (10 CFR 50.62) agrees with the IREP study in that a 1E-5 RPS failure probability is a reasonable estimate for the mechanical failure contribution. (This excludes an additional 2E-5 contribution for electrical failure of the RPS for the RPS design existing at the time of the IREP study. If a plant has alternate rod insertion (ARI), the rules state that these electrical contributions are eliminated. Millstone Unit 1 now has ARI.) It would appear that the ISAP study used a conservative estimate for its RPS failure probability. The impact of this and other competing factors on the ATWS frequency is discussed further in Section 3.3.

2.4 Human Reliability Analysis (HRA)

There are significant differences between the HRAs performed in the IREP study and the ISAP study. In particular, two areas are most significant. First, ISAP separately considered cognitive errors, which are errors in diagnosing and interpreting plant conditions and deciding (in a conceptual sense) what actions are appropriate. In IREP, these types of errors were not explicitly isolated. At the time of IREP, the only useful tool for quantifying human error was the Technique for Human Error Rate Prediction (THERP) (5), a technique which allowed for detailed modeling of procedural-type errors on a step-by-step basis. It considered the concept of decision making errors only as it applied to certain steps within a procedure. Since that time, new understanding of the cognitive errors has been gained, allowing for the quantification of the decision making process from an overall diagnosis of plant conditions outside of the step-by-step procedures. The consideration of cognitive errors in this manner is a major advance in HRA, and is generally recognized by experts as being a vast improvement over THERP. It should be noted that THERP is still recognized as the state of the art for evaluating strictly procedural errors. Two useful tools have been developed for the quantification of cognitive errors: the Time-Reliability Correlation (TRC) model (6), and the Systematic Human Action Reliability Procedure (SHARP) model (7). ISAP makes use of both of these modeling techniques. The use of cognitive modeling in ISAP has a significant effect on the results when compared with IREP. We believe the ISAP methodology is more reasonable.

The second significant difference between the two studies is also related to a change which has taken place since IREP. Millstone Unit 1 has converted its procedures to a new type called "symptom oriented procedures." These procedures are more concise, more understandable, and easier to follow than the procedures which existed at the time of IREP. Thus, procedural errors are less likely to occur during certain key operator actions. This has a significant effect on the ISAP results. In most cases, ISAP has considered procedural errors in addition to cognitive errors. That is, the probability of failing to properly perform the manipulations required (procedural error) was evaluated given that the operator has properly diagnosed the situation (cognitive success). Generally, these errors are incorporated directly into the system failure rate determinations. A significant exception to this, which is discussed in more detail later, is in the ATWS analysis. For some reason, procedural error was not fully considered despite the rapid and complex nature of the actions required.

Even with these differences, the HRA in the ISAP study is quite unsophisticated and for the most part "screening values" are used. The analysis performed was very simplified, and the analysts did not take full advantage of the available modeling tools. Further, there was virtually no detailed documentation of the errors analyzed, either in the summary report or in the QA calculation files at the utility's headquarters. This made the review of the HRA extremely difficult and, even with discussions with the analysts, full of doubts. To a large extent it was only possible to review the results of the HRA by comparing them to alternative screening techniques.

2.4.1 Cognitive Error Modeling

The ISAP study explicitly models cognitive errors of decision-making. This was not done in IREP. These errors represent the incorrect decisions of the operator based on his misunderstanding of plant conditions. This results in the operator failing to enter the appropriate emergency operating procedure (EOP). In IREP, the only operator errors of this general type which were considered were whether the operator correctly read the instrumentation. That is, if he correctly read the meter/annunciators, it was assumed that he entered the correct procedure. Cognitive error modeling accounts for the addition of the possible error that the operator could fail to correctly interpret the instrumentation even if he reads it correctly.

Additionally, the cognitive error concept tends to link together actions which were formerly thought to be relatively independent; i.e., the concept considers that if the operator fails to understand the plant conditions he may take no actions whatever. In the case of the ISAP study, this is particularly important because of the format of the new Millstone 1 procedures. The procedures in force at the time of IREP could be very complex and confusing; however, they had a certain amount of independence in that the operator might take an action to restore a system, even if he thought he didn't need to, just because it was unavailable. The new, symptom oriented procedures are much easier to comprehend and follow, but they are very proscriptive about what the operator should do for a particular plant symptomatic condition. Thus, if the operator fails to correctly interpret the plant condition, he would be set off on a series of tasks or a course of nonaction which would fail to aid his situation. In all, the addition of explicit cognitive error modeling and the switch to symptom oriented procedures has been a significant reason for differences between the IREP and ISAP PRA results.

As mentioned previously, the ISAP study utilized two cognitive modeling techniques for quantifying human reliability: SHARP (7) and TRC (6). The next two sections discuss these techniques and the cognitive errors modeled by each.


2.4.1.1 Time-Reliability Correlation (TRC) Model

A TRC model determines the probability of the operator failing to make a correct decision based on the amount of time the operator has available. The basic premise of the model is that the driving factor in the decision process is how long the operator has to think about it. Further, this factor is generally independent of other factors and constitutes a reasonable basis for selecting a screening human error probability (HEP). In order for an analyst to determine the HEP for a particular decision, he need only determine how long the operator has to take action and pull the corresponding probability off of a time vs. HEP curve. Such curves have been developed by human reliability experts and are published in a number of reports. The ISAP study used a curve from NUREG/CR-3010 (6, Figure 5-2) for quantification.

ISAP used the TRC for evaluating cognitive errors where the amount of time for making the decision exceeded about ten minutes. Five errors were evaluated in this way. These errors are shown in Table 2.11. For those actions which were related to scenarios considered in IREP, the times used in the ISAP study are generally reasonable. For the actions of initiating emergency condensate transfer and conserving batteries (not considered in IREP) the basis for the time frames appears reasonable. It is worth noting, however, that the HEP values used, although taken from an NRC report, do not correspond with the preferred screening values from NUREG/CR-2815, the PSA Procedures Guide (8). The right hand column of Table 2.11 gives the values which would be obtained if the TRC curve from that report is used. Those values are significantly higher and could affect the results of the analysis.

After careful consideration, we have determined that the NUREG/CR-3010 curve used in ISAP is inappropriate for the type of analysis performed. The screening curve from NUREG/CR-2815 should have been used. There are two major reasons for this.

First, the NUREG/CR-3010 curve was developed by a single team of analysts from one organization. Although it is singled out in the report and used in the examples, it is actually only one of several curves discussed in the report. The NUREG/CR-2815 curve, on the other hand, is a consensus curve based on multiple information sources and represents the consensus of a multi-organizational group of experts.

Table 2.11 Human Errors Evaluated Using the Time Reliability Correlation

| Error Description | Time Avail. | ISAP HEP | NUREG/CR-2815 HEP |
|---|---|---|---|
| Operator fails to decide to restore IC makeup (IC operating) | 50 min. | 4.5E-4 | 2E-3 |
| Operator fails to recognize the need to initiate emergency condensate transfer during small-small LOCA w/FW available | 40 min. | 7.0E-4 | 3E-3 |
| Operator fails to recognize the need to manually depressurize during a small LOCA (manual backup to auto actuation) | 10 min. (FW operating) | 1.5E-2 | 0.5 |
| Operator fails to recognize the need to conserve DC batteries by shedding non-essential loads during blackout | 50 min. | 4.5E-4 | 2E-3 |
| Operator fails to recognize the need to restore RPV level during stuck-open S/RV event | 20 min. | 3.5E-3 | 0.1 |

Second, it is apparent from the discussion in NUREG/CR-3010 that the curve selected for use in the ISAP study is not intended for use in a screening analysis. Rather, the use of this curve assumes a detailed human reliability analysis, specifically, the development of an operator action tree (OAT) to represent overall operator response. Additionally, when using this curve it is necessary to specifically evaluate the "thinking time" interval based on the following equation:

$$t_T = t_0 - t_1 - t_a$$

where

$t_T$ = Thinking time

$t_0$ = Overall time from the initiation of an accident sequence to the point by which actions must be completed.

$t_1$ = The time after initiation at which appropriate indications or other clues are given.

$t_a$ = The time it takes to implement the actions decided upon.

This must be done because this curve represents the HEP as a function of thinking time alone. A further consideration when using this curve is the inclusion of modifications to the HEP due to other effects, such as reluctance factors. The ISAP study did not perform these detailed analyses, which should accompany the use of this curve.

On the other hand, the NUREG/CR-2815 curve was specifically intended as a screening curve. Thus, none of the above considerations are necessary when values are used from this curve. Therefore, this curve is much more appropriate for the simplified analysis performed in the ISAP study. It should be noted, however, that the state of the art in TRC has progressed past the use of a single curve. Different curves for various behavioral types and action conditions should be used. But this would require a more detailed HRA than was performed by the ISAP study analysts.
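The difference between reading a curve at the total time available and at the thinking time can be made concrete with the HEP values this review quotes. The sketch below is an added example, not part of the ISAP or IREP studies or the NUREG reports: it interpolates log-log between the time/HEP pairs quoted in Tables 2.11 and 2.12 and in the text (an assumption standing in for the published curves), and the 5-minute values used for t1 and ta are constructed.

```python
"""Screening HEP lookup from time/HEP points quoted in this review (added example)."""
import math
from bisect import bisect_right

# (minutes, HEP) pairs as quoted in this review. Interpolating between them
# is an assumption of this example; it is not the published curve itself.
# Values ISAP read off the NUREG/CR-3010 curve (Table 2.11, "ISAP HEP"):
ISAP_POINTS = [(10, 1.5e-2), (20, 3.5e-3), (40, 7.0e-4), (50, 4.5e-4)]
# Values the reviewers read off the NUREG/CR-2815 screening curve:
SCREENING_POINTS = [(10, 0.5), (15, 0.2), (20, 0.1), (25, 3e-2), (30, 1e-2),
                    (40, 3e-3), (45, 3e-3), (50, 2e-3), (70, 1e-3), (90, 9e-4)]

# Table 2.11 rows: (short label, minutes available).
TABLE_2_11 = [
    ("restore IC makeup", 50),
    ("initiate emergency condensate transfer", 40),
    ("manually depressurize, small LOCA", 10),
    ("conserve DC batteries", 50),
    ("restore RPV level, stuck-open S/RV", 20),
]


def thinking_time(t0, t1, ta):
    """t_T = t_0 - t_1 - t_a, all in minutes."""
    t_think = t0 - t1 - ta
    if t_think <= 0:
        raise ValueError("no time left to think: t1 + ta >= t0")
    return t_think


def interpolate_hep(points, minutes):
    """Log-log interpolation between tabulated points; never extrapolates."""
    times = [t for t, _ in points]
    if not times[0] <= minutes <= times[-1]:
        raise ValueError(f"{minutes} min is outside the tabulated range")
    i = bisect_right(times, minutes)
    if i == len(times):  # exactly the last tabulated time
        return points[-1][1]
    (t_lo, p_lo), (t_hi, p_hi) = points[i - 1], points[i]
    frac = math.log(minutes / t_lo) / math.log(t_hi / t_lo)
    return math.exp(math.log(p_lo) + frac * math.log(p_hi / p_lo))


def hep_with_thinking_time(points, t0, t1, ta):
    """Read the curve at the thinking time instead of the total time."""
    return interpolate_hep(points, thinking_time(t0, t1, ta))


def compare_table_2_11():
    """Return (label, minutes, ISAP HEP, screening HEP, ratio) per row."""
    rows = []
    for label, minutes in TABLE_2_11:
        isap = interpolate_hep(ISAP_POINTS, minutes)
        screening = interpolate_hep(SCREENING_POINTS, minutes)
        rows.append((label, minutes, isap, screening, screening / isap))
    return rows


if __name__ == "__main__":
    for label, minutes, isap, screening, ratio in compare_table_2_11():
        print(f"{label:42s} {minutes:3d} min  ISAP {isap:.1e}  "
              f"screening {screening:.1e}  x{ratio:.1f}")
    # Constructed case: 40 min total, 5 min until cues appear, 5 min to act.
    at_total = interpolate_hep(ISAP_POINTS, 40)
    at_think = hep_with_thinking_time(ISAP_POINTS, t0=40, t1=5, ta=5)
    print(f"read at total time: {at_total:.1e}, at thinking time: {at_think:.1e}")
```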


As mentioned above and shown in Table 2.11, the values obtained using NUREG/CR-2815 are significantly higher than used in ISAP. The use of these higher values would affect the ISAP results in two cases. These cases are the second and last human errors shown on Table 2.11. The use of an HEP of 3E-3 for the second error (instead of 7E-4) would create a new dominant sequence, described as follows:

o Small-small LOCA
o Feedwater continues operating post-trip
o Operator fails to initiate emergency condensate transfer
o Feedwater trips on low hotwell level

The frequency of this sequence would be 3E-5 and it would fall into plant damage state SEl. This would increase the frequency of this plant damage state by a factor of 2 to 3 and would increase the frequency of small-small break core melt by a factor of 1 to 2. Overall, the total plant core melt frequency would increase by less than 5%.

The use of an HEP of 0.1 for the last error (instead of 3.5E-3) would also create a new dominant sequence, described as follows:

o Inadvertent opening of an S/RV
o FW fails post trip
o Operator fails to recognize the need to restore RPV level

The frequency of this sequence would be 2E-5 and it would fall into plant damage state TEl. This would increase the frequency of this plant damage state by less than 10% and would increase the frequency of core melt due to inadvertent opening of an S/RV by a factor of less than 2. Overall, the total core melt frequency would increase by less than 5%.

2.4.1.2 Systematic Human Action Reliability Procedure (SHARP)

The SHARP method of cognitive error quantification differs from the TRC method in the selection of the driving factor behind human performance. Whereas the TRC method considers the time available as the driving factor, the SHARP method considers the type of action and the expected behavior. SHARP is generally a time-independent model although time-reliability curves can be integrated into SHARP. The screening process used in ISAP calls for generating human error probabilities based on the type of action and the expected behavior.

In this model, three human behavior categories are defined. These are: skill-based, rule-based and knowledge-based behavior. The classification of each human action in the ISAP study into one of these categories is based on the following definitions:

o The behavior can be classed as skill-based if the operator is well trained, is motivated to perform the task, and has experience in performing the task.

o The behavior can be classed as rule-based if the operator has a clearly understood set of rules to follow in responding to a well-understood transient or situation.

o The behavior can be classed as knowledge-based if the above do not apply or the operator must understand the condition of the plant, interpret some of the instrument readings, or make a difficult diagnosis.

Figure 2.1 is a reproduction of Figure 4.2-3 of the Millstone Unit 1 PSS. This figure shows the logic that was used by each analyst in classification of different human action into one of the above categories. This guideline was used so that the classification done by different analysts is performed in a consistent manner. It should be noted, however, that a certain amount of "analyst creativity" is required in using this logic tree. For example, a nonroutine operation which is covered by a well written, understandable procedure might still be classified as knowledge-based if the amount of time available is short. In this case, the operator may not have time to access the procedure, which would make the operation equivalent to one which lacked a procedure.

[Figure 2.1. Logic tree for classifying human actions as skill-based, rule-based, or knowledge-based (reproduction of Figure 4.2-3 of the Millstone Unit 1 PSS)]

Following the classification of each human action, the human error probabilities were found using the values reported in Appendix A of the SHARP report (7). To achieve a screening value for a behavior type from the range of values given in Reference 7, a log-normal distribution was assumed for each range of values. The mean and variance for the human error probabilities in each of these categories used in the ISAP study are shown below:

| Behavior Type | Mean | Variance |
|---|---|---|
| Skill-based | 1.3E-3 | 1.08E-5 |
| Rule-based | 1.3E-2 | 1.08E-3 |
| Knowledge-based | 1.3E-1 | 1.08E-1 |

It should be noted that the ISAP study application of SHARP was very simplified. SHARP is intended to be a tool for developing a detailed model of human response, which could include such things as operator action event trees (OAET), THERP trees, and time reliability correlations (TRC). Thus, the HRA analysts did not take advantage of the true power of SHARP, and it is questionable whether the simplified analysis was reasonable as a screening analysis. However, as discussed further in this section, the results obtained are generally (and possibly accidentally) comparable to those expected from other screening techniques and expert judgment.

The human errors evaluated by SHARP are shown on Table 2.12. Each of these errors was evaluated using SHARP because the operator decision time was assessed to be less than about ten minutes. The most important of these errors is the first one shown on the table. This is the error of the operator failing to recognize that the RPV level is decreasing and that he must respond to it. This error is important for two reasons. First, it appears on virtually all of the event trees because level is the key indicator that there is a problem at the plant (this is true of all BWRs). Second, because of the concept of cognitive errors and the new Millstone procedures, if the operator fails to recognize the need to respond and thus does not enter the level control procedure, it is assumed that he will not take any actions to actuate or recover any systems which could be used to prevent core melt. The ISAP study assumed that this decision had to be made within ten minutes (or in some cases even less) because part of the response includes manually initiating the isolation condenser. If the operator does not do this within ten minutes, it will actuate automatically. We believe that it would have been more reasonable to use time frames which reflect the actual times available. By way of comparison with this alternative approach, Table 2.12 shows estimated actual time frames available to the operator for the three sequence scenarios (Cases A-C) in which this error appears. The time frames shown are the times available for action to prevent core uncovery and core melt. They are taken directly from the ISAP study, where they were used in the station blackout analysis to evaluate offsite power recovery. The core melt time frames, which are what we are interested in, are in general agreement with the time frames used for the same scenarios in the IREP study. Using the TRC curve from NUREG/CR-2815, we get HEPs for the three cases for preventing core melt of 0.03, 0.003, and 0.0004. The HEP used for all cases in the ISAP study is the rule-based value 0.013. Obviously, the CR-2815 values are relatively close to the ISAP value in the overall sense. Further, the contribution from each of the three cases is approximately equal in the ISAP study (i.e., the three ways of reaching the point where this decision is required, failure of S/RVs to reseat, failure of IC, and failure of IC makeup, have approximately the same probability) and thus the average of the three HEP values mentioned above (which is equal to 0.011) is a reasonable approximation of the composite HEP. Thus, using another approach yields the same number, and we can conclude from this that the value used for this extremely important cognitive error is reasonable.

Table 2.12 Human Errors Evaluated Using the Systematic Human Action Reliability Procedure

| Error Description | Basis | ISAP HEP | Est. Actual Time Avail. | NUREG/CR-2815 HEP |
|---|---|---|---|---|
| Operator fails to recognize the need to restore RPV level (transient and small-small LOCA) | Rule | 1.3E-2 | Sequence dependent | |
| Case A: Stuck Open S/RV Small-Small LOCA | | | Core uncovery: 15 min | 0.2 |
| | | | Core melt: 25 min | 3E-2 |
| Case B: IC Fails | | | Core uncovery: 25 min | 3E-2 |
| | | | Core melt: 45 min | 3E-3 |
| Case C: IC Makeup Fails | | | Core uncovery: 70 min | 1E-3 |
| | | | Core melt: 90 min | 9E-4 |
| Operator fails to recognize the need to disregard the indicated level and flood the RPV when drywell temperature reaches RPV saturation temperature (operator throttles or terminates injection based on erroneous high RPV level indication due to reference leg flashing) | Skill (small & small-small LOCA) | 1.3E-3 | Initial error + 30 min recovery | 4 1E-3 |
| | Rule (large LOCA) | 1.3E-2 | | |
| Operator fails to recognize the need to reduce core power following ATWS (w/PCS available) before loss of condenser vacuum | Rule | 1.3E-2 | 3 min | N/A |
| Operator fails to recognize the need to provide for long term decay heat removal (ATWS w/PCS available) | Rule | 1.3E-2 | 60 min | 4 1E-3 |
| Operator fails to recognize the need to reduce core power before torus heats up to 110°F (ATWS w/PCS failed) | Knowledge | 1.3E-1 | 3 min | N/A (ATWS Rule = 0.5) |
| Operator fails to recognize the need to keep RPV pressure below heat capacity temperature limit of the torus (ATWS w/PCS failed) | Knowledge | 1.3E-1 | 15 min | 2E-1 |

The next error shown in Table 2.12 is significant in that it considers cognitive operator error of commission. That is, the operator takes an action which is detrimental to the mitigation of an accident due to his misinterpretation of plant conditions. This type of error is seldom considered in a risk assessment, although it has the potential to be significant. The values used in the ISAP study are reasonable for screening purposes given that we expect there to be around 30 minutes after the erroneous action for the operator to recover. From the NUREG/CR-2815 TRC curve, 30 minutes corresponds to an HEP of 0.01. This must be combined with the HEP for initially making the error. Even if this were as high as 0.1, which is doubtful, the total expected HEP would be 0.001. Thus, we expect that the values used in ISAP are probably conservative and even being so, they do not have a significant effect on the results. Therefore, further detailed analysis is not warranted.

The next two cognitive errors involve response to ATWS with PCS available. The first action is somewhat complex in total, i.e., many actions are required, but the only task which is essential in the immediate term is to trip the recirculation pumps. If the operator succeeds in doing that, the PCS will automatically maintain adequately safe conditions until the other actions are completed. No HEP is available from NUREG/CR-2815 for a time frame this short; however, it is our opinion that the HEP used for ISAP is a reasonable screening number. In our opinion, this is because the action is an automatic response to observing that rod bottom lights for the control rods are not present. It is an intuitive rather than diagnostic/interpretative action, and an HEP of about 1 in 100 trials seems reasonable. For the second error, the result appears conservative since the operator would have a long time to provide for decay heat removal. However, this error does not contribute to core melt, and so it is sufficient to note that we do not feel it is too low.

The final two errors in Table 2.12 pertain to operator diagnosis of the need to take certain actions during an ATWS with the PCS unavailable. While the actions are in some ways related, they are considered separately because the symptoms which direct the operator to enter a particular procedure are independent. That is, the procedure the operator enters to reduce core power does not specifically direct the operator to the containment temperature control procedure. The need to perform those actions must be realized separately. Again, for the actions required within three minutes, which are very complex and in this case cannot be delayed as in the PCS available case, no NUREG/CR-2815 values can be obtained. However, on an intuitive basis the value used is not unreasonable. We would expect that the operator would recognize the ATWS very quickly and have some time to decide on a proper course of action. Thus, the ISAP number is generally reasonable. For the other operator decision required (torus heat capacity), the ISAP value used is in general agreement with the value obtained from the NUREG/CR-2815 TRC curve. We do note that the ATWS rule uses a value of 0.5 as the HEP for the operator failing to initiate the procedures in time. This value includes both the cognitive errors discussed above. The total ISAP HEP for both errors is 0.26, only a factor of two smaller than the ATWS rule number. This also supports to some extent the ISAP values, since the generic value in the rule is generally recognized as being somewhat conservative.


2.4.2 Procedural Error Modeling

In addition to cognitive errors, the ISAP study also considered procedural errors. These are the errors which take place after the operator has diagnosed the situation, has selected the proper procedure, and is actually trying to perform the required actions. These errors were evaluated at the systems level (i.e., essentially considered in the system fault trees) as was done in the IREP study.

As far as we can ascertain from the limited information available, the ISAP study used two HEP values for procedural errors. A HEP of 0.0013 was used for control room actions involving simple manipulations or systems with which the operators are very familiar. An HEP of 0.013 was used for actions outside the control room or for control room actions which were complex or unfamiliar. These values are essentially identical to the suggested screening values for procedural error given in NUREG/CR-2815 (0.001 for procedural error with recovery potential, common for control room actions, and 0.01 for procedural error without recovery potential, common for outside control room actions). Thus, these values appear reasonable, and our review indicates that these errors have very little effect on the results.

The one notable exception to this general conclusion is for ATWS with PCS unavailable. As noted in the previous section, the cognitive error modeling for this scenario is reasonable. However, despite the fact that the required actions to reduce water level are complex, no consideration was given to procedural error. The only procedural error considered was failure to properly initiate SLCS (0.013) which is the simple part of the procedure. The ATWS rule gives a HEP value of 0.1 in this situation for failing to reduce power properly while maintaining RPV water level above the top of active fuel. Thus, we believe that this procedural error could be a measurable contributor to ATWS core melt, and its exclusion in the ATWS analysis is unacceptable. In the absence of a detailed analysis, it is our opinion that a screening value of 0.13 should have been used for this error. The significance of this conclusion is discussed in Section 3.3.

3.0 RESULTS AND INSIGHTS INTO MAJOR CONTRIBUTORS TO THE CORE MELT FREQUENCY

In this section, a comparison between the results of the ISAP and IREP studies will be presented. This is done by performing a detailed comparison between the ISAP and IREP dominant accident sequences to find out the major differences between similar sequences and the significance of these differences with respect to the overall core melt frequency associated with the operation of the plant. This comparison is presented in Section 3.1. The results of this analysis are used in Section 3.2 to provide overall insights into the major contributors to the ISAP core melt frequency. Section 3.3 focuses on a few areas where changes to the current system configurations or procedures could conceivably result in major impacts on the plant's dominant accident sequences and overall core melt frequency.

3.1 Comparison Between ISAP and IREP Dominant Accident Sequences C ,

To better understand the major contributors to core melt frequency at the system level, a detailed analysis of the most dominant ISAP core melt sequences was performed. This was done by closely looking at the ISAP dominant core melt sequences and comparing them with the corresponding IREP dominant core melt sequences. The comparison was done by looking at the sequence of events, the effect of methodologies on identifying the sequence of events, and the core melt frequency. With respect to core melt frequency, the ISAP calculations are done using mean component failure data whereas the IREP calculations are done using median values. To compare the sequence frequencies in the two studies, a simple conversion factor was used to convert the IREP results based on the following argument. Most of the generic component failure probabilities have been developed by assuming that the components have a log-normal failure rate distribution. These data in most cases have an error factor of either 3 or 10. For components with an error factor of 3, the mean value is 1.25 times the median value. For components with an error factor of 10, the mean value is 2.66 times the median value. Since the components contributing to failure of different systems are a combination of those with an error factor of 3 and 10, a multiplier of 2 was used to convert the median IREP core melt frequencies to mean values. Note that the objective of comparing similar ISAP and IREP core melt frequencies is to identify those sequences that have large (order of magnitude) differences and focus on the basic reasons for these kinds of difference. With the level of uncertainty associated with most component failure data, much finer comparison does not provide any meaningful insights.

With this fact in mind, Table 3.1 presents the dominant accident sequences found in the ISAP study along with the corresponding IREP dominant accident sequences. The sequences are grouped by their common initiator, where the ISAP sequence numbers in the first column correspond to the sequence numbers identified in Table 5.3-5 of the Millstone Unit 1 Probabilistic Safety Study (2). A brief analysis of each sequence follows.
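The median-to-mean conversion argument in this section can be checked numerically. The following Python code is an added example, not part of the original report: it derives the mean-to-median ratio of a log-normal distribution from its error factor, applies the report's multiplier of 2 to IREP median frequencies read from Table 3.1, and flags order-of-magnitude differences. It assumes the error factor is the ratio of the 95th percentile to the median; the function names are illustrative.

```python
"""Log-normal median-to-mean conversion and order-of-magnitude screening.

Added example; function names are illustrative and not from the report.
"""
import math
from statistics import NormalDist

# Assumption: the error factor (EF) is the 95th percentile divided by the
# median, so ln(EF) = z95 * sigma for a log-normal distribution.
Z95 = NormalDist().inv_cdf(0.95)  # about 1.645


def lognormal_sigma(error_factor):
    """Standard deviation of ln(X) implied by the error factor."""
    if error_factor <= 1.0:
        raise ValueError("error factor must be greater than 1")
    return math.log(error_factor) / Z95


def mean_to_median_ratio(error_factor):
    """For a log-normal distribution, mean / median = exp(sigma^2 / 2)."""
    return math.exp(lognormal_sigma(error_factor) ** 2 / 2.0)


# Multiplier the report applies to IREP median core melt frequencies.
REPORT_MULTIPLIER = 2.0

# ISAP sequence number -> (ISAP mean frequency, IREP median frequency).
# Values read from Table 3.1; only rows with a numeric IREP median are used.
TABLE_3_1 = {
    2: (7.0e-5, 8.0e-5),
    3: (3.7e-5, 1.3e-4),
    15: (8.6e-6, 2.9e-5),
    16: (4.5e-5, 2.0e-6),
}


def screen(rows, multiplier=REPORT_MULTIPLIER, decades=1.0):
    """Convert IREP medians to means and flag large ISAP/IREP differences.

    A sequence is flagged when the ISAP mean and the converted IREP mean
    differ by at least `decades` orders of magnitude in either direction.
    """
    results = {}
    for seq, (isap_mean, irep_median) in rows.items():
        irep_mean = irep_median * multiplier
        log_ratio = math.log10(isap_mean / irep_mean)
        results[seq] = {
            "irep_mean": irep_mean,
            "log10_ratio": log_ratio,
            "flagged": abs(log_ratio) >= decades,
        }
    return results


if __name__ == "__main__":
    for ef in (3, 10):
        print(f"EF={ef}: mean/median = {mean_to_median_ratio(ef):.2f}")
    # Repeat the screen with the report's multiplier and with the two
    # bounding ratios, to show how the flag depends on the conversion.
    for label, mult in (("EF=3 ratio", mean_to_median_ratio(3)),
                        ("report", REPORT_MULTIPLIER),
                        ("EF=10 ratio", mean_to_median_ratio(10))):
        flagged = [s for s, r in screen(TABLE_3_1, mult).items() if r["flagged"]]
        print(f"multiplier {mult:.2f} ({label}): flagged sequences {flagged}")
```

With the report's multiplier only sequence 16 crosses the one-decade threshold, and it drops just below that threshold if the error-factor-10 ratio is used instead, which illustrates why the report restricts the comparison to order-of-magnitude differences.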

For sequence number 2, the ISAP and IREP sequences are fairly similar. The frequency of the ISAP sequences is lower than IREP principally due to reductions in the failure probabilities of several components, namely, the diesel generator, gas turbine, and AC breakers previously shown in Table 2.10. In addition, modification to LNP logic circuits to eliminate single relay failures, and to IC makeup to remove AC dependency from the makeup admission/control valve, also helped to reduce the sequence frequency.

The same comments are applicable to sequence number 3 except that the LNP logic modifications have no effect here. Also, changes in the emergency operating procedures have reduced the chance of operator error in failing to depressurize the Reactor Pressure Vessel (RPV) and use the available low pressure pumps.

In sequence number 8 the contribution to core melt frequency is similar in both the ISAP and IREP studies. Competing differences have opposite effects. Reduction in failure rates of the gas turbine and switchgear breakers, and a modification to the IC makeup admission valve power supply tend to reduce the frequency of the ISAP sequences. However, a change in the alternate Shutdown Cooling (SDC) system success criteria, which requires both trains of Low Pressure Coolant Injection (LPCI) system and all four Emergency Service Water (ESW) pumps, increases the frequency of the ISAP sequence. The change in the success criteria of the alternate SDC system has substantially (by about two orders of magnitude) increased the probability of failure of this system and its contribution to the total core melt frequency. This is one of the areas that will be discussed in more detail in Section 3.3.

Table 3.1 Comparison Between ISAP and IREP Dominant Accident Sequences

ISAP Seq. # 2
Initiator: LNP
Failure of Support Systems: Station AC Blackout (Only DC buses are energized)
Sequence Description:
  o Correct cognitive decision to initiate IC and restore normal power.
  o S/R valves reclose. IC is initiated. IC makeup fails and AC power not restored before CM initiates (i.e., within 90 minutes).
    OR
    S/R valves reclose. IC initiation and restoration fail, and AC power not restored before CM initiates (i.e., within 45 minutes).
    OR
    S/R valve sticks open and AC power not restored before CM initiates (i.e., within 25 minutes).
ISAP Frequency (Mean): (7.0E-5)
IREP Sequence*: T4LCEFG(9), T4KCEFG(3), T4JCEFG(2)
IREP Frequency, Median (Mean): 8.0E-5 (1.6E-4)

ISAP Seq. # 3
Initiator: LNP
Failure of Support Systems: None OR AC Bus 14E
Sequence Description:
  o Cognitive error in decision not to restore RPV level.
  o S/R valves reclose and auto IC initiation or IC makeup failed.
    OR
    S/R valve sticks open.
  o Auto FWCI initiation failed. Random failure for SS#1. Failure given (Q = 1) for SS#3. (No other auto system is available.)
ISAP Frequency (Mean): (3.7E-5)
IREP Sequence*: T4KCD(4), T4LCD(5), T4JCD(1)
IREP Frequency, Median (Mean): 1.3E-4 (2.6E-4)

ISAP Seq. # 8
Initiator: LNP
Failure of Support Systems: AC Bus 14E
Sequence Description:
  o Correct cognitive decision to restore RPV level.
  o S/R valves reclose and initiation and restoration of IC or IC makeup fails.
    OR
    S/R valve sticks open.
  o FW fails (given).
  o Manual depressurization is successful.
  o Low pressure pumps inject.
  o Off-site AC power recovery fails.
  o 14E bus energized by cross-connection to diesel generator.
  o SDC fails. (Note: FW and circulating water pumps cannot be loaded on the diesel generator. Therefore, the main condenser is not credited. Also, both trains of the alternate SDC cannot be powered by the diesel.)
ISAP Frequency (Mean): (6.5E-5)
IREP Sequence*: T4KCMG(12), T4LCMG(10), T4JCMG(8)
IREP Frequency, Median (Mean): 2.9E-5 (5.8E-5)

ISAP Seq. # 15
Initiator: LNP
Failure of Support Systems: AC Bus 14E
Sequence Description:
  o Correct cognitive decision to restore RPV level.
  o S/R valves reclose. Initiation and restoration of IC or IC makeup fails.
    OR
    S/R valve sticks open.
  o FW failed given (Q = 1.0) for SS#3.
  o Manual depressurization is successful.
  o Low pressure pumps inject.
  o Off-site AC recovery fails.
  o Energizing AC bus 14E by cross-connection fails.
  o SDC fails. (Note: The main condenser cannot be used unless FW is operating. Also, both trains of the alternate SDC cannot be powered by the diesel generator.)
ISAP Frequency (Mean): (8.6E-6)
IREP Sequence*: T4KCMG(12), T4LCMG(10), T4JCMG(8)
IREP Frequency, Median (Mean): 2.9E-5 (5.8E-5)

ISAP Seq. # 9
Initiator: LNP
Failure of Support Systems: AC Bus 14E
Sequence Description:
  Same as in sequence #8, except:
  o Off-site AC power recovery succeeds.
  o Restoration of main condenser and IC makeup fails. (The latter is credited only in sequences where the S/R valves have reclosed.)
  o SDC and alternate SDC fail.
ISAP Frequency (Mean): (4.0E-5)
IREP Sequence*: None

LNP Total
ISAP Frequency (Mean): (2.20E-4)
IREP Frequency, Median (Mean): 2.39E-4 (4.78E-4)

ISAP Seq. # 7
Initiator: Small Break LOCA
Failure of Support Systems: None
Sequence Description:
  o Blowdown steam condenses in torus as vacuum breakers remain closed.
  o FW continues to run and maintains RPV level for short time until it trips on low hotwell level.
  o Correct cognitive decision to switch to low pressure pumps.
  o Core spray pumps inject and operator correctly maintains RPV level.
  o Containment cooling (i.e., torus cooling) fails. (No other system is adequate to provide long-term decay heat removal following a small break.)
ISAP Frequency (Mean): (1.6E-4)
IREP Sequence*: (ILR)CG, (ISB)CEG
IREP Frequency, Median (Mean): <E-6

ISAP Seq. # 1
Initiator: Loss of Feedwater
Failure of Support Systems: None
Sequence Description:
  o S/R valves reclose and auto IC initiation fails.
    OR
    S/R valve sticks open.
  o Cognitive error in decision not to restore RPV level. (No other auto system is available.)
ISAP Frequency (Mean): (7.6E-5)
IREP Sequence*: T3tD, T3J3
IREP Frequency, Median (Mean): <E-6

ISAP Seq. # 12
Initiator: Loss of Feedwater
Failure of Support Systems: None
Sequence Description:
  o S/R valves reclose, auto initiation of IC and IC makeup fails.
    OR
    S/R valve sticks open.
  o Correct cognitive decision to restore RPV level.
  o Restoration of IC or IC makeup fails (credited only in sequences where S/R valves reclose).
  o Restoration of FW fails.
  o Manual depressurization is successful.
  o Low pressure pumps inject.
  o SDC and alternate SDC fail.
ISAP Frequency (Mean): (2.1E-5)
IREP Sequence*: T3KMG, T3LMG, T3JMG
IREP Frequency, Median (Mean): <E-6

Loss of Feedwater Total
ISAP Frequency (Mean): (9.7E-5)
IREP Frequency, Median (Mean): <E-6

ISAP Seq. # 4
Initiator: Reactor Transients
Failure of Support Systems: None OR AC Bus 14E
Sequence Description:
  o FW fails to run post scram. Random failure for SS#1. Failure given (Q = 1) for SS#3.
  o Cognitive error in decision not to restore RPV level.
  o S/R valves reclose and auto IC initiation or IC makeup fails.
    OR
    S/R valve sticks open.
ISAP Frequency (Mean): 3.5E-5
IREP Sequence*: T1,2KCD, T1,2LCD, T1,2JCD
IREP Frequency, Median (Mean): <E-6

ISAP Seq. # 11
Initiator: Reactor Transients
Failure of Support Systems: None OR AC Bus 14E
Sequence Description:
  o FW fails to run post scram. Random failure for SS#1. Failure given (Q = 1) for SS#3.
  o Correct cognitive decision to recover RPV level.
  o FW restoration fails. Random failure for SS#1. Failure given (Q = 1) for SS#3.
  o S/R valves reclose. Initiation and restoration of IC and IC makeup fails.
    OR
    S/R valve sticks open.
  o Manual depressurization is successful.
  o Low pressure pumps inject.
  o AC bus 14E energized by cross-connection (credited only for SS#3 case).
  o SDC and alternate SDC fail.
ISAP Frequency (Mean): (3.2E-5)
IREP Sequence*: T1,2KCMG, T1,2LCMG, T1,2JCMG
IREP Frequency, Median (Mean): (<E-6)

ISAP Seq. # 16
Initiator: Reactor Transients
Failure of Support Systems: None
Sequence Description:
  o FW continues to operate post scram.
  o The main condenser is isolated as a heat sink due to MSIV closure post scram.
  o S/R valves reclose, initiation and restoration of IC or IC makeup fails.
    OR
    S/R valve sticks open.
  o Restoration of the main condenser fails.
  o SDC and alternate SDC fail.
ISAP Frequency (Mean): (4.5E-5)
IREP Sequence*: T2tMG, T2HLNG(21), T2JMG
IREP Frequency, Median (Mean): 2.0E-6 (4.0E-6)

ISAP Seq. # 5
Initiator: Reactor Transients
Failure of Support Systems: AC Bus 14E and 14F. Both fail to fast transfer post scram, i.e., station AC blackout - only DC buses (both) energized.
Sequence Description:
  o FW fails (given).
  o Correct cognitive decision to restore and stabilize RPV level.
  o S/R valves reclose and initiation and restoration of IC or IC makeup fails.
    OR
    S/R valve sticks open. (No other system is available.)
ISAP Frequency (Mean): 1.4E-5
IREP Sequence*: T1,2KCEFG, T1,2LCEFG, T1,2JCEFG
IREP Frequency, Median (Mean): <E-6

Reactor Transients Total
ISAP Frequency (Mean): 1.26E-4
IREP Frequency, Median (Mean): 2.0E-6 (4.0E-6)

ISAP Seq. # 6
Initiator: Small-Small Break LOCA
Failure of Support Systems: None
Sequence Description:
  o Blowdown steam condenses in torus as vacuum breakers remain closed.
  o FW continues to run post scram.
  o Cognitive error in decision not to start condensate transfer pump (to replenish the hotwell) or use low pressure pumps.
  o FW eventually trips on low hotwell level (given).
ISAP Frequency (Mean): 6.9E-6
IREP Sequence*: (SB)CD
IREP Frequency, Median (Mean): <E-6

ISAP Seq. # 14
Initiator: Small-Small Break LOCA
Failure of Support Systems: None
Sequence Description:
  o Blowdown steam condenses in torus as vacuum breakers remain closed.
  o FW continues to run post scram.
  o Correct cognitive decision to start emergency condensate pump.
  o Emergency condensate pump starts and transfers inventory from the CST to the hotwell.
  o Operator fails to disregard the indicated level when the drywell temperature reaches the RPV saturation temperature and therefore prematurely terminates or throttles injection.
ISAP Frequency (Mean): 1.35E-5
IREP Sequence*: (SB)CD
IREP Frequency, Median (Mean): <E-6

ISAP Seq. # 18
Initiator: Small-Small Break LOCA
Failure of Support Systems: None
Sequence Description:
  o Blowdown steam condenses in torus as vacuum breakers remain closed.
  o FW continues to operate post scram.
  o Correct cognitive decision to start emergency condensate transfer pump.
  o Emergency condensate transfer pump starts and transfers inventory from the CST to the hotwell.
  o Correct cognitive decision to disregard the indicated RPV level when the drywell heats up to RPV saturation temperature.
  o Restoration of the main condenser fails.
  o SDC and alternate SDC fail.
ISAP Frequency (Mean): 8.3E-6
IREP Sequence*: (58)ft
IREP Frequency, Median (Mean): <E-6

Small-Small Break LOCA Total
ISAP Frequency (Mean): 2.87E-5
IREP Frequency, Median (Mean): <E-6

ISAP Seq. # 10
Initiator: Loss of Service Water System
Failure of Support Systems: None except the SWS
Sequence Description:
  o Correct cognitive decision to restore RPV level.
  o S/R valves reclose, initiation and restoration of IC or IC makeup fails.
    OR
    S/R valve sticks open.
  o Manual depressurization is successful.
  o Low pressure pumps inject.
  o Alternate SDC fails. (Note: both FW and SDC are unavailable due to loss of SW.)
ISAP Frequency (Mean): 3.4E-5
IREP Sequence*: T3tMG, T3tRG, T3MG
IREP Frequency, Median (Mean): <E-6

ISAP Seq. # 17
Initiator: Inadvertent Opening of a Safety/Relief Valve
Failure of Support Systems: None
Sequence Description:
  o FW continues to operate post scram.
  o MSIVs close post scram due to low pressure, isolating the main condenser as a heat sink.
  o Restoration of the main condenser fails.
  o SDC and alternate SDC fail.
ISAP Frequency (Mean): 1.9E-5
IREP Sequence*: T5MMG, T5"G
IREP Frequency, Median (Mean): <E-6

ISAP Seq. # 13
Initiator: Large Break LOCA
Failure of Support Systems: None
Sequence Description:
  o Blowdown steam condenses in torus as vacuum breakers remain closed.
  o ECCS signal is generated.
  o Core spray pumps start and inject automatically.
  o Correct operator decision to disregard indicated high level when the drywell heats up to RPV saturation condition.
  o Containment cooling (i.e., torus cooling) fails. (No other system is adequate to provide long-term decay heat removal following a large break.)
ISAP Frequency (Mean): 1.6E-5
IREP Sequence*: (LLB)G
IREP Frequency, Median (Mean): <E-6

* Numbers in parentheses indicate IREP sequence core melt ranking from IREP study.

Sequence number 15 is very similar to sequence number 8, so the same comments apply.

For ISAP sequence number 9, there is no equivalent IREP sequence. This is due to the fact that IREP did not treat situations where LNP followed by recovery of offsite power could result in core melt. The assumption was made in IREP that recovery would successfully terminate the sequence. Consideration of this scenario along with an increased failure rate of the alternate SDC system due to a change in its success criteria mentioned above have made this sequence dominant.

Overall the LNP sequences in the ISAP and IREP studies are fairly similar. When there are differences in the frequency of similar core melt sequences, they are principally due to either the lower plant-specific component failure probabilities for the diesel generator, gas turbine, and AC circuit breakers or higher unavailability for the alternate SDC system due to the revised success criteria for this system.

The next sequence in Table 3.1 is the Small Break LOCA, sequence number 7. This ISAP break size combines the IREP intermediate breaks with the upper end of the IREP small breaks. The contribution from this sequence is dominant in the ISAP study because of the change in the success criteria for containment cooling (alternate SDC system) which was mentioned previously.

The next two sequences are initiated by loss of the feedwater system. In sequence number 1 the IREP study treated recovery of feedwater and the use of manual depressurization with low pressure pumps as two distinct operator actions. The ISAP study considered the cognitive-based error of the operator failing to make the correct diagnosis of the need to restore RPV level. This linked the two actions to a single root cause, which resulted in a higher combined failure probability in the ISAP study. This was somewhat counteracted by a decrease in initiating event frequency, but the combined effect was to make this sequence dominant.

It is important to note that inclusion of cognitive human error on the event trees is one of the major differences between the ISAP and IREP accident sequence development methodology. As mentioned above, this change has resulted in a larger combined human error probability with significant effect on the dominant accident sequences and overall core melt frequency. Another important point about this sequence is the need for manual depressurization of the RPV before any low pressure pumps can be used. The automatic depressurization at Millstone Unit 1 requires coincident indication of low-low RPV level, high drywell pressure, and a two minute persistence of the low-low water level. In addition there must be an indication of at least one low pressure ECCS pump running. Thus, in all the non-LOCA sequences where there would be no high drywell pressure, the automatic depressurization will not be initiated. This implies that if there is an operator cognitive error in restoring the RPV level, the whole low pressure injection system consisting of LPCI and core spray pumps would be defeated. This brings up the possibility of addition of automatic depressurization for non-LOCA sequences, which is another area discussed in more detail in Section 3.3.

The progression of events in sequence number 12, which is the second loss of feedwater sequence, is very similar in the ISAP and IREP studies. The main difference in the sequence frequencies is due to the higher failure probability of the alternate SDC system, discussed earlier.

The next four sequences are Reactor Transient Sequences. In sequence number 4, the progression of events in the ISAP and IREP sequences is similar. The major reason for the ISAP sequence being more dominant is the cognitive human error in failing to restore the RPV level which combines several human error failures that are considered separately in the IREP sequences. This was discussed previously for sequence number 1. The higher probability of failure assigned to this cognitive error is the prime contributor to its higher frequency.

In sequence number 11, the ISAP and IREP accident sequences are similar. The main reason for higher ISAP core melt frequency is the higher unavailability associated with the alternate SDC system, discussed before.

Sequence number 16 is affected by a number of competing differences. First, the initiating event frequency of the transient is lower in the ISAP study. Also, the IREP study did not give credit for recovering the main condenser due to limitations in the MSIV equalizing lines which prevented equalizing differential pressure on the valve disks within a reasonable time. A modification to enlarge those lines has been accomplished, allowing the ISAP study to take this credit. These differences tend to reduce the contribution of these sequences. However, this is more than counteracted by the increase in alternate SDC system failure rate due to the change in the success criteria, which increases the overall contribution of the sequence.

The last transient sequence is sequence number 5. The main difference between the two studies is that the IREP study did not treat the possibility of station blackout for sequences not initiated by loss of normal power, assuming that the contribution was not significant. Consideration of this possibility in the ISAP study caused this sequence to become dominant.

The next three sequences are small-small break LOCAs. This initiator in the ISAP study represents an approximate break size resulting in at least 2.5 gpm leakage up to an approximate diameter of 1.35 inches. This break size represents the lower end of the IREP small break, which includes approximate break diameter up to 5.24 inches. The frequency of occurrence of the small-small break LOCA in the ISAP study is an order of magnitude larger than the small break frequency in the IREP study. Breaks in the lower end of this range require manual initiation of depressurization because high drywell pressure does not occur. In addition, the IREP assumption that condensate transfer pumps (CTP) would start automatically is not entirely correct. The high flow emergency CTP is required for these breaks, and must be started manually. In sequence number 6, both of these actions are coupled by a cognitive-based error (similar to sequence number 1). The high initiation frequency for this sequence along with the need for manual depressurization and start of condensate transfer pumps, which are coupled in one cognitive human error, have resulted in a high sequence frequency compared to IREP.

In sequence number 14 ISAP considered operator error of commission in misdiagnosing the plant conditions and taking an action to terminate a safety system prematurely. IREP did not adequately treat this type of error. Consideration of this type of human error along with a much higher initiator frequency resulted in a more dominant sequence compared to IREP.

In sequence number 18, ISAP has a failure to restore the main condenser. As previously mentioned, the IREP study concluded that restoration of the main condenser after isolation was not practical but credit was given for this action in the ISAP study due to a plant modification. This credit is compensated for by a higher initiating frequency and higher failure probability for the alternate SDC system, making this sequence more dominant than the IREP sequence.

Overall, the higher initiating frequency, the combined cognitive error in performing depressurization and startup of condensate transfer pumps, the consideration of operator error of commission in misdiagnosing the plant condition, and the higher alternate SDC system failure probability result in higher frequency small-small break LOCAs in the ISAP study compared with the IREP small break LOCA sequences.

In sequence number 10 the ISAP study gave recovery credit to Service Water (SW) only in the short term, including it in the initiator frequency, resulting in the complete unavailability of the SDC system for all LOSW sequences. This greatly increased this sequence's contribution over IREP, which gave substantial credit for long-term SW recovery, allowing for the SDC system to be used. Additionally, the ISAP success criteria for SW following a trip are more restrictive than IREP, resulting in an overall increase in the frequency of loss of service water in the short term. Combining this with an increased alternate SDC failure rate due to a change in its success criteria made this sequence become dominant.

In sequence number 17, several competing effects result in the ISAP sequence being more dominant. The initiating event frequency in the ISAP study is significantly lower than the IREP study due to a plant modification and installation of more reliable safety/relief valves. This reduction in initiator frequency is opposed by two factors. First, in the ISAP study, it was assumed that the main condenser would be initially lost, whereas in the IREP study, it was assumed it could continue to run post scram. Second, there is a higher failure probability of alternate SDC system in the ISAP study. The combined effect of these factors is to make the ISAP sequence more dominant than the IREP sequence.

The last dominant accident sequence in Table 3.1 is sequence number 13, initiated by a large break LOCA. The sequence of events in the ISAP and IREP studies is very similar in this case. The primary reason for a more dominant ISAP sequence is the higher failure probability of the containment cooling (alternate SDC system).

In the next section a summary of the major contributors to the ISAP core melt frequency will be presented.

3.2 Insight into Major Contributors to the Core Melt Frequency.

In the last section, a detailed comparison between the ISAP and IREP dominant accident sequences was presented. This comparison provided some insights into changes, both systemic and procedural, that have taken place in Millstone Unit 1 since the original IREP study was performed, and the significance of these changes with respect to dominant accident sequences and the overall core melt frequency. Figure 3.1 shows the contribution of major classes of initiators to the total core melt frequency in both studies. The principal reasons for changes in the dominant contributors were explained in the last section during the discussion of individual dominant sequences. To put the results in better perspective, a summary of these differences by the major classes of initiators identified in Figure 3.1 is presented here. More detail on these differences can be found in the appropriate sections in this report.

1. Loss of Normal Power (LNP); Overall decrease in ISAP vs IREP core melt contribution.

Reasons for this decrease:

a. Reductions in failure rate data of the diesel generator, gas turbine generator, and switchgear breakers.
b. Modification to LNP logic to eliminate single relay failures.
c. Modification to IC makeup to eliminate admission valve AC dependency.
d. Change to symptom-oriented procedures eliminated confusing procedure for initiating manual depressurization when required, reducing human error probability.

Figure 3.1 Comparison Between Dominant ISAP and IREP Contributors to the Core Melt Frequency.

The only mitigative factor that limited the amount of decrease in the ISAP core melt contribution was an increase in the failure probability of the alternate SDC system due to changes in its success criteria.

2. Transients (TRANS); Overall increase in the ISAP vs IREP core melt contribution.

Reasons for this increase:

a. Cognitive error modeling and symptom-oriented procedures linked failure to restore FW and failure to depressurize to a single decision process, increasing overall probability of human error and recovery failure.
b. Consideration of the possibility of loss of normal power following a non-LNP initiating event.
c. Increase in failure rate of alternate SDC system due to change in success criteria.

Mitigative factors which limited amount of increase:

a. Decrease in initiating event frequency.
b. Modification to MSIV equalization lines allowing for recovery of main condenser for cooling.

3. Loss of Power Conversion System (LOPCS); Overall decrease in ISAP vs IREP core melt contribution.

Reasons for this decrease:

a. Reduction of initiating event frequency.
b. Modification to MSIV equalization lines allows for recovery of main condenser for cooling.

The only mitigating factor that limited the amount of decrease in the ISAP core melt contribution was the increase in the failure probability of the alternate SDC system due to changes in its success criteria.

4. Loss of Feedwater (LOF); Overall increase in ISAP vs IREP core melt contribution.

Reasons for this increase:

a. Cognitive error linkage between recovery of FW and failure to depressurize.
b. Increase in alternate SDC failure rate.

The only mitigative factor that limited the increase in the ISAP core melt contribution was the reduction in the initiator frequency.

5. Loss of Service Water System (LOSW); Overall increase in ISAP vs IREP core melt contribution.

Reasons for this increase:

a. No long term recovery credit for service water system.
b. Increase in alternate SDC system failure rate.
c. Increase in frequency of short-term LOSW due to change in success criteria.

6. Small Break LOCA (SB); Overall increase in ISAP vs IREP core melt contribution.

The principal reason for the increase in the ISAP core melt contribution is the increase in failure probability of the alternate SDC system.

7. Small-Small Break LOCA (SSB); Overall increase in ISAP vs IREP core melt contribution.

Reasons for this increase:

a. Special consideration of breaks which do not actuate Automatic Pressure Relief (APR) because no high drywell pressure would be present, requiring operator action to depressurize.
b. Need for operator action to start high-capacity emergency condensate transfer pumps to supply sufficient flow to the hotwell.
c. Cognitive error modeling and symptom-oriented procedures link the above two actions to a single decision process.
d. Consideration of cognitive error of commission in prematurely terminating injection due to misinterpretation of instrumentation.
e. Increase in initiating event frequency.

The only mitigative factor that limits the amount of increase in the ISAP core melt contribution is the credit allowed for providing long-term cooling with the condenser or SDC system due to low break flow rate.

8. Inadvertent Opening of Power Operated Relief Valve (PORV); No major change between ISAP and IREP core melt contribution due to several compensating effects.

Factors Resulting in an Increase in ISAP core melt contribution:

a. Increase in alternate SDC system failure rate.
b. Automatic loss of condenser due to low pressure (pressure cannot be kept up after trip).

Factors Resulting in a Decrease in ISAP core melt contribution:

a. Credit allowed for recovery of condenser due to equalization line modification.
b. Initiating event frequency reduced due to modification to install more reliable valves.

In addition to the above classes of initiators, three groups of events are also compared in Figure 3.1. The first one is the group of events leading to core melt that include Loss of Decay Heat Removal (LODHR) function. In this case, the ISAP dominant sequence frequencies have increased substantially due to the increased failure probability of the alternate SDC system as a result of the change in its success criteria.

The second group is the Station Blackout (BKOUT) sequence. In this case the ISAP dominant sequence frequency has decreased due to:

1. Reductions in failure rate data of diesel and gas turbine generators and switchgear breakers.
2. Modifications to LNP logic to eliminate single relay failures.
3. Modifications to IC makeup to eliminate admission valve AC dependency.

The last group of events shown in Figure 3.1 is the Anticipated Transients Without Scram (ATWS) sequences. The overall ISAP core melt contribution in this case has decreased due to credit allowed for operator action to initiate the standby liquid control system (43 gpm) and take other actions to mitigate the event. This decrease was limited by a significant increase in the RPS failure probability, based on a simple statistical analysis. This event was assumed to lead to core melt in the IREP study. This assumption is one of the topics that will be discussed in more detail in the next section.

3.3 Discussion of Several Areas of Plant Vulnerability

In this section, three areas with significant contributions to the core melt frequency are discussed in detail. These areas were chosen for more detailed discussion because they are areas where changes in the system configuration or procedures can result in substantial reductions in their contribution to the core melt frequency.

The first area is the reliability of the alternate SDC system. Referring to Figure 3.1, it can be seen that sequences involving loss of the decay heat removal system contribute to about 65% of the total core melt frequency. This contribution is substantially higher in the ISAP study compared with the IREP study. As mentioned previously, this increase is primarily due to the higher failure probability associated with the alternate SDC system. The increase in the failure probability of the alternate SDC system is due to the change in its success criteria.

In the IREP study, the success criteria for this system consist of successful operation of one LPCI pump and the associated containment cooling heat exchanger with one Emergency Service Water (ESW) pump removing heat from the heat exchanger. Based on some new thermal hydraulic calculations, the success criteria for this system were changed in the ISAP study by requiring two LPCI containment cooling heat exchangers with one LPCI pump per heat exchanger and all four emergency service water pumps to remove the heat from the containment cooling heat exchangers. This change has dramatically increased the failure probability of this system.

To assess some alternatives in reducing the failure probability of this system, the detailed fault tree for this system, shown in Figure 3.2.24-2 of the Millstone Unit 1 PSS, was simplified and is shown in Figure 3.2. Based on the current configuration, the failure probability of this system with no support system failure is 0.148. Three scenarios for improvement in the reliability of this system were examined. In the first case, it was assumed that the LPCI/containment cooling loops are made redundant. In the second case, it was assumed that the emergency service water loops are made redundant. In the third case, it was assumed that both of the above improvements were incorporated. Table 3.2 shows the results of these evaluations. Incorporation of redundancy in the LPCI alone resulted in the reduction of the failure probability of the alternate SDC by a factor of about 1.7. The effect of making the ESW loop redundant is a reduction in the failure probability of the alternate SDC system by a factor of about 2.2. If both of these changes are incorporated, the failure probability of this system can be reduced by a factor of about 40. As was mentioned earlier, 65% of the ISAP core melt frequency was due to failure of long-term decay heat removal. Assuming that both the LPCI and ESW loops are made redundant, this results in a reduction in ISAP core melt frequency from 8.07x10-4 to 2.95x10-4, a reduction of about a factor of 3.

Figure 3.2 Simplified Fault Tree for the Failure of Alternate SDC System

Table 3.2 Unavailability of the Alternate Shutdown Cooling System as a Function of Different System Configurations

System Configuration                                Alternate Shutdown Cooling System Unavailability
1. Present                                          0.148
2. LPCI/Containment Cooling Loops Redundant         0.085
3. Emergency Service Water (ESW) Loops Redundant    0.066
4. Both LPCI and ESW Loops Redundant                0.37x10-2

Using NRC's $1000/man-rem guidelines, the following relationship can be used to come up with an approximate level of expenditure that would be justified for any type of corrective action that could lead to a reduction in core melt frequency:

$$E = \Delta CM \cdot MRR \cdot \frac{\$1000}{\text{man-rem}} \cdot Y \qquad (3.1)$$

where

E = The expenditure that is justified for the specific correction
ΔCM = Change in core melt frequency as a result of the correction
MRR = Man-rem release that could occur as a result of a core melt accident and containment failure at the plant under consideration
$1000/man-rem = $1000 per man-rem NRC guideline
Y = Number of years left in the life of the plant

For Millstone Unit 1, the utility has estimated a 3x10^6 man-rem release in case of a core melt and containment failure. Also, 25 years was used as the number of years left in the life of the plant. Based on these values and a core-melt reduction of 5.12x10^-4 as a result of changes to the alternate SDC system discussed above, approximately 38 million dollars of expenditure would be justified for these corrective actions.

The second area analyzed in more detail is the area involving those core melt sequences which require manual depressurization of the RPV.

Depressurization is required in those events where the feedwater system is either unavailable or incapable of providing sufficient water to the core and low pressure systems are needed to keep the core covered.

Millstone Unit 1 has an Automatic Depressurization System (ADS) which is initiated when there is a coincident indication of reactor water low-low level for two minutes, high drywell pressure and indication that at least one low pressure pump is running. Because of the requirement of high drywell pressure, automatic depressurization occurs only when a LOCA has occurred. In other cases, such as loss of feedwater or other types of transients and the lower range of small-small break LOCAs, this system is not initiated automatically. In these sequences, if there is a cognitive operator error in not restoring the RPV level, the low pressure systems such as LPCI and core spray systems will be automatically defeated since the reactor pressure has to be below about 350 PSI before the pumps in these systems can inject into the core.

The ISAP dominant accident sequences that include this type of cognitive human error, i.e., failure to depressurize the reactor manually, contribute to about 21% of the total core melt sequences. The most dominant sequence among these is the loss of feedwater transient that contributes to about 9.5% of the total core melt frequency. If in these sequences there is the possibility of an automatic depressurization despite the cognitive operator error, the frequency of these core melt sequences will be reduced by the failure probability of the ADS.

The results of the analysis of the ADS in Millstone Unit 1 are given in Table 3.2.18-1 of the PSS. Based on this table, the failure probability of ADS with both DC buses available is 0.13. Currently the relay contacts in this system are never tested. If a more frequent (such as monthly) test of these relay contacts is performed, the failure probability of this system can be reduced by about two orders of magnitude.

Based on the present system configuration and procedures, inclusion of an automatic depressurization system in the ISAP sequences which involve human error to depressurize the RPV will result in about an order of magnitude reduction in their contribution to the total core melt frequency. The net effect of this is a reduction of about 18% in the total ISAP core melt frequency. Using equation 3.1, an approximate expenditure of 11 million dollars would be justified for this correction.

The only negative aspect of addition of an automatic depressurization option to these sequences is the possibility of early depressurization before all efforts in restoration of the feedwater system are exhausted. Thus, it is crucial that initiation of this automatic depressurization is sufficiently delayed so that any possibility of recovery of feedwater system is not defeated.

The final subject considered is the Anticipated Transients Without Scram (ATWS). Other sections of this report noted various areas related to ATWS which were believed to be deficient or to contain erroneous assumptions or conclusions. These areas were numerous enough that it was not easy to determine what effect they would have on the overall quantification of ATWS sequences. Therefore, it was necessary to requantify the ATWS event trees to get some idea as to what the core melt contribution from ATWS would be if these deficiencies were remedied.

One area could not be completely clarified. The PSS assumed that a 43 gpm SLCS was sufficient to mitigate an ATWS with condenser isolation (loss of PCS). While there is some reason to believe that this may be true, no plant-specific analysis was performed to verify this. The assumption was based on engineering judgment and extrapolation from analysis performed for other plants. The NRC's ATWS rule states that 43 gpm is not sufficient for this type of ATWS, based on a self-proclaimed conservative analysis. How conservative the analysis is and how plant-specific features at Millstone 1 might affect the analysis cannot be determined without a plant-specific analysis. Therefore, the ATWS trees have been requantified for two separate cases. Case 1 assumes that the 43 gpm SLCS is capable of mitigating an ATWS with condenser isolation, just as was done in the PSS. Case 2 assumes that the 43 gpm SLCS is not capable of mitigating an ATWS with condenser isolation, and thus all such ATWS events would lead directly to core melt. It should be noted that there is no question that the 43 gpm SLCS can mitigate an ATWS when the condenser is not isolated (PCS available) because of Millstone 1's 100% bypass capability.

The requantification of ATWS for Case 1 was performed with the following changes made from the PSS. These changes are discussed only briefly here, but generally reflect detailed comments made earlier in this report. The ATWS trees used for the requantification are shown on Figures 3.3 and 3.4.

[Figure 3.3 A.T.W.S. Event Tree with Main Condenser Available. Event headings: ATWS1; H1 - TBV's maintain press. (auto); 070 - op action trip Rx and recirc PP; C1 - FW maintain level (auto); Y1 - SLCS works (man); 071 - op action for long term cooling; H3 - main condenser (man); M1 - SDC. Sequences 7 and 8 transfer to ATWS-2.]

[Figure 3.4a A.T.W.S. Event Tree with Main Condenser Unavailable (Loss of PCS). Event headings: ATWS2 - ATWS w/o main condenser; V - recirc pumps trip (auto); C5 - FW restoration; 072 - op action to inject boron and control level; Y1 - SLCS works (man) and operator controls level; 073 - op action for torus temp.; I - 2 SRV's open (man); C3 - FW restored (man); E - 1 LPCI or 1 CS pump (man); M2 - SDC.]

[Figure 3.4b A.T.W.S. Event Tree with Main Condenser Unavailable (Loss of Feedwater). Event headings: ATWS2 - ATWS w/o main condenser; V - recirc pumps trip (auto); 072 - op action to inject boron and control level; C5; Y1 - SLCS works (man) and operator controls level; 073 - op action for torus temp.; I - 2 SRV's open (man); C3 - FW restored (man); E - 1 LPCI or 1 CS pump (man); M2 - SDC. Note on the figure: loss of service water and loss of TBSCCW lead directly to core melt for ATWS: (.00783 + .000805)(1E-5) = 8.6E-8 (TE2).]

[Figure 3.4c A.T.W.S. Event Tree with Main Condenser Unavailable (Loss of Normal Power - Support State 1 and State 3). Event headings: ATWS2 - ATWS w/o main condenser; V - recirc pumps trip (auto); C5 - FW post trip; 072 - op action to inject boron and control level; Y1 - SLCS works (man) and operator controls level; 073 - op action for torus temp.; I - 2 SRV's open (man); C3 - FW restored (man); E - 1 LPCI or 1 CS pump (man); M2 - SDC.]

The PSS failure probability for the RPS was judged to be too conservative for the design of the Millstone 1 RPS. The probability was changed from 5.4E-5 to 1E-5, which was taken from the ATWS rule.

The procedural HEP for initiating SLCS and lowering power by controlling RPV level was raised from 0.013 to 0.13. This increased the failure probability of event Y1 from 0.031 to 0.16.

Even though it is assumed in this case that the 43 gpm SLCS is capable of mitigating an ATWS with condenser isolation, it is apparent that it is probably not capable of keeping torus temperature below 176 degrees. This is the point at which the low pressure safety injection pumps lose sufficient NPSH. Thus, no credit should be allowed for these pumps and the failure probability of event E should be 1.0.

The PSS assumed that both the shutdown cooling (SDC) system and torus cooling were required to prevent core melt. Torus cooling is not actually required for an extremely long time since initiation of SDC stops torus heatup. Therefore, the assumption that both are required is overly conservative. Event M2 success has been redefined as requiring only SDC, which reduces the failure probability from 0.49 to 0.39.

For the loss of feedwater (LOF) ATWS, recovery was improperly applied directly to the initiator frequency. It should have been applied after the cognitive decision of the operator to respond to the ATWS event. The ATWS tree has been modified specifically for this case so that the cognitive decision (072) appears before the feedwater system event (C5). Event C5 has been redefined for this case as feedwater restoration. Credit for restoration of feedwater is applied only when the cognitive decision is successful. The failure probabilities for these events are taken directly from the PSS.

The ATWS requantification is shown on Figures 3.3 and 3.4, with the values for each event and sequence written directly on the tree. Figure 3.3 is for non-isolation (PCS available) transients. Figure 3.4 is for isolation (loss of PCS) transients (3.4a is loss of PCS alone, 3.4b is for loss of feedwater including a calculation for loss of service water and loss of TBSCCW, and 3.4c is for loss of normal power).

The requantification of ATWS case 2 assumed that the 43 gpm SLCS could not mitigate an ATWS isolation transient. This calculation is very straightforward, since the assumption means that all ATWS isolation transients lead directly to core melt. Thus, the major contribution to core melt is equal to the total frequency of all isolation transients times the RPS failure probability. This includes isolation transients which result from non-isolation transients which lead to subsequent consequential isolation (sequences 7 and 8 on Figure 3.3). The core-melt frequencies shown on the non-isolation tree (Figure 3.3) obviously remain unchanged.

The overall results of the requantification of ATWS for both cases are shown in Table 3.3. The results are presented in terms of plant damage state. For both cases, the requantified values for total ATWS core melt are smaller than the ISAP study values by a factor of about 2-3. This is because the overly conservative ISAP RPS failure probability more than compensates for the other areas which are generally non-conservative. An interesting result is that the two cases presented are only about 15% apart in total core melt frequency. That is, taking credit for the 43 gpm SLCS only reduces core melt frequency by 15%. The only significant effect is at the plant damage state level, where the "no credit" case results in a much higher percentage of early melts.

Table 3.3 REQUANTIFICATION OF MILLSTONE 1 ATWS EVENT TREES

                          Frequency per Year
Plant Damage State        Case 1 - Credit for 43 gpm SLCS      Case 2 - No Credit for 43 gpm SLCS
TE2                       4.5E-6                               8.9E-6
TE1                       4.2E-7                               ------
TL2                       3.9E-6                               1.4E-6
TOTAL                     8.8E-6                               1.03E-5

(Note: No credit for 43 gpm SLCS is for isolation transients only. Credit is always allowed for non-isolation transients.)

4.0 REVIEW OF THE MILLSTONE UNIT 1 ISAP TOPICS

In this section several of the ISAP topics analyzed by the licensee will be reviewed. As was mentioned previously, only a portion of all the ISAP topics for the Millstone Unit 1 are analyzed by the licensee using PRA techniques. This report is only concerned with the review of this portion of the topics.

Some of the topics were submitted by the licensee early enough so that a detailed review of their analyses could be performed. These topics are presented first. The rest of the topics were submitted too late for a detailed analysis and are briefly discussed. Comments on the major assumptions in the analyses are also provided. These topics will be analyzed in more detail for the final report.

In evaluating the public safety impacts of those ISAP topics which were analyzed using PRA techniques, the licensee used a direct quantification relationship based on the Millstone Unit 1 PSS results. Since this relationship is important in prioritization of the topics, some comments on validity of the assumptions used in this relationship will be provided in the next section. This will be followed by the review of the individual topics.

4.1 Comments on the Utility's Method of Public Risk Quantification

Public safety impacts of individual ISAP topics were evaluated using either direct quantification based on the Millstone Unit 1 PSS results, engineering judgment, or quantification of equivalent radiological impacts. Direct quantification of public risk impacts was performed using the following equation:

$$\Delta R = T \, K \sum_i \Delta P_i \times M_i \qquad (4.1)$$

ΔR = total change in public risk, man-rem
T = remaining plant life (25 years)
K = 3x10^6 man-rem/core-melt
ΔP_i = change in frequency of plant damage state i
M_i = a multiplier depending on the performance of the containment and consequence mitigating systems

The constant K coupled with the multiplier M_i is a measure of the accident radiological release and public health impact. M_i values of either 0.5, 1.0 or 1.5 were assumed depending principally on containment failure mode and timing.

The K value of 3x10^6 man-rem/core-melt was based on consideration and adjustment of information in the Sandia Siting Study (9) and the Millstone Unit 3 PSS (10). However, the actual population exposure that would result from a core-melt at Millstone Unit 1 is highly uncertain and would depend strongly on containment failure mode and timing. For example, man-rem values calculated in the Sandia Siting Study and reported in NUREG/CR-2723 (11) for hypothetical core-melt releases at Millstone 1 vary broadly as indicated below.

Accident      Release Fractions for I, Cs, Te      Man-rem*
SST1          0.5 - 0.6                            3x10^7
SST2          3x10^-3 - 3x10^-2                    2x10^6
SST3          10^? - 2x10^-4                       7x10^3

* Total man-rem over all distances (not limited to 50 miles).

The release fractions assumed for SST1, 2 and 3 were based on WASH-1400 vintage source term methodology and therefore are likely to be somewhat conservative.

The limited containment analysis performed for Millstone Unit 1 as part of the IREP study concluded that the most likely core-melt releases corresponded to release categories BWR3 and BWR4 from WASH-1400. These categories had release fractions for I, Cs and Te of 0.1-0.3 for BWR3 and 8x10^? - 5x10^-3 for BWR4. Again, these are likely to be somewhat conservative.

Based on the information above, and our awareness of the large uncertainties involved, we feel that a "representative" estimate of 3x10^6 man-rem/core melt is reasonable. However, given the extreme variability (orders of magnitude) due to aspects of containment performance, the assumption of only a limited range of M_i values (all close to 1) seems unjustified. Either a broader and more representative range should be used, or the factor should be dropped altogether. Developing a more representative range would require that at least a limited containment analysis be performed. However, having that analysis would allow increased confidence in translating core-melt frequency changes into changes in public health risk.

Following the calculation of the change in radiological release value in man-rem as a result of modification due to each topic, the importance of each topic was scored by the utility on a scale of -10 to +10. The scale used is linear with each unit corresponding to 400 man-rem of release. A zero score implies no change in public risk. A positive score implies an increase in public risk. Thus, a decrease in public risk of 4000 man-rem or more as a result of a modification due to an ISAP topic is given the maximum scale of +10. Alternatively, an increase in public risk of 4000 man-rem or more that might occur as a result of a change due to an ISAP topic is given the maximum negative scale of -10.

As a final note, there is debate within NRC about the sole use of man-rem as a surrogate measure for evaluating accident consequences to examine risk reduction potential and cost-benefit. NRC may decide that in future evaluations, costs associated with plant loss, cleanup, and associated replacement power should also be included. Those costs are relatively independent of details of the core melt and containment performance, have much less uncertainty than corresponding "man-rem" costs, and would likely be several billion dollars.

4.2 Topic 1.02: "Tornado Missile Protection"

4.2.1 Background

The potential for damage to important plant systems caused by tornado generated missiles was addressed during the NRC's Systematic Evaluation Program (SEP). A potential weakness was found in the Millstone Unit 1 plant because of the lack of tornado hardening of several important safety-related systems. The SEP assessment found that the fire water tank and the condensate storage tank were both susceptible to damage from tornado missiles. The damage would result in a loss of the water supplies to the isolation condenser. Additionally, the switchgear rooms in the turbine building were also found to be susceptible to tornado missile damage. The power cables from both the gas turbine generator and the diesel generator are located in this area. During a tornado a loss of offsite power is probable and damage to the switchgear room could result in the loss of emergency power to the main condenser, shutdown cooling system and alternate shutdown cooling system. Therefore, it is possible that a tornado of sufficient magnitude could initiate a plant transient and defeat all four decay heat removal systems.

4.2.2 Utility Evaluation

Northeast Utilities proposes using city water and a portable pump to provide a secondary source of makeup water to the isolation condenser. In their analysis, the utility has assumed that the probability of the tornado striking the Millstone site and the town water supply and the town pumping station is relatively small, especially compared to their estimated probability of the failure to make the manual connection between the city water supply and the makeup to the isolation condenser. The utility sees this alternate source of isolation condenser makeup as being useful during all station blackout situations and has calculated the benefit associated with the improved reliability of the makeup system for all blackout situations.

Based on the tornado missile risk analysis performed for Millstone Unit 3, the frequency of a tornado of sufficient magnitude to damage the water storage tanks striking the Millstone site is 1.0E-5/yr. (The required wind speed used was 165 mph. This was based on the analysis performed for Connecticut Yankee as part of the SEP Tornado Missile Topic.) In the analysis for Millstone Unit 1, Northeast Utilities has assumed that if a tornado of this magnitude does strike the site, the condensate and fire water tanks will be struck by a tornado missile, as will the switchgear room, and the tornado will cause a loss of offsite power. These assumptions result in a core melt frequency, from tornado initiated events, of 1E-5/yr.

The use of city water to supply makeup to the isolation condenser provides an alternate source of water to remove decay heat under these conditions. The utility has assigned a 0.2 failure probability for the failure of the use of city water as makeup to the isolation condenser. Half of this value is due to an assumed failure of the town water supply; the remainder is due to pump failures and operator errors (failure to start the pump or connect the water supply). This alternate source of isolation condenser makeup reduces the core melt frequency from tornado-induced transients by nearly 8E-6/yr. Using the utility supplied consequence model, this results in 300 man-rem exposure reduction over the remaining plant lifetime.

Northeast Utilities sees more benefit from this modification for other loss of normal power events that result in station blackout. During a station blackout the loss of the fire water system and consequently the isolation condenser makeup system results in a core melt since the blackout disables the other three decay heat removal systems. The core melt frequency from loss of normal power sequences resulting in a station blackout with the failure of the fire water system as calculated from data in the Millstone Unit 1 PSS is 4.1E-5/yr. The addition of the redundant makeup supply from city water reduces this frequency by a factor of 0.2 to 8.2E-6/yr. This reduction of 3.3E-5/yr corresponds to a 1230 man-rem reduction in exposure to the public when using the utility's consequence model.

4.2.3 Review of the Utility Evaluation

The utility has used information from two other studies to evaluate the importance of tornado initiated events that result in a core melt. An analysis performed for Connecticut Yankee provided the information used to calculate the required wind speed (165 mph) necessary to generate missiles capable of penetrating the water tanks. It seems reasonable to assume that the water storage tanks at Millstone Unit 1 and Connecticut Yankee would be similar enough in design to warrant using the same wind speed value in the simplified analysis performed for this issue. Given this required wind speed the frequency of the tornados of this size corresponds to values used in other studies for the Connecticut area (12). However, the assumption that once a tornado has struck the Millstone site the water tanks will be damaged seems to be overly conservative. Several studies have shown that the frequency of a tornado missile striking a plant structure is one to two orders of magnitude lower than the frequency of a tornado hitting the site.

Although the utility has calculated the probability of a failure to supply city water to the makeup side of the isolation condenser, the values used for some failures appear to be estimates with large uncertainty bounds. (This applies primarily to the unavailability of city water which was estimated to be 0.1.) Under normal conditions this would appear to be a conservative (high) estimate and the arguments used by the utility to justify independence of the city water supply and the Millstone site in the event of a tornado appear to be reasonable. A bounding analysis, assuming the city water supply is always available, would use a value of approximately 0.1 for the probability of the failure to connect the city water to the isolation condenser makeup. Modifying the loss of normal power events (followed by station blackout and fire water system failures) by this value would result in a change in the core melt frequency of:

4.1E-5/yr - (4.1E-5/yr)(0.1) = 3.7E-5/yr

This value is only approximately 10% greater than that calculated by the utility and results in a reduction in the exposure to the public of approximately 1400 man-rem (using the utility's consequence model).

4.2.4 Conclusions

The core melt frequency attributed to tornado-initiated events by the utility appears to be conservative by at least an order of magnitude. This is due to the assumption used by the utility that if a tornado strikes the site, it will generate missiles that will do the required damage. The benefit from the proposed modification for loss of normal power events also appears to be slightly conservative but not significantly different from the maximum achievable reduction from a redundant isolation condenser makeup supply. Using the utility's consequence model the benefit from the proposed modification appears to be approximately a 1200 to 1400 man-rem reduction over the life of the plant. This reduction is due almost entirely to the reduction in the frequency of loss of normal power induced station blackout core melts, not tornado induced events.
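The following is an added worked example, not part of the original report: it applies equations 3.1 and 4.1 and the utility's -10 to +10 score to the figures quoted in Sections 3 and 4.2, then repeats the score under the M_i range and the SST man-rem values of Section 4.1. The multiplier of 0.5 and the single damage-state label are assumptions, chosen because they reproduce the 300 and 1230 man-rem values quoted above.

```python
"""Added example: equation 3.1, equation 4.1 and the topic score from the report."""

T_YEARS = 25                  # remaining plant life, from the report
K_MAN_REM = 3e6               # man-rem per core melt, utility estimate quoted in the report
DOLLARS_PER_MAN_REM = 1000    # NRC guideline quoted in the report
MAN_REM_PER_SCORE_UNIT = 400  # utility scoring scale
SST_MAN_REM = {"SST1": 3e7, "SST2": 2e6, "SST3": 7e3}  # Section 4.1 table

STATE = "SBO"     # hypothetical label for the single damage state used below
M_ASSUMED = 0.5   # assumption: the multiplier that reproduces the quoted man-rem values


def delta_risk(delta_p, multipliers, k=K_MAN_REM, years=T_YEARS):
    """Equation 4.1: change in public risk (man-rem) = T * K * sum_i(dP_i * M_i).

    delta_p     -- {plant damage state: change in frequency per year}, negative = reduction
    multipliers -- {plant damage state: M_i}
    """
    missing = set(delta_p) - set(multipliers)
    if missing:
        raise KeyError(f"no multiplier for damage state(s): {sorted(missing)}")
    return years * k * sum(dp * multipliers[state] for state, dp in delta_p.items())


def justified_expenditure(core_melt_reduction, mrr=K_MAN_REM, years=T_YEARS):
    """Equation 3.1: dollars justified by a reduction in core melt frequency (per year)."""
    if core_melt_reduction < 0:
        raise ValueError("equation 3.1 expects the reduction as a positive number")
    return core_melt_reduction * mrr * DOLLARS_PER_MAN_REM * years


def topic_score(delta_r):
    """Linear score: +1 per 400 man-rem of risk decrease, clipped to [-10, +10]."""
    return max(-10.0, min(10.0, -delta_r / MAN_REM_PER_SCORE_UNIT))


def makeup_cases():
    """Man-rem reductions for the city-water makeup modification (Section 4.2)."""
    cases = {
        "tornado (utility)": -(1.0e-5 * (1 - 0.2)),
        "station blackout (utility)": 8.2e-6 - 4.1e-5,
        "station blackout (bounding, 0.1)": -(4.1e-5 - 4.1e-5 * 0.1),
    }
    return {name: -delta_risk({STATE: dp}, {STATE: M_ASSUMED}) for name, dp in cases.items()}


def score_sensitivity(delta_p_per_year):
    """Score of one frequency change under each M_i and under each SST man-rem value."""
    by_multiplier = {
        m: topic_score(delta_risk({STATE: delta_p_per_year}, {STATE: m}))
        for m in (0.5, 1.0, 1.5)
    }
    by_release = {
        name: topic_score(delta_risk({STATE: delta_p_per_year}, {STATE: 1.0}, k=man_rem))
        for name, man_rem in SST_MAN_REM.items()
    }
    return by_multiplier, by_release


if __name__ == "__main__":
    print(f"Alternate SDC redundancy: ${justified_expenditure(8.07e-4 - 2.95e-4) / 1e6:.1f}M")
    print(f"ADS for transients:       ${justified_expenditure(0.18 * 8.07e-4) / 1e6:.1f}M")
    for name, man_rem in makeup_cases().items():
        print(f"{name}: {man_rem:.0f} man-rem reduction")
    by_m, by_sst = score_sensitivity(8.2e-6 - 4.1e-5)
    print("score vs. M_i:        ", by_m)
    print("score vs. SST release:", by_sst)
```

With M_i confined to 0.5-1.5 the station blackout case scores between about 3 and 9, while the SST man-rem range moves the same frequency change from near 0 to the +10 cap, which is the variability Section 4.1 says the narrow multiplier range does not capture.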


4.3 Topic 1.16.1: "Millstone Unit 1/Millstone Unit 2 Backfeed"

4.3.1 Background

During a station blackout, the only means available to remove heat from the Millstone Unit 1 core is the isolation condenser system. If minor reactor coolant leaks exist for an extended period, a means to restore the RPV level may be needed, but the isolation condenser system cannot replace coolant to restore losses. One cause of an extended loss of all AC power would be a fire in the switchgear room. Such a fire would disable all existing means of replacing lost coolant.

This project addresses the issue of being able to provide power to the Control Rod Drive (CRD) pumps from Millstone Unit 2 through a connection that does not pass through the Millstone Unit 1 switchgear room. Such a connection could also be designed to provide a secondary on-site emergency power supply for Millstone Unit 1. Therefore, this modification would provide a means to makeup lost primary coolant during a switchgear room fire using the CRD pumps and a redundant power supply for use during all station blackout events.

4.3.2 Utility Evaluation

The utility evaluation addressed the two benefits of the proposed modification separately. The benefits from mitigating the effects of a fire in the switchgear room were estimated to be significantly lower than the benefits from the mitigation of a station blackout. From a previous fire analysis, Northeast Utilities estimated a frequency of 3.5E-5/yr for a fire in the switchgear room that would disable both AC power trains. This number was then compared to the frequency of a station blackout, 2.2E-3/yr, due to a loss of normal power and a failure of the gas turbine emergency power train and either the failure of the diesel generator emergency power train or the failure of the service water system (support states 7 and 4 in the Millstone Unit 1 PSS). The utility simply states that the benefit of the proposed modification will be dominated by the reduction in the station blackout frequency and does not quantify the benefits from the reduction in the frequency of switchgear room fire initiated events.

The benefits from reducing the station blackout events were calculated by reevaluating the support state split fractions to account for the reduction in the probability that power would not be available on both emergency AC power trains. (A final design for this modification has not been formulated but in their analysis the utility assumed that power could be supplied to either Millstone Unit 1 emergency AC train.) The 0.2 probability of failure to successfully transfer power was primarily the sum of four factors: operator error in making the transfer at Unit 1 or at Unit 2, assigned a value of 0.05, and the failure of either of the Unit 2 diesel generators, assigned a value of 0.054 (based on WASH-1400 data) for each diesel generator. Using this probability of failure to transfer power to Unit 1 effectively reduces the split fraction for and the frequency of station blackouts by 80%. The core melt frequency is therefore reduced by approximately 7%, or 5.5E-5/yr. Using the utility's consequence model, this results in approximately a 2000 man-rem reduction over the remainder of the plant life.

4.3.3 Review of the Utility Evaluation

The fire frequency of 3.5x10^-5/year used for the switchgear room is in general agreement with the fire frequencies used in other safety studies for similar areas. Although these frequencies are plant specific, with the information currently available the value used in the utility's assessment would appear to be proper. However, the analysis does not address the propagation of the fire initiator to the core damage that could result from a drop in reactor pressure vessel level, due to leakage and inventory shrinkage. This was justified on the basis that the fire frequency was much smaller than the LNP-initiated station blackout frequency. But the PSS considered proper operation of the isolation condenser and makeup to preclude a core melt. The probability of a core melt following a switchgear room fire would depend on, among other things, the size of any leakage and the amount of time it would require to perform sufficient repairs to regain the capability to add inventory to the primary coolant. If the probability of the primary coolant leakage is large enough, the public risk due to a fire in the switchgear area could be higher than that assumed in the utility analysis.

The benefit calculated for the LNP-initiated station blackout sequences is nearly 80% of the maximum achievable reduction that can be obtained by eliminating all station blackout contributors to the core melt sequences. The size of the reduction is limited by the reliability of the Millstone Unit 2 diesel generators and the probability of operator error in transferring power from one unit to the other. Since no procedures exist for this operation, the value of 0.1 used in the utility analysis is an effective screening value. Any attempt to refine this error probability would not be justifiable. WASH-1400 data was used for the Unit 2 diesel generators.

4.3.4 Conclusions

The benefit to be derived from this modification may be larger than that calculated by the utility. The fire in the switchgear room could be a more serious event than the analysis indicates. Several factors should be evaluated before it is assessed as being much less significant than the LNP-initiated station blackout events.

The benefits in the station blackout scenarios are dependent upon the design of the backfeed and the procedures initiated to perform the backfeed. Obviously, the design must include provisions to eliminate the downside of connecting two nuclear power plants (fault propagation, etc.) and, for the maximum benefit for both plants, should allow for the transfer of power from either emergency power train in one unit to either power train in the second unit. From the utility analysis it appears that their conceptual design is intended to have this capability. With the proper design, it should be possible to reduce the station blackout frequency by the amount calculated by the utility and to achieve the corresponding reduction in public risk.

4.4 Topic 1.18: "ATWS: Upgrading of the Standby Liquid Control System"

4.4.1 Background

The NRC ATWS rule (10CFR50.62) recommends that all boiling water reactors have installed and operational a number of ATWS mitigating features. Presently, Millstone 1 has all of these features except that the standby liquid control system (SLCS) does not meet the recommended capability level. The rule recommends a SLCS capability of 86 gpm of a 13 weight percent sodium pentaborate solution. The Millstone 1 SLCS only has a capability of 43 gpm. The purpose of this issue is to evaluate the effect of upgrading the Millstone 1 SLCS, by presently unspecified means, to meet the capability recommended in the ATWS rule.

4.4.2 Utility Evaluation

In the utility's evaluation of this issue there were two major effects identified with the upgrading of the SLCS. These are 1) a more rapid reduction in core power and 2) a reduction in the amount of heat rejected to the torus, hence a lower peak torus temperature. No plant-specific analysis was performed, but an analysis of the Browns Ferry plant (13) showed that increasing SLCS flow rate from 50 to 86 gpm results in a reduction of peak torus temperature from 195 degrees to 173 degrees. The utility felt, however, that the benefits of this effect could not be quantified using PRA techniques. The more rapid reduction of core power means that hot shutdown can be reached earlier if the operator follows procedures and lowers RPV water level. However, the more significant benefit is the elimination of the need to perform this action. With a 43 gpm SLCS, level must be reduced in order to mitigate the ATWS. A simplified torus heatup calculation was used to demonstrate that with an 86 gpm SLCS, this action is not required. That is, the power reduction obtained from the 86 gpm SLCS alone is comparable to the power reduction obtained from the 43 gpm SLCS in conjunction with reduction of the RPV water level.

This benefit was evaluated by requantifying the ATWS contribution to core melt given that the operator action to lower water level is not required. It was only necessary to evaluate ATWS events with condenser isolation (loss of PCS) since only those events would be affected by upgrading the SLCS (see Section 3.3). The requantification was performed using a simplified equation (i.e., the ATWS event trees were not requantified) which compared the two cases. The 43 gpm case was modeled such that the core melt was assumed to occur if the operator failed to take action. The 86 gpm case was modeled such that the core melt was assumed to occur if the operator failed to take action to control the level and the SLCS failed. The result of this requantification was a reduction in the frequency of plant damage state TE2 by 6E-6/yr. This is equivalent to a risk reduction of about 450 man-rem over the life of the plant and a prioritization score of 1 out of 10.

4.4.3 Review of the Utility Evaluation

There are two major problem areas with the utility evaluation of this issue. The first is the obvious problem that we do not agree with the utility evaluation of ATWS events in the PSS. This is discussed in detail in Section 3.3 of this report, and that section presents our requantification of ATWS for two different base cases. Because of this, it is necessary to perform our own analysis of this issue starting with the base cases presented in Section 3.3.

The other problem is with the assumptions used in the utility evaluation of this issue. That is, it is not sufficient to simply take the new base cases and apply the same technique used by the utility to develop a new result. Specifically, the following areas are significant:

- We do not agree that it is not possible to evaluate the effects of a lower peak torus temperature using PRA techniques. There are two notable potential benefits of a lower peak torus temperature. First, if the peak torus temperature is below 176 degrees, the operability of the low pressure injection pumps will not be compromised by a loss of sufficient NPSH. Second, if the peak torus temperature is below about 164 degrees, the operator will not have to take action to depressurize the RPV because the torus heat capacity temperature limit will not be exceeded. The latter effect will eliminate the core melt contribution from the operator failing to recognize the need to depressurize and the former effect will reduce the failure rate of the low pressure system.

- The calculation used for the analysis is overly simple. For the 86 gpm case, as previously stated, core melt was assumed if the operator failed to take action and the SLCS failed. This implies that the action of initiating SLCS and that of controlling level are unrelated, and that the probability of the operator failing to initiate SLCS is essentially zero. In actuality, the decision to respond is unaffected by the upgraded SLCS, thus failure to respond by itself should still be considered to be a core melt. The only effect should be a reduction in the procedural error probability, since eliminating the need to control level simplifies the actions which must be performed by the operator.

- The evaluation only evaluates the benefits without taking into consideration the potential down side. Specifically, the analysis assumes that all of the core melt frequency reduction in plant damage state TE2 from the installation of an 86 gpm SLCS becomes non-core melt. In actuality, some of that reduction should be added to other plant damage states (e.g., TL2). It is not correct to base the potential benefits on the full reduction of TE2 frequency without considering the increase in TL2 frequency.

In order to account for these problems, a requantification has been performed using the baseline analysis discussed in Section 3.3. The models presented in that section have been modified to reflect the potential improvement from the installation of an 86 gpm SLCS. There are three potential benefits to this installation. It may be possible to eliminate the need for the operator to reduce power by reducing RPV water level, it may be possible to retain sufficient NPSH to utilize low pressure injection pumps, and it may be possible to eliminate the need for the operator to depressurize the RPV in order to retain sufficient torus heat capacity. It is very unlikely that all three of these benefits would be realized simultaneously simply by the installation of an 86 gpm SLCS. However, a bounding analysis can be performed by assuming that they will all be realized. In this way, the maximum potential benefit can be assessed without the need for plant-specific calculations.

The analysis was performed by modifying the ATWS trees for loss of PCS, loss of feedwater, and loss of normal power shown in Section 3.3. Only these isolation transients are affected by the 86 gpm SLCS. The following changes were made to account for the potential benefits discussed below.

- The failure probability of event Y1 was reduced from 0.16 to 0.031. This eliminated the probability that the operator would make a procedural error in controlling RPV level (0.13) since that action is assumed not to be required.

- The failure probability of event 073 was reduced from 0.13 to 0.0, since it is assumed that this action (to depressurize the RPV) is no longer required to retain sufficient torus heat capacity. Obviously, event I can also be eliminated from this part of the tree.

- Event E (failure of low pressure pumps in manual) is redefined to include event I, since depressurization is required if the low pressure pumps are to be used. The failure probability is reduced from 1.0 to 0.013 since sufficient NPSH is assumed to be available for the pumps.

The results of the sequence requantifications are shown on Figures 4.1, 4.2, and 4.3. In Section 3.3, two base cases were presented to account for uncertainty in the capability of the presently installed 43 gpm SLCS for mitigating isolation ATWS events. Table 4.1 gives the ATWS contribution to core melt by plant damage state for each of the base cases and for the requantified case with an 86 gpm SLCS. Table 4.2 gives the total consequences for each of the plant damage states. The release category split fractions were developed by identifying sequences from the Millstone 1 IREP (1) which fit into each plant damage state and using the split fractions from that report. The total public dose was developed by multiplying these split fractions by the dose numbers given for each release category in NUREG-0933 (14) and summing across the plant damage state. The final results are presented in Table 4.3. This table gives the change in frequency and public dose for each plant damage state and overall for the installation of an 86 gpm SLCS. The benefits are calculated using both of the base cases evaluated in Section 3.3.

4.4.4 Conclusion

As can be seen from Table 4.3, the maximum potential risk reduction from the installation of an 86 gpm SLCS is rather small (about 100-350 man-rem over the life of the plant). This is true whether or not any credit is given for the 43 gpm SLCS presently installed. A good part of this is due to the increase in plant damage state TL2 which goes along with the reduction in plant damage state TE2. This is caused by the high failure probability of the shutdown cooling (SDC) system. Even if SDC was significantly more reliable, the total risk reduction would be small (about 200 man-rem to 800 man-rem over the life of the plant). The reduction in large-scale core-melt frequency is of the order of 10^-6. Regardless of which case is selected, the risk reduction is low enough that this issue would be considered to be of medium priority if the NUREG-0933 priority ranking risk thresholds are applied. However, it should be noted that the overall result for base case 1 is very close to being a low ranking, and as previously mentioned, our calculation is for a maximum potential benefit. If a plant-specific analysis of ATWS is performed and it shows that the presently installed 43 gpm SLCS is capable of mitigating ATWS with condenser isolation and, further, it shows that installation of an 86 gpm SLCS will not provide all three of the benefits assumed in our analysis, then this issue would clearly be of low priority according to NUREG-0933. Thus, a plant-specific ATWS analysis should be performed to finalize the priority of this issue. We expect that the analysis would demonstrate that the issue should have a low priority, but until such time as it is performed the ranking should remain as medium.

[Figure 4.1. A.T.W.S. EVENT TREE WITH MAIN CONDENSER UNAVAILABLE (LOSS OF PCS - 86 GPM SLCS). Event headings: ATWS2 = ATWS W/O MAIN CONDENSER; V = RECIRC PUMPS TRIP (AUTO); C5 = FW POST TRIP; 072 = OP ACTION TO INJECT BORON; Y1 = SLCS WORKS (MAN); 073 = OP ACTION FOR TORUS TEMP.; I = 2 SRV'S OPEN (MAN); C3 = FW RESTORED (MAN); E = 1 LPCI OR 1 CS PUMP (MAN); M2 = SDC. Event tree diagram not reproduced.]

[Figure 4.3. A.T.W.S. EVENT TREE WITH MAIN CONDENSER UNAVAILABLE (LOSS OF NORMAL POWER - SUPPORT STATE 1 - 86 GPM SLCS). Event headings: ATWS2 = ATWS W/O MAIN CONDENSER; V = RECIRC PUMPS TRIP (AUTO); C5 = FW POST TRIP; 072 = OP ACTION TO INJECT BORON; Y1 = SLCS WORKS (MAN); 073 = OP ACTION FOR TORUS TEMP.; I = 2 SRV'S OPEN (MAN); C3 = FW RESTORED (MAN); E = 1 LPCI OR 1 CS PUMP (MAN); M2 = SDC AND TORUS COOLING. Event tree diagram not reproduced.]

Table 4.1 Requantified ATWS Contribution to Core Melt

                               Frequency/Yr
Plant Damage    Credit for      No Credit for    86 gpm SLCS
State           43 gpm SLCS     43 gpm SLCS*

TE2             4.5 E-6         8.9 E-6          3.0 E-6
TE1             4.2 E-7         -                2.9 E-7
TL2             3.9 E-6         1.4 E-6          4.6 E-6
TOTAL           8.8 E-6         1.03 E-5         7.9 E-6

* Column represents giving no credit for the use of a 43 gpm SLCS during isolation transients only. Credit is always allowed during non-isolation transients.

Table 4.2 Public Dose By Plant Damage State From NUREG-0933

Plant Damage    Release Category Split Fractions    TOTAL
State           (categories 1 2 3 4)                Man-Rem

TE2             1E-4  .1  .9                        5.3 E+6
TE1             1E-4  .1  .9                        1.1 E+6
TL2             .01  .1  .9                         5.4 E+6

Table 4.3 Change in Public Dose from Installation of 86 GPM SLCS

                Base Case #1                          Base Case #2
                (Credit for 43 GPM SLCS)              (No Credit for 43 GPM SLCS)
Plant Damage    Δ Freq/Yr   Δ Man-Rem   Δ Man-Rem     Δ Freq/Yr   Δ Man-Rem   Δ Man-Rem
State                       /Yr         25 Yrs                    /Yr         25 Yrs

TE2             -1.5 E-6    -8          -203          -5.9 E-6    -31         -782
TE1             -1.3 E-7    1           -4            +2.9 E-7    1           +8
TL2             +7.0 E-7    +4          +95           +3.2 E-6    +17         +432
TOTAL           -9.0 E-7    -4          -112          -2.4 E-6    -14         -342
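The bookkeeping behind Table 4.3 can be checked directly from Tables 4.1 and 4.2. The following is an added example, not part of the original report: it recomputes the 25-year dose change per plant damage state and contrasts the net result with a benefits-only sum that ignores the TL2 increase. Assumptions: the Table 4.2 totals are read as E+6 man-rem, the "-" entry for TE1 in Table 4.1 is taken as zero, and the dictionary and function names are illustrative.

```python
"""Cross-check of Table 4.3 from Tables 4.1 and 4.2 (added example)."""

PLANT_LIFE_YEARS = 25

# Table 4.1: ATWS contribution to core melt, per year, by plant damage state.
FREQ = {
    "credit_43gpm":    {"TE2": 4.5e-6, "TE1": 4.2e-7, "TL2": 3.9e-6},
    "no_credit_43gpm": {"TE2": 8.9e-6, "TE1": 0.0,    "TL2": 1.4e-6},  # "-" read as 0
    "slcs_86gpm":      {"TE2": 3.0e-6, "TE1": 2.9e-7, "TL2": 4.6e-6},
}

# Table 4.2: total public dose per event, man-rem (assumed E+6, see lead-in).
DOSE = {"TE2": 5.3e6, "TE1": 1.1e6, "TL2": 5.4e6}

# Table 4.3: published change in man-rem over 25 years.
PUBLISHED = {
    "credit_43gpm":    {"TE2": -203, "TE1": -4, "TL2": 95,  "TOTAL": -112},
    "no_credit_43gpm": {"TE2": -782, "TE1": 8,  "TL2": 432, "TOTAL": -342},
}


def dose_change(base_case):
    """Change in 25-year public dose per damage state for the 86 gpm SLCS."""
    base, new = FREQ[base_case], FREQ["slcs_86gpm"]
    rows = {s: (new[s] - base[s]) * DOSE[s] * PLANT_LIFE_YEARS for s in DOSE}
    rows["TOTAL"] = sum(rows.values())
    return rows


def benefits_only(base_case):
    """Sum of the decreases alone, i.e. what is claimed if frequency moved
    out of TE2 is treated as non-core-melt instead of partly becoming TL2."""
    rows = dose_change(base_case)
    return sum(v for s, v in rows.items() if s != "TOTAL" and v < 0)


def worst_discrepancy(base_case):
    """Largest absolute gap (man-rem) between recomputed and published rows."""
    rows = dose_change(base_case)
    return max(abs(rows[s] - PUBLISHED[base_case][s]) for s in rows)


if __name__ == "__main__":
    for case in ("credit_43gpm", "no_credit_43gpm"):
        rows = dose_change(case)
        print(case, {s: round(v, 1) for s, v in rows.items()},
              "benefits-only:", round(benefits_only(case), 1),
              "max gap vs Table 4.3:", round(worst_discrepancy(case), 2))
```

The small gaps against the published base case 1 values come from the rounding of the tabulated frequencies and doses.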

4.5 Topic 2.04: "High Steam Flow Setpoint Increase"

4.5.1 Background

The existing warranty for the Main Steam Turbine requires weekly testing of each of the Turbine Stop Valves. When any one Stop Valve is tested, the steam flow rates in the other three lines increase. In order to prevent closure of the Main Steam Isolation Valves (MSIV) on these lines, which presently occurs at 120% of rated steam flow, the present procedure is to reduce core power from 100% to 90% prior to and during testing. Any time the power level of the reactor is changed there is a chance for a reactor transient resulting in a trip.

If the MSIV closure setpoint is increased from 120% to 140% of rated steam flow, core power reduction will not be required during testing and the potential for a resultant plant transient and reactor trip will be eliminated. Conversely, however, increasing the MSIV closure setpoint increases the need for detection and manual mitigative action in case of steam line breaks in the higher setpoint range where automatic action would not be present.

4.5.2 Utility Evaluation

The possible increase in the core melt frequency as a result of the change in the MSIV setpoint from 120% to 140% was evaluated by the utility by examining the frequency of initiation of steam line breaks that could result in a flow rate between 120% and 140% and human and hardware failures to mitigate the consequences of this initiator.

The frequency of initiation of the steam line break was evaluated by taking the number of steam line segments with a diameter greater than 3 inches downstream of the MSIVs, multiplying this by the frequency of pipe segment break per hour (from WASH-1400), the number of hours per year, and 0.2. The factor of 0.2 comes from the argument that in case of a double ended steam line break, the Venturis in these lines limit the flow rate to 200%. It was assumed that the break probability in the 100% to 200% range is uniform. Thus, the frequency of breaks corresponding to a flow rate from 120% to 140% is 1/5 the frequency of a double ended break. This frequency was calculated to be 7.0 x 10^-6/year.

Following this, two scenarios were postulated for core meltdown. First, if the operator fails to isolate the break but the feedwater continues to run, a late core melt with containment bypassed will occur. The second scenario consists of successful operator action followed by feedwater failure. Based on a human error probability of 1 x 10^-2 in failing to isolate the break and feedwater unavailability of 1.031 x 10^-2, an increase in core melt frequency of 7.0 x 10^-8/year was calculated. This results in an increase in public risk by 15 man-rem.

4.5.3 Review of the Utility Evaluation

There are two areas in the analysis of this issue where the utility's evaluation is either incorrect or questionable. The first one is the use of an incorrect hourly failure probability of the pipe segments in calculation of the initiating event. The hourly pipe segment failure probability of 1 x 10^-10/hr taken from Table III of WASH-1400 (4) is a median value with an error factor of 30. This implies that the mean value for this failure rate, which is the value that should have been used in this analysis, is about 8.5 times larger than the median value.

The second area is the assumption that the frequency of breaks corresponding to a flow rate from 120% to 140% is 1/5 the frequency of a double ended break. This implies a uniform break probability in this range. Based on the industry experience so far it has been shown that the frequency of pipe breaks increases as the size of the pipe decreases. This fact is reflected in the frequency of initiating different size LOCAs used in PRAs for various plants. Thus, the frequency of break sizes corresponding to 120% to 140% flow rate would be expected to be higher than 20% of the frequency of the double ended pipe break.

Correcting the hourly failure rate of the pipe segments mentioned above results in an increase in the core melt frequency of 6.0 x 10^-7/year instead of 7.0 x 10^-8/year. This translates to an increase in public risk by 127 man-rem instead of 15 man-rem.

With respect to the second area, namely the frequency of break sizes corresponding to 120% to 140% flow rates, there are no specific data on the possible shape of the distribution. If, based on the earlier argument about higher probability of smaller size breaks, one arbitrarily assumes that the frequency of breaks in this range is larger than the uniform distribution by a factor of 2, the increase in public risk would become about 254 man-rem.
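The median-to-mean correction and the break-size sensitivity in this review can be reproduced as follows. This is an added example, not part of the original report; it assumes the WASH-1400 error factor is the ratio of the 95th percentile to the median of a lognormal distribution, and the 40-segment count is a constructed value chosen only to reproduce the utility's 7.0 x 10^-6/year initiator frequency (the report does not state the segment count).

```python
"""Lognormal median-to-mean correction for the MSIV setpoint review (added example)."""
import math

Z_95 = 1.645              # standard normal 95th percentile
HOURS_PER_YEAR = 8760

# Values reported in the utility evaluation (section 4.5.2).
MEDIAN_PIPE_RATE_PER_HR = 1e-10
ERROR_FACTOR = 30.0
UTILITY_CORE_MELT_PER_YR = 7.0e-8
UTILITY_MAN_REM = 15.0


def mean_over_median(error_factor, z=Z_95):
    """Ratio mean/median of a lognormal with error factor = 95th pct / median.

    sigma = ln(EF) / z, and mean = median * exp(sigma^2 / 2).
    """
    if error_factor < 1.0:
        raise ValueError("error factor must be >= 1")
    sigma = math.log(error_factor) / z
    return math.exp(0.5 * sigma ** 2)


def band_fraction(lo_pct, hi_pct, min_pct=100.0, max_pct=200.0):
    """Share of breaks with flow in [lo, hi] if break flow is uniform on [min, max]."""
    if not min_pct <= lo_pct < hi_pct <= max_pct:
        raise ValueError("band must lie inside the break flow range")
    return (hi_pct - lo_pct) / (max_pct - min_pct)


def initiator_frequency(n_segments, rate_per_hr, fraction):
    """Steam line break frequency per year in the flow band of interest."""
    return n_segments * rate_per_hr * HOURS_PER_YEAR * fraction


def review_msiv_setpoint(error_factor=ERROR_FACTOR, shape_factor=1.0):
    """Rescale the utility results, which are linear in the pipe failure rate.

    shape_factor > 1 models more breaks in the 120-140% band than the
    uniform assumption gives (the review uses an arbitrary factor of 2).
    """
    scale = mean_over_median(error_factor) * shape_factor
    return {
        "mean_over_median": mean_over_median(error_factor),
        "core_melt_per_yr": UTILITY_CORE_MELT_PER_YR * scale,
        "man_rem": UTILITY_MAN_REM * scale,
    }


if __name__ == "__main__":
    n_segments = 40  # constructed value, see lead-in
    print("utility initiator /yr:",
          initiator_frequency(n_segments, MEDIAN_PIPE_RATE_PER_HR,
                              band_fraction(120, 140)))
    print("mean rate, uniform band:", review_msiv_setpoint())
    print("mean rate, band x2:", review_msiv_setpoint(shape_factor=2.0))
```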

4.5.4 Conclusions

In reviewing the utility's evaluation of this topic, there are two areas where the treatment of the issues did not seem to be correct. The first area is the use of the median value for the hourly failure rate of pipe segments in calculation of the steam line break frequency. Correction of this value results in an increase in core melt frequency of 6 x 10^-7/year instead of 8 x 10^-8/year as a result of MSIV setpoint increase. This corresponds to an increase in public risk of 127 man-rem instead of 15 man-rem as calculated by the utility.

The second area is the assumption that the break frequency corresponding to 120% to 140% flow rate is 1/5 of the frequency of double ended pipe breaks. It was argued that based on available experience this break frequency should be higher than the 1/5 value. If this value is arbitrarily higher by a factor of 2 the increase in public risk would be about 254 man-rem.

4.6 Topic 2.06: "Main Condenser Retube"

4.6.1 Background

In 1982 Millstone Unit 1 was shut down as a result of a seawater intrusion into the primary coolant. The cause of the event was a failure of the main condenser tubing, allowing leakage from the circulating water system into the primary coolant. (The shutdown was manually initiated on high feedwater conductivity which also requires the isolation of main feedwater through the closure of the MSIVs.) Northeast Utilities is concerned that continued degradation of the main condenser tubing will result in another such incident in the near future. Additionally, the degradation of the tubing has an operational and economic impact in that periodic plugging of tubes and on-line sawdusting in the water boxes are necessary.

4.6.2 Utility Evaluation

To evaluate the safety impact of this issue the utility re-evaluated the accident sequences initiated by reactor transients, which include the loss of main condenser transients. The frequency of the loss of main condenser transient initiators was increased from 0.435/yr (the base case used in the PSS) to 0.568/yr to account for the main condenser tubing failure initiated events. This increase of 0.13/yr was based on two events in fifteen years. The first event was the one that occurred in 1982, the second was the event expected in the "near" future. The analysis assumes that this increase of 0.13 events/yr is the benefit that can be gained, i.e., the initiators that can be avoided, by retubing with titanium tubes.

This increase in initiator frequency was calculated to increase the core-melt frequency from 8.07E-4/yr to 8.13E-4/yr, an increase of 6E-6/yr. The increase in the core-melt frequency was the result of the increase in four plant damage state frequencies. The four damage states and the increase in their frequencies are listed below. (The damage state classifications are explained in Section 2.2.2 of the Millstone 1 PSS.)

TE1    2E-6/yr
TE2    3E-7/yr
TI1    1E-6/yr
TL2    3.3E-6/yr

Using their consequence model Northeast Utilities calculated a public dose aversion of 506.25 man-rem as the benefit from retubing the Millstone Unit 1 main condenser.

4.6.3 Review of Utility Evaluation

In their analysis, Northeast Utilities has assumed that a second seawater intrusion event will occur during the next fuel cycle. This is based on arguments that the condenser tubing is thinning and the failure probability for many tubes should be approaching unity. This argument is conservative and makes the utility analysis a worst case, bounding analysis.

A review of the dominant accident sequences in the Millstone Unit 1 PSS reveals that there are four sequences initiated by reactor transients (which include the loss of the main condenser). These sequences, the associated plant damage states, and the core melt frequency as calculated in the PSS are presented in Table 4.4. The core-melt frequency includes a contribution from the one seawater intrusion event that occurred in 1982. Replacement of the main condenser tubing with titanium tubing is supposed to eliminate this type of initiating event.

The utility assumption of two main condenser failures due to tube failures results in an initiator frequency of 0.13/yr (2 failures in 15 years). Using only the observed data, that is the one event in 15 years, the frequency of main condenser failure due to tube failures is 0.067/yr. Accident sequences initiated by these events are the sequences that can be eliminated if the main condenser is retubed. In Table 4.4 the core-melt frequency for main condenser tube failure initiated accident sequences is provided for both of the above initiator frequencies. Also provided is the impact on public risk calculated using the utility's consequence model.

The impact we calculated from the dominant sequences using the utility-suggested main condenser tube failure frequency of 0.13/yr is slightly less than that calculated by the utility. The apparent discrepancy is the result of the utility's ability to reassess all accident sequences while this review is limited to the dominant accident sequences.

Table 4.4 Main Condenser Retube -- Impact Assessment

Initiator: Main Condenser Tube Failure

                            PSS            Frequency = .13/Yr          Frequency = .067/Yr
               Plant        Core Melt      Core Melt     Public        Core Melt     Public
               Damage       Frequency      Frequency     Risk          Frequency     Risk
PSS Sequence   State        (/Yr)          (/Yr)         (Man-Rem)     (/Yr)         (Man-Rem)

Sequence 4     TE1          3.5 E-5        3.3 E-7       12            1.7 E-7       6
Sequence 5     TE1          1.4 E-6        8.5 E-7       32            4.3 E-7       16
Sequence 11    TI1          3.2 E-5        7.8 E-7       29            3.9 E-7       15
Sequence 16    TL2          4.5 E-5        3.0 E-6       338           1.5 E-7       169
ATWS           TE2                         3.0 E-7*      23            1.5 E-7       12
TOTAL                                                    434                         218

* Taken from Northeast Utilities analysis

4.6.4 Conclusion

The utility has performed what appears to be a bounding calculation on the impact of retubing the main condenser. The 506 man-rem reduction is the maximum public safety benefit that could be achieved through this plant modification, provided the new titanium tubing does indeed eliminate the problem. The minimum benefit from this plant modification is in excess of 200 man-rem.

4.7 Topic 2.07: "Sodium Hypochlorite System"

4.7.1 Background

Certain plant equipment cooling systems at Millstone Unit 1 use seawater as a cooling source, and inherently have problems with biofouling growth. The plant presently uses a chlorine gas injection system to control this problem. The chlorine gas for this injection system is located on-site and stored in a 55 ton pressurized railroad tank car. The safety issue is that, under circumstances where a massive amount of chlorine gas is released to the surroundings, the consequences to plant personnel and the public residing near the site could be significant. Due to this potential impact on plant and public safety, the utility is considering replacing the chlorine gas injection system with a sodium hypochlorite system.

4.7.2 Utility Evaluation

In the assessment of the impact on public safety caused by a release of the stored chlorine gas, the utility has considered two types of impact scenarios: (a) release of chlorine gas impacting the operation of the plant, which could induce a core-melt accident, and (b) release of chlorine gas which directly affects the public residing near the plant. For each impact scenario, two release categories were considered: (1) a massive release of chlorine gas caused by a catastrophic failure of the railroad tank car, and (2) an intermediate continuous release of chlorine resulting from premature opening of the pressure relief valve located on the tank car.

Of the two impact scenarios indicated above, the results of analysis show that the first scenario, i.e., chlorine gas release leading to a core-melt accident, does not have a significant impact on plant or public safety. As described in the utility's analysis, the core melt frequency of this accident, $\lambda_{T.CR}$, is the product of the chlorine release probability ($\lambda_{CR}$) and the subsequent failure of the feedwater system, isolation condenser and isolation condenser makeup system, i.e., $\lambda_{T.CR} = \lambda_{CR} \cdot Q_{FW.IC.ICMUP}$. The postulated accident frequency is then linearly dependent on $\lambda_{CR}$, given $Q_{FW.IC.ICMUP} = 5.1 \times 10^{-4}$. In the worst-case impact scenario considered by the utility (an intermediate continuous release of chlorine gas), the chlorine release frequency, $\lambda_{CR}$, is estimated at 1.8 x 10^-3/yr. Thus, the contribution to core melt frequency is:

$$\lambda_{T.CR} = (5.1 \times 10^{-4})(1.8 \times 10^{-3}/\text{yr}) = 9.2 \times 10^{-7}/\text{yr}$$

For the catastrophic release of chlorine gas, $\lambda_{CR}$ is estimated at 1.5 x 10^-5/yr, resulting in a 7.7 x 10^-9/yr contribution to the total core melt frequency. Therefore, as shown above, the contribution to the core melt frequency from this accident is negligible.

For the second scenario, namely the effect of a release of chlorine gas on the public residing near the plant, the utility's analysis shows the possibility of a significant threat to the public health and safety. The assessment results indicate that the consequences calculated for the postulated accident scenarios, in terms of equivalent radiation exposure term, are as follows:

- 475 man-rems for a massive release of chlorine gas
- 1.13 x 10^4 man-rems for an intermediate continuous release of chlorine gas due to premature opening of the pressure relief valve

As a result, the estimated public safety impact of removing this potential risk is ranked 10+ on the scale of 10.

4.7.3 Review of the Utility Evaluation

The analysis performed by the utility appears to follow the methodology suggested in Regulatory Guides 1.78 and 1.95 for calculating the concentration of chlorine gas following an instantaneous (puff) release accident. The affected off-site population count was corrected for average prevailing meteorological condition and average population density. The conversion from a severe health effect experienced by the off-site population to an equivalent radiation induced latent cancer is reasonable, and would provide a basis for comparing the impact caused by a non-nuclear health impact issue to other nuclear-related safety issues.

While the chosen methodology for the analysis is generally acceptable, there still remain a number of concerns with regard to the parameters considered in the release model. Firstly, as assumed in the topical report, the puff release of chlorine gas is estimated at 25% of the content of the tank car. Assuming that an adiabatic flashing of the chlorine content is applicable in this case, then in order to reach a 25% flashing, the average temperature must be around 110°F. A more reasonable temperature average would be 70°F, and accordingly, the flashing amount would be 17.5% of the tank car content.

Secondly, for the intermediate release of chlorine gas accident, no exact assessment of the risk to public safety is provided. It is assumed that because the concentration of the released gas in this case is 1/4 of that of the catastrophic release, the risk is then approximately 1/4 of the risk caused by the latter one. This assumption is somewhat questionable since the impact on public safety does not vary linearly with the concentration of the released gas. It is preferred to have the risk assessed based on the concentration calculated at various locations downwind from the release source and the quantity of the gas released. It is assumed that this process was used to estimate the risk caused by the catastrophic release scenario, and if this is so, then the same process is expected to be used in the assessment of the risk caused by the intermediate continuous release accident.

Thirdly, our evaluation indicates that the failure rate for premature opening of a pressure relief valve presented in the report (2 x 10^-7/hr or 1.8 x 10^-3/yr) is questionable. According to the information provided by the Chlorine Institute (New York), there has been no incident of chlorine gas release involving premature opening of a pressure relief valve on railroad tank cars in ten years. The database includes data gathered during 1971 - 1975 and 1980 - 1984, with an average of 8500 railroad tank cars in service per year. Using a zero-failure probability approximation method, the upper bound of the failure frequency for premature opening of tank car pressure relief valve can be estimated at a 50% confidence level as follows:

N = 0 failures
T = 10 years
M = number of components in service per year (8500)
λ = mean failure rate
T_s = total service time = M·T = 8.5 x 10^4 component-yr

$$\lambda = \frac{N+1}{T_s} = \frac{1}{8.5 \times 10^{4}\ \text{component-yr}} = 1.2 \times 10^{-5}/\text{yr}$$

$$f = 2(N+1) = 2\ \text{degrees of freedom}$$

$$\chi^2_{50\%}(f = 2) = 1.386$$

$$\lambda_{50\%} = \lambda \cdot \frac{\chi^2_{50\%}}{2} = \frac{(1.2 \times 10^{-5}/\text{yr})(1.386)}{2} = 8.2 \times 10^{-6}/\text{yr}$$

Thus, the potential impact to the off-site population due to the intermediate continuous chlorine release, in terms of equivalent exposure dosage, calculated using this revised relief valve failure rate would be:

$$(1 \times 10^{4}\ \text{man-rems/latent cancer})(25\ \text{equivalent latent cancers})(25\ \text{yr})(8.2 \times 10^{-6}/\text{yr}) = 51.25\ \text{man-rems}$$

Finally, it appears that the utility does not consider the possibility of evacuation of the affected off-site population in the analysis. From additional information provided by the utility, it is indicated that the reason for not including evacuation scenarios in the analysis is that there is little time for organizing an evacuation, and the affected population will be overcome by the gas before any rescue operation can be effected. Although it is reasonable to assume a worst-case accident, the analysis should also consider other important conditions that could influence the movement of the plume. These conditions include the type of terrain on the plume path, the average wind speed and the existence of monitoring devices for early warning. For example, if the terrain is vegetated, the plume movement will be much slower than on flat surfaces, and the concentration of the plume will be reduced considerably due to reaction with the vegetation. Thus, by adding these additional parameters to the analysis, it is possible that an evacuation of off-site population can be effected.
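The zero-failure bound on the relief valve failure rate derived earlier in this section, generalized to any failure count and confidence level, as an added example that is not part of the original report. It solves the Poisson relation that underlies the chi-square table value and then reruns the report's equivalent-dose product; function and constant names are assumptions of the example, and the 95% case is an extension the report does not compute.

```python
import math


def poisson_cdf(n, mu):
    """P(X <= n) for X ~ Poisson(mu), summed term by term."""
    term = math.exp(-mu)
    total = term
    for k in range(1, n + 1):
        term *= mu / k
        total += term
    return total


def upper_bound_events(failures, confidence):
    """Expected event count mu_U with P(X <= failures | mu_U) = 1 - confidence.

    2 * mu_U is the chi-square quantile with 2*(failures+1) degrees of
    freedom that the report reads from a table (1.386 for 0 failures at 50%).
    """
    if failures < 0 or not 0.0 < confidence < 1.0:
        raise ValueError("need failures >= 0 and 0 < confidence < 1")
    target = 1.0 - confidence
    lo, hi = 0.0, 1.0
    while poisson_cdf(failures, hi) > target:  # widen until the root is bracketed
        hi *= 2.0
    for _ in range(100):  # bisection: the CDF decreases as mu increases
        mid = 0.5 * (lo + hi)
        if poisson_cdf(failures, mid) > target:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def upper_bound_rate(failures, service_time, confidence):
    """One-sided upper confidence bound on a constant failure rate."""
    if service_time <= 0:
        raise ValueError("service_time must be positive")
    return upper_bound_events(failures, confidence) / service_time


# Figures quoted in the report.
TANK_CARS_IN_SERVICE = 8500       # average per year
OBSERVATION_YEARS = 10            # 1971-1975 and 1980-1984
UTILITY_RATE_PER_YR = 1.8e-3      # utility's relief valve failure rate
MAN_REM_PER_LATENT_CANCER = 1e4
EQUIVALENT_LATENT_CANCERS = 25
EXPOSURE_YEARS = 25


def equivalent_dose(rate_per_yr):
    """Equivalent public exposure (man-rem) for a given release frequency."""
    return (MAN_REM_PER_LATENT_CANCER * EQUIVALENT_LATENT_CANCERS
            * EXPOSURE_YEARS * rate_per_yr)


def compare_rates():
    """Rate and equivalent dose for the utility value and two zero-failure bounds."""
    service_time = TANK_CARS_IN_SERVICE * OBSERVATION_YEARS
    cases = [
        ("utility value", UTILITY_RATE_PER_YR),
        ("0 failures, 50% bound", upper_bound_rate(0, service_time, 0.50)),
        ("0 failures, 95% bound", upper_bound_rate(0, service_time, 0.95)),
    ]
    return [(label, rate, equivalent_dose(rate)) for label, rate in cases]


if __name__ == "__main__":
    for label, rate, dose in compare_rates():
        print(f"{label:24s} {rate:.3e}/yr  {dose:10.1f} man-rem")
```

The unrounded 50% bound gives about 51 man-rem; the report's 51.25 comes from carrying the rounded 8.2 x 10^-6/yr through the product.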


4.7.4 Conclusions

Based on our evaluation of the utility's analysis on this safety issue, it appears that the chosen methodology is acceptable. However, there remain a number of concerns with regard to the data on the failure rate of premature opening of relief valve, the possibility of evacuation, and the assessment of risk to the off-site public following an intermediate continuous release of chlorine gas. At best, the utility's results are illustrations of worst case scenarios coupled with doubtful component reliability data. In particular, the estimated 1.13 x 10^4 man-rems in terms of equivalent public exposure resulting from an intermediate continuous release of chlorine gas appears to be questionable. Our evaluation indicates a 51 man-rems equivalent exposure dose to the public for the same accident, based on a failure rate of 8.2 x 10^-6/yr instead of 1.8 x 10^-3/yr for premature opening of tank car pressure relief valve. As a result, the reduction in public exposure by replacing the existing chlorine gas only amounts to 526 man-rems or an equivalent ranking of 1.3 on a scale of 10.

4.8 Topic 2.08: "Extraction Steam Piping Replacement"

4.8.1 Background

The nuclear industry has noted a number of cases of severe erosion and failures of extraction steam piping. These failures result in a plant trip with potential loss of coolant outside containment. Further, breaks of this type pose a serious occupational hazard to operating and maintenance personnel who could be working in the area of this piping. Inspections performed at Millstone 1 have shown that significant erosion degradation exists in some of this piping. The purpose of this issue is to evaluate the effectiveness of replacing this piping in the near term with new, more erosion resistant piping and associated hardware.

4.8.2 Utility Evaluation

Failure of this piping has the potential to result in two different initiating events. The first is a steam break outside containment (a form of interfacing systems LOCA). In order for this to occur, both the MSIVs and the turbine stop valves would have to fail to isolate following the extraction steam pipe break. The utility concluded that this is not very likely to occur and that this would have a negligible effect on risk. The second initiator is a loss of PCS (MSIV closure), which is what would occur if the above mentioned valves successfully isolated the RPV following the pipe break. If the piping is not replaced, it was assumed that the potential for a break would increase the overall frequency of this initiator, which presently has a frequency of 0.435/yr.

In order to estimate the amount of increase, the utility calculated the rate of erosion in the extraction piping. It was determined that if the piping was not replaced in the next refueling cycle but field repairs were performed on piping where leaks are observed, wall thickness in most unrepaired welds would approach 0% by the end of the cycle. It was assumed that one pipe failure would occur in each 24-month refueling cycle until the piping was replaced (which would occur within 10 years in any case). This raised the loss of PCS frequency by 0.5/year over that time frame, to a total of 0.935/year. The change in risk was calculated over that 10-year period by using Method A of the utility's prioritization procedure. The plant damage state frequencies were easily recalculated by substituting the higher loss of PCS frequency in the computer model and generating new numbers. The results by plant damage state are shown in Table 4.5, and this equates to a risk reduction of 709 man-rem. The issue was therefore given a score of 1.75 out of 10.

4.8.3 Review of the Utility Evaluation

The evaluation of this issue appears generally reasonable. The conclusion that the likelihood of a failure of both the MSIVs and the turbine stop valves is very small is supported by the Millstone 1 IREP study. That study came to a similar conclusion when considering the potential for unisolated steam breaks outside the containment. Thus, we agree that the total benefit of replacing the extraction steam piping is in preventing an increase in the frequency of loss of PCS transients.

The analysis performed is very straightforward once the frequency of extraction steam pipe break is determined. Thus, we feel that the only question at issue is the determination of that frequency. If indeed the welds are in as bad shape as is presented by the utility, and we have no reason to believe that they are not, then the assumption that a pipe break will occur during the next refueling cycle is clearly reasonable. It is even conceivable that a larger number of breaks may occur if none of them is massive, that is, if they cause trip but do not cause substantial damage which might force the utility into some immediate replacements. On the other hand, a very massive break in the next cycle might result in action to immediately replace all the piping, thus reducing the 10-year (5-cycle) exposure time used in the calculation. All in all, we feel the number used by the utility is not unreasonable for a prioritization analysis. However, it is important to note that the results are directly proportionate to the exposure time and the number of breaks per cycle. For example, the benefit of replacing the piping now versus ten years from now might be about 700 man-rem, but the benefit of replacing them now versus waiting one extra refueling cycle (two years) is only one-fifth of that. Similarly, if it is likely that the degradation is so bad that field maintenance cannot prevent two breaks from occurring during each cycle, the benefit would be twice that value.

The only other review comment is like that of the other issues where, for reasons of comparison, we have recalculated the risk using public dose numbers from NUREG-0933 (11). Table 4.5 shows the utility's analysis of impact of not replacing the extraction steam piping at Millstone Unit 1. Table 4.6 gives the public dose for each plant damage state using split fractions from the Millstone 1 IREP (1). Table 4.7 presents the dose reductions using the public dose from Table 4.6 and the change in plant damage state frequency from the utility analysis shown in Table 4.5.

4.8.4 Conclusion

As can be seen from Table 4.7, the risk reduction from replacement of the extraction steam piping is estimated to be about 800 man-rem over the life of the plant. Further, the reduction in large-scale core melt frequency is about 2E-5/year. Using the priority ranking risk thresholds from NUREG-0933, this issue would be ranked as having a high priority.

Table 4.5 Impact of Not Replacing the Extraction Steam Piping at Millstone Unit 1

                                 Base Case       Without Extraction Steam
                                 (As-Is)         Piping Replacement

M.S.I.V. Closure Frequency       0.435/Yr        0.935/Yr

Plant Damage State Frequencies
  TE1                            2.57 x 10^-4    2.62 x 10^-4
  TE2                            1.41 x 10^-5    1.53 x 10^-5
  TI1                            2.26 x 10^-4    2.30 x 10^-4
  TL2                            8.25 x 10^-5    9.49 x 10^-5

4.9 Topic 2.30: "MSIV Closure Test Frequency"

4.9.1 Background

Once per month, the utility is required to test the operation of MSIV limit switches by closing each of the MSIVs 10% and verifying that limit switch contacts close. These limit switches are part of the reactor protection system and provide an anticipatory trip of the reactor if the MSIVs close prior to the occurrence of conditions which will cause the trip on high flux or high pressure. The utility has become concerned that these tests might be increasing risk by increasing the frequency of loss of PCS initiating events since on two occasions during this testing a valve has overtravelled, resulting in a steam line isolation signal and closure of all MSIVs. The purpose of this issue is to determine if there is any benefit to reducing the frequency of this testing to quarterly, in conjunction with the 60% power full MSIV closure time test.

4.9.2 Utility Evaluation

The utility identified three potential effects of the reduced testing. First, by not testing the limit switches as often, the failure probability of the switches could increase. This effect was rejected on the basis that the RPS had sufficient backup trip functions such that any increase in switch unreliability would have no effect on overall RPS reliability. Second, the failure probability of the MSIVs could increase. This was rejected on the basis that the 10% closure test did not utilize the same parts of the valve actuator that were used for MSIV fast closure (isolation) and that the valve was only partially closed, which did not demonstrate its isolation function. Third, eliminating testing at 100% power would reduce the frequency of loss of PCS transients. The historical frequency of loss of PCS transients was recalculated excluding the two trips which occurred during testing, and it was determined that the reduced testing would yield a reduction in loss of PCS transient frequency from 0.435/year to 0.27/year.

This issue was evaluated using Method A of the utility's prioritization procedure. The analysis consisted of substituting the new frequency for the base case frequency and requantifying the models. This resulted in a reduction in total core-melt frequency of 8E-6/year. About half of this was in plant damage states TE1 and TI1 while the other half of this was in damage state TL2. This corresponds to a risk reduction of 600 man-rem over the life of the plant and a prioritization score of 1.5 out of 10.

Table 4.6 Public Dose By Plant Damage State From NUREG-0933

Plant Damage    Release Category Split Fractions    Total
State           (Categories 1 2 3 4)                Man-Rem

TE1             1E-4  .1  .9                        1.1E+6
TE2             1E-4  .1  .9                        5.3E+6
TI1             1E-4  .1  .9                        1.1E+6
TL2             .01   .1  .9                        5.4E+6

Table 4.7 Change in Public Dose from Replacement of Extraction Steam Piping

Plant Damage    Frequency       Man-Rem      Man-Rem
State           (Per Year)      Per Year     Plant Lifetime*

TE1             -5E-6           -6           -55
TE2             -1.2E-6         -6           -64
TI1             -4E-6           -4           -44
TL2             -1.24E-5        -67          -670
TOTAL           -2.26E-5        -83          -833

* 10 Year Exposure Time

4.9.3 Review of the Utility Evaluation

Each of the three potential effects of reduced testing and the utility resolution of them was considered in the review. That the reduced testing would not affect the reliability of the RPS was easily verified. First, the RPS unavailability at Millstone is completely dominated by mechanical failure, especially considering that the plant has an alternate rod insertion (ARI) system. Thus a slight change in the reliability of the electrical portion of the system would not be expected to affect the overall reliability. Further, a review of the detailed RPS analysis in the Millstone 1 IREP study (1) showed that, even without ARI, the total elimination of this trip function would not affect the reliability of the electrical portion of the RPS. Thus, the utility assumption that sufficient backup to this trip signal exists is borne out by the review.

The assumption that reduced testing of the valves will not reduce the reliability of the valves is somewhat more questionable. While we agree that many of the potential valve failure modes are not tested during the monthly test, it does demonstrate that the valve disk and stem are not binding. Thus, reduced testing could lead to increased occurrence of this failure mode. However, even if the overall failure rate of the valves was tripled (as the test interval would be) we doubt that there would be a significant increase in failures to isolate. This is because with two MSIVs in each line and the backup isolation provided by the turbine stop valves, the isolation function is very reliable. Both the PSS and the Millstone 1 IREP study concluded that failure to isolate was a negligible contributor to risk, and it would take a vast increase in the failure probability to make it anything other than negligible.

Finally, the recalculation of the loss of PCS frequency by eliminating the two events which occurred during the 10% closure testing is intuitively reasonable.

We do, however, have a problem with the results. While we do not question the reduction noted in the plant damage states presented, we question the absence of plant damage state TE2, which results only from ATWS events. The reduction of loss of PCS frequency would be expected to reduce this damage state also, since these initiators are a significant contributor to risk from ATWS. In order to estimate this additional effect, the modified loss of PCS ATWS analysis presented in Section 3.3 was utilized.

The loss of PCS ATWS tree was requantified by replacing the baseline initiating event frequency (0.435) with the new value (0.27). This resulted in a reduction in the frequency of damage state TE2 of 7E-7. The other damage states on this tree were not considered since they are dominated by non-ATWS events which are already included in the utility evaluation.

The risk reduction was recalculated by plant damage state and is presented in Table 4.8. The public dose numbers used were from NUREG-0933, as discussed for Topic 1.18 and presented in Table 4.2 in the section on that issue.

4.9.4 Conclusion

As can be seen from Table 4.8, the risk reduction from elimination of monthly MSIV testing is estimated to be about 700 man-rem over the life of the plant. Further, the reduction in large-scale core-melt frequency is about 9E-6/year. Using the priority ranking risk thresholds from NUREG-0933, this issue would be initially ranked as having a medium priority. However, since the cost of this change is negligible, the number of man-rem per million dollars value/impact ratio would be extremely high (well in excess of 3000). According to the criteria used in NUREG-0933, this would change the priority of this issue to high.
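The dose-reduction arithmetic behind Tables 4.7 and 4.8 (frequency change times public dose per plant damage state times exposure time), as an added cross-check that is not part of the original report. Values are transcribed from Tables 4.5 to 4.8; function names are assumptions of the example, and it assumes the Table 4.2 doses used for Table 4.8 equal those printed in Table 4.6.

```python
# Table 4.5: plant damage state frequency per year,
# (base case, without extraction steam piping replacement).
TABLE_4_5 = {
    "TE1": (2.57e-4, 2.62e-4),
    "TE2": (1.41e-5, 1.53e-5),
    "TI1": (2.26e-4, 2.30e-4),
    "TL2": (8.25e-5, 9.49e-5),
}

# Table 4.6: total public dose (man-rem) per plant damage state.
TABLE_4_6_DOSE = {"TE1": 1.1e6, "TE2": 5.3e6, "TI1": 1.1e6, "TL2": 5.4e6}

# Table 4.7: printed plant-lifetime man-rem reductions (10-year exposure).
TABLE_4_7_LIFETIME = {"TE1": 55, "TE2": 64, "TI1": 44, "TL2": 670}

# Table 4.8: (frequency reduction per year, printed lifetime man-rem, 25 years).
TABLE_4_8 = {
    "TE1 and TI1": (4e-6, 110),
    "TL2": (4e-6, 540),
    "TE2": (7e-7, 93),
}


def dose_for(row):
    """Dose for a table row; the combined row uses the shared TE1/TI1 value."""
    return TABLE_4_6_DOSE[row.split()[0]]


def lifetime_dose(delta_freq, row, years, breaks_per_cycle=1.0):
    """Man-rem avoided: frequency change x dose per event x exposure time.

    breaks_per_cycle scales the frequency change linearly, which is the
    proportionality the review states for the piping issue.
    """
    return delta_freq * breaks_per_cycle * dose_for(row) * years


def piping_rows(years=10, breaks_per_cycle=1.0):
    """Recompute the Table 4.7 lifetime column from Tables 4.5 and 4.6."""
    return {
        state: lifetime_dose(after - base, state, years, breaks_per_cycle)
        for state, (base, after) in TABLE_4_5.items()
    }


def msiv_rows(years=25):
    """Recompute the Table 4.8 lifetime column from its frequency changes."""
    return {row: lifetime_dose(df, row, years) for row, (df, _) in TABLE_4_8.items()}


def mismatches(computed, printed, tol=0.5):
    """Rows whose recomputed value differs from the printed one beyond rounding."""
    return {
        row: (computed[row], printed[row])
        for row in printed
        if abs(computed[row] - printed[row]) > tol
    }


if __name__ == "__main__":
    piping = piping_rows()
    msiv = msiv_rows()
    print("Table 4.7 recomputed:", {k: round(v, 1) for k, v in piping.items()})
    print("Table 4.7 mismatches:", mismatches(piping, TABLE_4_7_LIFETIME))
    print("Table 4.8 recomputed:", {k: round(v, 1) for k, v in msiv.items()})
    print("Table 4.8 mismatches:",
          mismatches(msiv, {r: p for r, (_, p) in TABLE_4_8.items()}))
    print("Piping, one extra cycle (2 yr):", round(sum(piping_rows(years=2).values())))
    print("Piping, two breaks per cycle:",
          round(sum(piping_rows(breaks_per_cycle=2).values())))
```

The printed totals (833 and 743) are sums of the rounded rows, so the unrounded sums land within one man-rem of them.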

4.10 Brief Discussion of the Remaining Topics

In this section a brief discussion on the rest of the topics will be presented. These are the topics that were received too late for a detailed analysis. These topics will be reviewed in detail for the final report.

Table 4.8 Change in Public Dose from the Elimination of Monthly MSIV Testing

Plant Damage    Chg Frequency    Chg Man-Rem    Chg Man-Rem
State           (Per Year)       Per Year       Plant Lifetime*

TE1 and TI1     -4E-6            -4             -110
TL2             -4E-6            -22            -540
TE2             -7E-7            -4             -93
TOTAL           -8.7E-6          -30            -743

* 25 Years


4.10.1 Topic 1.01: "Gas Turbine Generator Start logic Modifications"
       Topic 1.24: "Emergency Power"

The NRC has had continuing concern over the reliability of emergency power sources. A number of internal studies as well as virtually all PRAs have indicated that loss of off-site power is a major contributor to core melt. The Millstone Unit 1 ISAP study found that 30% of the core melt frequency was due to this initiator, with over one-third of that due to failure of the gas turbine generator. The purpose of this combined issue is to evaluate the possible improvement of gas turbine reliability by making modifications in two particular areas: bypassing non-essential protective trips during emergency operation and improving the gas turbine preventative maintenance program.

This issue was evaluated using Method A of the utility's prioritization procedure. For each of the areas mentioned above, a number of modifications was suggested. The effect of the modifications was evaluated by reviewing the operating history of the gas turbine, in particular the failures it has experienced, and determining if the implementation of the modifications would eliminate any future occurrences of previously observed failures. The failure probability of the gas turbine was then recalculated with the "eliminated" failures removed from the data base. The sequences were then requantified using the new failure probability. The sum total reduction in risk from all the suggested modifications was 375 man-rem over the life of the plant, a prioritization score of 1 out of 10.

The analysis performed for this issue is straightforward and methodologically sound. Thus, the detailed review of this issue to be performed will concentrate on two specific areas. First, are the suggested modifications reasonable and inclusive? Second, was the determination of the number and type of "eliminated" failures also reasonable? This will be done by reviewing in detail the historical data on Millstone Unit 1 gas turbine failures which is contained in the utility's response, dated February 4, 1985, to the NRC's Generic Letter 84-15, "Proposed Staff Actions to Improve and Maintain Diesel Generator Reliability."


4.10.2 Topic 1.04: "RWCU System Pressure Interlock"

The reactor water cleanup system at Millstone Unit 1 is used to remove impurities from reactor coolant during all modes of operation. It interfaces directly with the RCS, but parts of the system are designed to operate at pressures much lower than normal RCS operating pressure. Pressure in these parts of the system is regulated by an air operated control valve which is backed up by a pair of isolation valves which are designed to close if the regulating valve fails to perform its function. A single pressure interlock also exists. The purpose of this issue is to evaluate the possible reduction in risk associated with putting in a second pressure interlock.

This issue was evaluated using Method A of the utility's prioritization procedure. Two possible events were analyzed. The RWCU has a relief valve back to the torus in addition to the features previously discussed. If the regulating valve fails and the isolation valves fail to close, a LOCA will occur. If in turn this relief valve opens, flow will be directed to the torus, and this event will be like a standard small LOCA. If the relief valve does not open or is in some way bypassed, an interfacing systems LOCA will occur, resulting in a core melt due to loss of reactor coolant outside of the containment. The frequency of these two events was determined using fault trees to represent the ways in which they could occur. Two cases were considered, one pressure interlock (as is) and two pressure interlocks (modified system). These frequencies were used to requantify the frequency of interfacing LOCA and small LOCA core melt for the two cases and the difference between them. This difference yielded a potential reduction of 4 man-rem over the life of the plant.

The review of this issue will concentrate on a number of areas. First, is it reasonable under the conditions which would accompany the failure of the pressure regulating valve to take credit for the temperature interlock as a backup to the pressure interlock? Second, the utility evaluation did not consider that a second relief valve, which discharges outside the containment, exists in the system and could lead to an interfacing systems LOCA. The review will evaluate whether this could be a significant omission. Third, are the numbers used in the fault tree analysis reasonable? Finally, is the satellite model used for the requantification of the small LOCA core melt sequences (where the relief valve to the torus succeeds) correctly developed and evaluated?

4.10.3 Topic 1.06: "Seismic Qualification of Safety Related Piping"

The NRC has been very concerned about the ability of plant structures and equipment to function following an earthquake. I&E Bulletin 79-14 specifically addressed the field verification of the seismic qualification of safety related piping. Millstone Unit 1 has performed this field verification, and several piping supports were in need of modification. All of the modifications needed to qualify piping for the OBE have been completed. Many of the modifications needed to qualify piping for the SSE have also been completed. This issue addresses the reduction in public risk if the remaining modifications to qualify piping for the SSE are completed.

This topic was evaluated using Method B of the utility's prioritization procedure. The utility reviewed the results of seismic PRAs at other plants, as well as seismic experience data collected by the Seismic Qualification Utility Group (SQUG) and others. From this information, they concluded that piping generally has higher capacity than other key safety related structures and equipment and does not contribute highly to core melt risk. Seismic risk estimates have been dominated by failure of large tanks, structures, mechanical and electrical equipment, and buried piping. Using engineering judgment, a prioritization score of 0.1 out of 10 was assigned.

The detailed review of this topic will consist of a verification that the conclusions drawn about piping from the material reviewed by the utility are reasonable. Further, insights recently developed by the Expert Panel on the Quantification of Seismic Margins (15) will be included in the review. From this material, a conclusion will be drawn about whether the utility's assigned priority is (a) reasonable for all safety related piping, (b) reasonable for some safety related piping but not others (e.g., intra-building versus interbuilding), or (c) unreasonable for all safety related piping.

4.10.4 Topic 2.02: "LPCI Remotely Operated Valves 1-LP-50A and B"

The two LPCI valves 1-LP-50A and 1-LP-50B are used to drain the torus when the torus water level must be lowered to remain within acceptable limits. These valves would also be used to remove water from the torus, for cleanup purposes, in a post-accident environment. Currently these valves are manually operated and may not be accessible after an accident due to high radiation levels. The proposed project would provide remote operation of these valves, either by adding motor operators or 40 foot reach rods.

The utility did not quantitatively calculate the benefit of this modification; engineering judgment was used. Addition of remote operation for these valves does not affect the course of a transient. The benefit is derived from an ability to more efficiently clean up after an accident, which may help to limit the release to the public. The utility did identify a potential negative impact from this modification. The installation of remote operation capability may increase the probability of inadvertently opening these drain lines during a transient. However, the utility expects the effect of an inadvertent valve opening to be negligible since the amount of flow is small. Based on these considerations, the utility assigned this project a score of 0.1 out of 10 on their risk importance scale.

The utility did not attempt to quantify the benefits and negative impacts of this issue but instead chose to use engineering judgment in their assessment. The review of this issue must therefore be restricted to an examination of any possible benefits or negative impacts that may not have been included in the analysis.

4.10.5 Topic 2.31: "LPCI Lube Oil Cooler Test Frequency"

The purpose of this issue is to evaluate the benefits to be gained from modifying the monthly LPCI pump tests to include a test of the solenoid valves on the pump lube oil cooling lines. Currently, the functionality of these valves is verified only during refueling outages when the LPCI pumps are run for an extended period.

Due to the infrequent testing of these valves, the Millstone Unit 1 PSS assigned a relatively high probability for failure of these valves to open. In the alternate shutdown cooling (SDC) mode of operation a failure of either solenoid valve to open will result in a system failure. (Each valve controls the lube oil cooling flow to both pumps in one of the LPCI trains.) Therefore, failure of either of the solenoid valves is a significant contributor to alternate SDC failure and a major contributor to the dominant accident sequences.

The utility analysis showed a reduction in the valve failure probability from 2.75E-2 to 1.25E-2 when the test frequency was modified to once a month. This resulted in a reduction of the alternate SDC unavailability from 0.148 to 0.0955, a 13% reduction. Using their consequence model this results in a 5500 man-rem reduction over the remaining life of the plant.

The review of this issue would concentrate on two areas. The utility's calculations would have to be verified. More importantly, this issue is closely related to issue 2.28 "Long-term Cooling Study". That issue is addressing the low reliability of the long-term cooling systems at Millstone Unit 1. One area in particular is the lack of redundancy in the alternate SDC system. The resolution of issue 2.28 could have a significant impact on the perceived importance of this issue.


5.0 REFERENCES

1. Interim Reliability Evaluation Program: Analysis of the Millstone Unit 1 Nuclear Power Plant, NUREG/CR-3085, January 1983.
2. Millstone Unit 1 Probabilistic Safety Study, NUSCO 147, July 1985.
3. ATWS: A Reappraisal, Part 3: Frequency of Anticipated Transients, EPRI NP-2230, January 1982.
4. Reactor Safety Study, "An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants," WASH-1400 (NUREG-75/014), October 1975.
5. Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications, NUREG/CR-1278, October 1980.
6. Post Event Human Decision Errors: Operator Action Tree/Time Reliability Correlation, NUREG/CR-3010, November 1982.
7. Systematic Human Action Reliability Procedure (SHARP), EPRI NP-3583, June 1984.
8. Probabilistic Safety Analysis Procedures Guide, NUREG/CR-2815, January 1984.
9. Aldrich, D.C. et al., "Technical Guide for Siting Criteria Development," NUREG/CR-2239, SAND 81-1549, December 1982.
10. Millstone Unit 3 Probabilistic Safety Study, August 1983.
11. Strip, D.R., "Estimates of the Financial Consequences of Nuclear Power Reactor Accidents," NUREG/CR-2733, SAND 82-1110, September 1982.
12. Twisdale, L.A. and Dunn, W.L., "Probabilistic Analysis of Tornado Wind Risks," Journal of the Structural Division, ASCE, Vol. 109, No. 2, February 1983.
13. "Severe Accident Sequences Analysis Program Anticipated Transients Without Scram Simulators for Browns Ferry Nuclear Plant Unit 1," NUREG/CR-4155, EGG-2379, February 1985.
14. Emrit, R. et al., "A Prioritization of Generic Safety Issues," NUREG-0933, December 1983.
15. Budnitz, R.J. et al., "An Approach to the Quantification of Seismic Margins," NUREG/CR-4334, August 1983.