Text

Technical Evaluation Report of IPE Submittal & RAI Responses for Plant
	ML20134D515
Person / Time
Site:	Big Rock Point File:Consumers Energy icon.png
Issue date:	10/11/1996
From:	; BROOKHAVEN NATIONAL LABORATORY
To:	; NRC
Shared Package
ML20134D104	List: ML20134D100; ML20134D515;
References
	CON-FIN-W-6449 NUDOCS 9702050199
	Download: ML20134D515 (69)
	v • d • e

1 l-i TECHNICAL REPORT

{ FIN W4449 1W11M l ,

i k

i i

l TECHNICAL EVALUATION REPORT l OF THE IPE SUBMITTAL AND J

i i RAI RESPONSES FOR THE 1

I BIG ROCK POINT NUCLEAR l

POWER PLANT i

j 1

i Zoran Musicki C.C.Un l John Forester l

Department of Advanced Technology, Brookhaven National Laboratory Upton,New York 11973 3

i i

l l -

k n'

Piepend en om UA Maser mapeewy ommession i

omneafNasserAqpdemyReemmeh j

comme Ms.DE4COMOOMEDMS f

I 'saneau sons tenore

! 9702050199 970129 1 PDR ADOCK 05000155 i P PDR I _

1 l

l J

CONTENTS Page Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v

- Namanel = hire . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii

1. Intruhu haa ................................... ................... ... ......... I 1.1 Renew Process . . . . . . . . . . . . . . . . . . . . . . . . . . . ............. .. ............ I 1.2 Plant Characternatmn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I

2. Technical Renew . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ............ 7 2.1 Li- 's IPE Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 2.1.1 Completeness and Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . ........ 7 2.1.2 Multi-Unit Effects and As-Built, As-Operated Status . . . . . . . . ........... 8 2.1.3 Li-- Participation and Peer Review . . . . . . . . . . . . .. . ............ 9 2.2 Front End Technical Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 2.2.1 Acculent Sequencenaliaantion and System Analysis . . . . . . . . .I . . . . . . . . . . . 9 2.2.2 Quantitative Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .......... 14 2.2.3 Inte face Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ........... 25 2.2.4 Internal F1oodmg . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . ...........26 2.2.5 Core Damage Sequence Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 2.3 Human Reliability Analysis Technical Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 2.3.1 Pre-Initiator Human Actions . . . . . . . . . . . . . . . . . . . . ..... ...... 31 2.3.2 Post-Initiator Human Actions . .................................32 2.4 Back End Technical Review . . . .........................................36 2.4.1 Contamment Analysis /Charactenzation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 2.4.2 Accident Progression and Contamment Performance Analysis . . . . . . . . . . . . . 43 2.5 Evaluation of Decay Heat Removal and Other Safety Issues . . . . . , . ...........46 2.5.1 Evaluation of Decay Heat Removal . . . . . . . . . . . . . . . . . . .. ...... .... 46 2.5.2 Other GSIs/USIs Addressed in the Submittal . . . . . . . . . . . ............47 2.5.3 R=aar to CPI Program Rw- = 4=tions . . . . . . . . . . . . . . . . . . . . . . . 47 ,

2.6 Vulnerabilities and Plant Improvements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

3. Contractor Observations and Conclusions . . . . . . ....................................49

4. References . . . . . . . . . . . . . . . . . . . .. . . ............ ... . ... . ..... ....... 53 iii

TABLES .

Page :

Tables ,

E-1 Accident Types and 'Iheir Contribution to the CDF . . ......... ............ . . . . . . . . . . ix E-2 Donunant Initiating Events and Their Contribution to the CDF . . . . . . . . . . . ... ........ .. x E-3 Containment Failure as a Percentage of Total CDF . ........... .............. . . .. xii 1 Plant and Contamment Charactenstics for Big Rock Point Plant . . . ... ... ...... ..5 2 Companson of Failure Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 3 Companson of Cornmon-Cause Failure Factors . . . .... ........ ..... ... .... . . 21

)

4 Big Rock Point Initiating Event Frequencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Sa Accident Classes and Their Contribution to the CDF . . . . . . . . . . . . .................. . 28 Sb Initiating Events and Their Contribution to the CDF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 6 Dommant Initiating Events and Their Contribution to the CDF . . . . . . . . . . . . . .,. . . . . . . . 29 7 Dommant Core Damage _% .........................................30 8 Important Human Actions . . . . . . . . . . . . . . . . . . . . . .... .... .. .. ... . 38 9 Containment Failure as a Percentage of Total CDF . . . . . . . . . . . ..... .. . ........ 44 T

f f

.i l

J J

lv

l i

2 EXECUTIVE

SUMMARY

i This Technical Evaluation Report (TER) documents the fmdings from a review of the Individual Plant l Examination (IPE) for the Big Rock Point (BRP) Nuclear Power Plant. The primary purpose of the review is to ascertam whether or not, and to what extent, the IPE submittal satisfies the major intent of Generic letter ,

! (GL) 88-20 and achieves the four IPE sub-objectives. The review utilized both the information provided in l the IPE submittal and additional information provided by the licensee, the Consumers Power Company (CPC), in the response (RAI Responses) to an NRC request for additional information (RAI). ;

l

E.1 Plant Characterization 4

The BRP Nuclear Power Plant is a 75 MWe,240 MWth General Electric boiling water reactor (BWR) of BWR-1 design. The reactor coolant system (RCS) consists of the reactor vessel, the main feedwater and the i I

steam system, the steam dmm, the emergency che, outside pump driven recirculation loops and interconnected piping. The plant is operated by Consumers Power Company (CPC), and started commercial operation in December 1962. There are no other operating units on site.

Design features at BRP that impact the core damage frequency (CDF) relative to other BWRs are as follows:

1) Large primary water inventory relative to core thermal power and decay heat levels. Over 35,000 lbm of water covers the core in the reactor and the steam drum following a reactor trip. Therefore, it would take 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months to deplete inventory to the top of the core even if no decay heat removal systems were to function. This feature decreues the core damage frequency relative to other BWRs.

2) Emergency c=b= (EC) for high pressure : ore cooling and makeup This system is similar to the isolation e-hw found at some other olda BWRs. The system enables passive cooling of the reactor, without reliance on ac power (diesel c' riven pumps can be used for shell side makeup). The time scales for success of various steps in EC operation are relatively long: with no makeup supply for shell cooling available, the emergency condenser operation can prevent safety valve lifting (setpoint at 1535 psig) for a period of 6.5 tours. With makeup available, Big Rock Point has sufficient de capacity to cope with station blackout conditions for over a week. In case of ATWS, the emergency condenser can remove full power for 30 min before depletion of shell side inventory, thus giving the operators additional time to respond.

This feature decreases CDF vulnerability relative to most other BWRs.

3) The firewater system, consisting of one diesel driven and one electric pump, can be used as part of the ECCS. This system can be used for low pressure injection (i.e., core spray), for cooling of the '

post inculent (i.e., recirculation) heat exchangers, or for " fill the ball" (used when recirculation is not available). It can also be used for emergency c=danw ==lary side makeup (as backup to de==arahmod water system), or to provide inventory for the main e-hw There is also an .

additional, and portable, diesel driven pump, which can be used for emergency c=he makeup. i This feature tends to decrease the CDF. I

4) Lake Michigan can be used as the ultimate heat sink. The fire system takes. suction from Lake Michigan. This feature decreases the CDF. l i

v j

5) In case recirculation is unavailable for continued core cooling, " fill the ball" can be used. This involves continuing in the injection mode, thus ahnost filling the spherical contamment with water.

The post-incident (or recirculation) system is initiated when the water level reaches the 587 ft elevation inside the contamment, in order to preserve contamment integrity. The maxunum permissible contamment water level is 596 ft, based on the design pressure (about midplane).

Depending on how many ECCS pumps are operating, this level will be reached in between 6.3 and 21 hours2.430556e-4 days 0.00583 hours 3.472222e-5 weeks 7.9905e-6 months after the initiator. Should the post incident system fail, fill the ball is used (i.e., injection is continued until most of the 130 ft diameter sphere is filled with water), as calculations show that the contamment can really withstand fill up to about 620-636 ft level (dapaading on internal air pressure), at which point injection is terminated and passive cooling via natural circulation and air cooling of the containment steel shell takes over. However, although the operators are tramed in this picere, no credit is given for fill the ball operation in the IPE. If credited, this feature would decrease the CDF.

i

6) The emergency ac power consists of one 200 kW emergency diesel generator, and one 250 kW, standby diesel generator. There is only one safety bus, and the diesels are sized for just one CRD pump and/or the electric fire pump (and/or the demineralized water system for emergency enadanner makeup). The absence of diesel capacity for any other pumps would be dem. setal, compared to other BWRs, were it not for the fact that the plant relies extensively on passive features. The core cooling function can be accomplished without ac power. DC power is supplied by two battery banks, i.e., the normal and the alternate shutdown battery. The alternate shutdown battery supplies the post-initiator loads of interest, and is sized such that a blackout can be survived for about a week, a positive plant feature. The emergency power system requires no support function.

7) CRD pumps cannot be used in conjunction with safety valve cycling or actuation of the reactor depressurization system due to high temperature in the CRD pump room, a negative plant feature. i' In general, this plant seems to be more vulnerable to environmental conditions (some of the other systems vulnerable to harsh conditions are the reactor cooling water system, emergency condenser j outlet valves, primary core spray' valves, the reactor pressure and level instrumentation, as well as some operator actions). ,

8) The instrument air system has three air compressors, with one being sufficient for system success.

Apparently domestic water can be used for backup cooling of air compressors. These are positive features. (A fourth compressor has recently been added, but is not credited in the analysis).

9) The plant has a recently improved "100% load rejection capability", a positive feature, however, not entirely proven in practice (before the recent improvement this feature never actually worked when called upon). (The plant also has a 100% turbine bypass capacity, however this feature needs additional operator actions for success).

10) No high flow rate high pressure ECCS pumps, a negative feature, except in some ATWS --

where this prevente contmament failure.

I1) A fast acting, passive, manually initiated liquid poison system in case of ATWS, a positive feature.

12) A single two train low pressure ECCS for LOCA evolutions, a negative feature 1

i

13) A portion of pnmary system piping which is located below core midplane, a negative feature.

l l

I vi

-. - - - . - - - ~- - .-. - _._.--..- - -. - - - - ---- --- - .

1 a

14) No sign of the classic symptoms ofIGSCC (inter granular stress corrosion cracking) found at other BWRs, a positive feature

15) The large dry contamment which effectively decouples contamment considerations from the I.evel 1 analysis, compared to other BWRs, a positive feature Other features are described in Section 1.2.

The Big Rock Point (BRP) Plant utilires a spherical steel vessel for a large dry enntamment The plant is designed such that operating iwM may enter the sphere and remam inside as necentary during normal i operation, shutdown, and refueling. In companson with other plants that use large dry enntainmente (PWRs),

the contamment volume to thermal power ratio for BRP is significantly (about four times) higher.

The following plant-speedic features are important for acculent progression in the BRP plant:

The only BWR plant that uses a large dry enntamment (a spherical steel vasel). -

A contamment that can be accessible durmg power operation. The plant is designed so that operating personnel may enter the sphere and remam inside as necessary during normal operation. The potential for a single access door to be open while personnel are entenng or leaving the contamment thus exists. Interlocks on the doors prevent simultaneous opemng of both equipment lock doors or both pr.isorgel doors.

. The small core and large contamment volume. The contamment volume to core thermal power ratio is about 5 times that of PWRs with large dry enatavunent. The large contamment volume reduces the challenges to contamment integrity from contamment pressunzation ==h=k ; It also provides significant passive heat removal capability through the contamment shell and other passive heat sinks.

. The capability to flood the contamment. Procedures are in place at BRP to direct the operators to fill the contamment vessel with water (called " fill-the-ball" in the IPE submittal). This provides cooling to the core debris in-vessel such that vessel failure may be avoided, or provides cooling and scrubbing of the debris ex-vessel if vessel failure is not prevented.

. A sump beneath the reactor vessel that has the volume to hold the entire core debris. The sump in the CRD room beneath the reactor vessel has a depth of 3 feet and a volume of 126 cubic feet. This sump may hold the entire BRP core after vessel breach (with a total depth of 1.6 feet, or 50 cm).

E.2 Licensee's IPE Process

'Ihe bcensee has provxied the type ofinformation r-* by Generic later 88-20 and NUREG 1335.

The front-end portion of the IPE is a level 1 PRA. The specific technique used for the I.evel 1 PRA was a small event tree /large fault tree, with fault tme hnkmg and it is clearly described in the submittal.

The IPE level 1 model (imtssted in 1992) is an update of an carher BRP I.evel 1 PRA, which was submitted in 1981 and reviewed by the NRC. Model updates reflect the plant =Mine*+ ions and data since 1981. The freeze date for the analysis was late 1992.

vii

It appears the licensee intends to maintain a "living" PRA, and reference is made to future use of the BRP IPE models in ongoing risk management activities.

Licensee personnel were involved in all aspects of the analysis. In-plant expertise was already existent due to the previous BRP PRA study. Specialized help for aspects oflevel 1 analysis r.nd review were provided by Gabor Kenton & Associates and Tenera, and by an iadanaadaat consultant.

The reviews performed for the IPE included both k'-y ==t in-house reviews and an external review. The internal review was extensive and consisted of work by managers and key personnel from key orgamzations of the utility. Extemal peer review was performed by the above nanwi consultants. Some comments and their disposition from the external review are %-ad The submittal states that the Big Rock Point (BRP) HRA was performed by a combination of plant personnel and contractors from Tenera. It appears that plant staff had the lead in identifying the human actions to be modeled and for collecting relevant information regarding those events. Plant staff shared responsibility for quantifying pre-initiator events and assisted the contractors in quantifying the post-initiator events. Procedure reviews, discussions with operations and training staff, observations of simulator exercises, review of the

" control room design review", and walkdowns of important operater actions, including local actions, helped assure that the IPE HRA represented the as-built, as-operated plant. Contractors (not named) sad training, operations and management personnel performed a review of the HRA. Both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response to an accident) were addressed in the IPE. Important human actions were identified and several procedure related enhancaments were discussed in the licensee's response to the NRC's RAI.

E.3 IPE Analysis E.3.1 Front-End Analysis The methodology chosen for the front end analysis was a level 1 PRA using the small event tree-large fault J tree methodology. The computer code used for modeling and quanti 5 cation was IRRAS.

l The IPE quantified the following initiating ever.t categories: 8 LOCAs,7 steam line breaks,9 transients,7 ATWSs, 2 special initiators (flooding and ISLOCA) and 2 manual shutdown initiators. The IPE developed I

37 event trees to model the plant i@cesc t( these initiating events. The floodmg analysis was a relatively comprehensive analysis, but with pipe failura 3e chief =achaaian of causing the flood.

Success criteria were based on existmg information (e.g., BWROG) supplemented by calculations, as needed For reactor depressurization, a conservative criterion of 3/4 RDS valves opemag was assumed, whereas in reality in all but two sequences 1/4 valves is sufBeient.

Impact of harsh envirnnmants on systems is considered. SM.ny, CRD pumps, core sprays, emergency condaaaar and some instnanantahan (reactor level) are vulnerable to steam environments in some accidents.

Water collection and interacdon with electrical equipment due to steam =- '= don is also considered.

Other types of dapaadaaeia= were also considered,iaebdia= HVAC. The HVAC is not needed within the mission time.

viii

I RCP seal LOCA is not considered due to the design and test results of recirculation pump seals at BRP.

The data collection process period was from 1982 through 1992, except for initiators where the period 1964 1992 was used. Plant specific component failure data were used to update generic data with the use of Bayesian whnir 1

BRP data are generally consistent with the NUREG/CR-4550 data. Some of the initiating event frequencies l

j (spurious RDS, small LOCAs) seem low. The generic and Bayesian updated data for diesel pumps seem low; the licensee provided a reasonably complete discussion of such in the RAI responses, along with a sensitivity l

analysis to see the impact of higher values on the CDF results.

The multiple Greek letter (MGL) approach was used to characterize common cause failures. The CCF

parameters used are generally consistent with the NUREG/CR-4550 ie>- =>=' values. The process used i to arrive at these values follows established procedures, specializing the generic occurrences to the plant

specific design and configuration. A potential weakness is that CCF between the normal and attemate plant l battery is not considered (due to different location and maintenance procedures); nor is the CCF between the electric and diesel driven fire pump considered (the pumps themselves have the same design).

i

! The internal core damage frequency is 5.4E-5/yr. The flooding contributes an additional 1.lE-9/yr. The internal accident types and initiating events that contribute most to the CDF and their percent contributions are listed below in Tables E-1 and E-2. Several sensitivity and importance analyses were performed, including also Fussell Vesely and Birnbaum importance of systems. The discussion of these subjects is very comprehensive and thorough. Calculation of Birnbaum importance for a few systems was wrong in the submittal, but this was corrected in the RAI responses.

Table E-1 Accident Types and Their Contribution to the CDF Initiating Event Category Annual Frequency %CDF LOCA below core 3.2E-5 59.33 LOCA above core 7.7E-6 14.30 Support system transient 5.1E-6 9.44 3.7E-6 6.% l ATWS 3.4E-6 6.30 SLB inside contamment 1.2E-6 2.18 Cswal transient 7.6E-7 1.42 Ims ofoffsite power group (load rejection, loss of station power, station blackout) 2.5E-8 0.05 SLB outside contamment Other (ISLOCAs, flaading) 1.3E-8 0.03 ix

Table E.2 Dominant Initiating Events and Their Contribution to the CDF Initiating Event Contribution to CDF Uvr) %

Very small LOCA below core 1.4E-5 25.27 Small LOCA below core 1.0E-5 19.50 Medium LOCA below core 6.3E-6 11.83 loss ofInstruraaat Air 4.8E-6 9.03 Small LOCA above core 4.6E-6 8.64 i

Turbine trip ATWS 3.4E-6 6.35 Medium LOCA above core 2.5E-6 4.66 Large LOCA below core 1.5E-6 -

2.7."

Very small SLB inside contamment 1.3E-6 2.50 Small SLB inside contamment 1.1E-6 1.99 -

Manual shutdown 8.1E-7 1.51 Medium SLB inside contamment 7.7E-7 1.44 ,

Large LOCA above core 5.4E-7 1.00 Station Blackout 5.3E-7 0.99 E.3.2 Human Reliability Analysis The HRA process for the Big Rock Point IPE addressed both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response to an accident). The analysis of pre-initiator actions considered both miscalibrations and restoration faults. All pre initiator restoration errors were analyzed in detail (no screenmg analysis) and quantified using the ASEP HRA procedure (NUREG/CR-4772). All common cause miscalibrations were quantified in detail using a method derived from THERP (NUREG/CR-1278).

The Big Rock Point IPE acknowledges both response and recovery type post-initiator human actions.

However, post-initiator actions were modeled only when clear yi. Aal guidance (normal, abnormal, or emergency procedures) existed for the operators and repair activities were apparently not credited. To account for d aaad ies during the initial (screemng) analysis, the submittal states that "where it was initially ramaai=d hatt resultmg sequences may matam multiple operator actions, the HEPs were initial!y set to 1.0." After the mittal ---- 2= don and when quantified operator actions were first included, the

==ia=1 ASEP HRA method was applied to all post-initiator hinnan actions. Where unportant ==-

contained multiple operator act ans, the actmas were analyzed to determur. the W= between the HEPs. The HEPs obtamed using the ASEP ==thad are known to be somewhat conservative. After the sequences were iantified with the ASEP values, operator actions idenhbd as potentially being impoltant were re-analyze; asing the THERP =*+f-: logy. All the actions re-analyzed had a Birnbaum importance greater than 1.0E-6.

1 X

) -

i '

l While in many cases the application of THERP was reasonable, there were several events for which the i quantification process did not seem appropriate. It is thought that the resulting HEPs should be considered j optimistic and that the use of such values for these events is a weakness of the HRA. The problem arises i through the licensee's use of HEP values from the " annunciator response model" (Table 20-13 or Table Il-13 j from THERP) in situations where very limited time (less than 10 minutes) is available for the operator action.

! While it can be argued that the HEPs from this model are acceptable when substantial time (greater than 30 J minutes) is available for the operators to determme the relevant actions and when the operators need only j respond to the existence of an annunciator in the control room, the HEPs from this model do not reflect the unpact of the time available on the likelihood of success Thus, this model will under=ti='a HEPs for short-time frame scenarios relative to the ASEP/THERP time-reliability diagnosis model. Nevertheless, the i i

submittal still identified the events of concern as being relatively important in terms of contribution to CDF and a sensitivity analysis WH that substantialincreases in CDF would not be --W if the events were

{

! set to fail. Therefore, potential vulnerabilities related to these events were not overlooked Other important 4

aspects of the post-initiator HRA analysis .py M to be conducted appropriately. Human errors were identified as important contributors in accident sequences leadmg to core damage and several procedure related enh= ===ts were discussed in the licensee's response to the NRC's RAI. -

i E.3.3 Back-End Analysis 1

The Approach usedfor Back-EndAnalysis 1

3 Key Plant Damage States (KPDSs), which group the PDSs with similar effects on contamment accident i

progression, are used as the initial conditions for the Level 2 analysis. The PDSs are dermed in the IPE by an event tree structure with the parameters that are important to I.evel 2 accident progression as the top j events. Quantification of accident progression involves the development of a small containment event tree

(CET) with the top events of the CET determmed by fault trees, PDS definition, and contamment phenomenological analyses. The CET and its supporting analyses developed in the IPE address all the l l

contamment failure modes discussed in NUREG-1335.

4 l Quantification of the CET and its supportmg logic trees is based on the review of industry literature and

plant specific analyses using the MAAP BRP code, a computer code developed by the Department of Energy's Advanced Reactor Severe Accident Psogram, in corporation with General Electric, for the GE l l j Simplified BWR (SBWR). In general, the quantification process for the CET is systematic and traceable. The l

j results of the CET analyses lead to an extensive number of end states, which are binned into 15 release categories. Release fractions for the release categories are calculated in the BRP IPE by MAAP-BRP.

However, only release fractions for Csl are reported in the IPE submittal for the release categories.

l i Furthermore, only ranges of release fractions are reported.

t For the BRP IPE, the PDS definition erkme is ,Mle. The CET is well 4.E-od and easy to l understand The CET cah= is also syst-ahc and traceable. 'Ihe IPE process is in general logical and consistent vdth GL 88-20. However, the iq~rdog of only the release fractions for CsI may limit their ,

usein a consequence analysis. .

! Back-EndAnalysis Results

! The KPDSs defined in the IPE are pnmanly based on the type of accident sequences (or initiatmg events),

i RPV pmssure, and the availability ofinventory makeup. The most probable KPDS obtamed in the BRP IP involves accident ;m initiated or msulting in LOCAs for which the reactor is at low pressure with I

l l '

injection failure but with inventory makeup after vessel failure (55% CDF). This is followed by a transient KPDS with low reactor pressure and with the loss of coolant inventory makeup both before and after vessel ,

t failure (9.9%), and another LOCA KPDS with the reactor at high pressure with inventory makeup available after vessel failure (9.8%). q Table E 3 shows the probabilities of contamment failure modes for BRP as percentages of the total CDF.

Results from the NUREG-1150 analyses for Suny and Zion are also presented for companson l

Table E-3 Containment Failure as a Percentage of Total CDF j Containment Failure Surry Zion BWEM NUREG-1150 NUREG-1150 Mode Early Failure 4.2 0.7 1.4 Late Failure +++ 5.9 24.0 j Bypass 1.5 12.2 0.7 Isolation Failure Intact 94.3 81.2 Q9 _

CDF (l/ry) 1.7E-5 4.0E-5 3.4E-4

++ The data presented for BRP are based on Figure 12.8-17 of the IPE submittal. .

l Late contamment failure is assigned a probability of IE 4 in the CETs presented in the IPE submittal. However,

+++

results presented in Figure 12.8-17 shows a zero probability for late failure. The negligible late failure probability is due to the large contamment volume and the use of a 36 hour4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months (after vessel failure) mission time.

Included in Early Failure, approximately 0.02%.

" included in Early Failure, approximately 0.5%. l

"* Included in Early Failure. Of the 4.2% probability of early failure about 0.5% is from leaks through penetrations.

Of the 1.5% bypass probability, only 0.06% comes from Level I bypass sequences (i.e., ISLOCA), while the majority comes from failure to isolated the process lines that connect to the primary system. Although LOCA is the dominant contributor to total plant CDF, the main contributors to this failure mode are transients (0.8%

of CDF). This is because MSIV operator is required in some transient =am to temunate the event, and faihue to holate the MSIV results in direct containment bypass.

The conditional probability of early contamment failure for BRP is about 4.2% (of total CDF). The leading contributor to this failure mode is contamment overpressure failure before vessel breach in ATWS events i

(3.5% CDF). This is followed by leakage through contamment penetrations (0.5%), mostly from leakage through vent valves and door seals. C-*aia==* g L ion leakage comes primarily from LOCA (about 80% ofleakage cases) and transient g- (about 20% ofleakage cases).

Because of the large contamment volume and the use of a 36 hour4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months mission time, mntamment failure by the

! energetic events at vessel breach and long-term pressunzation and thermal attack is not likely at BRP.

Source term definition in the BRP IPE is based on the fission product release time and magnitude. Although l there are 15 possible release categones, the CET quant *mtmn results show only 5 release categones with non-zero fi% es (Figurei 12.8-17 of the submittal). Besides a no entainmant failure category, all the other release categories involve early releases. The conditional probability for the no-contamment failure category is about 94%. The next release category, which contributes about 4% to total CDF, has a Csl relea fraction 0.1% to 1% It is primanly from ATWS and LOCA gm with enclosure spray available. The l

i xii

i

f release category that has a high Csl release (i.e., greater than 20% release fraction) contributes about 1.5%

to the total CDF. It is mostly from contamment bypass sequences in which the enclosure spray and any water i collected in the sump provide no benefit in limiting the source term severity.

l The sensitivity studies perfonned in the BRP IPE are determuustic sensitivity studies, which were performed i by varying some MAAP-BRP parameter values from their base case values and analyzing the differences in j MAAP-BRP calculation results. The effects of uncestamties on CET quantification results are not addressed i

directly. For example, it is not clear (from the sensitivity studies presented in the IPE submittal) what is the effect of the amount of core forced out of the vessel (which is one sensitivity study item) on DCH load, and j consequently, the probability of early contamment failure. Although probabilistic sensitivity studies were not

! discussed in the IPE submittal, the uncertamties on some key containment phenomenological issues were

discussed in some detail in CET quantification. For example, early contamment failure due to DCH was evaluated in the IPE by the use of a decomposition event tree (DET). The top events of the DET addressed the issues of significant uncertamties for DCH. The BRP IPE seems to have addressed the issues of significant uncertainties in the IPE analysis.

E.4 Generic Issues and Containment Performance Improvements The IPE addresses decay heat removal (DHR). CDF contributions were estimated for the following DHR methods: main condenser, feedwater, emergency condenser, reactor depressurization (RDS), condensate, core spray, past incident recirculation and containment flooding. -

The following generic issues are also considered closed in the submittal:

1) USI-A43," Containment Sump Emergency Performance"

2) Closure of the BRP Severe Accident Management Guidelines.

E.5 Vulnerabilities and Plant Improvements The licensee dermed a vulnerability as new or unusual means of reachmg a situation in which core damage or containment failure would occur, or if the PRA results indicated BRP would prevent the industry from meeting published safety goals. No vulnerabilities were found.

No improvements were identified or planned A list of improvements stemmmg from the 1981 PRA was provided. No SBO rule improvements resulted except for minor EOP modifications. The licensee intends to monitor and maintain the performance of moi,cests and systems with high Birnbaum importance E.6 Observations l

Based on the level 1 review of the BRP IPE the heanne appears to have analyzed the design and operations of BRP to discover mstances of particular vulnerability to core damage. It also appears that the licensee has:

developed an overall appreciation of severe accident behavior, gamed an underdaad% of the most likely severe accidents at BRP; gamed a q=*i+=tive understandag of the overall frequency of core damage; and considered implemanting changes to the plant to help prevent and mitigate severe accidents.

l xiii j

4 Strengths of the IPE are as follows: Thorough analysis of initiating events and their impact, descriptions of the plant responses, modeling of accident scenarios, reasonable failure data and common cause factors employed and usage of plant specific data where possible to support the quantification of initiating events and component unavailabilities. Treatment of dependencies and harsh environments was thorough, as were the various sensitivity and importance analyses The effort seems to have been evenly distributed across the various areas of the analysis. The haantation is very detailmi, and there seems to have been a conscious effort to respond to the RAls to the best of the licensee's ability.

There are some areas of concern related to the IPE but these are not avp~*d to have a major impact on the conclusions. In the area of IE frequency, the RDS spurious opemag frequency and the small LOCA frequency seem low. As far as dat.a is csun 1, data for the fire pumps seem low (corrected by a sensitivity analysis). There are questions as to the Bayesian updatmg algorithm used, as unreasonable values are produced for the fire pumps (the other v-.3=- = seem OK). The common cause failure between the two station batteries was not considered. The common cause failure between the electric and diesel driven fire pumps was not considered. Also, the system Bimbaum importance calculation algorithm seems to break down at high Bimbaum importance values (partially corrected by recalculating select systems, per RAI responses). There is a question as to why only pipe failures seem to be important in the flooding analysis.

It is not clear if maintenance induced floods and spray effects were treated properly. Finally, the documentation is sometunes self-contradictory, and some parts of it seem not to have been reviewed prior to publication.

The IPE determined that LOCAs contribute about 80% to the CDF at BRP. The most impartant sequences have failures of the post incident system, the reactor depressurization system and/or the core spray system.

The interfacing system LOCAs and contamment bypass sequences show negligible contribution to the CDF.

The same can be said for the flooding scenarios. The blackout contribution is small (1%), due to existence of the 100% load rejection capability, the emergency condenser, the ac indapanAant makeup to the emergency condenser and long life of the altemate shutdown battery, as well as existence of two diesel generators (albeit with limited capability). The loss ofinstrument air contribution is relatively large (9%) due to its usage for emergency condenser makeup from demmeralized water, feedwater flow control, feedwater pump cooling, and main condenser hotwell makeup. The ATWS contribution (7%) is governed by two opposing forces: less

time than at other BWRs is available for injection of the standby liquid control system, due to nonexistence of a higt: pressure high volume ECCS system at BRP; however the SLCS at BRP is a fast acting one that ensures subcriticality in about I min after operator actuation. The 100% bypass capability is not credited as the operators have to trip the recirculation pumps in a very short time in order to avoid losing the feedwater system (even though they were able to accomplish this in traimng exercises). Also, the trip frequency at BRP seems to be higher than at other plants.

The BRP level I risk profile does not look like that of a typical BWR, where blackout and ATWS usually dominate the core damage frequency. Here LOCAs dnminate, with ATWS contributing (in the absolute sense) about the same or slightly higher CDF than most other BWRs due to the features mentioned above.

The blackout contribution is much smaller than at other BWRs, as explamad above. There are several reasons for the high LOCA contribution: a portion of pnmary piping is located below the level of the core, which leads to a more severe case of LOCAs; there is paucity of high pressure (/high flow rate) makeup systems; for larger LOCAs, makeup to the madansar hotwell is iand~r* which leaves the two fire pumps as the only low pressure system available; some -,ud d systems would be disabled by the harsh envunamante due to LOCAs and/or steam line breaks; lack of suppression pool means that at some point recirculation must be brought into play (called the post incident system); and finally, no credit is given for fill the-ball procedurahzed action, with its passive cooling features, if recuculation fails. On the othe hand, it is stated that the BRP piping is not subject to the inter-granular stress corrosion crackmg (IGSCC) which plagues other xiv

i

~

\

L f BWRs; the recirculation strainers are much less vulnerable to plugging than at other BWRs; it is also claimed ;

that the LOCA initiating event frequencies are conservative.

No improvements are contemplated as a result of the IPE. The Fussel Vesely and Birnbaum measures will l be used to identify important systems,9-: -:==* and operator actions and maintain their performance (i.e.,

their reliability and availability).

! 1 The HRA review of the Big Rock Point IPE submittal did not identify any significant problems or errors.

A viable approach was used in performmg the HRA and nothmg in the licensees submittal indicated that it failed to meet the intent of Generic 1.etter 88-20 in regards to the HRA. Important elements pertment to this detemunation include the following:

1) The subnuttal indicated that utility iwev el were involved in the HRA. Procedure reviews, discussions with operations and traming staff, observations of simulator exercises, review of the

" control room design review", and walkdowns ofimportant operator actions, including local actions, helped assure that the IPE HRA represented the as-built, as-operated plant. -

2) The HRA process for the Big Rock Point IPE addressed both pre initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response to an accident). The analysis of pre-initiator actions considered both miscalibrations and restoration faults. All pre-mitiator restoration errors were analyzed in detail (no screening analysis) and quantified using the ASEP HRA procedure (NUREG/CR-4772). All common cause miscalibrations were quantified in detail using a method derived from THERP (NUREG/CR-1278). A reasonable and thorough analysis of pre-initiator events was performed.

I

3) In general, the licensee's analysis of post initiator events was perfonned reasonably. A detailed

~

" screening" was performed and important human actions were given an even more detailed analysis.

However, there were several events for which the quantification process did not seem appropriate. It is thought that the resulting HEPs should be considered optimistic and that the use of such values for these events is a weakness of the HRA. The problem arises through the licensee's use of HEP values , ,

from the " annunciator isycase model" (Table 20-13 or Table 11-13 from THERP) in situations where very limited time (less than 10 minutes) is available for the operator action. While it can be argued that the HEPs from this model are acceptable when substantial time (greater than 30 minutes) is available for the operators to det-use the relevant actions and when the operators need only respond to the existence of an annunciator in the control room, the HEPs from this model do not reflect the impact of the time available on the likelihood of success Thus, this model will underestunate HEPs for short time frame scenarios relative to the ASEP/THERP time-reliability diagnosis model. Nevertheless, the submittal still identified the events of concern as being relatively important in terms of contnbution to CDF and a sensitivity analysis mdestad that substantial increases in CDF would not be =pW if the events were set to fail. Therefore, even though the quantification of these events must be considered a weakneen of the HRA, potential vulnerabilities related to thee events were not overlooked.

4) Plant-specific performance shaping factors (PSFs), s;=='= des, and event tumng (with the

~~ *a== noted in item 3 above) were appropnately considered in most instances However, in one event the beenece may not have .yymyiistely factored in the impact of potential radiation hazard on operator performance 'Ibe operator action associated with aligning the fire system for makeup to the hotwell requires a valve on top of the turbine shield to be opened. The licensee notes that "this area of the plant is not shielded from matamment" and that "as a result a very short time frame is xv

s e

conservatively assumed to complete this action." Presumably this statement means that the person performing this action will caly be there for a short time. The licensee does not assume that there is time for an individual to put on protective clothing, but they do note that high stress was assumed for this event. Thus, the impact of radiation is apparently factored in to the HRA by assuming high stress.

Additional information regarding specifics of a particular event would be needed to determine whether or not such treatment is adequate. The licensee's sensitivity analysis iaArW that CDF would not increase substantially even if the action to align the fire system to the hotwell was assumed to fail.

5) A list ofimportant human actions based on their contribution to core damage frequency was provided !

in the submittal.

The following are the major fmdings of the back-end analysis desenbed in the submittal:

1) The back end portion of the IPE supplies a substantial amount ofinformation with regards to the subject areas identified in Generic letter 88 20.

2) The Big Rock Point Plant IPE provides an evaluation of all ph--na of importance to severe accident progression in accordance with Appendix I of the Generic letter

3) Because of the large contamment volume, the probability of contamment failure due to contamment ;

pressurization at and after vessel failure is not significant. The major contributor to containment l failure is from containment overpressux in ATWS event (3.5% CDF) and containment bypass (1.5%)

and leakage (0.5%) due to isolation failure.

4) The probability of contamment leakage (0.5% CDF) may be partly due to the access of the containment during normal operation. One of the two doors of containment access locks may be open ,

during normal operation. Leakage through door seals and vent valve leakage contribute over 90% to i the totalleakage probability. l

5) The negligible late contamment failure probability is pnmarily due to the large containment volume and thick concrete below the CRD room sump beneath the reactor vessel. It is also in0-r>A by the ,

I use of a 36 hour4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months mission time.

i

6) The cortainment analyses indicate that there is a 6% conditional probability of contamment failure. !

The conditional probability of contamment failure is about 1.5% for containment bypass,4.2% for l carly containment failure, and negligible for late containment failure.

l

7) Only release fractions for Csl are used in the IPE for source tenn classification and are reported in the IPE submittal for the various source terms. Release fractions for other fission products categories are not reported in theIPE submittal.

i 4

NOMENCLATURE AFW Auxiliary Feed Water ASEP Accident Sequence Evaluation Program BRP Big Rock Point BWROG BWROwnersGroup CAC Contamment Air Cooler CCF Common Cause Failure CCI Core-ConcreteInteraction CCW Component Cooling Water CDB CoreDamage Bins CDF Core Damage Frequency CET Containment Event Tree CPC Consumer Power Company CPI Contamment Performance Improvement ~

CRD Control Rod Drive CS Contamment Spray CST Condensate StorageTank DHR Decay Heat Removal EC Emergency Condenser ECCS Emergency Core Cooling System EOP Emergency Operating Procedures FTC Failure to Close FTO Failure to Open FTR Failure to Run FTS Failure to Start GSI Generic SafetyIssue HEP Human Error Probability HPI High PressureInjection HPME High Pressure MeltEjection HRA HumanReliability Analysis HVAC Heating, Ventilation and Air Conditioning ICC Inadequate Core Cooling IGSCC Inter-granular Stress Corrosion Cracking ISLOCA InterfacingSystemLOCA IPE Individual Plant Exammation KPDS Key Plant Damage States LCO Limiting Conditions for Operation LER Licensee EventReport LPI Low Pressureinjection MDAFW MotorDriven AFW MGL Multiple Greek Letter PDS Plant Damage State PORV Power Operated Relief Valve

'PRA Probabilistic Risk Asm==t Performance Shaping Factor PSF PWR PressunzedWater Reactor RAI Request for AdditionalInformation xvii

RAV Risk Achievement Value .

RC Release Category RCS Reactor Coolant System RDS Reactor Depressurization System RWST Refueling Water Storage Tank SBO Station Blackout SFAS Safety Features Actuation System SLCS Standby Liquid Control System TDAFW Turbine Driven AFW TER Technical Evaluation Report THERP Technique for Human Error Rate Prediction UFSAR Updated Final Safety Analysis Report USI Unresolved SafetyIssue 9

9 XViii

l 1 INTRODUCTION 1.1 Review Process This tachaicM evaluation report (TER) himants the results of the BNL review of the Big Rock Point (BRP)

Individual Plant Fr==iantion (IPE) submittal and the responses to the Requests for Additional Information

[lPE submittal, RAI Responses). This technical evaluation report adopts the NRC review objectives, which include the following:

To assess if the IPE submittal meets the intent of Generic letter 88 20, and To determme if the IPE submittal provides the level of detail r~aW~I in the " Submittal Guidance Daenmaat " NUREG-1335.

A Request of Additional Information (RAI), which resulted from a prelimmary review of the IPE submittal, was prepared by BNL and discussed with the NRC. Based on this discussion, the NRC staff submitted an RAI to Consumers Power Ccmpany (CPC) on January 29,1996. A subsequent telephone discussion between BNL and the NRC on February 20-22,19% revealed the need for additional clarification, which resulted in another RAI being sent to the CPC on March 1,1996. CPC responded to both RAI packets in a darumaat dated April 4,1996 (RAI Responses). This TER is based on the original submittal and the responses to the RAls.

1.2 Plant Characterization The Big Rock Point (BRP) Nuclear Power Plant is a 75 MWe,240 MWth General Electric boiling wawr reactor (BWR). This is an early BWR design (BWR-1), in many respects dissimilar to the other operating BWRs, having a much smaller power output than later BWRs. The reactor coolant system (RCS) consists of the reactor vessel, main feedwater system, main steam system, external motor pump driven recirculation -

loops, a steam drum, an isolation (or emergency) eaad-amar and inters- =wJ piping. There are no jet pumps in the BRP reactor pressure vessel and the i,e.wss are external to the vessel.

The reactor is housed in a large dry contamment (unhke any other operating BWRs), which is a steel sphere 130 ft in diameter, and having almost 1 million cubic feet of free volume. There is no suppression pool, and thus, from a level 2 standpoint, the plant can be compared to a typical PWR. The contamment free volume to core thermal power ratio is substantially higher than at a typical PWR (almost 5 times that of Zion), as is the free volume to core mass ratio (almost 2.5 times that of Zion), while the conta=maat ultimate failure pressure is a little over half that of a typical PWR (79 psig). The plant is operated by Consumers Power

, Company of Michigan (CPC), and started c.-- --dal operation in December 1962. There are no other i opera +ing unite on site.

Design features at BRP that impact the core damage frequency (CDF) relative to other BWRs are as follows:

1) Large pnmary water inventory relative to core thermal power and decay heat levels. Over 35,000 lbm of water covers the core in the reactor and the steam drum, followmg a reactor trip. Therefore,it would take 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months to deplete inventory to the top of the core even if no decay heat removal systems were to function. This is a positive feature relative to other BWRs.

2) Emergency condenser (EC) for high pressure core cooling and makeup This system is similar to the 1

isolation condenser found at some other older BWRs and is automatically initiated when the primary pressure reaches 1435 psig. It can also be initiated manually from the control room or the alternate shutdown buildmg. The system enables passive cooling of the reactor, without reliance on ac power.

DC power is needed for initial opening of the EC isolation valves, as well as for the valves admitting makeup water to the EC shell side. The makeup can be provided by the deminerahzed water system (if ac power is available), the firewater system or by the portable diesel driven pump (distinguished fro'm the fixed diesel driven fire pump). The time scales for success of various steps in EC operation i are relatively long: with no makeup supply for shell cooling available, the emergency condenser operation can prevent safety valve lifting (setpoint at 1535 psig) for a peried of 6.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months (an additional 3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months would pass before the core is uncovered). With makeup available, Big Rock Point has sufficient de capacity to cope with station blackout conditions for over a week. Makeup valve actuation can be initiated remotely from the control room or the attemate shutdown building. The de battery supplying power to the EC makeup valves is located in the altemate shutdown building.

The emergency condenser contains two tube bundles, each capable of removing 100% of the decay heat. -

In case of ATWS, emergency condenser can remove full power for 30 min, thus giving the operators additional time to respond.

These are positive features relative to most other BWRs.

3) The main condenser, which, in conjunction with the feedwater system, the circulating water system and the turbine bypass system can be used for reactor makeup / decay heat removal. It has three sources of water inventory: hotwell inventory, the gravity feed from the condensate storage tank and a connection from the firewater system. The redundancy in condenser makeup is a positive feature, however, hotwell inventory would only last 3 minutes at full power, a negative feature from reactor inventory makeup standpoint, but a positive feature from containment failure standpoint.

4) The firewater system, consisting of one diesel driven and one electric pump, can be used as part of the ECCS. This system can be used for low pressure injection (i.e., core spray), for cooling of the post incident (i.e., recirculation) heat exchangers, or for " fill the ball" (used when recirculation is not available). It can also be used for emergency condenser secondary side makeup, or to provide inventory for the main condenser. This is a positive feature relative to other BWRs.

5) Lake Michigan can be used as the ultimate heat sink. The fire system takes suction from Lake Michigan. This is a positive feature.

6) A portable diesel driven pump is available for emergency condenser secondary side makeup if all other methods fail. This is a positive feature.

7) In case recirculation is unavailable for continued core cooling, " fill the ball" can be used. This involves continuing in the injection mode, thus filling the spherical contamment with water. The post-incident (or recuculation) system is initiated when the water level reaches the 587 ft elevation inside the contamment, in order to preserve mntamment integrity. The maxunum pernussible contamment water level is 596 ft, based on the design pressure (about midplane). Depending on how many pieces of ECCS equipment are operating, this level will be reached in between 6.3 and 21 hours2.430556e-4 days 0.00583 hours 3.472222e-5 weeks 7.9905e-6 months after the initiator. Should the post incident system fail, fill the ball is used, as :alculations show that the contamment can really withstand fill up to about 620-636 ft level (dependmg on internal air pressure),

2 r

I

! at which point injection is termmated and passive cooling via natural circulation and air cooling of j the containment steel shell takes over. However, although the operators are trained in this procedure,

. no credit is given for fill the ball operation in the IPE. If credited, this would be a positive feature.

1

8) Except for the diesel driven fire pump and the portable diesel driven pump, all pumps are motor driven (no turbine driven pumps). His is a positive feature, according to the IPE.

9) The emergency ac power consists of one 200 kW emergency diesel generator, and one 250 kW, t

standby diesel generator. The diesel capacity is sized just for the electric fire pump and/or one CRD i pump and/or daminarah=1 system for emergency ceeA&E shell makeup, clearly below what other

BWRs' capability and thus a negative feature The diesels could also be used to power the l

' instrumentation and control system, for operation of the alternate core spray valves or to charge the j various battenes De EDG antamatically starts on detection of undervoltage on the 480V safety bus.

i The SDG is manually started should the EDG fail. Dere is only one emergency bus serviced by the L diesels, a negative feature Equipment is manually loaded onto the emergency bus on an as-needed

basis. The core cooling function can be accomplished without ac power. -

j i

l l DC power is supplied by two battery banks, i.e., the normal and the alternate shutdown battery. The .

j alternate shutdown ~ battery supplies most post-initiator loads of interest (including emergency l j caadaa=ar makeup valves and EC level switch, the reactor level and pressure transmitters, and the

MSIV power), and is sized for days' of blackout conditions, a pcsitive feature The normal battery 4

supplies most of the instrumentation, control and annunciator loals and openmg of the core spray

)

valves and is good for about 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months in a blackout. Dedicated batteries are provided for other systems l

(the diesel generators and the reactor depressurization system). Control room instrumentation has an l alternate source of power should de power be lost in conditions other than a blackout (125 V ac). The i 2 emergency power system requires no support function, a positive feature. The EDG is provided with, but does not need room ventilation, for at least 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months (cesfoowd by actual test). The SDG is mounted in a trailer, with ventilation provuled by operung the trailer doors.

10) Either CRD pump capacity is greater than the decay inat levels, a positive feature. There are two CRD pumps, the standby pump starts automatically on reactor trip. However, CRD pumps cannot be used in conjunction with safety vahc cycling or actuation of the reactor depressurization system due to high temperature in the CRD room, a negative feature.

11) The instrument air system has three air compressors, with one being sufficient for system success.

Apparently domestic water can be used for backup cooling of air compressors, a positive feature The instrument air system supports the main condenser (including hotwell makeup from the CST) and one method of emergency nandannar shell side makeup (from the dannnarahzed water system).

12) The RCW (reactor coohng water, mmdar to CCW at a PWR) system is not anamd for harsh in-cantammant conditions, a negative feature, and is thus not credited in case of LOCA/ steam line break, or operation of safety valves or the reactor depressurszation system De system ofinterest which is cocied by the RCW is the shutdown coohng system. Firewster can be used as backup for RCW, however this is not credited in the IPE.

13) ne SW system oools the RCW best "=E=fe as well as the instrmnant air compressors and after coolers and the feedwater pumps (lube oil and seal coolers). Relatively few systems need service j water.

3

- . . - - . ~ . - . - - . - . - . . ~ - - - - . - . - - _ . . - . - _ - . -

l

14) Big Rock Point has a fast acting, manually actuated, passive liquid poison system or standby liquid system, utilizing nitrogen accumulators and squib valves. Reactor shutdown is achieved within 75 seconds ofinitiation (on first pass through the core). This is a positive feature.

15) The plant has a "100% load rejec' ion capability", a positive feature in the past, only load rejection from 50% power or lower has been successful. At higher power levels, load rejection has always failed due to secondary instabilities. However, prior to the IPE submittal, a hardware modification had been implemented, wluch seems to give the utility a high confidence (90% probability of success in the IPE) that load rejection from full power would be successful (no actual events had been experienced at the time of the submittal or the RAI responses). This moddication is an unmatic trip of one of the two recirculation pumps on load rejection. In case ofload rejection, most of the steam would be bypassed to the condenser'and the reactor power would be reduced (by ird voiding in the core, and later, by optional manual operator control rod insertion), such that the rear, tor and the turbine generator would continue to run, generating just enough electncal power for the house loads.

16) The 100% turbine bypass capacity, i.e., no safety valve challenge after failure to scram from full power under certam conditions, a positive feature. However, the feedwater system will not continue to operate unless a recirculation pump trip c: curs (for the same reasons as in the paragraph above),

lowering the reactor power by 40%. Thus, in practice, the plant really doesn't have the 100% bypass capacity (not for a long time at least). This feature is credited in high pressure sequences where the emergency cer4w.ect setpoint is reached and the recirculation pump is tripped automatically (as explained above). In low pressure sequences (e.g., spurious ope.n eaaha= bypass valve), the operator has some time to manually trip one recirculation pump, however this is not credited.

17) No high flow rate high pressure ECCS pumps, a negative feature, except in case of ATWS whem this may prevent contamment failure.

18) A single two train low pressure ECCS for LOCA evolutions, a negative feature

19) A portion of primary system piping which is located below core midplane, a negative feature.

20) No sign of the classic symptoms ofIGSCC (inter granular stress corrosion cracking) found at other BWRs, a positive feature.

21) 200% full steam flow pnmary system safety relief capacity, a positive feature.

22) No total dependence of cr@si safety features on suppcrt systems such as service water and instrument air, a positive feature However, many systems are vulnerable to harsh env;--.cr.:al conditions, a negative feature (CRD, RCW, energency c=A== outlet valves, prunary core spray valves, reactor level and pressure instrumantstina, etc.).

23) The large dry containment winch effectively decouples cantammant considerations from the level 1 analysis, a positive feature 1

24) 1he BRP sump wtuch is less susceptible to stramer blockage than at other BWRs, a positive feature This is due to: a lack of suppression pool (which may cantam LOCA .a .ii4 debris), as water is pumped from Lake Michigan; recirculation is not needed for a long time (and injection can be reentered should recirculation fail); there is a (non-procedurainM) capability to backflush the strainers; the post LOCA pool is relatively large and *==nant, with relatively low flow velocities; the 1 4 l

l 1

4 suction strainers are located away from the contamment floor and awry from the top of the pool; and coarse mesh screen doors are located at the entrances of the containment areas with the suction strainers.

25) The RDS (reactor depressurnation system) valves are de power dependent. However, they have their '

own dedicated batteries (good for 5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months in a blackout), a positive feature, i%t of the normal station battery or the standby battery The RDS is oflimited help in a blackout due to the limited battery life and also because the core spray system depends on the normal station battery which has a life of only 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months in a blackout. His is a slightly negative feature (as the blackout is not a significant CDF contributor).

26) A relatively wide gap exists between the operating pressure of 1335 psi and the design pressure of 1700 psi, a positive feature.

27) In case of ATWS, and if stable conditions at full power have been achieved, an altemate, albeit time consuming method exists for shutting down the reactor (a positive feature). This is accomplished by batching the borax or boric acid into the condensate tnakeup system, which is then injected by feedwater.

The Big Rock Point (BRP) Plant utilizes a sphaical steel vessel for a large dry contamment. The plant is designed such that operating perse.r,cl may enter the sphere and remam inside as necessary dudng normal operation, shutdown, and refueling. Some of the plant characteristics important to the back-end analysis are summarued in Table 1 of this report.

Table 1 Plant and Containment Characteristics for Big Rock Point Plant Characteristic BRP Zion Surry Thermal Power, MW(t) 240 3236 244i RCS Water Volume, ft 3 600 12,700 9200 i Coritamment Free volume, ft3 940,000 2,860,000 1,800,000 Mass of Fuel, Ibm 28,600 216,000 175,000 Mass of Zircalloy, Ibm 11,480 44,500 36,200 Contamment Design Pressure, psig 27 47 45 l Median Contamment Failure Pressure, psig 79 135 126 i RCS Water Volmne1 Power, 3ft /MW(t) 2.5 3.9 3.8 Containment Volmne> Power, ft3 /MW(t) 3917 884 737 Zr Mass /Cna*=ia-aat Volume, Ibm / ft3 0.012 0.016 0.020 Fuel Mass /Cna*=i=maat Volume, Ibm / ft 3 0.030 0.076 0.097 Because BRP is the only BWR plant that uses a large dry ='=i-t. it is more appropriate to compare the enat==mant characteristics with those of PWRs with large dry enatamments. As seen in the above table, the thermal power level of BRP is more than 10 times smaller than those of Zion and Surry. On the other hand, the containment free volume of BRP is only about 2 to 3 times smaller. He enatamment volume to thermal power ratio, which is an indicator of the contamment performance in meetmg the pressure challenges during a severe accident, is much greater for BRP than for I', ion or Surry. The data in the above table also show the 5

comparison of some other parameters, and all of these comparisons reflect the relatively large containment volume for BRP than for other plants. On the other hand, the contamment pressure capability for BRP is lower. It is noted that the parameters presented in the above table provide only rough indications of the containment's capability to meet severe accident challenges and that both the contamment strength and the challenges associated with the severe accident involve significant uncertamties.

The plant characteristics important to the back-end analysis are:

The only BWR plant that uses a large dry contamment (a spherical steel vessel).

A containment that can be accessible during power operation. The plant is designed so that operating personnel may enter the sphere and remam inside as tweaary during normal operation. The potential for a single access door to be open while personnel are entermg or leaving the containment thus exists. !

Interlocks on the doors prevent simultaneous openmg of both equipment lock doors or both personnel ,

doors. '

The small core and large contamment volume. The contamment volume to core thermal power ratio I is about 5 times that of PWRs with large dry contamment. The large contamment volume reduces the !

challenges to contamment integrity from contamment pressurization mechanisms. It also provides !

significant passive heat removal capability through the contamment shell and other passive heat sinks.

The capability to flood the contamment. Procedures are in place at BRP to direct the operators to fill the containment vessel with water (called " fill-the-ball" in the IPE submittal). This provides cooling to the core debris in-vessel such that vessel failure may be avoided, or provides cooling and scrubbing of the debris ex-vessel if vessel failure is not prevented.

1

A sump beneath the reactor vessel that has the volume to hold the entire core debris. The sump in the CRD room beneath the reactor vessel has a depth of 3 feet and a volume of 126 cubic feet. This sump )

may hold the entire BRP core after vessel breach (with a total depth of 1.6 feet, or 50 cm).

O I

I l

6

2 TECHNICAL REVIEW 2.1 Licensee's IPE Process 2.1.1 Completeness and Methodology The licensee has provided the type ofinformation requested by Generic letter 88-20 and NUREG 1335.

The front-end portion of the IPE is a level 1 PRA. The specific tarhaigy used for the Level 1 PRA was a small event tree /large fault tree, and it is clearly described in the submittal.

Internal initiating events and internal floadmg were considered. Event trees were developed for all classes of initiating events. No uncertamty analysis was performed. Several sensitivity analyses were performed (with regard to the diesel fuel oil supply, the load rejection assumption, the hotwell makeup, the electrical bus failure rate, the temperature in Rooms 418 and 400, and the liquid poison squib valve sensitivity).

System importance analysis w.ss also performed (utilizing the Fussel-Vesely and the Birnbaum importance measures).

The IPE Level 1 model (submitted in late 1994) is an update of an earlier BRP Level 3 PRA, which was submitted in 1981 (for TMI exemptions) and reviewed by the NRC. Model updates reflect.the plant :

modifications and data since 1981. The event trees were revised based on Rev. 4 of BWROG EPGs and updated success criteria. Other PRA studies were also reviewed: NUREG-1150 for Surty, Peach Bottom and Grand Gulf, and the 1983 Shoreham PRA. It seems that the Sequoyah PRA was also reviewed.

The submittal information on the HRA process was adequate. However, on the basis of the licensee's response to the NRC's RAI, information in some parts of Section 4 (the overall " methods and approach") was apparently inaccurate. The response to the RAI indicates that some of the information in section 4 (at least some related to the HRA) was boilerplate and should have been revised after completion of the analysis.

Sections 10 and 13 provided enough information to evaluate the HRA, but it would have helped to be able to rely on the information in section 4. Nevertheless, the information contained in the submittal and that obtained from the licensee's response to the RAI, indir='ad hat t the HRA was generally complete in scope The HRA process for the Big Rock Point IPE considered both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post initiator actions (performed as part of the response to an accident). A detailed analysis was performed for all pre-initiators. The Big Rocx Point IPE acknowledges ,

both response and recovery type post initiator human actions. However, post initiator actions were modeled )

only when clear procedural guidance (normal, abnormal, or emergency procedures) existed for the operators and repair activities were apparently not credited. To account for dapaadaaries durmg the initial (screening) analysis, the submittal states that "where it was initially r=ca-ai=A that resulting sequences may cantam multiple operator actions, the HEPs were initially set to 1.0." After the initial quantification and when quantified operator actions were first included, the nammal ASEP HRA method was applied to all post-initiator human actions. Where unportant sequences caa*=laad multiple operator actions, the actions were l analyzed to determme the daaaadaaries between the HEPs. The HEPs obtained using the ASEP method are known to be somewhat conservative. After the sequeces were gnaan&d with the ASEP values, operator f l

actions identified as paeaad=Hy being important were re-analyzed using the THERP methodology. All the actions re-analyzed had a Birnbaum importance greater than 1.0E-6.

7

While in many cases the application of THERP was reasonable, there were several events for which the quantification process did not seem appropriate. It is thought that the resulting HEPs should be considered optimistic and that the use of such values for these events is a weakness of the HRA. The problem arises through the licensee's use of HEP values from the " annunciator response model"(Table 20-13 or Table Il 13 from THERP) in situations where very limited time is available for the operator action. While it can be argued that the HEPs from this model are acceptable when substantial time is available for the operators to determine the relevant actions and when the operators need only respond to the existence of an annunciator in the control room, the HEPs from this model do not reflect the impact of the time available on the Wiihed of success Thus, this model will clearly underestunate HEPs for short time frame scenados and the ASEP/THERP time-reliability diagnosis model is clearly indicated in such situations. Other unportant aspects of the post-initiator HRA analysis appeared to be c=t si appropriately. Human errors were identified as unportant contributors in accident sequences leading to core damage and several procedure related anhs. - -- =ts were discussed in the licensee's iesponse to the NRC's RAI.

The Big Rock Point Plant Individual Plant Examination (IPE) back-end submittal is essentially consistent with respect to the level of detail requested in NUREG-1335. -

The methodology employed in the BRP IPE for the level 2 evaluation is clearly described in the submittal.

Plant Damage States (PDSs), which are dermed in the IPE by an event tree structure with the parameters important to Level 2 accident progression as the top events, are dermed in the IPE. They are further grouped to key PDSs (KPDSs) to be used as the initial ccaditions for the level 2 analysis. Quantification of the Level 2 accident progression involves the development of small top level contamment event trees (CETs). The top events of the CETs are determmed by the fault trees, the PDS definition, and analyses of unportant containment phenomena. The CETs and the supporting logic trees addressed in detail all the containment failure modes discussed in NUREG-1335. The results of the CET analyses are an extensive number of CET end states which are binned into fifteen release categories (only five of which have non-zero frequencies).

The CET quantification relies on review of industry literature, primarily the NUREG 1150 document, and plant-specific analyses using the MAAP-BRP code. Release fractions for the release categories are based on the plant specific MAAP-BRP calculation results. However, only release fractions for Csl are reported in the IPE submittal, The release fractions of other fission product groups are not reported in the submittal.

2.1.2 Multi-Unit Effects and As-Built, As-Operated Status There are no other units on site. .

A wide variety of up-to-date information sources were used to develop the IPE: Final Hazards Analysis Report (for system success criteria), BRP technical specifications (system operating guidelines and system design), plant operations manual (system descriptions and operating procedures), emergency operating procedures (system operation during an emergency and operator actions during an emergency), BRP drawings (system layout, system intaconnections and component control achamas), scram reports, event reports and liceneae event reports (initiating event data, plant response and failure data), plant surveillance procedures (demand data, test frequencies and run times) and maintenance orders (failure data and component availability).

The plant configuraten was modeled as it existed early in 1993. De data was collected for the last 10 years of operation, while the initiating event frequency data were collected fan 30 years of cperatmg experience.

Many plant walkdowns have been performed throughout the 30 year BRP history. In addition to the walkdowns performed for the 1981 PRA, the various plant upgradas and other plant specific activities, several

^

8

walkdowns were performed as part of the IPE. These were performed on an as needed basis as part of the The fault tree and event tree development, and also for the flooding, HEP and containment analyses.

walkdowns were part of the iterative PRA process, and were easier to perform here than at most plants because a) the PRA team (i.e., CPC personnel) work on site and b) the BRP containment is not inerted and access is relatively easy.

Significant participation in the IPE by plant staff, procedure reviews, discussions with operations and t .

t staff, observations of simulator exercises, review of the " control room design review", and walkdowns of important operator actions, including local actions, helped assure that the IPE HRA represented the as-b as-operated plant. Contractors (not named) and training, operations and management personnel perform .

review of the HRA. This also helped assure that the IPE HRA represented the as built, as-operated plant Insofar as the back-end analyses are wwsed, it appears that all the BRP contamment specific features are modeled.

It seems the licensee intends to maintain a "living PRA".

2.1.3 Licensee Participation and Peer Review Licensee personnel were involved in all aspects of the analysis. In plant expertise was already existent due to the previous BRP PRA study, such that CPC personnel performed most of the work, with (unspecified) help from Gabor Kenton and Associates, and Tenera. It appears that almost all of Level I work was done by CPC.

The reviews performed for the IPE seem to have been done by the analysts in the course of their work and by other CPC personnel in the cowse of interactions with the maintenance, engmeenng, reactor engineering and training personnel. Formal renew was performed by the present plant manager, operations manager, the simulator operations supervisor, the safety and licensing director, selected SRO qualified training nuclear instructors and selected maintenance persv. wl (RAI responses).

i Outside review was performed by experts from Tenera, Gabor Kenton & Assoc. (now Dames & Moore) and by an independent contractor (David Bizzak). .

From the description provided in the IPE submittal it seems that the intent of Generic Letter 88-20 is satisfied.

2.2 Front End Technical Review l

2.2.1 Accident Sequence Delineation and System Analysis 2.2.1.1 Initiating Events The initiating events for BRP IPE were idenhfied primarily based on the 1981 PRA and by reviewing the plant operating experience. A couple of mmor initiators from the 1981 PRA were deleted as they would not .

be a significant contributor. Connolled manual shutdowns were not included in the analysis, but forced '

manual shutdowns were, wLg to the submittal, although the value of 5.6 forced manual shutdowns per year appears high.

9 1

I As a result, a total of 35-40 initiating events were identified (some initiators, such as ISLOCA or turbine trip can be further broken down into subinitiators). In addition, only I flooding scenario survived the screening process, and will be described in the flooding section of this report. The intemal initiators are:

LOCAs:

RPV Rupture below core Large LOCA below core Medium LOCA below core Small LOCA below core Very smallLOCA belowcore Large LOCA above core Medium LOCA above core Small LOCA above core Steamline break inside containment:

Large SLBIC -

Medium SLBIC Small SLBIC Very small SLBIC Steamline break outside containment:

Large SLBOC Medium SLBOC Small SLBOC Transients:

Turbine Trip Loss of Feedwater loss of Main Condenser Spurious MSIV Closure Spurious Bypass Valve Operung Spurious RDS (Reactor Depressurization System) Valve Opening load Rejection loss of DC Power Loss ofInstrument Air ATWS:

Turbice Trip loss of Feedwater loss of Main CWeer Spurious MSIV Closure Spurious Bypass Valve Opemng loss ofIratrmocnt Air loss of Offsite Power SpecialInitiators:

Interfacing Systems LOCA Internal Flooding Manua! Shutdown:

10 1

Manual Shutdown less of Service Water The initiating event list seems to be complete and comparable to events considered in other PRAs. HVAC failures do not lead to initiating events (RAI responses).

The loss of offsite power initiating event is included under " load rejection". Ioad rejection occurs when the main 138 kV transmission line " disconnects". At that point, the plant attempts to continue runmng the reactor to just supply the house loads (i.e., one recirculation pump is tripped off, voiding in the core increases, most of the steam is bypassed to the #-== , with only a small fraction flowing to the turbine in order to supply the 4 6 MWe needed). If this is unsuccessful, the turbine will trip and the reactor will scram (e.g. on high flux), and transfer of essential load:; to the 46 kV transmission line will be attempted, automatically. (Large loads, such as the feedwater pumps and the reactor recirculation pumps would be tripped automatically, with manual loading possib:e if the transfer to the 46 kV line was successful). Only if this transfer is unsuccessful, will the " loss of offsite power" c: cur, and the emergency diesel generator will start to supply select safety ,

loads (which would be loaded manually), mainly the electrical fire pump and/or the CRD pumps.

The loss of DC power initiator involves loss of power from the normal station battery (there is only one normal DC bus in this plant). The standby battery powers certain safety loads (e.g., the emergency condenser makeup and isolation valves), and its failure would not constitute an initiator (although LCO conditions would be entered, and the plant would have to be shutdown in 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months ).

Loss of an individual AC bus was considered, and frequency ofindividual faults calculated. Apparently, this was not an important initiator (highest fault frequency was 7.7E-5/yr), and thus is not included in the Table of initiators, (Table 4 in Section 2.2.2.6).

For a discussion ofinitiator frequencies see Section 2.2.2.6 below, 2.2.1.2 EveniTrees The IPE developed 37 event trees to model the plant responses to intemal initiating events. Pretty much every initiating event has a separate event tree developed for it. In case ofinterfacing systems LOCA, there are two event trees, one for each of the two daminant pathways, and in case of load rejection there are three,

dependmg on tne stage in progression from failed load rejection to station blackout. Thus there are 7 general transient event trees (turbine trip, manual shutdown, loss of feedwater, MSIV closure, loss of main condenser,

- loss of instrument air and spurious bypass valve opemng event tree); 8 steam line break event trees (the 4 categories inside the containment, the 3 categories outside the contamment plus the spurious RDS operation event tree); 7 LOCA event trees (correspondmg to the three categories above the core and 4 categories below the core, no event tree is developed for the RPV rupture; however, all below LOCA events are treateOs RPV tures at the lowest point in the primary system, iMag the large LOCA, with a break area of up to 3.5

. ftnp; 4 loss of power event trees (failed load rejection, loss of station power, station blackout and l power ever.t. t.2es); 7 ATWS event trees, corrwdmg to the 7 ATWS categories enumerated in the initiat rection; aM 4 "other transients" event trees (the intercal floodmg event tree, the two interfacing LOCA event trees and the long term cooling event tree). The long term cooling event tree is a transfer event tree used for transients where low pressure cenditbus for initiation of the shutdown cooling cystem or the post incident system exist within the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months mission time.

The event trees are systemic. The mission time used in the core damage analysis was 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

I1

i l

I The event tree end states are divided into two possible outcomes: success or core damage (which is then put i I

into the appropriate plant damage bin).

The analysts used the peak clad temperature of 2500 F as the definition of core damage.

I Success criteria are based on performance or review of engmeenng analyses. These analyses were comprised of the following:

1) Existing in-house best estunate or design basis calculations performed for Big Rock Point;

2) Hand calculations tailored to the event sequence success criteria development, based on contmuity, momentum and energy balances;

3) Computer modeling of the event sequence success criteria using plant analysis codes such as MAAP;

4) Engineeringjudgement. .

l The success criteria appear reasonable. The licensee claims that the RDS success criterion of 3 out of 4 valves opening for depressurization, used in the IPE, is conservative. In reality, in all but two sequences, one out of 4 valves is sufficient (RAI responses). In all non-ATWS scenarios, lifting of one out of 6 safety valves (different system from the RDS) will prevent overpressurization; in ATWS that success criterion is 3 out of 6 safety valves.

I The RCP (recirculation pump) seal LOCAs are not modeled, either as an initiator or as part of an accident sequence, for the following reasons

1) Procedures instruct the operators to trip the RCPs if seal pressure and temperature cannot be maintamed,

2) RCP loop isolation valves could be closed to isolau, excessive seal leakage if ac power is available;

3) If seal cooling were lost via loss of reactor cooling water or loss of service water, RCP seal failure would not occur immediately. A test of the BRP RCP O rings maMad in 1981 exposed the seals to 580 F for a 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months period without failure.

The steam drum enclosure sprays are modeled for certain initiators (e.g., F=Haa breaks inside contamment) because of environmental operability reqmrements of certam equipment within the enclosure (e.g., emergency condenser valves).

The environmental quahfication reqmtemente of systems are noted and nodeled (e.g., harsh LOCA conditions inside the mntainment; floodmg of matammmt by injection nycLts or from steam e=dannation, etc.). However, the effect on termmal mnnartinne and cables is apparently not ==dahd No repair activities were credited except for offsite power recovery. Certam rocovery actions (e.g., maAan=ar hotwell makeup via L-.;w in case of ATWS) wue not credited. The fill-the-ball operation does appear in the event trees but is assigned a failure probability of 1. Thae is also a discussion which considers that cooling of the core through nucleate boding via a submerged lower head of the reactor vessel should be effective, but this is not credited, either. On balance, these conservatisms seem reasonable (based on limited time available, lack of thermal hydraulic discussion etc.). "Ihe assumptions related to the fill-the-ball strategy 12

1 l

always failing are responsible for 42% of the core damage. This is due to LOCA sequences. Thus, if this ;

i strategy were credited, the CDF would drop by almost a half, but the LOCAs would still be a dommant

contributor, therefore the conclusions regarding relative importance of various accident scenarios would still j be mostly valid.

Other modeling conservatism are also no J in the RAI responses. Feedwater hydro of the steam drum was

not credited (the operators could raise the steam drum level to above the steam separators and cool the core through the risers for the small pipe break initiators). Emergency c='== could be used for depressunzation in very small LOCA below core conditions below the shutoff head of the fire pumps (not credited). The proceduralized manual operation of the alternate core spray injection path (MOV-7072) was never modeled. The proceduralized portable diesel pump was only credited in case of station blackout and intemal flooding. The recently installed fourth air compressor was not credited.

For ISLOCAs pathways outside contamment through low pressure piping were considered. Inside i containment ISLOCAs were included in the LOCA and steam line break inside contamment analyses.

Outside contamment steam line breaks were also considered in a separate analysis (see above), therefore i ISLOCA analysis does not consider such events (including, for example breaks in emergency condenser

tubing).

l Two dominant pathways resulted from this analysis, and two separate event trees were developed. One was

an ISLOCA above core, which resulted in the core spray injection line. The structure of this tree is similar 6 to that of a medium LOCA above core, w th i eme events missing: the core spray is assumed failed, the enclosure spray is not needed, the pod incident and the fill-the-ball systems are not credited as the discharge is outside the containment. The other event tree was for an ISLOCA below the core, which represented a

! break in the reactor fuel pit drain / blowdown line. The structure of the tree is similar to that of a small LOCA below the core without events representing the post incident system and the fill-the-ball strategy.

2.2.1.3 Systems Analysis

{

! A total of 22 systems / functions are described in the Submitt:1. Included are descriptions of the following

{ systems: emergency mahn , emergency condenser makeup, reactor depressurization system, primary system safety relief valves, main steam isolation system, main mahaw shutdown cooling system, post

! incident system, feedwater system, condensate system, control rod drive system, fire protection system, core j spray system, enclosure spray system, contamment isolation system, fill-the-ball, station power system, j component and instrument air, condenser circulating water system, reactor cooling water system, service 1

, water system and liquid poison system. A discussion of the HVAC system considerations was provided in

the RAIW+3 = =

Note: the post incident system is analogous to a low pressure recirculation system in a PWR, i.e., suction is j l ta'.en from the matammet sump via 5 stramers, through two parallel 100% capacity pumps outside the !

containment, through a heat exchanger and then back inside the cantammet and over the core through spray

spargers.

i Eadi system description includes a discussion of the system descnption and function, support systems, testing

, and mamtmanm, tehaieml apeibneions and ifapsuse=4aii, systern operation under accident conditions, j system success criteria, key =ahling assumptions, fault tree description, mmmon cause information j (including the values of the MGL parameters), himian reliability, plant specific experience, results and j insights (ine1Hiag the Fussell-Vesely and the Birnbaum importance measures for the system) and initiating

evait review.

4 13 4

d

4 Also included for many systems are simplified schematics that show major equipment items and important flow and configuration information.

Section 1.2 of this TER provides a description ofimportant plant features.

l 2.2.1.4 System Dependencies ne IPE addressed and considered the following types of dapaadancies: shared component, mstrumentaten and control, isolation, motive power, direct equipment cooling, areas reqmnng HVAC, operator actions and environmental effects. The HVAC system is assumed to be not needed in any of the rooms, due to tests showing equipment not rQ the damage ty. hire (e.g., in the control room), availability of natural circulation and passive cooling due to non.s.yG=:=1i=d nature of certam areas, and availability of simple operator actions such as openmg of a roll up door.

2.2.2 Quantitative Process 2.2.2.1 Quantification of Accident Sequence Frequescles ,

The IPE used a small event tree /large fault tree technique with fault tree linking to quantify core damage M-~. The event trees were systemic. The IRRAS computer code was used for development and quantification of top event probabilities and accident frequencies.

The cut set truncation limit used was 1.E-09/yr, without the initiating event frequency. Initial cutsets with a conditional probability of 1.E-6 were scrutinized to make sure they made sense.

The IPE took credit for recovery of offsite power. The IPE power recovery curve is based on BRP experience and is consistM with everage industry data cited in an Electric Power Research Institute (EPRI)-sponsored study (NSAC-147) (actually the BRP data are conservative compared to the NSAC data).

No other recoveries or equipment repair were credited. For instance, restoration of the main condenser after MSIV closure was not credited, nor was the restoration of feedwater in a loss of feedwater event tree. In addition, no recovery was included in the Imel 2 analysis However, simple recoveries from operator errors were credited.

Other conservatisms in the model are related to double counting of data and cutsets. Muumal sortmg of raw failure data was done, such that a failure of a sup9- .; =t such as the diesel generator may also be counted as a failure ofits constituent parts, e.g., a relay. Non-muumal cutsets were not ali aia mi as an older version of IRRAS was used (Ver. 4.16) which apparently did not have that capability, acanirg to the submittal l .

2.2.2.2 Point Estismates and Uncertalaty/Sessitivity Analyses Mean values were used for the point estunate initiator frequencies and all other basic events. The CDF This last assertica, about IRRAS version 4.16, may not be correct. De author of this TER tried to contact Ken Russell ofINEL, the developer ofIRRAS, unsuccessfully, but the author's recollection is this capability existed much sooner than this version, and, defmitely, much earlier than 1993, the year the IPE was done (the earlier versions ofIRRAS, i.e. 2.xx, back in 1989 and 1990 had this problem).

14

- - - - - - . . - - - - - - - . - ~ - ~ - . - . - . - - - .

l

. l calculated is 5.4E-5/yr. No uncertainty analysis was performed Fussel-Vesely and Birnbaum importance measures are given for systems and key basic events, and insights are gained about importance of systems and maintaming their performance based on these measures.

l l

Six non-HRA sensitivity studies were also performed in the first study, sensitivity to the diesel fuel oil supply is explored. There are several diesel engines on site: '

the diesel driven fire pump, the emergency diesel generator, the standby diesel generator and the portable diesel pump. All of these motors, except for the portable pump, require dedicated fuel. It is possible to refill all the tanks with the same fuel, thus incapacitating the engines for which this is the wrong type of fuel. He sensitivity study set all the diesel engine nm failure probabilities to 1. The increase in the CDF was 2.25E-3/yr, i.e., very substantial. This is understandable, as these diesel engines are used as backup in many j scenanos.

The second study calculated the sensitivity to the load rejection assumption. The current assumption is that the load rejection from full power would fail only 10% of the time, due to the recent hardware modification of tripping one recirculation pump on load rejection. However, this assumption is untested (there have been ,

no load rejections since the modification), and full power load rejections had always failed prior to this improvement (partial power load rejections, from up to 50% power had been successful in the past). This study set the load rejection failure probability equal to 1. The resultant increase in the core damage frequency was 6.0E-6/yr, i.e., only about 11%. This is due to the electrical distribution system redundancy, existence of two diesel generators, the diesel driven fire pump and the portable diesel pump, as well as the long time to battery depletion (about a week). It seems plausible that this sensitivity to the load rejection assumption ,

would be increased with increased unreliability of the two diesel driven pumps (a point of one of the RAls, l see section 2.2.2.3), however no updated sensitivity study was performed as part of the RAI responses. l The third sensitivity study was performed for the ability to use the condensate system as a low pressure water supply to the reactor. Makeup to the condenser hotwell can be provided by gravity feed from the condensate j storage tank or by the fire protection system (the latter was apparently not credited due to the short time scale !

for this manual action). The condenser makeup was disabled in this study (i.e., failure probability of makeup valves set to 1), thus disabling the low pressure condensate pump injection into the reactor, the resultant uxrease in the CDF was 7.6E-5/yr, i.e., significant. In this case, the low pressure makeup to the reactor vessel is reduced to the design basis (the core sprays with fire water). When the valve failure rate was increased by an order of magnitude from its base case value, the increase in the CDF was 6.0E-6/yr, i.e., relatively small (11%). Thus the reliability of these e-+ ==ts can be relatively flexible. ;

The fourth study calculated the unportance measures (Fussel Vesely and Birnbaum) of various electrical distribution panels and buses. The Fussel-Vesely -,,44.cs for all of these components was relatively low (between 1.E-5 and 6.E-3). De Birnbaum M6.cs ranged from medium (1.4E-5/yr) to high (7.5E-3/yr), ,

i.e., these would be the increases in the CDF if the appmpnate component was assumed failed. De highest Birnbaum importance was derived for the panel that would service the post incident system, the manual pressure control and the enndensate valve control.

The fifth study dealt with the tom Are in Rooms 418 (spent fuel pit heat d== room) and 400 (steam drum enclosure). De LOCA and F =9= break event trees wue reanalyzed assummg i we J failure probabilities of equipment within these two rooms due to severe envirnaments The important equipment in these rooms are the core spray level and pressure instnwnentahan used for cutomatic valve operation (room 418), reactor water level trancmitters for the low reactor wa'er level pemussive signal for the RDS (room 418), the pnmary core spray motor operated valves (room 400) and the emergency conderaer outlet valves.

15 I

i I

4 Two sensitivities were performed, one assuming a moderate degradation of equipment performance that doubles the base failure rate, and two, a severe degradation which increases the base failure rate by an order of magnitude. The moderate degradation case produced a CDF increase of 2.9E-6/yr, which is small, i.e.,

moderate degradation can be tolerated. The severe degradation increased the CDF by 3.8E-5/yr, which is significant.

The final study considered the sensitivity of the liquid poison squib valves to thermal degradation while in service (these valves are regularly replaced every few years, and randomly tested). The seven squib valves are explosive actuated valves which have replaceable primer and trigger assemblies. Two sensitivity studies were performed. The first study assumes the squib valves would fail to actuate when exposed to a high temperature steam environment, as would be expected in case of safety valve actuation during an ATWS event. The second sensitivity assumes the squib valves will automatically actuate when exposed to prolonged (greater than 10 minutes) high temperatures. The first sensitivity produced a small increase in the CDF of 2.0E-6/yr. This is due to the fact that majority of ATWS sequences arise from the low pressure turbine trip, thus no SRV actuation results (ATWS contributes 7% to the CDF overall). The second sensitivity produced a small decrease in the CDF of 6.0E-7/yr, as the operator action to fire the squib valves is effectively removed.

2.2.2.3 Use of Plant Specific Data The data collection process period was from 1982 through 1992 (10 years). The initiating event collection period was from the start of commercial operation in 1964 through the end of 1992 (29 years).

Both demand and time related failures were addressed. The sources of plant specific failure data and maintenance / testing unavailability data were: control room log books, deviation reports, licensee event reports, maintenance orders, surveillance tests and switching and tagging orders.

For components for which no plant specific data existed, generic data were used. For components for which relatively plentiful plant data existed, that data was used directly (e.g., dividing the number of failures by the 10 year data window and adjusting for the plant capacity factor). For components for which relatively sparse data existed, Bayesian updating of generic data with the plant specific experience was performed, according to the submittal. however, a spot check of the data base leaves the impression that Bayesian updating was used extensively (e.g., in case of the fire pumps, relatively plentiful plant specific data exists, yet Bayesian updating was performed). Most important canaanents have plant specific data.

The submittal shows both the generic data and plant specific data used for a component, along with the plant specific experience (e.g., number of failures and total running time in hours) for that (wr-:==t.

Table 2 of this review compares the plant specific failure data for selected c<- .r-==ts from the IPE to values typically used in PRA and IPE studies, using the NUREG/CR-4550 data for companson [NUREG/CR 4550, Methodology).

BRP data are generally in as wum with the NUREG/CR-4550 data, with data for the standby diesel generators and the diesel driven fire pump lower than ~p-M The reported failure rates seem to be supported by the exhibited plant data and the genenc priors used, except for the fire pumps, see discussion below and in Section 2.2.2.4. Note that in Table 2, some failure rate data under BRP the column are generic, i.e., there was insufficient plant specific experience (e.g., electric bus, squib valves).

16 i

I

Table 2 Comparison of Failure Data Component BRP 4550 MD Pump fail to start 4.0E-4 to 8.0E-3 3.0E-3 fail to run 1.7E-5 to 2.5E-4 3.0E-5 Electrical fire pump failto start 1.2E-3 3.0E-3 fail to run 3.6E-4 3.0E-5 Diesel Driven fire pump fail to start 2.4E-3 3.0E-2 failto run 4.8E-4 8.0E-4 Diesel Driven portable pump l failto start -

failto run 7.0E-2 (HEP) 3.0E-2 standby failure (90 days btw. tests) 3.4E-5 8.0E-4 3.4E-5 IAS Compressor fail to start 4.3E-3 8.0E-2 :

failto run 9.5E-5 to 1.4E-4 2.0E-4 Battery Charger Failure 1.9E-5 to 5.2E-5 1.0E-6 (1.3E-5 for RDS chargers)

Battery Failure 2.0E-6 1.0E-6 Circuit Breaker (480V) failto remam closed 2.2E-6 to 2.8E-6 1.0E-6 failto close 3.6E-3 to 3.0E-2 3.0E-3 AC Bus Fault during operation 5.0E-7 1.0E-7 Check Valve failto open 5.3E-4 to 1.8E-3 1.0E-4 fail to close 6.lE-4 to 6.3E-4 1.0E-3 MOV failto open 2.7E-3 to 2.8E-2 3.0E-3 failto close 1.2E-2 to 2.0E-2 3.0E-3 Air OperatedValve failto open/close 1.6E-3 to 2.6E-3 2.0E-3 i

Solenoid Valve '

fail to operate 1.3E-3 to 7.2E-3 2.0E-3 17 i

,- n - 4

_ _ - =. - ._ __ _ _ .

4 Table 2 Comparison of Failure Data Component BRP 4550 Pneumatic valve, hydraulic valve fail to operate 1.5E 3 to 2.4E-3 2.0E-3 Explosive valve (squib) 3.0E-3 3.0E-3 Steam Drum Safety ReliefValves fails to open 4.6E-3 1.0E-5 RDS valve fails to energize /open 7.0E 3 to 1.5E-2 1.0E-2 (solenoid + relief)

Emergency Diesel Generator, Standby D.G. -

fails to start 1.6E-2,4.4E-3 3.0E-2 fails to run 4.8E-2,2.2E-2 2.0E-3 l (1) 4550 are mean values taken from NUREG/CR-4550,i.e., from the NUREG-1150 study of !

five U.S. nuclear power plants. ;

(2) Demand failures are probabilities per demand. Failures to run or operate are frequencies expressed in number of failures per hour.

l In case of the diesel driven fire pump (DFP), there were two aspects of the data which were problematic. !

First, the generic prior used for Bayesian updating was the failure rates for the motor driven pump, whereas j the diesel driven pumps tend to be significantly more unreliable. This would bias the posterior failure rate l toward lower values, if the plant specific experience were weak (e.g., no failure). Second, while the plant j specific experience was relatively strong, this was not reflected in the posterior values for DFP failure rates, I which were unreasonably low.

Specifically, the generic value used for failure to start and failure to run, respectively, was 3.3E-3/d and 3.4E-5/hr, whereas the corresponding values in NUREG/CR-4550 are 3.0E-2/d and 8.0E-4/hr. The plant specific evidence for the DFP was 2 start failures in 814 demands and 7 failures in 407 hours0.00471 days 0.113 hours 6.729497e-4 weeks 1.548635e-4 months of operation (i.e.,

testing). This yields the plant specific start failure rate of 2.5E-3/d and the run failure rate of 1.7E-2/hr. As l can be seen from Table 2, the DFP run failure rate used in the IPE is much lower than expected (4.8E-4/hr),

in spite of the relatively strong plant experience. Somewhat similar, though less pronounced, problem appears in the electric (motor driven) fire pump (MFP) failure to run (3.6E-4/hr used in the IPE vs. 4.4E-3/hr calculated from 3 failures in 679 hours0.00786 days 0.189 hours 0.00112 weeks 2.583595e-4 months ). As far as the diesel driven portable pump is corsroed, the usage of a low generic pump failure rate is somewhat offset by including the standby failure rate in the model.

The data used for these pumps is important as they are used for makeup to the emergency condenser, for the i core spray injection and recirculation cooling, and would be depended on in a station blackout. As a result, a relatively high Birnbaum importance is calculated.for these pumps (4.E-4/yr for the DFP and 6.E-4/yr for the MFP).

18

h e i In response to the RAI dealing with these issues, the licensee stated that the plant data collected over predict failure for several reasons: the actual run time of the pumps during tests is sometunes much longer than the

% hour required; the failures may be double counted between the pumps and their modeled constituent components (relays, switches, etc.); failure is assumed even if a slight departure from nommal parameters occurs, even if the pump can still produce the reqmrod flow (for example of the 7 DFP run failures, only one was clauned to be a "true" failure).

The licensee also states that other conservatism are built into the analysis which would offset any optinustic failure rates. The assumed mission time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is re==anahle for breaks below the core, but is conservative for most other initiators. For above core breaks and emergency e-i== operation, the fire pumps would be operated intenmttently. Also not included are passive contairunet sinks and core cooling i

via liquid film vessel cooling, wluch the CPC analysis shows would be effective in long term decay heat removal.

The licensee performed a sensitivity analysis in winch the fire pump failure rates were resed to 1.0E-2/d for start failures and 1.0E-2/hr for run failures. 'Ihe new total CDF is not shown, although itappears it is at least double the base case CDF (i.e., on the order of 1.E-4/yr). Instead, a companson is made between CDF contributors (in terms of initiators ) between the submittal and the sensitivity analysis, in which three types ofinitiators are compared: LOCAs and SLBs, loss ofinstrinnant air, and other non LOCA. In the sensitivity analysis, the LOCA and SLB contribution as a fraction of the total CDF dropped precipitously, from 80% in '

the base case to 46%. *Ihe loss ofinstrument air contribution rose markedly, from 9% in the submittal to 42%

in the sensitivity analysis. The other non-LOCA contribution stayed approximately the same, in a relative '

sense (11% of the CDF in the submittal vs.12% in the sensitivity analysis).

9ere are four sequences in the loss of instrument air event tree which cause most of the increase in this imtiator contribution to the total CDF. All four have failure of the emergency ' === and low pressure makeup to the core, which are dommated by failure of the fire pumps to run. The licensee states that, in reality, the recently installed fourth air sym.cr would also be used, and also the portable diesel pump would be used for emergency madamar makeup The portable pump is now credited only for station ;

blackout and floodmg sequences The fourth air compressor was not credited, however it has not been formally related to plant operations (RAI -yeiss). Accordmg to the RAI raepaa=,includmg the portable ,

pump in the analysis would reduce the loss of instrument air contribution to 7%'of the new CDF, while including the fourth compressor would reduce this even further. It should be noted that the portable pump run failure rate used is also optimistic, by 1 to 2 orders of magnitude. However, due to inclusion of the operator start failure rate of 7.E-2/d and the standby failure rate which adds another 3.7E-2/d to the start failure rate, this pump's mission time total unavailability is only mildly under i+M 2.2.2.4 Use of Generic Data Genenc data used were mostly PLG data, with some EGAG data and data from the Paheadas and the Monticello IPEs/PRAs. The genenc data are generally reasonable, with the exception of data used for the diesel driven pumps In that case, the genenc " pump" is used, i.e., data for the motor driven pump are used.

This will lead to underestimatxm of failure probability of the desel dnven fi:e pump (genene data used as prior for Bayesian updada=). In tum, this may lead to under representation of stataan blackout sequences in the list of dominant sequences The Iwmar did perform some sensitivity studies to correct this deficiency (see M====Es in section 2.2.2.3 above), in response to the RAls.

t 19

2.2.2.5 Common-Cause Quantification Redundant components were systematically exammed to address potential common-cause failures. The approach used was the multiple Greek letter approach (MGL). The and (if applicable) the y, the 6, the e and the ( factors are reported in the submittal, with disenmmation based on failure modes (e.g., in general, different values of MGL parameters are given to failure to start as opposed to failure to run).

The methodology used was not described in detail, although it appears that it has yielded reasonable common cause parameter values (for the most part). The process used is consistent with that described in NUREG 1478, " Procedures for Treating Common Cause Failures in Safety Reliability Studies" (RAI responses). The submittal states that the following references were consulted for data on common cause failures: EPRI NP-3967, the PLG data base, NUREG/CR-3289 and NPRDS.

When calculating the common cause failure rate of two or more components, the highest random failure rate is used as the basis for calculation. For instance, in case of the common cause failures of the emergency diesel generator and the standby diesel generator, the failure of the emergency diesel generator is multiplied by the p factor to arrive at the common cause failure rate. The EDO failure rates are higher (see Table 2).

As can be seen from Table 3, most important components are modeled with regard to the common cause failure. The batteries a e not modeled, e.g., common cause between the station battery and the altemate shutdown panel (or standby station) battery, because they are located in different plant areas and are tested and maintained by separate procedures (RAI responses). Still, the batteries are of the same design, and some kind of common cause factor should have probably been included. (These two batteries are used for different purposes, there is only one safety de bus, served by the alternate shutdown panel battery). The common cause among the four dedicated RDS batteries is not modeled, due to probabilistic insignificance, as the chargers can supply the needed power. There are other batteries in the plant, such as the ones associated with the diesel generators and the diesel driven fire pump, but apparently their failure is included under the supercomponent failure to start.

He common cause failures between the diesel driven and the electric fire pump are not modeled, rven though the pumps are identical four stage vertical Worthington turbines. Common cause failures due to environmental factors (e.g., flooding), maintenance errors, functional sEnilanaes (e.g., plugging by the zebra mussell) are included in the fault trees. Common cause due to design similariGes would manifest itselfin the metallurgical defects of the driver, which have not manifested themselves during routine disassembly of the pumps. However, lack of observed defects or observed failure mode does not necessarily mean lack of common cause failure between components. Common cause between pumps using different drivers has been modeled in other PRAs (e.g., between the motor driven and the turbine driven AFW pumps m PWRs). Due to the significance of the fire protection system as a frontline ECCS system, it appears there is a slight undercounting of failure in this regard. However, there seems to have been communication between the independent reviewer and the analyst on this issue (at first, CCF of these two pumps was modeled).

A companson of effective p factors in the submittal vs. those suggested in NUREG/CR-4550 (" reference p factor") is presented in Table 3. Note that NUREG/CR-4550 does not dieinguich between failure modes (e.g., failure to run vs. failure to start) in common cause failures, and the values given are those for failure to start.

Le table shows general consistency between the BRP CCF data and that recommended in NUREG/CR-4550.

For some pumps, the CCF data are somewhat lower in the IPE. The safety relief valve CCF values are substantially lower in the IPE. This is due to the fact that the BRP valves are of a different design; they are 20

1 i

spring loaded m:chanical valves, whereas the NUREG-1150 BWRs use pilot operated relief valves (RAI responses). It is not explained how this affects the possibility of common cause failure between valves (as W_ to their failure rate). However, the impact of even including the higher CCF values is negligible on the final result (RAI responses). This is substantiated by the low Birnbaum importance calculated in the IPE for these valves (4.5E-7/yr for the whole system of 6 valves).

Table 3. Comparison of Common-Cause Failure Factors Component BRPS 4550$

EDG, SDG (FTS&FTR) 0.05 0.038 pumps FTS 0.01 0.056 to 0.21 FTR 0.001 SW pumps, FTS&FTR 0.03 0._026 CRD pump ;

FTS 0.07 0.21 ;

FTR 0.001 l AFW aux. oil pumps; core spray 0.11 0.11 to 0.15 I pumps; shutdown cooling ,

pumps;FTS&FTR Instrument air compressors FTS FTR 0.07 0.01 circuit breaker, FTC 0.07 AOV 0.07 0.10 RDS relief valves 0.07 0.07 (7)(PWR PORVs) solenoid viv 0.07 ck valve 0.01 MOV, FTO&FTC 0.08 0.088 safety relief valves, FTO 0.01 0.22 trammitters (level, etc) 0.17 to 0.20 switches 0.07 2.2.2.6 Initiating Event Frequency QuantlAcation ;

The initiatmg event frequencies used in the IPE are rJ in Table 4, and the method used in calculation of the inquency is noted there as well. Followmg are some c===a on the IE calculations and frequencies foundin the Table.

For spurious RDS actuation, the potential for RDS opamg due to valve failures and/or misahanment is calculated. It includes cae evet in 1993 (outside the data wmdow) where one valve was found in the wrong position after replacement of a leakmg pilot valve. 'Ibe event did not result in an RDS valve opemng, however it was counted as part of the cutset for this occurrence The hcensee states that c= man cause 21

failures of the sensors or the actuation logic is probabilistically insignificant and was not considered in developing the frequency of this event (RAI responses). In case of sensor failure, two low steam drum level and two low reactor water level signals would have to be generated. In case of actuator failure, two elements within one logic actuation cabinet would have to fail. It is not clear that this is probabilistically insignificant compared to the calculated IE frequency of 6.4E-5/yr, especially since this is mbdadially lower than the spunous depressunzation frequency used in other BWR studies (orders of magnitude). i For event "spunous opemng of turbine bypass valve", the data wmdow was 27 years i.e., from 1966 through 1992, because the original bypass valve was replaced in 1%5 due to unsatisfactory performance Since that time there have been no events, but one event of spurious bypass closure at low power (<l5% power) was Counted in the calenlation.

For many events where there have been no failure in the 29 year data wmdow, one failure was --A to have w.-wd and the frequency calculated wiim-:=% gly.

For the most part, and with the caveat about the RDS spurious actuation frequency above, the frequencies in Table 4 seem reasonable, except for the small small LOCA frequency which is substantially lower than the value found in NUREG/CR-4550, which was 2.E-2/yr (vs. the BRP value of 1.7E-3/yr).

It is stated that the LOCA frequencies used are up to an order of magnitude higher than those used in the 1981 i study, which accounted for the fact that the plant had less piping than a typical nuclear power plant, due to its smaller sire.

The LOCA and steam line break frequencies were derived from the EPRI BWR frequencies for small, medium and large breaks, and apportioned according to the BRP piping length fraction in different categories )

(4% for steam line breaks outside contamment,43% for steam line breaks inside contamment,11% for l LOCAs above the core and 42% for LOCAs below the core). When a small small LOCA frequency is i needed, the EPRI value for the small LOCA frequency is split evenly between the small and the small small LOCAs. The EPRI frequencies are conservative (by 2-3 orders of magnitude) when compared to the BWROG upper bound mean values which were derived using a " conservative statistical method of estimating break probabilities in a population in which no breaks have occurred". The BRP IPE states that the LOCA frequencies have been going down as more expenence is gained with no breaks.

The RCP (recirculation pump) seal failure is not included in the initiating event frequency because procedures instruct the operators to trip the RCPs if the seal pressure and temperature cannot be maintained and because the RCP loop isolation valves could be closed to isolate excessive seal leakage if ac power is available.

The CDF at BRP is sensitive to the small-small LOCA frequency estunate it is stated in the submittal that NUREG/CR 4792 value of 1.E-3/yr/ loop, for double ended guillotine break (DEGB) of SS-304 BWR recirculation piping is Lyymydate for Big Rock Point for several reasons-

1) No credit is given for actions taken to mitigate IGSCC and no credit for inspections which detect cracks priorto failure; ,

l

2) The IGSCC mitigative actions have been >===-nud to be effective through an extensive testing ,

program performed by EPRl/BWROG/GE in the 1980s, and have been ramai-d as effective by the NRC (NUREG-0313,Rev. 2); j l

22 !

l l

\

3) "Ihe IGSCC analysis performed in NUREG/CR-4792 was performed primarily to compare the relative ;

i performance of 304 and 316 NG material, not to provide a point estimate.

E l 4 It is also stated that BRP is not susceptible to IGSCC (except for two cases which occurred in the cleanup system due to specialized conditions associated with welds, which had been anticipated and have been corrected). The reasons for BRP " immunity" from IGSCC are the following:

1) The primary system is mostly cast stainless, specifically the 17 inch,20 inch and 24 inch pipe.

2) The cast stainless has enough ferrite that microgranular cracks are arrested. It is generally agreed that cast stainless with 8% ferrite is immune to IGSCC, whereas selected BRP pnmary samples have shown the ferrite content to range from 10% to 25%.

3) The welding was done to mmmuze the thermal effects on the nearby heat affected zone.

4) BRP primary system has inherent flexibility (due to the configuration of the reactor vessel, the steam drum and the emergency cam), which allows for thermal growth during power operation; this alleviates the residual stress, thus muumizing a necessary precursor condition for IGSCC.

l For ISLOCA initiating event frequency, several pathways were considered (separate from the steam ime J break outside contamment category) which bypass the containment. Valve failures were considered, but then i a conditional probability oflow pressure pipe mpture was also credited, given the high/ low pressure isolation j failure. It is assumed the pipe will fail due to intemal pipe stresses and not because of the dynamic stresses due to a rapid pressurization. The conditional low pressure pipe rupture probability is 6.0E-3, based on BWROG data, as stated in the submittal. As the valve failure fault tree yields a frequency of high/ low pressure boundary failure of 2.0E-5/yr for the core spray injection line, and 6.lE-3/yr for the fuel pit drain / blowdown line, then the initiating event frequencies for these two daminant pathways are 1.2E-7/yr for the fonner and 3.7E-6/yr for the latter.

Table 4 Big Rock Point Initiating Event Frequencies Category Initiator Method

Frequency (/yr)

LOCA, below core Very small 2 1.7E-3 Small 2 1.7E-3 Medium 2 1.3E-4 Large 2 3.0E-4 RPV Rupture 2 2.7E-7 LOCA, above core Small 2 8.8E-4

)

Medium 2 3.3E-4 j Larne 2 7.7E-5 j 23 l

1 Table 4 Big Rock Point Initiating Event Frequencies Category Initiator Method

Frequency (/yr)

Steamhne break,inside Very small 2 1.7E-3 contamment

, Small 2 1.7E-3 Medium 2 1.3E-3 Large 2 3.0E-4 Sta=line break, outside Small 2 3.2E-4 contamment !

Medium 2 1.2E-4 Large 2 2.8E.7 General transients Turbine trip 4 1.13 loss of feedwater 4 0.045 loss ofmain 4 0.045 condenser Spurious MSIV 1 0.018 closure Spurious bypass 4 0.049 valve opening Spurious RDS 1,3 6.4E-5 valve openmg Support system Ioad rejection 4 0.280 degradation loss of DC power 3 0.045 less ofinstrument 4 0.045 l air ATWS Turbine trip 2 1.lE 5 less of feedwater 2 5.0E-7 Ioss ofmain 2 4.5E-7 cnnaan er Spurious bypass 2 4.9E 7 j valve t=aia-24

. - . - . . . -~ ~

Table 4 Big Rock Point Initiating Event Frequencies Initiator Method

Frequency (/yr)

Catenory Spurious MSIV 22 1.8E-7 closure loss ofinstrument 2 4.5E-7 air loss ofOtsite 2 6.lE-7 power Specialinitiators Interfacing system 1 3.8E-6 LOCA Internal flaadina 1 1.4E Manual shedawn 4 5.60 Manual shutdown e

Loss of service 4 0.09 water

Method of calculating initiating event frequencies:

g

1. plant specific data

2. generic / industry data

3. system fault tree analysis

4. actual occurrences I

i l 2.2.3 InterfaceIssues

(

i 2.2.3.1 Front-End and Back-End Interfaces Contamment heat removal (i.e., the steam drum enclosure sprays) is modeled for certam initiators (steam line breaks inside containment) in order to insure survival of certain equipment inside the steam drum enclosure (e.g., emergency condenser valves, reactor level instnnnentation, etc.). As mentioned above, at BRP injection can continue for substantial period of time followmg a LOCA, or another initiator, until the containment steel sphere design pressure (due to the hydrostatic head and the air pre-s::ure inside) is reached, at which point a switchover to recundaten (post incident systan (PIS)] is Mai In case PIS swithcover is unsuccessful, injection can be r**M such that the fill-the-ball strategy is used, wherein the matammant is filled to its ultimate failure pressure This strategy, while not credited, can buy substantial time, in addition to the long ,

time periods avn~+~i for most accident evolutions it is clannad in the IPE that suf5cient best transfer can be obtamed from cooling the s-se (or partially s_,4) reactor vessel and through passive heat transfer to the matainmant structures and passive cooling of the enatamment shell (by the outside ----@), that no father mjection or cooling may be necessary (although this is not credited in the analysis). 'Ibe fact that the contamment is a steel shell may have deleterious effects on certam operatcr actions (e.g., startmg the standby diesel generator or aligning the portable pump) in case of radiation release inside the matninment 25

Section 2.4 provides more infonnation on level 2 considerations.

5 2.2J.2 Human Factors Interfaces l

{ The operator actions which may be important at this plant are: manual loading of the EDG or the SDG onto i the emergericy bus, manual starting of the SDG, alignment and starting of the portable diesel pump for

] emergency cmarecz makeup, manual depressurization or pressure control, actuation of the liquid poison !

j system, recovery of the PIS (not credited) and fill-the-ball (not credited). )

2 i

There are also some radiation concerns, mentioned above in 2.2.3.1. I l

l Section 2.3 provides more information on HRA considerations.

2.2.4 Internal Flooding 2.2.4.1 Internal Flooding Methodology 1

The methodology used to perform the floodmg analysis consisted of three major steps:

l

1) Identification of potential floods and areas affected (flood zones),

~

2) Identification and initial screemng of flooding scenarios, and j 3) Quantification ofimportant floodmg scenarios.

i

The development of flooding scenarios was supported by plant walkdowns.

The flood analysis was a refmement of previous flood analyses done for Big Rock Point to address certain

. issues, such as plant response to a break in circulating watch piping following the Quad Cities 1 event of June

1972, leakage inside the contamment and pipe breaks outside the contamment. Some of these issues were addressedin the 1981 BRP PRA.

In this IPE analysis, several potential floodmg areas were identified: the contamment sphere, the turbine i building, the core spray pump room, the screenhouse and the altemate shutdown panel building. Most of these areas were screened from further analysis based on qualitative arguments: the amount and flow rate of

! potential flood sources, alarms and other indications to.the operator (e.g., startup of a fire pump on low

{ system pressure), existence of a 2-hour operator patrol inside the contamment, connection of the area to the j outside, lad 'f sensitive equipment or a plant trip from a flood in the area. No estunate is provided of the CDF from the screened areas. All equipment in an affected area was assumed failed, both during the j screening analysis and during the derailad analysis It is noted that earher studies have stated that certam i equipment had splash guards, however, this is not credited here (RAI responses). However, if the area in j question was open to other areas of the plant, such that there was na possibility of submergence, then no eqw in that area was failed, w4 to our understandag of the RAI responses This is a non-

! conservatism, as spraying could still disable 5;-* Some areas were screened out initially because the equipment had oveibead splash guards, w4 to the submittal, thus contradicting the RAI responses This would be an -g :Sc assumption if the spray could come from a droction other than directly overhead j (no details were provided in the submittal or the RAI responses). No credit is given to floor drains, but ;

possibility is considered of flood propagation through the drains, HVAC vents, etc. (RAI responses) l 26 l

(_ _ ____ ______ ____._. ._ _ ._ __ _ _

, t Mostly passive failures (pipe breaks) seem to have been analyzed. It is not clea whether induced floods were considered, other than to discount the maintenance errors committed a responses). However, maintenance errors at shutdown could,if undetected, cause a flood a in addition, potential floodmg effects were part of the internal events analysis, where environm -

seem to have been given a lot of attention, for etample water level rising in a compartment from steam condensation and affectmg the electncal eqmpment inside. i Only one floodmg scenario survived the screenmg process. An event tree was constructed applicable to this scenario.

The possibility of isolating the flood seems to have been considered only qualitatively, a part screening analysis, but was not given credit in the detaded analysis of the remaining scenario.

in conclusion, the flooding analysis seems to have been appropriate, with some hogermg questions abou treatment of sprays and maintenance induced flooding. !

i 2.2.42 Internal Flooding Results The total CDF from flooding events is estimated to be 1.1E-9/yr. No estunate of the CDF due to the suwa,d ,

scenarios is offered in the IPE.

The one scenario that survived the screemng was a flood in the suwJanse. This structure houses the I !

I condenser circulating water pumps, the service water pumps and the two fire pumps (the e.loctric and the t diesel driven fire pump).

l A break in the piping of one of the systems is assumed to occur. The initiating evera frequency for this event i

was calculated to be 1.4E-6/yr. This was calculated based on 182 ft of piping capable of floodmg the scrdane and the (high energy) pipe break frequency of 7.7E-9/fl/yr. ,

Assuming a flood flow rate of 500 gpm, electrical equipment in the downstairs portion of the screenhouse ^

will begin to have contact with water in about 17 minutes. The 500 gpm is commensurate with the flow l capacities of the various systems inside (1000 gpm for the fire pumps,2100 gpm for the SW pumps,24,500 gpm for the circulating water pumps, each).

l i I

l Upon the postulated loss of the circulating water system due to the flood, the reactor and the turbine will trip due to loss of ca~iaa=ar vacuum As the main condenser is unavailable, the desired response is to remove I

decay heat via the emergency nandanmar. As the firewster is unavailable, the shell side makeupt 'o the "

emergency condenser can be accomphshed by either the danmerahzed water system or the use of the portable e

diesel driven pump In order to use the d===arahmed water option, and operate the air +.id control valves, alternate coohng (via domestic water) of the air compressors noods to be established, as the service water system is unavailable due to the flood. If emergency candansar long tenn coohng is established, it can ,

be used until mi SW pump is brought back into servxz, such that the shutdown coohng system can be placed in operation. Otherwise, the foodwater systan can be used, in conjunction with gravity food makeup to the condenscr hotwell from the anad===te storage tank (or from the d=ninarshmed water storage tank or from Lake Michigan), with pressure relief provuled by the safety valves or the manual operation of the RDS system. Alternatively, CRD system can be used with manual operation of the RDS system and the hotwell l 1

27 L

The dominant sequence in the above event tree involves a failure of the emergency condenser, failure of feedwater, successful CRD operation but failure to manually control the reactor pressure using the R system. This sequence has a frequency of 1.lE-9/yr.

2.2.5 Core Damage Sequence Results 2.2.5.1 Dossinant Core Damage Sequences The resuhs of the IPE analysis are in the fonn of systemic sequences, therefore NUREG 1335 screemng criteria for reportmg of such sequences are used. The point estimate for the core damage frequency from internal events is 5.4E-5/yr, with intemal flooding contributing an additional 1.lE-9/yr. Accident classes and types and their percent contribution to the CDF, are listed in Tabla 5a and 5b. The most important initiators are given in Table 6.

The donunant sequences were provided. Each of these important sequences has a frequency greater than 1.E-6/yr. The important sequences are summanzed below in Table 7. -

Table 5a Accident Classes and Their Contribution to the CDF Accident Class Contribution to CDF(/yr) ~%

LOCAs with post incident recirculation 2.3E-5 42.6 failure l

LOCAs with core spray injection failure 1.3E-5 24.1 LOCAs with core damage at high 7.5E-6 13.9 pressure Transients with core damage at low 4.5E-6 8.3 pressure Transients with core damage at high 2.0E 6 3.7 pressure ATWS with failure of reactor inventory 1.9E-6 3.5 makeup ATWS with contamment overpressure 1.9E-6 3.5

failure due to continued reactor makeup Station blackout 5.lE<7 0.9 CMain-at bypass 1.8E-8 0.03 !

1

' 28 1

Table 5b Initiating Event Catenories and Their CDF Contribution Annual Frequency %CDF l Initiating Event Category 3.2E-5 59.33 LOCA below core 7.7E-6 14.30 LOCA above core 5.lE-6 9.44 Suppoit system transient i 3.7E-6 6.% ,

ATWS $

3.4E-6 6.30 SLB inside contamment I 1.2E-6 2.18 C-:=ral transient 7.6E-7 1.42 Loss ofoffsite power group (load rejection, loss of station power, station ' -

blackout) 2.5E-8 0.05 SLB outside contamment 1.3E-8 0.03 Other(ISLOCAs, f1 Mag)

Table 6 Dominant Initiating Events and Their Contribution to the CDF Contribution to CDF(/yr) %

Initiatina Event Very s==11 LOCA below core 1.4E-5 25.27 1.0E-5 19.50 t SmallLOCA below core r 6.3L' ', 11.83 Medium LOCA below core 4.8E-6 9.03 Ims ofInsthunent Air 4.6E-6 8.64 SmallLOCA above core Turbine trip ATWS 3.4E-6 6.35 ;

2.5E-6 4.66 Medium LOCA above core 1.5E-6 2.73 Larne LOCA below core Very small SLB inside matninnwnt 1.3E-6 2.50 1.1E-6 1.99 Small SLB inside contmanwnt ,

8.1E-7 1.51 ;

Manual shinedawn 7.7E-7 1.44 1 Medium SLB inside ==tamewnt 1

5.4E 7 1.00 Larne LOCA above core i Station Ble6d -

5.3E-7 0.99 29 i l

i

Table 7 Dominant Core Damage Sequences -

Initiating Event % of Dominant Subsequent Failures in Sequence CDF Very small LOCA below core long term failure of post incident recirculation 14.1

_Sm-!! LOCA below core long term failure of post incident recirculation 14.1 Medium LOCA below me failure ofcore spravinjection 7.4 Very small LOCA below core failure of Reactor Depressuritation System 6.5 Medium LOCA below core failure of post incident system recirculation 4.3 Loss ofinstrument air failure of emergency condenser makeup, 3.9 successful depressurizati-n, but loss oflow pressure makeup with core sprav or condensate Turbine trip ATWS successful turbine bypass, feedwater loss due to 3.2 condensate reject to CST, liquid poison not injeced before auto RDS; operator terminates core spray to avoid containment overpressure; core damage at low pressure with intact containment Turbine trip ATWS successful turbine bypass, feedwater loss due to 3.2 condensate reject to CST, liquid poison not injected before auto RDS; operator fails to termmate core spray, reactor returns to power; containment fails on overpressure with core damage at low pressure Small LOCA above core failure of core spray and condensate makeup 3.2 Loss ofinstrument air failure of emergency condenser initiation or 2.8 makeup, failure of reactor depressurization Small LOCA below core failure ofreactor depressurization 2.4 Small LOCA above core failure of post incident recirculation 2.0 Medium LOCA above core successful makeup with condensate, failure of 2.0 post incident system Loss ofinstrument air failure of emergency condenser, SRV actuation 2.0 leads to a stuck open SRV, failure of makeup with care spray and condemsate Very small LOCA below core failure ofcore spray and condensate 1.9 Very small LOCA below core failure of reactor depressurization 1.9 Small LOCA below core failure of feedwater and core spray 1.9 I

30

The SBO contribution is about 1% of the CDF. The ATWS contribution is about 7%

contribution is 0.024%, while all containment bypass sequences contribute 0.20% (including ISLOCA, steam line break outside contamment and spurious bypass valve opening). System importances are calculated.

relative importance of systems seems reasonable for the design of the plant. Fussell-Vesely and Bim importance measures are calculated. High Bimbaum importance indicates systems whose per to be maintained in order not to substantially increase the CDF (i.e., CDF is sensitive to the data used f these systems). The systems which both have a high Fussell-Vesely and high Birnbaum importan critical systems. 'Ihe most important systems from that standpoint are the firewater system, the core spra the post incident, the reactor depressurization, ti.e reactor protection system These systems ha Vesely importance greater than 0.10 and a Bimbaum importance greater than 1.0E-2/yr.

2.3 Human Reliability Analysis Technical Review 2.3.1 Pre-Initiator Human Actions Errors in the performance of pre-initiator human actions (such as failure to restore or properly align equipment after testing or maintenance, or miscalibration of system logic instrumentation), may cause components, trains, or entire systems to be unavailable on demand during an initiating event. T the human reliability analysis (HRA) portion of the IPE exanunes the licensee's HRA process to determme the extent to which pre-initiator human events were considered, how potential events were identified, the effectiveness of any quantitative and/or qualitative screening processes used, and the processes used to account for plant-specific performance shaping factors (PSFs), recovery factors, and dependencies amo multiple actions.

2.3.1.1 Types of Pre-Initiator Human Actions Considered The Big Rock Point IPE considered both of the traditional types of pre-initiator human actions: failures restore systems after test, maintenance, or surveillance activities and instrument miscalibrations.

range of both types of events were modeled, including 21 failure to restore events and 21 common caus miscalibration events. All pre-initiator or " latent" events were modeled in the fault trees.

2.3.1.2 Process for Identification and Selection of Pre-Initiator Human Actions All operator actions in the fault trees were identified by Big Rock Point analysts during the de the logic models. Identification of the events were based on a review of each system and on pla (operating and test and maintenance). While plant personnel were apparently involved in the and selection of pre-initiator actions, interviews with maintenance and instrumentation and control technicians regarding specific plant practices and application of procedures were not mentioned. How the description of the application of the ASEP HRA procedure (NUREG/CR-4772) suggests th reviews of pre initiator related practices and procedures did occur. Thus, it appears that relevan sources were n=ied and that factors which could influence the probability of pre-initiator errors were considered.

23.1.3 Screening Process for Pre-Initiator Human Actions The licensee stated that no screemng values were used when modeling pre initiator human errors screening analysis in ASEP requires more or less the same activities as the nominr1 analy 31 ,

l

events were given the detailed nominal analysis. In addition, common cause miscalibration errors were also given detailed analysis (no screening) using the THERP methodology (NtJREG/CR-1278).

2.3.lA Quantification of Pre-Initiator Human Actions As noted above, pre-initiator restoration faults were quantified using the ASEP method. The qu process appeared to follow the method as documented and the resulting HEPs were reasonable. Pla recoveries (PSFs) were appropriately considered, e.g., post maintenance tests etc. Some fairly low (3.0E-6) were found in the tables hmating the analysis, e.g., Table 10-1, but these values reflected where indications regarding the restoration fault would be annunciated in the control room. The valu appeared consistent with the methodology and many other licensees have simply not quantified restorati faults if appropriate indications are received in the control room. Dependence within a system was c and quantified with guidance from the ASEP/THERP dependency tables. Possible dependencies be restoration errors that could affect components in more than one system were not quantified and this approach was appropriatelyjustified on the basis ofplant practices.

The common cause miscalibrations were calcuiated using a method based on THERP. In the NRCs RAI, the Big Rock Point licensee provided examples of the calculations of common cause miscalibration HEPs and addressed why the range of HEPs was large, e.g.,7.5E-2 to 2.7E-some instruments are calihated only using " data sheets" which documents the "as found, as-left con of the instrument, but do not provide detailed work instructions. The skill and knowledge of the I&C technicians are relied upon for these events. Thus, the resulting 7.5E-2 common cause HEPs. Whe procedures must be followed, along with appropriate checks and sign-offs, lower HEPs are r obtained. The general application of THERP appeared reasonable, as did the treatment of depe across similar instruments etc. While complete dependence across similar instruments was not assu least some level of dependency was assumed and treated with appropriate THERP equations.

2.3.2 Post-Initiator Human Actions Post-initiator human actions are those required in response to initiating events or related syste Although different labels are often applied, there are two important types of post-initiator human ac are usually addressed in PRAs: response actions and recovery actions. Response actions are g distinguished from recovery actions in that response actions are usually explicitly directed operating procedures (EOPs). Alternatively, recovery actions are usually performed in order to recover a specific system in time to prevent undesired consequences. Recovery actions may entail going b directives and using systems in relatively unusual ways. Credit for recovery actions is normally n unless at least some procedural guidance is available.

The review of the human reliability analysis (HRA) portion of the IPE determmes the types of pos human actions considered by the licensee and evaluates the processes used to identify and selec quantify the post-initiator actions. The licensees treatment of operator action timing, dependencie human actions, consideration of accident context, and consideration of plant-specific PSFs is also exa 2.3.2.1 Types of Post-Initiator Human Actions Considered The Big Rock Point IPE acknowledges both response and recovery type post-initiator human actions.

However, post-initiator actions were modeled only when clear procedural guidance (normal, abnorm emergency procedures) existed for the operator and repair activities were apparently not credited. In addition, l

32

i 1 1

l the same methods were used to quantify all post initiator actions. Thus, the distinction between the two types

of events was not really relevant for the Big Rock Point IPE.

2.3.2.2 Process for Identincation and Selection of Post-Initiator Human Actions i

l In the response to the NRCs RAI, the licensee indicates that there are some inaccurecies in section 4 of the

submittal (method and approach). It is stated that section 4 was included to " address the reportmg guidelines that required a concise description of the major tasks and methodology" and that "the intent from the BRP's PRA staff perspective was to provide an ovemew for plant personnel on how risk assessments were

! assembled." The hcensee further states that " consequently several sections include boilerplate...that should have been edited aAer completion of the study." Given this assertion, it cannot be exactly determmed how

the post-initiator actions were identified and selected. Nevertheless, the process was apparently keyed to the i plant response scenanos Ih===** don from the submittal and the response to the RAI indicates that

, procedures were reviewed, appropriate personnel reviewed the models, intemews with operators and training 1

personnel were held, and simulator exercises were conducted. The submittal also indicated that the " Control ,

Room Design Review" was reviewed for human factors considerations and that a plant tour included locations i outside the control room where operators actions would take place. Thus, reasonable steps were taken that !

would help ensure appropriate actions were identified and modeled. l In addition, it was also stated in the submittal that in most cases," dynamic and recovery operator actions were not included in the fault tree acd event tree models unless dictated by the models." Thus, many of the operator actions were included during " recovery" and could have been identified at that time.

l 2.3.2.3 Screenlag Process for Post-Initiator Response Actions As noted above, in most cases," dynamic and recovery operator actions were not included in the fault tree and event tree models." In addition,"all event tree sequences were solved with the initiating events set to 1.0 and a truncation limit of 1.0E-9" and " where it was initially recognized that resulting sequences may contain multiple operator actions, the HEPs were initially set to 1.0." After the initial quantification and when quantified operator actions were first included, the nommal ASEP HRA method was applied to all post-initiator. human actions. Where important sequences contamed multiple operator actions, the actions were analyzed to determine the danaadaaries between the HEPs. The HEPs obtained using the ASEP method are known to be somewhat conservative and from the licensees perspective, use of ASEP provided a fairly detailed screening approach. After the sequences were quantified with the ASEP values, operator actions identified as potentially being important were re-analyzed using the THERP wisdology. All the actions re-analyzed had a Bimbaum importance greater than 1.0E-6. (The submittal notes that no latent human actions had a Birnbaum greater than this, so none of them were re-analyzed).

2.3.2A Quantincation of Post I= lei =*ar Human Actions The application of the ASEP methad to each event that did not receive quantecation with THERP was documented in the subnuttal in Appendix C 'Ihe described derivation of the HEPs closely followed ASEP and seemed thorough and reasonable. Appaadiv C also darnmante the application of THERP to each of thirteen events identified as pa'=d=Hy ==r4-i. While in many cases the application of THERP was also r===anahle, there was several events for which the a==adbanon process did not seem appmydate. It is thought that the resulting HEPs should be considered -? M and that the use of such values for these events is a waalmane of the HRA. The problem arises through the hcensee's use of HEP values from the "araunciator response model" (Table 20-13 or Table 11-13 from THERP) in situations where very limited time (less than 10 minutes) is available for the operator action. While it can be argued that the HEPs from 33

this model are acceptable when substantial time (greater than 30 minutes) is available for the operators to determine the relevant actions and when the operators need only respond to the existence of an annunciator :

in the control room, the HEPs from this model do not reflect the impact of time on the likalihaad of success.

Thus, this model will unoerestimate HEPs for short time frame scenarios relative to the ASEP/THERP time-reliability diagnosis model.

The events ofinterest include the following:

1) Operators fail to restart the feedwater pump (FW-PM-P85RT-POIC) after a trip in a LOCA scenario.

Only 6 mmutes are assumed available for diagnosis and the value used by the licensee for r==paading to the annunciator is 0.001, with the total HEP equal to 0.0046. The "best case" HEP from use of the diagnosis model would be at least 0.02, and with the action failurm added in, the total HEP would be even higher. Moreover, there is little reason to assume that this is a "best case" event.

l 2) Operators fail to open MO-7073 & 7074 to provide make-up to the hotwell (FP-OO-MAKUP-POIC).

This actions occurs in LOCA scenarios and also requires operators to locally open valve VFP-33 (this '

valve is apparently in a high radiation area of the plant). The licensee assumes that the actions only require 3 minutes (including the one outside the control room on top of the turbine shield) and that 6 minutes are available to diagnose / respond to the " low hotwell level and alarm." The total HEP for this event is listed at 0.016, but the diagnosis model, along with the fact that very little time is available for an ex control room action in an area unshielded from contamment, would be likely to produce a failure probability of 1.0 for this event.

3) Operators fail to trip the condensate pumps on low hotwell level (CD-HS P9TRP-POIC). Two minutes are assumed available for this action during a small or medium LOCA and the total HEP is listed at 0.08. The diagnosis model would produce a diagnosis value alone of at least 0.5 and the total would be close to 1.0.

While the quantification of the above three events may be considered a wealmeen of the HRA, it cannot be concluded that the intent of the generic letter was not met in terms ofidentifying vulnerabilities related to the events. All three of the events were identified in the submittal as being relatively important in terms of contribution to CDF and a sensitivity analysis indicated that substantial increases in CDF would not be expected if the events were set to fail. Therefore, potential vulnerabilities related to these events were not overlooked. As noted above, the quantifcation of the remaining events was acceptable and as will be discussed below, other aspects of the HRA were generally done well.

2.3.2.4.1 Estimates and Considemtion ofOperator Response Time The determmation of the time available for operators to diagnose and perform event related actions is a critical aspect of HRA mathade. In the 1==aaa's discussion of the application of HRA mathade, it appears that appropriate tumng parameters were can=lared. The i yest occurrence of control room indicators were en==idared in .'- 11., the available time and in most instances (for -=* ions see section 2.3.2.4.

above) the impact of time on operator diagnosis was .yy.vy.-@ considered. Apparently MAAP runs were used to determine the latest time an operator action could be comple:ed. General guidance from ASEP was used in t g other relevant times. In addition, the licensee states that walkdowns for important local actions w..d, takmg into account timing, distances, envunamental factors, required controls, location of indicators etc. A ==tions of available and requved times were 2+, =miin the submittal.

34

, , - - - , . - . - , + ,-,w -- , " y

2.3.2.4.2 Other Performance Shaping Facion Considered PSFs addressed in the application of ASEP and THERP included training, practice during simulator training, '

and whether the event was covered in the EOPs. In addition, the existence of written procedures for conducting the action, whether the procedural actions were step-by-step or dynamic, stress level, and size of crew and time available for recovery credit were considered. These PSFs are those normally considered in applying the ASEP and THERP '=aAadalogies. In addition, the " control room design review" was reviewed for any additional human factors issues that should be considered and simulator exercises were observed to '

verify assumptions made during the HRA. A reasonable set of PSFs were apparently considered.

While the submittal states that environmental factors for local operator actions were considered, no explicit .

discussion of the potential impact of high radiation near equipment to be manipulated by operators was provided. Radiation could be s concem at Big Rock Point due to the lack of concrete shielding in containment. In response to a question on this topic in the NRCs RAI, the licensee indicated that no operator l actions were credited after core damage. They then discussed three of the nine level I human action events which required actions outside the control. For one of the actions, which involved aligning the fire system for makeup to the hotwell, they note that a valve on top of the turbine shield has to opened and that "this area of the plant is not shielded from contamment." The licensee then states that "as a result a very short time frame is conservatively assumed to complete this action." Presumably this statement means that the person performmg this action will only be there for a short time. They clearly do not assume that there is time for an individual to put on protective clothing, but they do note that high stress was assumed for this event. Thus, the impact of radiation is apparently factored in to the HRA by assuming high stress. Additional information regarding specifics of a particular event would be needed to determme whether or not such treatment is -

adequate.

2.3.2.4.3 Consideration ofDependencies Two basic types of dependencies are normally considered in quantifying post-initiator human actions: 1) time dependence and 2) dapadencies between multiple actions in a sequence or cut set. One type of time dependence is cewmed with the fact that the time needed to perform an action influences the time available to recognize that a problem has occurred and to diagnose the need for an action. This type of time depandance was treated in using the ASEP and THERP quantification approaches.

Another aspect of time dependence is that when sequential actions are considered, the time to complete one action will impact the time available to complete another. Similarly, the sooner one action is performed, the slower or quicker the conditbn of the plant changes. This type of time dependence is normally addressed by makmg conservative assumptions with respect to accident me definitions. One aspect of this approach is to let the timing of the first action in a g- initially mmmuze the time window for subsequent actions. The occurrence of cues for later actions are then used as new time origins. The Big Rock Point submittal inde=ta= that evaluation of such timing factors occurred, but detads were not provided.

The samad type of dmaad--a considers the extent to which the failure probabilities of multiple human actions within a sequence or cutset are related. There are clearly cases where the context of the accident and the pattern of meca==a= and frilure can influence the probability of human error. Thus, in many cases it would clearly be inappropriate to assume that multiple in= nan actions in a sequence or cut set would be independent.

Furthermore, context effects should be evaminad even for single actions in a cut set. While the same basic action can be asked in a number of different sequences, different contexts can obviously lead to different likelihoods of success.

35

l i

i Several discussions in the submittal indicate that potential Wies among the operator actions were appropriately cotisidered in the initia: analyses, multiple events in a sequence were set to 1.0. However, the j submittal also states that except for two innances, sequences with multiple actions were only credited with l one action (see page 10-14). All the remauung actions were left at 1.0 1 2.3.2.4.4 Quant:Jication ofRecowry Type Actions As noted.above, all post-initiator human actions were quantified using the same awM Only actions directed by procedure were included and repair activities were not credited. i l

2.3.2.4.5 Human Actions in the Flooding Analysis Eleven human actions were incorporated into the Big Rock Point floodmg analysis (p. 7.1.6-11).

The eleven actions were also modeled in the overall internal events analysis, and while the flooding context etc. appeared to have been -==iM the HEPs used were the same as those used in the overall internal events analysis.

2.3.2.4.6 Human Actions in the Lewi2 Analysis No operator actions were credited in the level 2 analysis.

2J.2.5 Important Human Actions The Big Rock Point IPE provided a list ofimportant human actions as deternuned on the basis of a Fussel-Vesely and Birnbaum measures. Events identified with a Bimbaum greater than 1.0E-6 were included in the table in the submittal. The events, their Fussel-Vesely and Birnbaum values, and their HEPs are presented below in Table 8. As discussed above, the HEPs for at least three of the events listed must be considered optimistic.

2.4 Back End Technical Review 2.4.1 Containment Analysis / Characterization i

2.4.1.1 Front-end Back end Dependencies ]

The interfaces between the front-end and back-end analyses are provided in the IPE by the definition of 18 l key plant damage states (KPDSs). An event tree structure (called plant damage event tree in the IPE submittal), which includes enntainment conditions and enntammant system status as headmgs,is attac1=i to the Level 1 event trees to determme the 0+7='= of the Plant damage states (PDSs) Based on their effects on level 2 accident progression, these PDSs are then grouped to KPDSs to be used as the initiatmg events for cantammant event tree (CET) analysis. The contamment parameters used in the IPE to define the PDSs I

include:

C- ia==* bypass, Containment leakage, Enclosure spray system status, 36

l

)

Pool of water in contamment, and Inven'.ory makeup available after vessel penetration.

The PDSs are dermed by combining the contamment states dermed by the above parameters and the accident j sequence Jubclasses (which are groups of Level I accident -aaarae). In the BRP IPE there are 16 accident i sequence subclasses and 12 possible contamment state dermitions for each subclass. This yield a total of 192 PDSs, of which 83 are reported in the IPE with non-zero frequencies (response to RAI level 2 Question 1).

The 83 PDSs are grouped to 18 KPDSs for CET quantification.

The leading PDS (54% of total CDF) is represented by low presswe LOCA sequences with a pool of water in the contamment before and aAer vessel penetration and the enclosure spray available. This is followed by a transient PDS with low reactor presswe, with a pool of water before vessel penetration, but with enclosure spray not available (10%), and another LOCA PDS with high reactor pressure (denned in the IPE as greater than 200 psig), with a pool of water and with the enclosure spray available (9%).

Other PDSs that are of interest to contamment performance are those associated with contamment failures.

In the BRP IPE, contamment integrity can be lost before vessel failure by overpressure, isolation failure, and bypass. PDSs which involve containment overpressure failure constitute about 4% of total CDF. The dominant PDS for this class is an ATWS PDS with both core injection and enclosure spray available.

PDSs with containment leakage contribute about 0.5 % to the total CDF. Containment leakage in the BRP IPE is a result of containment isolation failure. However, according to the IPE submittal, the main contributor to containment isolation failure for BRP is leakage as opposed to failure of isolation valve closure.

Components such as the air locks and the vent valves make up the majority of contamment leakage. The leakage probabilities used in the IPE quantification are determined from actual plant leak test data.

PDSs with containment bypass contribute about 1.5% to the total CDF. Contamment bypass comes from either the level I bypass sequences or failure of the containment isolation valves that are canwad directly l to the reactor to close. Of the bypass PDSs, the contribution from the level I bypass sequences is small (less than 0.1%). Although over 70% of the BRP sequences are LOCA sequences, the leading contributor to i bypass PDSs is from transient sequences (about 1%). This, according to the IPE, is because the main steam isolation valve is required in some transient sequences to termmate the event, and failure to isolate the main steam line results in direct contamment bypass.

In summary, for the BRP PDSs, the probability of successful contamment isolation is about 94%, contamment onrpressure failure is about 4%, contamment isolation failure is about 0.5%, and contamment bypass is about i 1.5%. The PDSs definad in the BRP IPE are of sufficient detail to provide a proper account of the front-end and back-end danandaaries and @* informaten for back end accident progression analysis. Although the PDSs of various contamment conditions are grouped to the same KPDS, the information is captured in CET quanhfication by CET headags for nantmamant conditions.

4 O

37

k Table 8 Important Human Actions ,

Event Description F-V Birnbaum P babI EP)

Operator fails to line up RDS for pressure control 7.0E-00 3.59E-05 1.50E-01 ;

using EIP-4 (RD-00-PCNTL-POIC)

Operator fails to trip the condensate pumps on low 7.23E-02 4.84E-05 8.00E-02 hotwelllevel(CD-HS-P9TRP-POIC)

Operator fails to trip the recirculaten pumps 6.72E-02 7.20E-05 3.00E-00 !'

during an ATWS and initiate LPS (LI-00-INJ2-j POIC)

Control Room operator fails to scram the reactor 4.80E-02 4.28E-03 6.00E-04 ,

during a steam line break (RP-RX-VSSLB-POIC) ;

Operator fails to open MO-7073 & 7074 to provide 1.45E-02 4.84E-05 1.60E-02 i makeup to the hotwell (FP-00-MAKUP-POIC) i Operator fails to align the post incident system, per 1.0E-02 6.47E-03 8.30E-05 SOP-8, following a LOCA (PI-OO-PISYS-POIC)

Operator fails to manual open core spray valves 6.47E-03 5.58E-05 6.20E-03 i during an SLB (CS MV-CSVLV-POIC)

Operator fails to restart feedwater pump (FW-PM- 5.89E-03 6.85E-05 4.60E-03

)

P8SRT-POIC)

Operatorrails to open the emergency e- '==- 5.07E-03 2.70E-05 3.70E-02 i outlet valves (EC MV ECOUT-POIC)

Operator fails to isolate TBV warm-up line on 2.65E-03 7.09E-05 1.30E-02 steam sealleak (MS-00-ISOLT POIC)

Operator fails to start SDG (standby diesel 3.26E-04 7.98E-06 8.80E-03 generator) from local control panel (EP-GE-SDG-POOC)

Operator fails to trip the recirculation pumps 2.87E-04 or 7.54E-06 6.10E-02 during an ATWS and initiate LPS (LI-OO-INJ2 6.70E-02 POIC)

Operator fails to provide make-up from fire 2.74E-04 7.73E-04 8.50E-05 protection system via SV-4947 (EM-KV-4947-POIC)

Operator fails to back up anta== tic reactor scram 7.80E-05 7.50E-05 5.00E-03 (RP-RX-MANUL-POIC) 38

. - - . -~ . -- . - - . _ - - - -. -_- ._ .- . ~ - , . _ -

1

. j i

2.4.1.2 Contalamient Event Tree Developanent i Probability quantification of severe weident progression is performed in the IPE by the use of containment event trees (CETs). The development of the CETs is discussed in Sections 12.5 of the IPE submittal. The CETs includes the following top events:

Key plant damage state (KPDS),

- Containment bypass, C=tamment leakage, Early containment failure, ,

Nhn.yrsy (i.e., contmament spray) available, Ex-vessel debris coolability, Late contamment failure.

Figures 12.8 2 through 12.8 16 of the submittal show the CETs used in the IPE to determine the contamment failure modes for the various KPDSs. It is noted that some of the parameters used in the CETs are also used in the dermition of the PDSs (i.e., contamment bypass, mntavunent leakage, and enclosure spray status).

They are included in the CETs because their status, although dermed in the PDS, is lost in the KPDS in the binning process. In the BRP IPE, the binning of the PDSs to the KPDSs is based on their effect on containment accident progression, not on contamment status. As a result, PDSs with various matammant integrity and contamment system status, but with sirmlar effect on contamment accident progression, are '

grouped to the same KPDS. Although the data related to these parameters are lost in the KPDS dermition, they are recovered in CET quantification. The split fractions used in CET quantification for these parameters >

are obtamed from the data obtamed in PDS definition. In ' general, the CETs developed in the BRP IPE are

' well structured and easy to understand. The top events of the CET cover the important issues that determme the RCS integrity, containment response, and eventual release from the contamment.

Fault trees are used in the IPE to quantify the top events of the CETs. The fault trees used in CET quantification are very detailed and address all pWa=aa= and systems unportant to Level 2 accident progression. The quantification of the CETs is based on review of industry literature and plant-specific analyses using the MAAP BRP code. In general, the quantification process used in the IPE is systematic and traceable. Although the values assigned in the IPE seem adequate, their adequacy cannot be verified in this technical evaluation report because of the limited scope of this evaluation. Some items that are ofinterest are discussed in the following.

Containment Bypass Ca *=he bypass is a PDS parameter The results of the PDS event tree T- M don are used to develop the event tree split fraction for this CET headmg. In the BRP IPE, A very dat= dad fault tree structure is hig4 for the quantification of aantammant bypass. The BRP matammant bypass fault tree includes those faults associated with an isolation failure of the process lines that marwt to the pnmary system. The failure estimates of the basic events in the fault tree are determmed by a combinatma of plant-specific and generic data. Results of the IPE analysis show that the aiain contributor to cantamment bypass failure for BRP is main steam isolation valve (MSIV) failure.

The failure of emergency aandanner (EC) tubes due to high L , - creep rupture, which is considered in some other IPEs for BWRs with emergency aandansers, is not considered a credible failure mode for BRP.

This is based on the consideration of the EC tube design charactenstics, the fact that both inlet and outlet EC 39 i

l l

. J valves could isolate a failed tube, and that low RPV pressure events (i.e., LOCAs) constitute the larges *. ;

1 fraction of the BRP core damage sequences (The licensee's response to RAI Level 2 Question 3). ,

I Containment Leakage ]

Similar to contamment bypass, contamment leakage is also a PDS parameter. The results of the PDS event !

tree quantification are used to develop the event tree split fraction for this CET headmg. In the BRP IPE, A 3

very detailed fault tree structure is developed for the quantification of contamment leakage. The BRP containment leakage fault tree includes those faults associated with an isolation failure of the ps.tions ;

that connect to the contamment atma =phere. The failure estimates of the basic events in the fault tree are determined by a combination of plant-specific and generic data. Results of the IPE analysis show that door .

4 seals and vent valve leakage contribute over 90% to the total failure probability For the contamment access ,

1 j locks potential failures considered in the IPE include leakage past one door with the other door open or leakage past both closed doors. ;

j in the PDS definition, contamment overpressure failure (before vessel penetration) in an ATWS event is !

included in the contamment leakage PDS. It is assumed in the IPE that failure to insert negative reactivity and l continued RPV makeup will pressurize the contamment to its pressure capability over the course of an hour-Early Containment Fatlure 1

l Early containment failure is defmed in the BRP IPE as that which occurs at or shortly after vessel breach time.

Key phenomena evaluated in the IPE include direct contamment heating (DCH), energetic fuel / coolant interaction, and early hydrogen deflagration / detonation.

The probability of contamment failure due to DCH is evaluated in the IPE by a hamnacition event tree ]

(DET) with the consideration of the RPV pressure at vessel failure, the containment pressure prior to vessel ;

{ failure, the mode of RPV failure, the debris mass expelled from the RFV at vessel failure, the debris ;

i entramment time, the fraction of debris fragmented and transported to the recirculation pump room, l l unoxidized Zirconium fraction in the debris, and peak contamment pressure following RPV failure. The j j containment failure probability is then deternuned by comparing the contamment pressure load with the contamment fragility curve. According to the results presented in the IPE, contamment failure probabilities

for DCH vary from 2 3E-3 to 2.8E-1 for the various conditions described by the above parameters (Figure 3

12.4.1-1 of the submittal).

i s The potential failure modes for fuel coolant interaction considered in the IPE include those from (1) the transmission of a shock wave through water to the structure such as the reactor pedestal, (2) the impulse load from the shock wave through the enntammant air space, and 3) the loading by slugs of water propelled into contamment structures. In vessel steam explosions are considered highly improbable for BWRs, and are thus not considered in the BRP IPE.

For hydrogen, a two step aprivech is used in the IPE to investigate hydrogen ennerntrations in the BRP containment The first is an integrated severe accident analysis using MAAP-BRP code, and the r,ccond step involves putting a Wa= source of hydrogen into the enclosure room of the enatammet and evaluate its E yst to other contammen* regions using the MAAP-BRP code. The study shows that the hydrogen enneentration in all regions remain well below the detonation threshold. Early failure of the BRP containment due to hydrogen combustion is judged in the in the IPE to be of very low likelihood (~1E-3).

40 i

I l

Based on the description provided in the BRP IPE submittal, all the important early containment failure modes discussed in NUREG 1335 are addressed in the IPE. Quantification of containment failure for the failure modes is based on data available in the literature and plant-specific results from MAAP-BRP code calculations. Although the probability of early contamment failure from DCH can be high (e.g.,2.8E 2) under certain unlikely conditions, the probabilities of early contamment failure from all early failure wh-isms vary from 0.002 to 0.006 in the BRP IPE (Figures 12.8-2 to 12.8-15). Considering the large contamment volume to thermal power ratio and the strength of the contamment, these values seem to be reasonable. l

. Debris Coolability andLate Containment Failure

in the BRP contaiament there is a 3 foot deep valve pit located in the center of the BRP CRD room, beneath the reactor vessel. This sump area has a cross section of 42 square feet and a volume of 126 cubic feet, and ;

~

will collect core debris should a core damage accident progress to the point of vessel breach. A boundmg .

calculation provided in the IPE submittal shows that the entire BRP core can be held within the CRD room sump with a total depth of 1.6 feet (50 cm). In the BRP IPE the probability of debris coolability (with water) j 1

is assigned a value of 0.5 for low pressure core melt scenarios and 0.9 for high pressure scenarios. However, >

- It is assumed in the IPE that contamment failure by basemat melt-through will not occur even if the debris is not coolable.

Debris coolability, as one of the sensitivity issues, is analyzed in the IPE by the MAAP-BRP code. The following phenomena that are related to debris coolability are discussed in the sensitivity analysis: non-condensable gas generation, debris cooling in the sump, concrete attack, and contamment debris spreading.

According to the sensitivity analysis, concrete attack depth in " dry" cases, or in cases with very limited debris to water heat transfer coefficients, would be unlikely to lead to basemat failure in any reasonable length of

! time (e.g., a 36 hour4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months mission time used in the BRP IPE). For BRP there is approximately 10 feet of concrete l

below the CRD room sump. ,

Late containment failure is a CET top event. The fault tree used in the IPE to determme the probability of late contamment failure include two basic events: One involves long term high contamment pressure failure and the other involves long term high contamment temperature failure. According to the containment event trees (Figures 12.8-2 to 12.815), the probability oflate contamment failure is assigned a value of IE-4 for all KPDSs. The probability of late contamment failure for BRP is small because of the large contamment ,

volume and the use of a 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months mission time (licensee's response to RAI level 2 Question 9). !

In- Vessel Recovery and Fill-the-Ball Procedure in the BRP EOPs, " Fill-the-Ball" is used to provide water to the contamment structure for reactor vessel heat removal in the event of a post incident system (for long term heat removal) failure. The fill-the-ball strategy will incorporate any available makeup system to provide continued water supply for heat removal. This will result in the submergence of the reactor vessel and cooling of the core debris in the lower head of the vessel. ,

Vessel failure may be p ad by this cooling inachan=n However, because of the uncertainties associated with this cooling method, it is not credited in the IPE as being able to provide @- core cooling to prevent vessel failure. Although failure is always assumed to occur it is incorporated into the LOCA event trees in the IPE as a potential mitigative action. Its effect on enntamment pressure, im.h s and

.me==M fission product release is investigated in the IPE in the sensitivity analysis.

41

2.4.1.3 Containment Failure Modes and Timing The BRP contamment ultimate strength evalut. tion is described in Section 12.3 of the IPE submittal. The ultimate containment failure pressure for the BRP IPE is estimated by plant-specific analysis and results are compared with that obtained in the IDCOR report for the GE Standard Mark III containments. The median pressure capacity obtained in the BRP IPE (79 psig) is the average between the service Ixvel C pressure and the pressure based on the ultimate tensile stress. The contamment failure pressure distribution (i.e., the fragility curve) is assumed to be a normal distribution with a coefficient of variation of 13 psi. This is based on the consideration of both the uncertamties involved in material strength and modeling. The derivation of the contamment fragility curve for BRP seems to be adequate and the results seem to be consistent with those obtained in other IPEs.

2.4.1.4 Containment Isolation Failure Two failure modes are considered in the BRP IPE for the containment isolation systems - bypass and leakage.

Fault trees are used in the IPE to evaluate the probabilities of these two failure modes. The containment bypass tree includ: those faults associated with an isolation failure of the process lines that connect to the primary system, and the containment leakage tree deals with the penetrations that connect to the containment atmosphere. According to the descriptions provided in the IPE submittal and the licensee's response to the RAI (Level 2 Question 5), all five areas identified in the Generic letter regarding the evaluation of containment isolation failure are addressed in the IPE.

2.4.1.5 System /Iluman Responses No recovery actions are credited in the Level 2 analysis of the BRP IPE.

2.4.1.6 Radionuclide Release Characterization Radionuclide release categories are discussed in Section 12.6 of the IPE submittal. The CET end states are grouped to release categories based on the following parameters:

Timing ofrelease, Early - Less than 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months from accident initiation, Intermediate - Greater than or equal to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , but less than 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , Late - Greater than or equal to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , a

Total quantity of fission products released, High - A release of suflicient magnitude to cause near term health effects, greater than 20% Csl release fraction, Moderate -- A release with the potential for latent health effects, between 10% to 20% Csl release fraction, Moderate-Low - A release with minor health effects, between 1% to 10% Csl release fraction, Low - A release with the potential for minor health effects,, between 0.1% to 1% Csl release fraction, Low-Low -- A release that is less than or equal to containment design base leakage resulting in no health effects, less than 0.1% Csl release fraction.

According to the IPE submittal, the definition of release timing is based upon past experience with offsite responses. Emergency Action Level is considered in the definition. The time to the declaration of a General Emergency is estimated in the IPE to be about I hour or less for most accidents.

42

The classification of the release magnitude is based on the review of existing consequence analyses performed in previous IDCOR studies, PRAs, and NRC studies contairing detailed consequence modeling. Based on the review, the release fraction of Csl is used in the IPE for release magnitude classification. It is used because it correlates well with the predicted latent effect and shows a threshold value for predicted early fatalities in previous consequence analyses.

The use of the above classification method results in fifteen source term release categories A series of MAAP BRP calculations were performed in the BRP IPE to assign the proper source term category to the CET end states. The MAAP BRP calculations usually tenmnated at 36 hours4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months after vessel failure. Since containment failure in BRP is primarily due to bypass or leakage prior to vessel failure, wiuch, according to MAAP-BRP calculations, occurs before 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , the release timing for the contmament failure cases for BRP is pnmarily early.

Although there are 15 possible release categories, the CET quantification results show only 5 release categories with non-zero frequencies (Figure 12.817 of the submittal). Besides a no containment failure category, all the other release categories involve early releases. The conditional probability for the no-containment failure category is about 94%. The next release category, which contributes about 4% to total CDF, has a Csl release fraction 0.1% to 1%. It is primarily from ATWS and LOCA sequences with enclosure spray available. The release category that has high Csl release (i.e., greater than 20% release fraction) contributes about 1.5% to the total CDF. It is mostly from containment bypass sequences in which the enclosure spray and any water collected in the sump provide no benefit in limiting the source term severity.

Except for the release fractions of CsI, which is used in the IPE for source term classification, the release fractions of other fission product categories (e g., Te and Sr), are not provided in the IPE submittal.

Additionally, only ranges of Cs releases (e.g., between 0.1% to 1%) are provided in the IPE submittal for the various source terms. This seems to be sufficient to provide a general characterization of the BRP containment performance in a severe accident, but is not sufficient for a detailed E-sero analysis. Since MAAP-BRP code calculations were performed in the IPE for selected sequences, the release fractions for other fission products categories, although not reported in the submittal, were available from the MAAP-BRP

calculation results.

The discussion of source term classification provided in the IPE submittal is detailed and reasonable. The 4

grouping of the CET end states to source term release categories also seems reasonable. However, besides

Csi, the release fractions of other radionuclide groups are not reported in the IPE submittal. ;

2 2.4.2 Accident Progression and Containment Performance Analysis 4

2.4.2.1 Severe Accident Progression In the BRP IPE, a modified version of the MAAP 3.0B code (MAAP-BRP) was used in evaluating the reactor pressure vessel (RPV) and canninmant responses and L.J.dng the resulting source term. MAAP-BRP

- is based on the version of the MAAP code Mpd by the Department of Energy's Advanced Reactor

^

Severe Accident Program, in sim,.uon with General Electric, for the GE Simplified BWR (SBWR). Table 12.7.1-1 of the IPE submittal shows the MAAP BRP calculation results for 29 cases. The key plant conditions '

considered in the selectics of the MAAP-BRP cases include: contmamant bypass, enntmam-t isolation, early failure of cantainmant due to emersetic event at vessel failure, nantmamant sprays, ex-vessel debris coolability, late contamment failure, and reactor pressure.

43 1

w -.

rw- w- - , -- ,- - ,

4 The sequences selected for source term analyses and the source terms definition used in the IPE seem to be adequate.

2.4.2.2 Dominant Contributors: Consistency whh IPE Insights Radionuclide release categories (or containment failure modes) and their frequencies obtained from the BRP CET quantification are discussed in Section 12.8 of the submitta . Table 9, below, shows a comparison of the conditional probabilities for the various containment failure modes obtamed from the BRP IPE with those obtamed from the Surry and Zion NUREG 1150 analyses.

Table 9 Containment Failure as a Percentage of Total CDF Containment Failure Surry Zion I

Mode NUREG-1150 NUREG-1150 Early Failure 4.2 0.7 1.4 Late Failure +++ 5.9 24.0 Bypass 1.5 12.2 0.7 Isolation Failure Intact 94.3 81.2 73.0 ,

CDF (thy) 1.7E-5 4.0E-5 3.4E-4

++ The data presented for BRP are based on Figure 12.8-17 of the IPE subnuttal.

+++ Late containment failure is assigned a probability of IE-4 in the CETs presented in the IPE submittal. However, results presented in Figure 12.817 shows a zero probability for late failure. The negligible late failure probability is due to the large containment volume and the use of a 36 hour4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months (after vessel failure) mission time. l

Included in Early Failure, approximately 0.02%.

1

" Included in Early Failure, approximately 0.5%.

"* Included in Early Failure. Of the 4.2% probability of early failure about 0.5% is from leaks through penetrations.

As shown in the above table, the conditional probability of containment bypass for BRP is 1.5% of total CDF.

Of the 1.5% bypass probability, only 0.06% comes from Level I bypass sequences (i.e., ISLOCA), and the majority is from failure to isolated the process lines that connect to the primary system. Although LOCA is the dominant contributor to total plant CDF, the main contributors to this failure mode are transients (0.8%

of CDF) This is because MSIV closure is required in some transient sequences to temunate the event, snd failure to isolate the MSIV results in direct containment bypass.

The conditional probability of early containment failure for BRP is about 4.2% (of total CDF). The leading contributor to this failure mode is containment overpressure failure before vessel breach in ATWS events (3.5% CDF). This is followed by leakage through contamment penetrations (0.5%), mostly from leakage through vent valves and door seals. Containment penetration leakage comes primarily from LOCA (about 80% ofleakage cases) and transient sequences (about 20% ofleakage cases).

Because of the large contamment volume and the use of a 36 hour4.166667e-4 days 0.01 hours 5.952381e-5 weeks 1.3698e-5 months mission time, contamment failure by the energetic events at vessel breach and long-term pressurization and thermal attack is not likely at BRP.

44 j

_ . - -- .- . - - - - - . . . - - _ _ - . - . , - . - - . - - . - - - . . . . _ ~ . - . -

I.

! 2.4.2J Characterisation of Containment Performance l i

As shown in Table 9, for Big Rock Point Plant, the core damage frequency (CDF) is lower than that obtained in NUREG 1150 for Zion and Surry. Although the contamment volume to thermal power ratio is much larger 4

) for BRP than for Zion and Surry, the conditional probability of early contamment failure for BRP is greater than that for Zion and Surry. The major contributor to early contamment failure for BRP is not from energetic event associated with HPME or hydrogen burn but from the steam generated during ATWS events and leakage through contamment penetrations. This may be partial!y attributed to the use of a BWR (for a more severe ATWS load) and the accessibility of the contauwnant durmg normal operation for BRP (for more

, severe leakage cases).

$ The =daaba of contamment bypass for BRP is also different than those for PWRs such as Zion and 2

l Surry. SGTR, wluch is an important bypass failure mode for PWRs, is not important for BRP . De major i contributor to contamment bypass in BRP is the failure to isolated the processing lines connected to the ,

pnmary system, primarily the lack ofisolation of the MSIV. !

! The C Matrix, which shows the conditional probabihties of release categories (or contamment failure modes) l for the plant damage states (or KPDSs), can be obtamed from the data presented in Figures 12.8-18 and 12.8-

19 of the submittal.

2.4.2.4 Impact on Equipment Behavior f

j The enclosure spray is a system that is considered in the CET quantification. Contamment fan coolers that i are not intended to perform a safety function and are isolated upon a contamment isolation signal at BRP they 1

are not credited in the IPE. The availability of enclosure spray is detennined in PDS dermition and its j availability in CET quantification is primarily based on PDS definition. As a result, the effects of harsh a environmental conditions on the operation of enclosure spray are not addressed in CET quantification. This

! is not a serious problem because the probability oflong term contamment failure is negligible. The primary

effect of the enclosure spray in the BRP IPE is the scrubbing of fission products in the early failure cases.

Since the spray pumps are located outside the contamment the effects of harsh envirnaman*=1 conditions on its operation do not seem important.

2.4.2.5 Uncertainties and Sensitivity Analysis Sensitivity studies for Level 2 analyses are discussed in Section 13.7 of the IPE submittal. The uncertainties l

were, in general, addressed quantitatively in the BRP IPE, using determuustic methods, and MAAP BRP was I

selected to perform plant specific evaluations. De sensitivity studies provided in the IPE submittal address i the uncertainties associated with the following phenomena- .

Core melt progression - amount of residual debris in RPV, In-vessel hydrogen generation - core blockage, l '

, RPV pressure at vessel failure,

{ Debris coolability, i

2 A failure mode in BRP that is similar to that of SGTR for PWRs is that associated with creep rupture of i the emergency c= '== tubes. It is not important foi BRP.

j 45 1

t 4

y

)

. I l

Containment failure mode (size, locction, and type), and Containment flooding sensitivity.

The selection of the above issues for sensitivity analyses is based on the consideration of the sensitivity issues raised by NRC and the industry (e.g., the EPRI is--==dations).

As discussed above, the sensitivi:y studies performed in the ERF IPE are deternunistic sensitivity studies.

The sensitivity studies were perfomej varying some MAAP parameter values firom their base case values and analyzmg the differences in MAAP calculation results. The effects of uncertamties on CET quantification results are not addressed directly. For example, it is not clear (fem the sensitivity studies presented in the IPE submittal) what is the effect of the amount of core forced out of the vessel (which is one sensitivity study item, Section 13.7.3.1) on DCH load, and consequently, the probability of early contamment failure.

Althou6h such probabilistic sensitivity studies were not discussed in Section 13.7 of the submittal, the ;

uncertairfies on some key contamment phenomenological issues were discussed in some detail in CET i quantification. For example, early contamment failure due to DCH was evaluated in the IPE by the use of a decomposition event tree (DET). The top events of the DET addressed the issues of significant uncertainties for DCH. Results of the DET analyses presented in the IPE submittal show that the probabilities of early containment failure due to DCH vary from 0.002 to 0.28 (Figure 12.4.1-1). The high value (i.e.,0.28) obtamed in the IPE seems to be a conservative estimate and not likely to occur because of the large contamment volume to thermal power ratio and the strength of the contamment.

Although probabilistic sensitivity analyses are not discussed specifically in the sections addressing sensitivity issues in the IPE submittal, the accident phenamaan that have significant uncertainties on containment performance are evaluated and discussed in detail in the IPE submittal. The sensitivity studies provided in the BRP IPE seems to have addressed the issues of significant uncertamties in the IPE analysis.

2.5 Evaluation of Decay Heat Removal and Other Safety Issues This section of the report summarizes the review of the evaluation of Decay Heat Removal (DHR) provided in the submittal. Other GSis/USIs addressed in the submittal were also reviewed.

2.5.1 Evaluation of Decay Heat Removal 2.5.1.1 Examination of DHR The IPE addresses decay heat removal (DHR). Several systems perfomiing the DHR function are mentioned including main condenser, feedwater, emergency condenser, reactor depressurization, low pressure injection with the enadanaste system, low pressure injection with the core sprays, long term recuculation with the post incident system and contamment flooding (or fill-the-ball). CDF fractions were eshmated in which these systems had failed, as follows: emergency enaderiser (2.9E-3), emergency enadaa=ar firewater makeup 2.6%,

reactor depressurization (14%), main condenser (7.4E-4), post incident system (17%), core spray valves (40%), feedwater system (4.8E-3), fill-the-ball (42%), condensate system (3.8E-3).

The unavailability of each system is shown for unportant initiators. Support systems are identified.

Contribution of M.ot hardware failures and important operator actions associated with the system are calenla**d (Fussel-Vesely importance).

46 i

)

l

- i

. 1 Several human actions are identified as being important to meetmg the DHR capability. The actions includl latent (pre-initiators) and post-initiator actions. They include actions related to the availability of th cor.im, feedwater, the emergency char, condensate, and the post-incident system.

The licennae considers this issue closed.

2.5.t.2 Diverse Means of DHR The IPE evaluated the diverse means for DHR, as shown in Section 2.5.1.1 above.

i i

2.5.tJ Unique Features etDMR Section 1.2 of this TER describes unique plant features, most of which are DHR features 2.5.2 Other GSIs/USIs Addressed in the Submittal in addition to USI A-45 (DHR Evaluation) the following USIs and Gls are considered closed by the licensee

)

as a result of theIPE submittal:

1) USI A43, "Contamment Sump Emergency Performance", which deals with post LOCA flow blockage i (see discussion in Section 1.2), and

2) Closure of BRP Severe Accident Management Guidelines.

In addition, the IPE will be used to comply with the maintenance rule.

2.5.3 Response to CPI Program Recommendations The CPI is+-.= Mon for PWRs with a dry contamment is the evaluation of contamment and equipment vulnerabilities to localized hydrogen combustion and the need for improvements. Although the effects of hydrogerrcombustion on contamment integrity are discussed in the submittal, the CPI issue is not specifically addressed. More detailed information on this issue is provided in the licensee's response to the RAI (Level 2 Question 2).

According to the response, several contamment walkdowns were enad-*ad to support the use of a Gacralized Contamment Model (GCM) which allows the evaluation of local effect and requires detailed containment informaton. Personnel involved in the walkdowns included the BRP Plant Manager, PRA staff members, and one of the GCM code authors. The walkdowns focused on all the different modes of room interaction rangmg from hydrogen to debns h-yest. The PRA staff contmues to monitor the matammant status through video taping and walkdowns subsequent to the IPE e ' W The evaluation of hydrogen macentrations and combusten in the BRP contammant showed that because of the large matammant volume, the hydrogen macentration in the BRP enntamment would only be 10% if 100% of Zucalloy is a hd and all the steam is enadensad Potential hydrogen release locetions were also eraminad in the IPE and showed that high incalimi tryi# cancentration is not likely to occur and that i the BRP cantammant will be well mivad Hydrogen datanations are not credible for the BRP enntamment !

and the pressure loads from hydrogen deflagratmo are not likely to challenge the integrity of the matamment i

47

2.6 Vulnerabilitics and Plant Improvements According to the licensee, a vulnerability would be identified by answering the following questions (R responses, page 5 and 6 of RAI responses, question 4 from the January 29,1996 NRC request for additional information):

1)

Are there any new or unusual means of reaching a situation in which core damage or containment failure would occur that had not been identified in previous PRAs?

2)

Do the results of the PRA suggest that the Big Rock Point Plant would contribute to the industry not meeting published safety goals?

Based on the above dermition, no vulnerabilities were found. It is stated that when compared to the n facilities, the large and robust containment is at least as effective (if not more) in limiting the poten significant releases following a severe accident.

No plant modifications were planned as a result of the IPE. A list ofplant improvements following PRA is provided in the RAI responses. These improvements have already been implemented.

No SB0 rule related hardware changes have been implemented. Some procedural changes in res SBO rule have been implemented.

Several human action related improvements were discussed in the licensee's response to the RAI. Not these improvements were directly related to the results of the PRA, but were related to the process performing the IPE. The improvements included:

Eight manual valves in the post incident system were modified such that they cannot be locke in their correct position.

A contingency was provided to EOP EIP-5 to allow operators to implement containment floodin a Severe Accident Management (SAM) strategy.

' +

The " Control Room Design Review" performed at Big Rock Point took advantage of the dominant accident sequences from the 1981 PRA to perform its task analysis and resolve potential human error deficiencies.

The complement of the PRA developed fault trees was used in writing the FORTRAN logic handlers for the simulator at Big Rock Point. As a consequence, the need to manually trip the condensate

. comps after the hotwell had emptied was identified.

No other plant improvements were discussed in the IPE subnuttal.

t 48

E

' 8 3 CONTRACTOR OBSERVATIONS AND CONCLUSIONS l l

Strengths of the IPE level I analysis are as follows: Thorough analysis ofinitiating events and their impact, descriptions of the plant responses, modeling of accident scenarios, reasonable failure data and common cause factors employed and usage of plant specific data where possible to support the quantification ofinitiating )

events and R 3 =at unavailabilities. The treatment of depandancies and environmental effects seems very j thorough, as does the sensitivity and importance analysis. The effort seems to have been evenly distributed ;

across the various areas of the analysis. The documentation is very detailed, and there seems to have been a conscious effort to respond to the RAls to the best of the licensees ability.

There are some areas of concem related to the IPE but these are not a-*ad to have a major impact on the !

i conclusions. In the area of initiating event frequency, the RDS spurious opemng frequency and the small LOCA frequency seem low. As far as data is concemed, data for the fire pumps seem low (w-W by a sensitivity analysis). There are questions as to the Bayesian updating algorithm used, as unreasonable values i

are produced for the fire pumps (the other components seem OK). The common cause failure between the electric and diesel driven pumps is not considered; the common cause failure between the two station batteries is not considered. Also, the system Bimbaum importance calculation algorithm seems to break down at high Birnbaum importance values (partially corrected by recalculating systems which seem to have a problem, per RAI responses) (corrected Bimbaum importance values are quoted in this technical evaluation report). There is a question as to why only pipe failures seem to be important in the flooding analysis. It is not clear if

maintenance induced floods and spray effects were treated properly. Finally, the documentation is sometimes

self-contradictory, and some part ofit seem not to have been reviewed prior to publication.

The IPE determined that LOCAs contribute about 80% to the CDF at BRP. The most important sequences i have failures of the post incident system, the reactor depressurization system ar.d/or the core spray system.

The interfacing system LOCAs and containment bypass sequences show negligible contribution to the CDF.

The same can be said for the flooding scenarios. The blackout contribution is small (1%), due to existence of the 100% load rejection capability, the emergency condenser, the ac independent makeup to the emergency 4 condenser and long life of the a!temate shutdown battery, as well as existence of two diesel generators (albeit with limited capability). The loss ofinstrument air contribution is relatively large (9%) due to its usage for

emergency condenser makeup from demmeralized water, feedwater flow control, feedwater pump cooling, i'

and main condenser hotwell makeup. The ATWS contribution (7%) is governed by two opposing forces: less time than at other BWRs is available for injection of the standby liquid control system, due to nonexistence of a high pressure high volume ECCS system at BRP; however the SLCS at BRP is a fast acting one that ensures subcriticality in about I min after operator actuation. The 100% bypass capability is not credited as the operators have to trip the recirculation pumps in a very short time in order to avoid losing the feedwater system (even though they were able to accomplish this in training exercises). Also, the trip frequency at BRP seems to be higher than at other plants.

The BRP Level I risk profile does not look like that of a typical BWR, where blackout and ATWS usually dominate the core damage frequency Here LOCAs dominate, with ATWS contributing (in the absolute ,

sense) about the same or slightly higher CDF than most other BWRs due to the features mentioned above. I

'lhe blackout contribution is much smaller than at other BWRs, as explained above. There are several reasons I for the high LOCA contribution: a porten of pnmary pipicg is located below the level of the core, which leads to a more severe case of LOCAs; there is paucity of high pressure (/high flow rate) makeup systems; for larger LOCAs, makeisp to the condemeer hotwell is ir=d-i=*a which leaves the two fire pumps as the only

. Iow pressure system available; come ;-@imi systems would be disabled by the harsh environments due to LOCAs and/or steam line breaks; lack of suppression pool means that at some point recirculation must be ,

1 49 1

I 1

1 brought into play' (called the post incident system); and finally, no credit is given for fill the-ball ,

proceduralized action, with its passive cooling features, if recirculation fails. On the other hand, it is stated j that the BRP piping is nombjcct to the inter-granular stress corrosion cracking (IGSCC) which plagues other i I

BWRs; the recirculation strainers are much less vulnerable to plugging than at other BWRs; it is also claimed that the LOCA initiating event frequencies are conservative.

The HRA review of the Big Rock Point IPE submittal did not identify any significant problems or errors.

A viable approach was used in performmg the HRA and nothmg in the licensees submittal indicated that it failed to meet the intent of Generic 1.etter 88 20 in regards to the HRA. Important elements pertment to this l

determmation include the following:

1) The cubmittal indicated that utility perscanel were involved in the HRA. Procedure reviews, discussions with operations and training staff, observations of simulator exercises, review of the

" control room design review", and walkdowns of important operator actions, including local actions, helped assure that the IPE HRA represented the as-built, as-operated plant.

2) The HRA process for the Big Rock Point IPE addressed both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response to an accident). The analysis of pre-initiator actions considered both miscalibrations and restoration faults. All pre initiator restoration errors were analyzed in detail (no screemng analysis) and quantified using the ASEP HRA procedure (NUREG/CR-4772). All common cause miscalibrations were quantified in detail using a method derived from THERP (NUREG/CR-1278). A reasonable and thorough analysis of pre-initiator events was performed

3) in general, the licensee's analysis of post initiator events was performed reasonably. A detailed

" screening" was performed and important human actions were given an even more detailed analysis.

However, there were several events for which the quantification process did not seem appropriate. It is thought that the resulting HEPs should be considered optimistic and that the use of such values for these events is a weakness of the HRA. The problem arises through the licensee's use of HEP values from the " annunciator response model" (Table 20-13 or Table 11-13 from THERP) in situations where very limited time is available for the operator action. While it can be argued that the HEPs from this model are acceptable when substantial time is available for the operators to determme the relevant actions and when the operators need only respond to the existence of an annunciator in the .

control room, the HEPs from this model do not reflect the impact of the time available on the I likelihood of success. Thus, this model will clearly underestimate HEPs for short time frame j scenarios and the ASEP/fHERP time-reliability diagnosis model is clearly indicated in such ;

situations.

l

4) Plant-specific performance shaping factors (PSFs), event tumng, and Qhies were apparently appropriately considered in most instances. However, for the three events discussed above, timing was not considered appropriately. In addition, in at least one event the licensee may not have appropriately !

factored in the impact of potential radiation hazard on operator performance

5) A list ofimportant human actions based on their contribution to core damage frequency was provided i in the submittal.

The IPE uses small contmnmmt event trees (CETs) for level 2 analysis. The quantification of the CET in the BRP IPE is based on review ofindustry literature and plant-specific calculations using MAAP-BRP code.

50

o s

4 The interface between the level 1 and level 2 analyses is accomplished by the development of a set of 18 key plant damage states (KPDSs). The Level I core damage sequences are grouped in the KPDSs based on ,

accident types (e.g., transient. LOCA, ATWS, ISLOCA), RCS pressure, and the availability of injection l systems. The CET used in the BRP IPE include 7 top events addressing containment and containment system l conditions, various modes of contamment failure, and wh=aiems that affect fission product release. CET l

==ati&* tion is based on the data available in the industry literature and plant specific analysis using MAAP-BRP code. The dermition of the PDSs for Level 1 and level 2 interface seems adequate. The CETs used in the IPE provide a reasonable coverage of the important back end phenomena The quantification of the CETs also seems adequate.

The important pomts of the technical evaluation of the BRP IPE back-end analysis are summarized below

1) The back-end portion of the IPE supplies a substantial amount of information with regards to tle i subject areas identified in Generic letter 88-20. ,

1

2) The Big Rock Point Plant IPE provides an evaluation of all phenomena of importance to severe l accident progression in accordance with Appendix I of the Generic Letter. l l

l l

l 51 l

l

o 4 REFERENCES

[IPE) Big Rock Point Plant Individual Plant Exammation, October 11,1996.

[RAI Responses) Response to NRC Request for Additional Information, Big Rock Point Plant IPE

[NUREGICR-1278} A.D. Swain and H.E. Guttman, Handbook of Human Reliabilth Analysis with Emphasis on Nuclear Power Applications : Technique for Human Error Rate Prediction, NUREG/CR-1278, U.S. Nuclear Regulatory Cnmmienion, Wa=hiaran D.C.,1983.

[NUREGICR-4772) A.D. Swain, Accident Sequence Evaluation Program Human Reliability Analysis Procedure, NUREGICR-4772, U.S. Nuclear Regulatory Commission, W==hinyan, D.C., February,1987.

[NUREG-1150] USNRC, " Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants," NUREG-1150, December 1990.

i i

l l

I l

53

__ ___

ML20134D515

Text

SUMMARY

Navigation menu

Search