ML20134D794
| ML20134D794 | |
| Person / Time | |
|---|---|
| Site: | Fort Calhoun  |
| Issue date: | 06/13/1996 |
| From: | Thomas W SCIENCE & ENGINEERING ASSOCIATES, INC. |
| To: | NRC |
| Shared Package | |
| ML20132F483 | List: |
| References | |
| CON-NRC-04-91-066, CON-NRC-4-91-66 SEA-95-2339-010, SEA-95-2339-010-A:4, SEA-95-2339-10, SEA-95-2339-10-A:4, NUDOCS 9610300312 | |
| Download: ML20134D794 (45) | |
Text
... _ - _ _ - . _ _ _ _ . . _ . _ . _ _ . . _ . . . .-_ .__ _ _ _
h SEA-95-2339-010-A:4 June 13,1996 l
l Fort Calhoun Station Technical Evaluation Report on the Individual Plant Examination Front End Analysis i
NRC-04-91-066, Task 39 Willard Thomas 4 l
l l
d'
,q Y Science and Engineering Associates, Inc. 4 Prepared for the Nuclear Regulatory Commission
@Ll03cohD,$w*
I TABLE OF CONTENTS 1
E. EXEC UTIVE SU MM ARY . . . . . . . . . . . . . . . . . . . . . . . . . . ............ 1 I E.1 Plant Characterization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 E.2 Licensee's lPE Process .. .............................. 3 E.3 Front- End An alysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 E .4 G e n e ric i s s u e s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 )
E.5 Vulnerabilities and Plant Improvements . . . . . . . . . . . . . . . . . . . . . . 5 l E.6 O b s e rvat io n s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
- 1. I NTR O D U CTI O N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 1.1 R e vie w P ro c e s s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 1.2 Plant Characte rization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 l
- 2. TECHNICAL REVIEW ............... ........................ 11 1 2.1 Lice ns e e's I P E P roce s s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 2.1.1 Comoteteness and Methodoloav . . . . . . . . . . . . . . . . . . . . . 11 1 2.1.2 Multi-Unit Effects and As-Builti As-Ocerated Status . . . . . . . . 11 l 2.1.3 Licensee Particioation and Peer Review . . . . . . . . . . . . . . . . 12 2.2 Accident Sequence Delineation and System Analysis . . . . ....... 12 2.2.1 Initiatino Events . . . . . . . . . . . . . . . . . . . . ............ 12
- 2. 2.2 E ve n t Tre e s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 2.2.3 Systems Analvsis . . . . . . . . . . . . . . . . . .............. 17 2.2.4 Svstem Decendencies ............................ 17 2.3 Quantitative Proce ss . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 2.3.1 Quantification of Accident Secuence Frecuencies . . . . .... 18 2.3.2 Point Estimates and Uncertaintv/ Sensitivity Analvses ...... 19 2.3.3 Use of Plant-Soecific Data ......................... 19 2.3.4 Use of Generic Data . . . . . . . . . . . . . . . . . ............ 20 2.3.5 Common-Cause Ouantification ...................... 22
- 2. 4 I nt e rf a c e i s s u e s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 2.4.1 Front-End and Back-End Interfaces . . . . . . . . . . . . . . . . . . . 23 2.4.2 H uman Factors Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . 24 2.5 Evaluation of Decay Heat Removal and Other Safety Issues . . . . . . . 25 2.5.1 E xa min ation of D H R . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 2.5.2 Diverse Me an s of D H R . . . . . . . . . . . . . . . . . . . . . . . .... 25 2.5.3 Uniaue Features of DH R . . . . . . . . . . . . . . . . . . . . . ..... 25 2.5.4 Other GSI/USIs Addressed in the Submittal . . . . . . . . . . . . . 26 2.6 Inte rnal Floo din g . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 2.6.1 Internal Flooding Methodoloav . . . . . . . . . . . . . . . . . . . . . . . 26 2.6.2 Internal Floodino Results .......................... 27 2.7 Core Damage Sequence Results . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 2.7.1 Dominant Core Damage Secuences . . . . . . . . . . . . . . . 28 2.7.2 Vulnerabilities . ....................... ......... 31 2.7.3 Procosed imorovements and Modifications . . . . . . . . . . . . . . 32 li
ApA-AA w A- .A. ~ nA fs a.A &ae ,-a.w+,w. .,6-. J. ( d. A 4 A >< W--.-e 3r-4e.#- p e. 44 L,a ,Ah 4 -44 4 .M.< Aw.h s pqM1 y44 l
- 3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS . . . . . . . . . . . . . . . 34
- 4. DATA
SUMMARY
SHEETS . . . . . . . ............................. 35 l 1
i REFERENCES ..................... .......................... 41 !
-i I
I I
f i
I j
l l
1 i
i I
i lii !
i
4 i
i i 4 '
4 UST OF TABLES I
Table 2-1. Summary of Reported Front-End Sensitivity .................. 19 ;
- Table 2-2. Plant-Spwific Component Failure Data . . . . . . . . . . . . . . . . . . . . . . 21 l Table 2-3. Generic Component Failure Data .......................... 22 l
- Table 2-4. Comparison of Common-Cause Failure Factors . . . . . . . . . . . . . . . . 23 ,
- Table 2-5. Accident Types and Tneir Contribution to Core Damage Frequency . . 28 Table 2-6. Initiating Events and Their Contribution to Core Damage Frequency . 29 j Table 2-7. Top 5 Dominant Functional Core Damage Sequences ........... 31 Table 2-8. Summary of Plant improvements . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 i
3 h
1 4
I l
1 i
i IV
E. EXECUTIVE
SUMMARY
This report summarizes the results of our review of the front-end portion of the Individual Plant Examination (IPE) for the Fort Calhoun Station. This review is based on information contained in the IPE submittal [lPE Submittal) along with the licensee's responses [RAI Responses] to a request for additional information (RAl).
E.1 Plant Characterization The Fort Calhoun Station consists of a single unit,2-loop Combustion Engineering (CE) plant. Design features at Fort Calhoun that impact the core damage frequency (CDF) relative to other Pressurized Water Reactors (PWRs) are as follows:
Ability to cerform feed and bleed once-through coolina. This design feature lowers the CDF by providing an alternative method of core cooling given unavailability of the Auxiliary Feedwater (AFW) system.
Use of self-contained radiators for diesel aenerator coolina. The diesel generators are cooled with self-contained radiators and thus do not require external cooling from plant cooling water systems. This design feature lowers the CDF.
. Diverse means of sucolvina AFW to steam generators. The AFW system contains a motor-driven pump, a turbine-driven pump, and a diesel-driven pump. The diesel-driven pump is independent of all plant support systems, including AC and DC electrical power. In addition to supplying steam generator makeup, the diesel-driven AFW pump can be used to transfer water from the condensate storage tank to replenish the AFW suction source, the emergency feedwater storage tank (EFWST). This design feature lowers the CDF.
- Robust design of reactor coolant oumo (RCP) seals. The seals on the Byron-Jackson RCPs are of a special design stated to be highly resistant to leakage in the event seal cooling water is lost. This design feature lowers the CDF.
. Lack of a reauirement for emergenev core cooling system (ECCS) oumo external coolina during the iniection mode. The high pressure safety injection (HPSI), low pressure safety injection (LPSI), and containment spray pumps require cooling water only in the recirculation mode. This design feature tends to lower the CDF.
- Indeoendence of HPSI oumos from LPSI oumos during recirculation. Thr HPSI pumps do not require " piggy-back" suction from the LPSI pumps for operation during recirculation. This design feature tends to decrease the CDF.
1
l l
l
! . Automatic switchover of ECCS from iniection to recirculation. This design I
j feature tends to decrease the CDF over what it would otherwise be with a
. manual system.
. Ability to use the raw water system as a backuo to comoonent coolina water.
The raw water system can be manually-aligned backup to component cooling water for the shutdown cooling heat exchangers, the containment cooling units, the safety injection and containment spray pump bearing coolers, and control room air conditioners. This design feature tends to decrease the CDF.
. Ability to use a diesel-driven fire oumo for olant functions. A diesel-driven fire pump, independent of plant systems, is available for long-term makeup to the AFW suction source, the EFWST. In addition, this pump can also serve as a backup to the raw water system for the purpose of cooling the component cooling water system. The ability to use the diesel-driven fire pump for these plant functions tends to reduce the CDF.
l
. Oversized steam cenerators. The steam generators are designed for a larger l reactor. Consequently, the ability to cool the reactor during an accident has a I margin above what is normally expected. The steam generator boil off time is j stated to be 55 minutes. This design feature tends to reduce the CDF. !
. Vital 120 VAC backuo oower source. If a vitalinverter fails and 480 VAC is availabie, the 120 VAC control power normally supplied by the inverter is automatically supplied by a bypass transformer. This design feature tends to decrease the CDF. j i
. Eiaht hour batterv caoacitv. With apparent credit for load shedding, the l batteries can provide power to basic safety-related control and instrumentation l loads for 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. The 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> battery lifetime is longer than at some other plants. This design feature tends to lower the CDF.
. Wide use of air-ooerated valves (AOVst Fort Calhoun uses AOVs for many applications in which other plants use motor-operated valves (MOVs). Generic data indicate that demand failure probabilities for AOVs tend to be slightly lower than corresponding failure probabilities for MOVs. In addition, the AOVs normally fail in their accident positions, reducing the vulnerability of the plant to station blackout. This dengn feature reduces the CDF.
. Favorable olant accessibilitv. Fort Calhoun is a relatively compact plant. Areas in which outside control room human actions would be performed can be readily accessed. This design feature tends to reduce the CDF.
. Ooen desian of auxiliarv buildino and other olant areas. The open design of the auxiliary building and various rooms in the plant make it unlikely that heating, 2
i
' l ventilating, and air conditioning (HVAC) will be required to cool many items of i plant equipment due to effective natural circulation. This design feature tends !
to reduce the CDF. j
- Containment air coolina and filterino system. The plant design includes a containment air cooling and filtering i,ystem. This system provides a means of performing containment cooling that is independent of the containment spray l l system. This design feature tends to decrease the CDF. j E.2 Licensee's IPE Process l The licensee developed a Level 3 probabilistic risk assessment (PRA) in response to the requests of Generic Letter 88-20. The freeze date of the analysis was February 1989, with one exception, namely credit for a diesel-driven AFW pump placed in service in August 1990.
- The licensee provided the overall technical management of the IPE. Contractors used in the project include Science Applications International Inc. (SAIC) and Combustion l
Engineering. Well over 50% of the total engineering effort applied to the IPE project was contributed by licensee personnel.
i Plant walkdowns were used to support the IPE analysis. Major documentation used in i the IPE included: engineering drawings, system descriptions, the Updated Final Safety Analysis Report (UFSAR), Technical Specifications, and applicable plant procedures.
1 An independent external review of the IPE was performed by a team composed of
- PRA experts from Duke Power, Yankee Engineering Services, and Combustion 1 Engineering.
The licensee intends to maintain a "living" PRA to respond to licensing and accident management issues.
E.3 Front-End Analysis 1
The methodology chosen for the Fort Calhoun IPE front-end analysis was a Level 1 l PRA. The small event tree /large fault-tree technique with fault tree linking was used to quantify core damage sequences.
Core damage was defined to correspond to loss of an intact coolable geometry, a condition stated to occur if (1) a substantial portion of the core is uncovered and (2) a fuel cladding temperature of at least 2,200 deg F is reached in any node of the core ,
as determined by best-estimate calculations. In many sequences, core damage was !
i assumed if core uncovery had occurred and core recovery was not anticipated due to equipment failures.
1 l
3
l
! 1 The success criteria are based best-estimate thermal hydraulic analyses, other PRAs, and judgment. At least some of the thermal hydraulic analyses appear to have been j provided by Combustion Engineering. Like IPE studies for several other PWRs, the Fort Calhoun IPE assumes that a large LOCA can be mitigated without LPSI pumps.
Other elements of the Fort Calhoun success criteria are generally consistent with typical PWR IPE/PRA studies.
l l The IPE quantified 37 initiating events exclusive of internal flooding: 8 loss of coolant accidents (LOCAs), including steam generator tube rupture (SGTR) and interfacing systerns LOCA (ISLOCA); 15 generic transients including loss of offsite power (LOSP);
and 14 specialinitiating events representing support system failures. The number of ;
initiating events considered in the flooding analysis is not specified.
l Plant-specific data applicable to component failures and test / maintenance unavailabilities were collected over a 6-year window from January 1,1985 through December 31,1990. Plant data were also used to support the quantification of initiating events.
The beta factor method was used to model common cause failures. The beta factors used in the IPE are consistent with generic values typically used in other IPE/PRA studies.
The point estimate CDF for Fort Calhoun is 1.36E-05/yr', including internal flooding.
The CDF contribution from flooding is 1.9E-06/yr. The internal initiating ever,ts that contribute most to the CDF and their percent contribution are listed below*:
LOSP (161 KV switchyard, no transfer to station gen) 28%
LOSP (345 KV switchyard) 12%
Small LOCA 6%
internal flood: CCW break, HX room 18 6%
LOSP (weather-induced) 6%
SGTR 6%
Loss of HVAC east switchgear room 3%
Loss of HVAC west switchgear room 3%
Loss of 125 VDC Bus 1 3%
LOSP (grid-related) 3%
Core damage contributions by accident type are listed below:
Station Blackout 35 %
Transient 31 %
' As used here and in other portions of this report, the term Tr' refers to a reactor year.
- A more cornplete set of initiating event CDF contributors is provided in Table 2-6 of this report.
1 4
. . . ~_ - - . ~ ~ - - - - .- . . . - - . .
l l
- internal Flood 14%
LOCAs 8%
SGTR 6%
1 ISLOCA 5%
Anticipated Transient Without Scram (ATWS) 2%
i
- The most important non-initiating event contributors to CDF are (in order):
- = Common cause unsuccessful load shed from 4,160 VAC buses 1 A3 and 1 A4 l
- Failure of diesel-driven auxiliary feedwater pump ;
l
. Operator fails to use diesel-driven feedwater pump to replenish emergency feedwater storage tank l
= Failure of RCP seals given insufficient cooling 1
- Run failure of diesel generator DG-1
)
- Operator falls to use diesel-driven fire pump to replenish emergency feedwater
, storage tank
= Run failure of diesel generator DG-2 i
- - Operator fails to manually trip 4,160 VAC circuit breaker, given that breaker i does not trip automatically l
Plant damage states (PDSs) were used to couple the front and back-end analyses.
i The assignment of PDSs in the IPE is consistent with other IPE/PRA studies.
E.4 Generic issues i The licensee addresses decay heat removal (DHR) and its contribution to CDF. The submittal compares DHR vulnerability insights from Unresolved Safety issue (USI) A-45 studies with their applicability to Fort Calhoun. Using mainly qualitative arguments,
- the licensee demonstrates that the IPE results are consistent with or better than those l identified in the A-45 studies. Based on this comparison of Fort Calhoun results with
! the A-45 studies, the licensee concludes that there are no unique DHR vulnerabilities
{ at Fort Calhoun.
The licensee does not propose to resolve any Generic Safety Issues (GSis) or USIs other than A-45.
i
! E.5 Vulnerabilities and Plant improvements 2
The licensee adopted criteria from the Nuclear Management and Resource Council (NUMARC) to screen the for plant specific vulnerabilities. These criteria were applied to the functional core damage sequences. Based on the NUMARC criteria, no plant-unique severe accident vulnerabilities were identified. However, the NUMARC l screening process did identify 3 functional transient sequences that would merit additional licensee action. One of these transient sequences (failure of long-term
- cooling via shutdown cooling or EFWST makeup) contributes 39% of the total CDF. In 1
5 e
4
- response to NUMARC guidance, the licensee will address this sequence by placing a l
- greater emphasis on training. In addition, Severe Accident Management Guidelines (SAMGs) will be developed with emphasis on prevention / mitigation of core damage, i vessel failure, or containment failure. SAMGs were also used to address two other o transient functional sequences having frequencies between 1E-05/yr to 1E-06/yr.
The following plant improvements were identified in conjunction with the IPE: ,
- Periodically leak test downstream shutdown cooling valve (ISLOCA path)
- Install anti-galloping devices on 161 KV offsite power source.
- Revise procedures to establish appropriate position of door to spent / regenerative tank / pump room during flood i
The total CDF reduction from the four improvements was approximately 1.82E 05/yr.
Without these improvements, the CDF would increase by a factor of 2.3 (from its i current value of 1.36E-05/yr to 3.18E-05/yr). l 1
E.6 Observations
! The licensee appears to have analyzed the design and operations of Fort Calhoun to discover instances of particular vulnerability to core damage, it also appears that the ,
licensee has: developed an overall appreciation of severe accident behavior; gained j J an understanding of the most likely severe accidents at Fort Calhoun; gained a j quantitative understanding of the overall frequency of core damage; and implemented '
changes to the plant to help prevent and mitigate severe accidents. l 2,
Strengths of the IPE are as follows: The identification and evaluation of initiating events is thorough compared to some other IPE/PRA studies.
No major weaknesses of the IPE were identified.
Significant level-one IPE findings are as follows:
- Without credit for the diesel-driven AFW pump, the CDF would increase by a factor of about 5 (from its current value of 1.36E-05/yr to 6.94E-05/yr).
- If the conditional RCP seal LOCA probability (given loss of seal cooling) is increased from 1.5E-03 to 1E-01, the CDF would increase by a factor of 10.4 (from its current value of 1.36E-05/yr to 1.42E-04/yr).
- Based on plant-specific deterministic analyses, the IPE assumed that a large LOCA can be mitigated without the use of LPSI pumps. In particular, the IPE assumed that successful core cooling during the early phase of a large LOCA can be accomplished with one HPSI pump and 3 safety injection pumps. This s
6
! element of the Fort Calhoun success criteria is more optimistic than many other PWR IPE/PRA studies which typically assume that large LOCA mitigation must include flow from at least one LPSI pump .
l l
i 1
I l
l l
9 7
1
- 1. INTRODUCTION 1.1 Review Process This report summarizes the results of our review of the front-end portion of the IPE for Fort Calhoun. This review is based on information contained in the IPE submittal [lPE Submittal] along with the licensee's responses (RAI Responses] to a request for 4 additional information (RAI).
1.2 Plant Characterization Fort Calhoun is a single unit Combustion Engineering (CE) plant located on the Missouri River, approximately 19 miles north of Omaha. Gibbs and Hill designed the balance-of- plant and auxiliary systems. This 2-loop (pre-System 80) plant has power ratings of 1,500 megawatts thermal (MWt) and 487 net megawatts electric (MWe).
Fort Calhoun began commercial operation in September 1973. The Fort Calhoun plant shares some features with other 2-loop pre-System 80 CE plants, for example Calvert Cliffs and Palisades. [pp. 2.1-8, 2.1-9,2.1-14,4.1-1, 4.1-9 of submittal]
Design features at Fort Calhoun that impact the core damage frequency (CDF) relative to other Pressurized Water Reactors (PWRs) are as follows: [pp.1.1-4 to 1.1-6, 6.0-6.
6.0-7 of submittal]
= Ability to oerform feed and bleed once-through coolina. This design feature lowers the CDF by providing an alternative method of core cooling given unavailability of the Auxiliary Feedwater (AFW) system.
= Use of self-contained radiators for diesel generator coolina. The diesel generators are cooled with self-contained radiators and thus do not require external cooling from plant cooling water systems. This design feature lowers the CDF.
- Diverse means of sucolvino AFW to steam aenerators. The AFW system contains a motor-driven pump, a turbine-driven pump, and a diesel-driven pump. The diesel-driven pump is independent of all plant support systems, including AC and DC electrical power. In addition to supplying steam generator makeup, the diesel-driven AFW pump can be used to transfer water from the condensate storage tank to replenish the AFW suction source, the emergency feedwater storage tank (EFWST). This design feature lowers the CDF. (p. 3.4-21 of submittal]
= Robust desian of reactor coolant oumo (RCP) seals. The seals on the Byron-Jackson RCPs are of a special design stated to be highly resistant to leakage in ;
the event seal cooling water is lost. This design feature lowers the CDF. l 8
l i
. Lack of a recuirement for emergencv core coolino system (ECCS) oumo j external cooling during the in_iection mode. The high pressure safety injection ,
(HPSI), low pressure safety injection (LPSI), and containment spray pumps :
require cooling water only in the recirculation mode. This design feature tends j to lower the CDF. 1
=
Indeoendence of HPSI oumos from LPSI oumos durina recirculatiol The HPSI !
pumps do not require " piggy-back" suction from the LPSI pumps for operation during recirculation. This design feature tends to decrease the CDF.
- Automatic switchover of ECCS from inlection to recirculation. This design feature tends to decrease the CDF over what it would otherwise be with a
- manual system. [p. 3.2-20, 3.2-28, 3.3-19 of submittal) '
l l l
- Abilitv to use the raw water system as a backuo to comoonent cooling water. I The raw water system can be manually-aligned backup to component cooling I
water for the shutdown cooling heat exchangers, the containment cooling units, the safety injection and containment spray pump bearing coolers, and control i room air conditioners. This design feature tends to decrease the CDF.
- Ability to use a diesel-driven fire oumo for olant functions. A diesel-driven fire pump, independent of plant systems, is available for long-term makeup to the AFW suction source, the EFWST. In addition, this pump can also serve as a backup to the raw water system for the purpose of cooling the component cooling water system. The ability to use the diesel-driven fire pump for these plant functions tends to reduce the CDF. (p. 3.4-21 of submittal]
. Oversized steam cenerators. The steam generators are designed for a larger reactor. Consequently, the ability to cool the reactor during an accident has a margin above what is normally expected. The steam generator boil off time is stated to be 55 minutes. This design feature tends to reduce the CDF. [pp.
3.1-65, 3.1-67 of submittal] ,
. Vital 120 VAC backuo oower source. If a vital inverter fails and 480 VAC is available, the 120 VAC control power normally supplied by the inverter is automatically supplied by a bypass transformer. This design feature tends to decrease the CDF.
. Eight hour batterv caoacitv. With apparent credit for load shedding, the batteries can provide power to basic safety-related control and instrumentation loads for 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. The 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> battery lifetime is longer than at some other plants. This design feature tends to lower the CDF. [p. 3.2-59, 3.3-17 of submittal]
9
l B
. Wide use of air-ooerated valves (AOVst Fort Calhoun uses AOVs for many applications in which other plants use motor-operated valves (MOVs). Generic data indicate that demand failure probabilities for AOVs tend to be slightly lower than corresponding failure probabilities for MOVs. In addition, the AOVs normally fail in their accident positions, reducing the vulnerability of the plant to station blackout. This design feature reduces the CDF.
. Favorable olant accessibilitv. Fort Calhoun is a relatively compact plant. Areas in which outside control room human actions would be performed can be readily l accessed. This design feature tends to reduce the CDF. l i
. Ooen desian of auxiliarv buildina and other olant areas. The open design of the auxiliary building and various rooms in the plant make it unlikely that HVAC will ;
be required to cool many items of plant equipment due to effective natural circulation. This design feature tends to reduce the CDF. [p. 3.2-67 of submittal]
=
Containment air coolina and filterina system. The plant design includes a containment air cooling and filtering system. This system provides a means of ]
performing containment cooling that is independent of the c ontainment spray )
syistem. This design feature tends to decrease the CDF. [pp. 3.2-45, 3.2-52 of '
submittal] ,
l 1
J I
l i
i l
I 10
l
- 2. TECHNICAL REVIEW 2.1 Licensee's IPE Process We reviewed the process used by the licensee with respect to: completeness and j methodology; multi-unit effects and as-built, as-operated status; and licensee participation end peer review.
l 2.1.1 Comoleteness and Methodoloov. )
l The submittalis complete with respect to the type of information requested by Generic ;
Letter 88-20 and NUREG 1335. No omissions were noted. l 4
The front-end portion of the IPE is a Level 1 PRA. The specific technique used for the j
- Level 1 PRA was a small event tree /large fault tree technique with fault tree linking.
.l [pp. 2.1-7, 3.3-46 to 3.3 48 of submittal) i i
i Intersystem dependencies are discussed and a table of system dependencies is i provided. Data for quantification of the models are provided, including common cause events and human recovery actions. The application of the technique for modeling internal flooding is described in the submittal. Results of an importance analysis of key CDF contributors are presented. Several types of sensitivity analysis were performed on the front-end results.
2.1.2 Multi-Unit Effects and As-Built. As-Ocerated Status.
The Fort Calhoun plant is a single unit site; therefore, multi-unit considerations do not apply to this plant.
. A plant familiarization effort was made by the licensee to support the IPE analysis.
This familiarization effort included walkdowns and the use of various sources of plant-specific information, including: engineering drawings, system descriptions, the UFSAR, Technical Specifications, and applicable plant procedures. Plant records were reviewed to develop plant-specific behavioral characteristics such as component failure rates and initiating event frequencies. [pp.1.1 -3,1.1 -4 of submittal]
The freeze date of the analysis was February 1989, with one exception. This freeze date exception involves credit for the diesel-driven AFW pump that was placed in service in August 1990. Without credit for the diesel-driven AFW pump, the total CDF would increase by a factor of 5.1 (from its current valve of 1.36E-05/yr to 6.94E-05/yr).
[pp.1,25 of RAI Responses)
The licensee intends to maintain a "living" PRA to respond to licensing and accident management issues. [p.1 of RAI Responses, pp. 1.1 -2, 5.0-2 of submittal) 11
l i
! 2.1.3 Licensee Particioation and Peer Review.
, The licensee provided the overall technical management of the IPE. It appears that ,
~
the licensee had five staff from an in-house PRA group assigned to the project.
Contractors used in the project include Science Applications Internaticnal Inc. (SAIC)
! and Combustion Engineering. As the project progressed, increasingly more work was done in-house, with consultants used in areas of special expertise. Well over 50% of ;
the total engineering effort applied to the IPE project was contributed by licensee
- personnel. The development of the IPE models involved interfacing and review activities with licensee staff from the Production Engineering, Operations, Training, and '
Maintenance and Reliability organizations. [pp. 1.1 -2, 1.1 -4, 5.0-2 of submittal, ;
- transmittal letter]
i I
There were three reviews of the IPE. For the first level of review, a PRA oversight
- committee was formed composed of licensee staff from System Engineering, Licensing, Training, Operations, Civil Engineering, Electrical Engineering, and Mechanical Engineering. This oversight committee met with the PRA group every two !
weeks to discuss the IPE results in general and specific findings. [pp. 5.0-2, 5.0-3 of submittal]
l A second level of review was performed by the PRA Executive Committee composed of upper level management. The third and finallevel of review was performed by a i peer review team composed of PRA experts from Duke Power, Yankee Engineering i 1
Services, and Combustion Engineering. The submittal summarizes major review i comments generated by the internal and independent external review teams, along l with corresponding comment resolutions [pp. 1.1-2, 5.0-3 to 5.0-6 cf submittal]
2.2 Accident Sequence Delineation and System Analysis This section of the report documents our review of both the accident sequence i delineation and the evaluation of system performance and system dependencies j provided in the submittal.
{ 2.2.1 Initiatino Events.
l An initial identification of initiating events was made by collecting lists of initiating events from PRAs of similar plants and reviewing information contained in an Electric
- Power Research Institute (EPRI)-sponsored study [EPRI 2230]. Plant-specific initiating events were developed from the systems analysis. The list of initiating events was refined and finalized during the IPE process as the success criteria and accident sequence analysis were developed. [pp. 3.1 -4, 3.1 -5 of submittal]
The initiating events included in the analysis are listed below: [pp. 3.1-15 to 3.1-24, i 3.1-43 to 3.1-45. 3.3-88 of submittal]
i l 1
1 12
. .. . . -.. .-.- - _ - . . ~_. - . - _ _ - _
l l
-Generic Transients: 1 Reactor trip i Loss of condenser vacuum j Turbine trip ;
Loss of main feedwater LOSP (4 categories listed below)
Loss of 345 KV with 161 KV unavailable (plant-centered)
Loss of 161 KV with failure to fast transfer (plant-centered) ,
LOSP (grid-related) l LOSP (weather-induced) l Steamline/feedline break upstream of main steam isolation valves (MSIVs) and j downstream of feedwater control valves (FWCVs) j Steamline/feedline break downstream of MSIVs ;
Closure of MSIVs in 1 steam generator loop j Closure of MSIVs in both steam generator loops j Partial load rejection Spurious steam generator isolation signal Reactor trip with power-operated relief valve (PORV) opening Special Initiators:
Loss of 4,160 VAC bus (4 categories)
Loss of 125 VDC bus (2 categories)
Loss of 125 VDC panel (2 categories)
Loss of component cooling water Loss of raw service water Loss of instrument air Less of HVAC (3 categories listed below)
Loss of HVAC to east switchgear area (room 56)
Loss of HVAC to west switchgear area (room 56A)
Loss of HVAC to control room LOCAs:
Small LOCA (0.0005 ft" to 0.00225 ft ry .
Medium LOCA (0.00225 ft' minimum size)
Large LOCA SGTR ISLOCA (4 categories)
Internal Flooding:
(Number of initiating events not specified) l Manual scrams from full power were included in the reactor trip category. The l licensee considered primary system break sizes less than 0.0005 ft" to be leaks instead of LOCAs, as these break sizes are within the capability of the normal charging system. A stuck open PORV was assumed to represent a medium LOCA.
l The four ISLOCA events considered are: reactor coolant system (RCS)/LPSI injection interface, RCS/LPSI shutdown decay heat removal interface, RCP seal cooler, and 13
RCS/ chemical and voiume control (CVCS) letdown interface. [p. 6 if RAI Responsas, pp. 3.1-9, 3.1-25, 3.1-26, 3.1-116, 3.2-80 to 3.2-89 of submittal] i Loss of an individual DC bus was modeled as an initiating event, as this condition will i cause a plant trip. While the IPE does not also model complete loss of DC as an initiating event, the logic models account for accidents initiated by loss of an individual ,
DC bus, with subsequent loss of the remaining DC bus during the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> accident I mission time. Complete loss of DC was excluded as an initiating event because the two DC buses are never cross-tied at power, and are physically separated. In addition, licensee reviews of industry and plant-specific data did not provide any evidence to support this type of common cause initiating event. [p. 9 of RAI l Responses]
Initiating event data were derived from a combination of both plant-specific data and generic sources. Relevant plant-specific data were gathered by reviewing Licensee Event Reports (LERs), control room logs, Nuclear Plant Reliability Data System (NPRDS), and monthly operating logs. Generic data were gathered from multiple sources including NUREG/CR-4550, NUREG/CR 3862, and WASH-1400. [p. 2 of RAI Responses,pp. 3.3-1, 3.3-10, 3.3-69 of submittal)
The IPE modeled four separate categories of LOSP events. These four categories were modeled to account for specific features of the Fort Calhoun grid, such as the ;
availability of two independent switchyards (345 Kv and 161 Kv). Together, these four ;
categories of LOSP events represent an initiator frequency of 0.22/yr, a value that is a factor of 2-5 higher than typically used in other PRA/IPE studies. Other PRA/IPE studies for single unit sites generally use a single LOSP initiating event. (Some ;
PRA/IPE studies associated with multiple unit sites have used separate LOSP events '
to distinguish individual unit LOSP from multiple unit LOSP.) [pp.3.1-16,3.1-17,3.1-18, 3.1-43 of submittal]
The ISLOCA frequencies are based on plant-specific logic models. The licensee considered overpressure effects on both piping and pump seals, and concluded that the piping would failinstead of the pump seals. The piping failure is postulated to occur before pump seals are exposed to full RCS pressure. [pp.10,11 of RAI Responses,pp. 1.1-9, 3.1-45, 3.1-117, 3.4-9, 4.3-29 of submittal]
The quantification of the majority of initiating events appears to be generally consistent with other PWR IPE/PRA studies. However, frequencies for the following initiating events are approximately an order of magnitude lower than corresponding data typically used in other PWR IPE/PRA studies: turbine trip, loss of main feedwater, medium LOCA, and large LOCA. [pp. 2 to 6 of RAI Responses, pp. 3.1-43 to 3.1-45 of submittal]
The turbine trip and loss of main feedwater initiating event frequencies were calculated
- by performing a Bayesian update of NUREG/CR-3862 generic data with plant-specific 14
_-. . . . - - - . _ .- _ = - - . . - - _ _ ~ .
experience from January 1,1985 through December 31,1990. During this data collection period, the plant did not experience any turbine trip or loss of main feedwater initiating events. [pp. 2 to 4 of RAI Responses)
The estimation of LOCA frequencies was based upon reviews of a fracture mechanics study (NUREG/CR-4290) and several PRA-related studies, including: NUREG/CR-4550, WASH-1400, the Big Rock PRA, and the Shoreham PRA. The licensee attempted to ensure consistency of the relative value of LOCA initiating events. For example, small LOCAs were judged to be more likely than large LOCAs, as is reflected in the IPE quantification. An attempt was also made to ensure that LOCA
. frequencies were intra-consistent with other Fort Calhoun initiating events (for example, high energy line breaks in the main steam or feedwater systems were j assumed to be analogous to medium LOCAs). The licensee states that sensitivity
- studies were performed for the quantification of initiating event frequencies, though 2
these sensitivity studies have not been provided. The licensee also states that initiating event frequencies will be re-examined during the next data update. [pp. 4 to 6 of RAI Responses)
Finally, it is noted that the frequencies fer loss of service water and loss of component cooling water appear to be an order of magnitude or more higher than data typically used in other IPE/PRA studies. [pp. 3.1-26, 3.1-43 to 3.1-45 of submittal) l 2.2.2 Event Trees.
1 The following event tree models were used in the analysis: [pp. 3.1-46 of submittal] !
Transient i Small LOCA i Medium LOCA l l Large LOCA l 1
SGTR l 4 ATWS ISLOCA The transient event tree includes the possibility that a transient will progress into a scenario involving loss of RCS integrity, either from an RCP seal LOCA or from stuck-open PORVs/SRVs. The ATWS event tree is adapted from a CE Owners Group generic study on ATWS. [pp. 3.1-48, 3.1-57, 3.1-103, 3.1-117, 3.2-8 to 3.2-90 of submittal][CE ATWS) 2 Core damage was defined to correspond to loss of an intact coolable geometry, a condition stated to occur if (1) a substantial portion of the core is uncovered and (2) a fuel cladding temperature of at least 2,200 deg F is reached in any node of the core as determined by best-estimate calculations. In many sequences, core damage was 15
a-l assumed if core uncovery had occurred and core recovery was not anticipated due to equipment failures. [p. 6 of RAI Responses]
The success criteria are based best-estimate thermal hydraulic analyses, other PRAs, and judgment. At least some of the thermal hydraulic analyses appear to have been provided by Combustion Engineering. Containment cooling is assumed to be required over the long term to ensure adequate net positive suction head (NPSH) for ECCS pumps during any type of accident where suction is taken from the containment sump.
[pp. 3.1 -7 to 3.1-9, 3.1-10, 3.1-105, 3.1-106 of submittal]
The IPE assumes that LPSI pumps are not requirM for the mitigation of a large LOCA. Specifically, the analysis assumes that successful core cooling during the early phase of a large LOCA can be accomplished with ore HPSI pump and 3 safety j injection tanks.8 This element of the Fort Calhoun success criteria is based on plant- )
specific best-estimate calculations performed with the CENTS computer code. Even if it is pessimistically assumed that all fission gas contained in the fuel pin gas plena is released during a successfully mitigated large LOCA, the total fission product release would represent less than 5% of the release associated with an unmitigated LOCA.
[pp. 7,8 of RAI Responses)
While the IPE modeled 4 separate ISLOCA categories, credit for possible accident '
mitigation was taken only in one instance, specifically for the RCP seal cooler ISLOCA. If an RCP seal cooler would fail, components in the CCW system would be overpressurized. The licensee determined tlat a rupture of CCW outside containment j would not result in failure of the HPSI pumr s, which have been credited for primary i system makeup. The likely location of ruptured CCW piping is relatively distant from the HPSI pump rooms. In addition, the HPSI pumps are contained in separate rooms that can be isolated during the event. Successful mitigation of the RCP seal cooler ISLOCA also requires primary / secondary heat removal via the AFW system and eventual termination of the ex-containment leakage. [pp. 9 to 11 of RAI Responses, pp. 3.1-117, 3.1-120 of submittal)
Fort Calhoun has Byron Jackson RCPs that utilize component cooling water for external cooling to the RCP seals and motors. The seats are designed so that seal injection is not required. Fort Calhoun is stated to be one of two Combustion Engineering plants having special RCP seals that are highly resistant to leakage if extemal cooling is lost (Palisades is the other plant). The submittal states that even under the worst circumstances where cooling is lost and the RCPs are run in excess of 30 minutes, the pumps will not be damaged. (It is acknowledged, however, that the operators are directed by procedure to trip the pumps on loss of cooling within S minutes.) [pp. 1.1-4, 3.1-9, 3.1-51, 3.4-23 of submittal]
' Other PV!R IPE/PRA studies typically assume that large LOCA mitigation must include flow from at least ono LPSI pump.
16
i Each of the Fort Calhoun RCPs has 4 hydrodynamic seal stages per RCP seal assembly. Each of the seal stages is capable of operating at full system pressure.
The IPE seal LOCA modelis largely based on results of tests sponsored by the CE Owners Group. Leaks greater than 120 gpm were assumed to occur either from random failure of all 4 seals in 1 of 4 RCPs, or common cause loss of 3/4 seals in all 4 RCPs (i.e. ,35 gpm per pump). The IPE assumes that a 120 gpm or greater seal LOCA will occur with a conditional probability of 1.5E-03 following a loss of CCW. The l IPE further assumes that if seal failure occurs, it will occur 90 minutes after loss of l seal cooling, consistent with NUREG-1150. [pp.11,12 of RAI Responses, pp.1.1-4, l l 3.1-9, 3.1-52, 3.1-53, 3.1-57, 3.4-23, 4.2-25, 4.6-9 of submittal]
The IPE seal model does not appear to have addressed the possibility of seal LOCAs less than 120 gpm, for example the potential for a 35 gpm LOCA caused by the failure of 3 of 4 seals in a single RCP. While 35 gpm is within the capacity of the plant l charging system, such makeup would be unavailable during a station blackout. Even so, the licensee believes the modeling of RCP seal LOCAs to be very pessimistic. For example, CE plants have experienced 12 operational occurre: .es in which RCP seat cooling was lost for periods between 30 minutes and 9 hours1.041667e-4 days <br />0.0025 hours <br />1.488095e-5 weeks <br />3.4245e-6 months <br />. In no case did the RCP sealleakage exceed 3 gpm. During a statior, blackout test run on a prototype seal assembly for one utility for more than 50 hours5.787037e-4 days <br />0.0139 hours <br />8.267196e-5 weeks <br />1.9025e-5 months <br />, seal controlled leakage remained within normal limits (approximately 1 gpm) for the entire period. Realistically, the licensee does not expect the failure of more than a single RCP seal stage during the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> front-end mission time, with maximum RCP leak rates in the 3 to 12 gpm range. With leak rates of this magnitude, the cort uncovery time would be in excess of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> from the onset of seal leakage. [pp.11,12 of RAI Responses]
2.2.3 Svstems Analysis.
Systems descriptions are included in Section 3.2.1 of the submittal. The system descriptions provide information related to system function, system design and operation, success criteria, and the pertinent fault tree model. The system descriptions also contain simplified schematics that show major equipment items and important flow and configuration information. A total of 18 systems are described, including ECCS, electrical power, cooling water, instrument air, and HVAC. Also described are plant features and analysis considerations related to the ISLOCA models.
2.2.4 Svstem Decendencies.
A system dependency matrix provided in Table 2.6.1 of the submittal. This matrix displays interdependencies among the various front-line and support systems. The support systems listed include AC power, DC power, cooling water, instrument air, and HVAC. It appears that the iPE has properly accounted for all component and system dependencies. [pp. 2.1-15,2.1-16 of submittal]
l 1
17
3 2.3 Quantitative Process This section of the report summarizes our review of the process by which the IPE quantified core damage accident sequences. It also summarizes our review of the data base, including consideration given to plant-specific data, in the IPE. The uncertainty and/or sensitivity analyses that were performed were also reviewed.
2.3.1 Quantification of Accident Seouence Frecuencies.
The IPE used the small event tree /large fault-tree technique with fault tree linking to quantify core damage sequences. Fault tree models were developed for systems depicted in the event tree top logic and their support systems. Functional event trees are used. The Cutset and Fault Tree Analysis (CAFTA) software was used to developed the fault trees and perform the accident sequence quantification. Accident sequence cut sets were developed to the level of specific failures or basic events. [pp.
2.1-7, 3.3-46 to 3.3-48 of submittal)
A cut set frequency threshold of at least 1E-09/yr was generally applied to the quantified flooding sequences. The effective truncation values used in other portions of the IPE were initiator- and sequence-specific. For example, the effective truncation values for large and medium LOCAs were less than 1E-09/yr, while truncation values for small LOCAs ranged from 4.8E-09/yr to 1E-10/yr. Truncation values used in other sequences were generally in the 1E-06/yr to 1E-07/yr range. However, several important failure events in other sequences were initially quantified with values of 1.0, whereas the actual probability values for these events were 1E-05 to 1E-06 range.
Also, post-accident human failure events were assigned a value of 0.1 during the initial accident sequence analysis process. For all sequences with significant CDF contributions, the ratio of the unrecovered core damage sequence frequency to the sequence truncation value was no less than 1,000, and usually above 10,000. A ratio of 1,000 or more provides some degree of assurance that truncation limits are appropriate. [pp.17 to 20 of RAI Responses, p. 3.3-70 of submittal)
Non-recovery data for LOSP initiating events were based on plant-specific and generic data, including data provided in an EPRI document [EPRI 6780). Separate sets of non recovery factors were assigned to the four different LOSP initiating events. The IPE non-recovery data are more optimistic than average industry experience reported in an EPRI-sponsored study [NSAC 147). For example, at two hours, the weighted average of the IPE non-recovery data are about a factor to two lower than the ,
corresponding NSAC data. At 7 hours8.101852e-5 days <br />0.00194 hours <br />1.157407e-5 weeks <br />2.6635e-6 months <br />, the IPE non-recovery data are a factor of 8 lower than the NSAC data. While the IPE non recovery data are more optimistic than average industry data, the sum of the LOOP initiating event frequencies is about 0.22/yr, or a factor of 3 higher than the average value of 0.068/yr cited in the NSAC study. [pp. 21,22 of RAI Responses, 3.1-140, 3.1-143 to 3.1-160, 3.3-16 to 3.3-19, 4.6-37, 4.10-5 of submittal) 18
2.3.2 Point Estimates and Uncertaintv/ Sensitivity Analyses.
The submittal presents mean and median values for component failure data. The human reliability analysis (HRA) data are presented in terms of mean values. It appears that the component failure and HRA data used in the IPE analysis represent mean values. The statistical significance (mean, medium, etc.) of the initiating event data are not explicitly stated. [pp. 3.1-43 to 3.1-45, 3.3-2 to 3.3-9, 3.3-11 to 3.3-14, 3.3-18,3.3-19 of submittal]
An uncertainty analysis was performed on the baseline core damage model. This uncertainty analysis addresses the parameter value uncertainties associated with the data analysis, HRA, and recovery analysis tasks. [pp. 3.5-1 to 3.5-4 of submittal]
The licensee presents the results of 4 types of sensitivity analysis, which are summarized below in Table 2-1. The licensee states that sensitivity studies were also performed for the quantification of the initiating event frequencies, though these sensitivity studies have not been provided. [pp.1,4 to 6 of RAI Responses, pp. 3.4-23 to 3.4-25, 4.2-25 of submittal]
2.3.3 Use of Plant-Soecific Data.
Plant-specific data were used where possible for component failure rates and test / maintenance unavailabilities. Plant-specific data applicable to component failures and test / maintenance unavailabilities were collected over a 6-year window from January 1,1985 through December 31,1990. The plant-specific data were extracted from the Computerized History and Maintenanco Planning System. [pp. 3.3-1, 3.3-10 of submittal]
Table 2-1. Summary of Reported Front-End Sensitivity Analyses Type of Sensitivity Analysis impact on Baseline CDF (1.36E 05/yr)
New CDF (yr) Ratio of new CDF/ baseline CDF increase conditional probability of RCP seal 1.42E-04 10.4 LOCA (given loss of cooling) from 1.5E-03 to 1E-01 Remove credit for 161 Kv power source 3.73E-05 2.7 Remove credit for diesel-driven AFW pump 6.94E 05 5.1 Increase individual human error Up to -7.1E 05, depending on specific Up to - 5, probabilities (HEPs) to 0.1 event; event that influences CDF depending on most is miscalibration of safety specific event injection refueling water tank (SIRWT) level instrumentation-19
Plant-specific component failure data were used as actual failure rates in the IPE (no d
l update of generic data) if plant-specific experience indicated at least one failure . In l l cases where plant-specific experience indicated zero failures, the associated plant-specific failure data were used to Bayesian update generic data. Plant-specific failure data were gathered for 16 systems modeled in the analysis. (p. 23 of RAI Responses, l pp. 3.3-1, 3.3-10 of submittal] j Table 2-2 of this review compares Fort Calhoun plant-specific failure data for selected I l
components to values typically used in PRA and IPE studies, using NUREG/CR-4550 data for comparison. [pp. 23,24 of RAI Responses, 3.2-1, 3.3-10, 3.3-11 to 3.3-14 of submittal] l, As can be seen from Table 2-2, plant-specific data for turbine-driven "run" failures are over a factor of 50 lower than generic data, in addition, the following component failure modes are about a factor of ten lower than corresponding generic data: turbine-driven pump " start", HPSI pump "run", raw water pump " start", CCW pump "run", and diesel generator " start". Also, the plant-specific CCW pump " start" data are about a l factor of 3 lower than generic data. On the other hand, plant-specific raw water pump "run" data are about a factor of 4 higher than the generic data. The remaining plant-specific data listed in Table 2-2 are within a factor of two of the corresponding generic data, l As previously discussed in Section 2.2.1 of this report, plant-specific data were used to support the quantification of initiating event frequencies.
2.3.4 Use of Generic Data.
Generic data were used for component failures when no plant data were available.
Also, as previously discussed, where plant data were available but no failures were experienced, generic data were Bayesian updated to reflect the plant experience. The generic data were based on either (1) the failure experience of nuclear utilities or other process industries, or (2) expert opinion. The submittal does not specifically identify l published sources of generic data used in the analysis. [pp. 3.3-1 of submittal]
We performed a comparison of the IPE generic component failure data to generic values used in NUREG/CR-4550. This comparison is summarized in Table 2-3. [pp.
3.3-2 to 3.3 9 of submittal]
- The diesel driven AFW pump represents an exception to this rule. Even though plant-specific failure data are available for this pump, the licensee decided to use slightly higher generic data, in part due to lingering pump vibration problems. The plant and generic data are comparable (start failure:
- generic = 4.1E-02, plant-specific = 2.8E-02; run failure probability for 24-hour mission time: generic =
1.8E 02, plant-specific = 1.5E-02). [p. 25 of RAI Responses) 20
Table 2-2. Plant-Specific Component Failure Data' .
i Component Failure Mode IPE Quantification Method IPE Estimate NUREG/CR ;
4550 Mean i Haw" plant data Bayesian update Value (at least 1 plant of generic data (no Estimate failure) plant failures)
Turbine- Start x 4.31E 03 3E 02 i 1
dn.ven pump Run x 8.87E-05 SE-03 l HPSIPump Start x 2.27E 03 3E-03 1 Run x 2.88E-06 3E-05 LPSIPump Start x 1.74E-03 3E-03 I Run x 1.68E-05 3E-05 Raw water Start x 5.66E-04 3E 03 P P Run x 1.30E-04 3E-05 CCW pump Start x 8.84E-04 3E 03 Run x 3.58E-06 3E-05 ECCS MOV Open (demand) x 1.93E-03 3E 03 Close (demand) x 1.93E-03 3E-03 Battery Operate x 5.9E-07 1 E-06 charger (see note 2)
Circuit Open (demand) x 5.67E-03 3E-03 Close (demand) x 5.67E-03 3E-03 Diesel Start x 3.14 E-03 3E-0?
9'"' # '
Run x 3.31 E-03 2E 03 Notes: (1) Failures to start, open, close, operate, or transfer are probabilities of failure on demand. The other failures represent frequencies expressed per hour. (2) As reported in the RAl responses, the !
battery failure frequency is 5.21E-03 (no units provided). Assuming this value is intended to represent a per-year value,5.21E-03/yr would correspond to 5.9E-07 per hour over a full calendar year (8,760 hours0.0088 days <br />0.211 hours <br />0.00126 weeks <br />2.8918e-4 months <br />).
l 21
_ ~ . . . . _ _ - _ . _ _ _ . . _ _ - . _ - _ . _ _ . . _ _ _ _ _ _ .. _ _ _ _ ..
i Table 2-3. Genetic Component Failute Data' l Component Failure Mode IPE Mean Value NUREG/CR-4550 Mean i Estimate Value Estimate Turbine-driven pump Start 2.62E-02 3E-02 l Run 8.91 E-05 SE-03 l Motor-driven pump Start 4.84E-03 3E 03 l Run 8.45E-05 3E-05 Diesel-driven pump Start 4.1 E-02 3E-02 i Run 7.5E-04 8E 04 MOV Open 5.07E 03 3E-03 !
Close 6.01 E-03 3E-03 j AOV Operate 2.17E-03 2E-03 Check valve Open 1.45E-04 1 E-04 Battery charger No output 7.78 E-06 1 E-06 ,
l l l
Battery No output 1.93E-06 1 E-06 i l i.iverter No output 2.87E-05 1 E-04 Diesel generator Start (see note 2) 1.76E-02 3E-02 Notes: (1) Failures to start, open, close, operate, or transfer are probabilities of failure on demand. The l other failures represent frequencies expressed per hour. (2) Diesel generator "run" failures were j quantified solely with plant-specific data. l As can be seen in Table 2-3, the IPE generic data for the turbine driven pump "run" i failure are about a factor of 50 lower than the NUREG/CR-4550 data. Also, the IPE
- generic data for inverter failures are over a factor of 3 lower than the NUREG/CR-l 4550 data. On the other hand, IPE generic data for battery charger failures are about
[ a factor of 8 higher than the NUREG/CR-4550 data. The remaining IPE and NUREG/CR-4550 listed in Table 2-3 are comparable.
~
! As previously noted in Section 2.2.1 of this report, generic data were combined with
! plant-specific data to support the development of various initiating events.
l 2.3.5 Common-Cause Quantification.
The estimation of common-cause failure probabilities was based on the beta factor method. Table 3.3.4.1 of the submittal lists some of the common cause beta factor j estimates used in the analysis. Components listed in this table are: circuit breakers, batteries, check valves, AOVs, MOVs, various pumps, diesel generators, and instrumentation components. The submittal notes that for components and/or failure
! modes not listed in Table 3.3.4.1, a beta factor of 0.1 was used. [pp. 3.3-42 to 3.3-45 l
of submittal]
22
The common cause beta factors were extracted from several NRC-sponsored studies, including: [NUREG/CR 4780], [NUREG/CR 2098), and (NUREG/CR 2770]. The common cause events were added to the fault tree models. [pp. 3.3-42, 3.3-44, 3.3-45 of submittal)
We performed a comparison of the extracted IPE common-cause beta factors with generic values used in the NUREG/CR-4550 studies. This comparison is summarized in Table 2-4.
Table 2-4. Comparison of Common-Cause Failure Factors i
Component IPE Beta Factor From Table NUREGICR 4550 Mean ;
3.3.4.1 (Assuming 2 Component Value Bets Factor l System) (2 Component System)
]
Pump - Service Water 0.03 Fail to Start or Run 0.026 Fail to Start '
Pump - Component Cooling Water 0.03 Fail to Start or Run 0.026 Fail to Start Pump - RHR 0.11 Fail to Start or Run 0.15 Fail to Start Pump - HPSI 0.17 Fail to Start or Run 0.21 Fail to Start Pump Containment Spray 0.05 Fail to Start or Run 0.11 Fail to Start l Valve - MOV 0.08 Fail to Open or Close 0.088 Fail to Operate l Valve - AOV 0.191 Fail to Open or Close 0.10 Fail to Operate Valve - Safety / Relief 0.07 Fail to Open 0.07 Fail to Open ;
Diesel Generator 0.05 Fail to Start or Run 0.038 Fail to Start Table 2-4 shows that the IPE common cause beta factors for the listed components !
are generally consistent with generic data from NUREG/CR-4550. l 1
2.4 Interface issues This section of the report summarizes our review of the interfaces between the front- )
end and back-end analyses, and the interfaces between the front-end .md numan factors analyses. The focus of the review was on significant interfaces that affect the ability to prevent core damage.
2.4.1 Front-End and Back-End interfaces.
Containment cooling functions at Fort Calhoun are provided by a containment spray system and a containment air cooling and filtering system. The containment spray system consists of three pumps, two heat exchangers, and two spray headers. The containment air cooling and filtering system consists of two cooling and filtering units (CFUs) and two cooling fan units (CUs). The component cooling water system would be the primary means of removing heat from the containment spray heat exchangers, CFUs, and CUs. If component cooling water were not available, the service water
- system could be directly aligned to these components as an alternate means of 23
cooling. The IPE assumes that containment cooling is required over the long term to ;
ensure adequate NPSH for ECCS pumps during any type of accident where suction is <
taken from the containment sump. [pp. 3.1-7 to 3.1-9, 3.1-10, 3.2-6 to 3.2-11, 3.2-45, 3.2-52, 4.1-25, 4.1-26 of submittal) l l
Four ISLOCA events were considered in the analysis, specifically. RCS/LPSI injection interface, RCS/LPSI shutdown decay heat removal interface, RCP seal cooler, and .
RCS/ letdown interface. The ISLOCA frequencies are based on plant-specific logic l l models. The quantification of the following three ISLOCA initiating events could be determined from the submittal: RCS/LPSI injection interface, RCS/LPSI shutdown decay heat removal interface, and RCS/ letdown interface. The quantification of these three initiating events is comparable with other typical IPE/PRA studies. Significant i
credit was taken for the possibility that overpressurized systems will remain intact (for example, the probability of rupturing overpressurized LPSI system components outside containment was assumed to be 0.02). [pp.1.1 -9, 3.1 -123, 3.1 -127, 3.1 -128, 3.2-80 to 3.2-85, 4.2-71 of submittal]
As a group, ISLOCA events contribute almost 5% of the total CDF. This percent contribution is high compared with some other PWR IPE/PRA studies. This relatively high contribution of ISLOCA events can be explained by the fact no credit was given in the IPE for mitigation of three of the four ISLOCA categories, specifically: RCS/LPSI injection interface, RCS/LPSI shutdown decay heat removal interface, and RCS/ letdown interface. Other IPE/PRA studies typically have taken more credit for l ISLOCA mitigation than Fort Calhoun. [pp. 1.1-9, 3.1-127, 3.1 -123, 3.1-128, 4.2-71 of submittal)
Plant damage states (PDSs) were used to couple the front and back-end analyses.
The assignment of PDSs in the IPE based on core damage characteristics is consistent with other IPE/PRA studies. Prior to the assignment of PDSs, a-separate event tree analysis was used to identify the status of containment safeguards systems associated with the various front-end accident sequences. [pp. 3.1-136 to 3.1-171 of submittal) 1 2.4.2 Human Factors Interfaces.
Based on our review of the front-end analysis, the following broad categories of l operator actions were found to be important: [pp. 3.4-22 to 3.4-25]
= Operator actions needed to initiate feed and bleed cooling
. Operator actions related to recovery of offsite power
. Operator actions to align makeup flow to the EFWST Credit was taken in the floc. ding analysis for detection, isolation, and recovery actions j only where possible and where it would make a significant difference to the final CDF.
Credited actions include aligning a fire pump to the CCW heat exchangers and 24
_ . . . = - - - . _
- ~_. -
i 4
providing makeup to the safety injection refueling water tank after failure of automatic ECCS switchover. [pp. 36, 37 of RAI Responses, pp. 3.3-17 to 3.3-19, 3.3-70, 3.3 92, 3.3-93 of submittal] ;
2.5 Evaluation of Decay Heat Removal and Other Safety issues This section of the report summarizes our review of the evaluation of Decay Heat Removal (DHR) provided in the submittal. Other GSI/USIs, if they were addressed in i the submittal, were also reviewed.
2.5.1 Examination of DHR.
- The licensee specifically addresses DHR and its contribution to CDF. Table 3.4.5 of the submittal compares DHR vulnerability insights from USI A-45 studies with their applicability to Fort Calhoun. This table contains a discussion of DHR as related to:
support system failures, adequacy of physical separation, sharing and interconnections between redundant trains, human errors, contribution of LOSP, and effect of feed and bleed on DHR-related risk. Using mainty qualitative arguments, the licensee demonstrates that the IPE results are consistent with or better than those identified in the A-45 studies. Based on this comparison of Fort Calhoun results with the A-45 studies, the licensee concludes that there are no unique DHR vulnerabilities at Fort Calhoun. [pp. 3.4-15 to 3.4-22 of submittal]
2.5.2 Diverse Means of DHR.
The IPE evaluated the diverse means for accomplishing DHR, including: use of power conversion system, feed and bleed, auxiliary feedwater, and ECCS. In addition, the IPE addressed requirements for containment cooling to ensure adequate NPSH for ECCS pumps when ECCS pump suction is taken from the containment sump.
[pp.1.1-4 to 1.1-6, 6.0-6, 6.0-7 of submittal]
2.5.3 Uniaue Features of DHR.
The unique features at Fort Calhoun that directly impact the ability to provide DHR are as follows: [pp.1.1-4 to 1.1-6, 6.0-6, 6.0-7 of submittal]
I
. Ability to oerform feed and bleed once-throuch coolina. This design feature lowers the CDF by providing an alternative method of core cooling given unavailability of the Auxiliary Feedwater (AFW) system.
. Divers.e means of sucolvino AFW to steam aenerators. The AFW system j contains a motor-driven pump, a turbine-driven pump, and a diesel-driven '
pump. The diesel-driven pump is independent of all plant support systems, including AC and DC electrical power. In addition to supplying steam generator makeup, the diesel-driven AFW pump can be used to transfer water from the 25
condensate storage tank to replenish the AFW suction source, the emergency feedwater storage tank (EFWST). This design feature lowers the CDF.
- Automatic switchover of ECCS from iniection to recirculation. This design feature tends to decrease the CDF over what it would otherwise be with a manua! system.
. Oversized steam cenerators. The steam generators are designed for a larger reactor. Consequently, the ability to cool the reactor during an accident has a margin above what is normally expected. The steam generator boll off time is stated to be 55 minutes. This design feature tends to reduce the CDF.
l a Containment air coolina and filterina system. The plant design includes a ,
containment air cooling and filtering system. This system provides a means of l performing containment cooling that is independent of the containment spray i system. This design feature tends to decrease the CDF. l 2.5.4 Other GSl/USIs Addressed in the Submittal.
l The licensee does not propose to resolve any GSI/USis other than A-45. However, i the submittal notes that insights regarding flooding and water intrusion from USl A-17,
" Systems interactions in Nuclear Power Plants," have been considered in the IPE process. [p. 3.4-22 of submittal]
, 2.6 Internal Flooding This section of the report summarizes our reviews of the process used to model internal flooding and of the results of the analysis of internal flooding.
2.6.1 Internal Flooding Methodologv. l l
The methodology used to analyze internal flooding included the following general l steps: [pp. 3.3-66 of submittal]
4 e identification of flood sources a Definition of flood scenarios considering possible propagation paths a Assessment of the effects on plant equipment as a result of each flood initiator .
and subsequent propagation paths l
= Estimation of flooding-related CDF contributions.
During the f' coding analysis, screening of potential accident scenarios was done, I l
usually with a deterministic basis (for example expected flow rates and flood heights).
The flooding analysis included the review of a 1990 Fort Calhoun flooding study that .
was performed in response to Institute of Nuclear Power Operations (INPO)
- recommendations [SEOR 85-05). [pp. 3.3-66, 3.3-67 of submittal]
i 26
a e-o- - a a w a~e 2 - e ---- ,----e +--- + &.A The flooding analysis considered a variety of flood sources, including: piping, pipe welds, valve gaskets / seals, pump gaskets / seals, heat exchangers, and tanks. Plant '
l walkdowns were performed throughout the analysis to verify various aspects of the analysis, for example propagation paths and equipment locations. [pp. 3.3-67, 3.3-68 j of submittal]
The analysis considered effects from submergence, spray, splashing, and steam.
Flood initiating events were initially assumed to occur at a frequency of 3E-02/yr based l on actual experience from industry data. Scenarios not initially screened were quantitatively analyzed with the Level 1 logic models to assess the CDF. [pp. 3.3 67 to l
3.3-71 of submittal]
, Credit was taken for detection, isolation, and recovery actions only where possible and I
where it would make a significant difference to the final CDF. Credited actions include aligning a fire pump to the CCW heat exchangers and providing makeup to the safety l injection refueling water tank after failure of automatic ECCS switchover. [pp. 36,37 of RAI Responses, pp. 3.3-17 to 3.3-19, 3.3-70, 3.3-92, 3.3-93 of submittal]
2.6.2 Internal Flooding Results.
The CDF contribution from internal flooding was estimated to be 1.9E-06/yr, or 14% of the total CDF. Five dominant flooding scenarios account for 90% of this CDF contribution. These five dominant flooding scenarios are summarized below: [pp. 3.3- t 91, 3.3-93 to 3.3-94 of submittal]
CCW-related flood oriainating in auxiliary building basement room 18.
Equipment damaged by the flood includes the motor-driven and steam-driven AFW pumps, and all the air compressors. Loss of CCW results in the loss of multiple support functions, including cooling to the RCP seals and HPSI pumps.
Key independent failures include the failure of the diesel-driven AFW pump and operator failure to initiate feed and bleed. This sequence has a CDF of 8.0E-07/yr.
. CCW-related flood oriainatino in auxiliary buildino basement corridor 26.
Equipment damaged as a result of the flood includes the motor control center for the containment recirculation isolation valves. Loss of CCW results in the loss of multiple support functions, including cooling to the RCP seals and HPSI pumps. Key independent failures include the failure of operators to make up inventory to the SIRWT. This scenario has a CDF of 3.0E-07/yr.
- AFW-related flood originatino in AFW oumo room 19. Equipment damaged by l the flood includes the motor-driven and steam-driven AFW pumps, and all the l air compressors. Key independent failures include the failure of the diesel-driven AF J pump and operator failure to initiate feed and bleed. This sequence has a CDF of 2.7E-07/yr.
27
l
- Raw water-related flood oriainatina in auxiliary buildino room 56. Equipment damaged by the flood includes various items of electrical switchgear. Key independent failures include the failure of the diesel-driven AFW pump. This sequence has a CDF of 2.1E-07/yr.
= AFW-related flood oriainatina in auxiliary buildina room 56. Equipment damaged by the flood includes various items of electrical switchgear and both
! diesel generators. Key independent failures include the failure of the diesel-driven AFW pump. This sequence has a CDF of 1.1E-07/yr.
l 2.7 Core Damage Sequence Results This section of the report reviews the dominant core damage sequences reported in the submittal. The reporting of core damage sequences- whether systemic or functional-is reviewed for consistency with the screening criteria of NUREG-1335.
The definition of vulnerability provided in the submittalis reviewed. Vulnerabilities, enhancements, and plant hardware and procedural modifications, as reported in the submittal, are reviewed.
2.7.1 Dominant Core Damaae Seauences.
The IPE utilized functional event trees, and reported results using the screening criteria from Generic Letter 88-20 for functional sequences. The point CDF estimate (including internal flooding) is 1.36E-05/yr. [pp.1.1-4, 3.4-8, 3.5-1 of submittal] ;
i 5
Accident types and their contributions to CDF are provided below in Table 2-5. ,
Table 2-5. Accident Types and Their Contribution to Core Damage Frequency l
Accident Type CDF Contribution pr yr. Percent Contribution to CDF Station Blackout 4.8E-06 35 Transient 4.2 E-06 31 Internal Flood 1.9E-06 14 LOCAs 1.1 E-06 8 SGTR 7.6E 07 6 ISLOCA 6.7E-07 5 ATWS 2.9E-07 2
)
i i
s The data contained in this table were deriveo' from Table 3.4.1 of the submittal, the internal flood results presented on p. 3.3-91 of the submittal, and the station blackout CDF value of 4.77E-06/yr provided in the RAI Responses. [p.13 of RAI Responses, pp. 3.3-91,3.4 2 to 3.4-7 of submittal) 28
l Transient-induced RCP seal LOCAs represent 14% of the total CDF. Initiating events 5
and their percent contribution, are listed below in Table 2-6. As a group, the four LOSP initiating events contribute 49% of the CDF. [p.13 of RAI Responses, pp.1.1-8,1.1-10, 3.1-43 to 3.1-45, 3.3-88, 3.3-89, 3.3-93, 3.3-94, 3.4-2 to 3.4-8, 3.4-21 of
] submittal)
Table 2-6. Initiating Events and Their Contribution to Core Damage Frequency ,
Initiating Event CDF % Con
- Contribution /yr, to CDF LOSP (161 KV switchyard lost, fall of fast trans to station gen) 3.86E-06 28 LOSP (345 KV switchyard lost,161 KV not avail) 1.63E-06 12 Small LOCA 8.14 E-07 6.0 Internal flood: break of CCW in HX room 18, aux bldg elev 989' 8.0E 07 5.9 !
j LOSP (weather-induced) 7.79E-07 5.7 l
, SGTR 7.60E-07 5.6
! Loss of HVAC to east swgr area (room 56) 4.70E-07 3.5 Loss of HVAC to west swgr area (room 56A) 4.70E-07 3.5 l
j Loss of 125 VDC Bus 1 3.96E-07 2.9 LOSP (grid-related) 3.64E-07 2.7 j internal flood: break of CCW in corridor 26, aux bldg elev 1007' 3.0E-07 2.2 ISLOCA: RCS/CCW interface (RCP seal cooler) 2.98E-07 2.2 ISLOCA: RCS/LPSI DHR cooling interface 2.96E-07 2.2 Loss of instrument air 2.84E-07 2.1 ;
Internal flood; break of AFW in room 19, aux bldg elev 989' 2.7E-07 2.0 Turbine trip 2.06E-07 1.5 Internal flood: leak of raw water in east swgr area, aux bldg elev 1011' 2.1 E-07 1.5 Loss of r;.w water 1.79 E-07 1.3 Large LOCA 1.35E-07 1.0 Medium LOCA 1.22E-07 0.9 Internal flood: break of AFW in room east swgr area, aux bldg elev 1011 1.1 E-07 0.8 Reactor trip 1.09E-07 0.8 Partialload rejection 9.33E-08 0.7 Loss of 125 VDC Bus 2 6.03E-08 0.4
- With the exception of lower order flooding events, this table is complete. This table was assembled from information provided on p.13 of the RAI responses and Table 3.3.6.6 of the submittal. The RAI responses provide the non-flood related events, while dominant flooding sequences are listed in submittal
, Table 3.3.6.b. Together, the internal flood events listed in submittal Table 3.3.6.6 represent about 90% of the total flood-related CDF. Because internal flooding contributes about 14% to the total CDF, the missing flood-related initiating events represent less than 2% of the total CDF.
29
I Table 2-6. Initiating Events and Their Contribution to Core Damage Fmquency -
Continued initiating Event CDF % Cont.
Contribution /yr. to CDF Loss of 125 VDC Panel Al-41B 5.91 E-08 0.4 ISLOCA: RCS/LPSI injection interface 5.84E-08 0.4 Spurious steam generator isolation signal 5.50E-08 0.4 Steam /feedline break on SG2 downstream of MStVs 5.08E-08 0.4 Loss of HVAC to control room 4.75E-08 0.3 Loss of CCW 3.63E 08 0.3 Loss of main feedwater 3.08E 08 0.2 Loss of 125 VDC Panel Al-41 A 2.64E-08 0.2 Loss of 125 VDC Panel Al-41B 5.91 E-08 0.4 ISLOCA: RCS/LPSI injection interface 5.84E-08 0.4 Spurious steam generator isolation signal 5.50E 08 0.4 j Steam /feedline break on SG2 downstream of MSIVs 5.08E-08 0.4 Loss of HVAC to control room 4.75E-08 0.3 Loss of CCW 3.63E-08 0.3 Loss of main feedwater 3.08E-08 0.2 Loss of 125 VDC Panel Al-41 A 2.64E-08 0.2 ISLOCA: RCS/CVCS interface (letdown line) 2.32E-08 0.2 Steam /feedline break on SG2 upstream of MSIVs, downstream of FWCVs 1.86E-08 0.1 Closure of MSIV (1 SG loop) 1.84E 08 0.1 Reactor trip with PORV opening 9.56E-09 0.07 Closure of MSIVs in both SG loops 6.39E-09 0.05 Loss of condenser vacuum 3.94E-09 0.03 Loss of 4 Kv Bus 1 A3 5.05E-10 0.004 Loss of 4 Kv Bus 1 A4 <5E 10 <0.004 Loss of 4 Kv Bus 1 A2 <5E 10 <0.004 Loss of 4 Kv Bus 1 A1 <5E 10 <0.004 The 5 most dominant functional core damage sequences are summarized below in Table 2-7 of this report. [pp.1.1-9 of submittal]
30
1 Table 2-7. Top 5 Dominant Functional Core Damage Sequences initiating Event Dominant Subsequent % Contribution to Failures in Sequence Total CDF
, Transient (includes LOSP Failure of long-term decay heat removal; heat 39 initiators) removal most often falls because the emergency feedwater storage tank is not replenished Transient Loss of cooling to RCP seals, seal LOCA, failure 14 of high pressure safety injection Internal Flood Various equipment / system failures 14 Transient Failure of primary-to-secondary heat removal, 11 failure of feed-and-bleed Small LOCA Failure of high pressure safety injection 5 a
l The submittal also provides the results of a Fussell-Vesely importance analysis of the ;
basic and recovery events. The most important events based on this importance analysis are listed below: [pp. 3.4-25, 3.4-26 of submittal]
- Common cause unsuccessful load shed from 4,160 VAC buses 1 A3 and 1 A4
- Failure of diesel-driven auxiliary feedwater pump i
- Operator fails to use diesel-driven feedwater pump to replenish emergency ,
feedwater storage tank
- Failure of RCP seals given insufficient cooling ,
- Run failure of diesel generator DG-1 1
- Operator fails to use diesel-driven fire pump to replenish emergency feedwater ;
storage tank :
I
- Run failure of diesel generator DG-2
- Operator fails to manually trip 4,160 VAC circuit breaker, given that breaker {
does not trip automatically 2.7.2 Vulnerabilities.
The licensee adopted criteria from NUMARC [NUMARC 9104) to screen for plant-specific vulnerabilities. Based on the NUMARC criteria, no plant-unique severe accident vulnerabilities were identified. However, the NUMARC screening process did identify 3 functional transient sequences that would merit additional licensee action.
One of these transient sequences (failure of long term cooling via shutdown cooling or EFWST makeup) contributes 39% of the total CDF. In response to NUMARC guidance, the licensee will address this sequence by placing a greater emphasis on training. In addition, Severe Accident Management Guidelines (SAMGs) will be developed with emphasis on prevention / mitigation of core damage, vessel failure, or containment failure. SAMGs were also used to address two other transient functional l
. sequences having frequencies between 1E-05/yr to 1E-06/yr. [pp. 3.4 8,3.4-11 to 3.4-14, 6.0-2,7.0-2 of submittal, transmittal letter) j 31 ,
l
l i
2.7.3 Procosed imorovements and Modifications. j l
The licensee identified 4 plant improvements in conjunction with the IPE. These !
Improvements are summarized below in Table 2-8. [pp.14 to 16,25,26 of RAI
, Responses,pp. 3.1-14, 3.2-62, 3.2-81, 3.2-87, 3.3-89, 6.0-2, 6.0-4 of submittal] 1 l
l The total CDF reduction from the four improvements was approximately 1.82E-05/yr. !
j Without these improvements, the CDF would increase by a factor of 2.3 (from its l current value of 1.36E-05/yr to 3.18E-05/yr). [p.16 of RAI Responses]
Finally, the licensee stated that plant improvements related to the station blackout i study were essentially complete prior to completion of the IPE. These station blackout l improvements were credited in the IPE. However, estimates of CDF reductions ;
related to station blackout improvements are not available. (p.16 of RAI Responses] l J
)
1 i
l l
i l
)
l l
l l
r l
32 1
l i
l Table 2-8. Summary of Plant improvements .
I Plant improvement Status Plant Notes Estimated improvement CDF Credited in impact Per IPE7 Reactor-yr
' Not install door to mitigate Complete Yes (1) Door to provide alternate route for potential CCW ISLOCA operator access to raw water valves for provided effects from RCP seal the safe shutdown cooling HXs - by cooler failure using door, operator avoids passing through area affected by CCW ISLOCA (2) Subsequent to IPE, orientation of a CCW air-operated isolation valve has been changed; CCW ISLOCA will now force valve closed - previously, ISLOCA would have pushed valve open; this l
valve re-orientation diminishes the importance of the door installation
. (3) Main benefit of door is reduction in offsite release Periodically leak test Complete Yes Main benefit of additional testing is 2.0E-07 downstream shutdown reduction in offsite release cooling valve (HCV- ;
347) to reduce ISLOCA l potential Installation of anti- Complete No Not avail galloping devices on 161 Kv offsite power l source Revise procedures so in Yes (see (1) Room 23 is at the lowest level of 1.8E-05 that door to spent progress notes 2,3 at the aux bldg and has a large volume, regenerative tank / pump rignt) thereby providing a benefit to the room (room 23) is collection of water during an internal positioned appropriately flooding event.
during flood (2) The IPE assumed that room 23 door would be open; procedure revision would position door appropriately depending on whether flood originated outside or inside room 23 (3) Most flood events originate outside room 23, thus the open (versus closed) position of door provides the greatest safety benefit 33 .
- 3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS i
4 This section of the report provides an overall evaluation of the quality of the IPE based on this review. Strengths and weaknesses of the IPE are summarized. Important
- assumptions of the model are summarized. Major insights from the IPE are I presented.
Strengths of the IPE are as follows: The identification end evaluation of initiating events is thorough compared to some other IPE/PRA studies.
No major weaknesses of the IPE were identified.
Based on our review, the following aspects of the modeling process have an impact on the overall CDF:
= A large LOCA can be mitigated without the use of LPSI pumps
- Initiating event frequencies for turbine trip, loss of main feedwater, large LOCAs, and medium LOCAs are an order of magnitude lower than generic values typically used in other IPE/PRA studies Both of these aspects of the modeling process tend to lower the CDF.
Significant findings on the front-end portion of the IPE are as follows:
= Without credit for the diesel-driven AFW pump, the CDF would increase by a factor of about 5 (from its current value of 1.36E-05/yr to 6.94E-05/yr).
- If the conditional RCP seal LOCA probability (given loss of seal cooling) is increased from 1.5E-03 to 1E-01, the CDF would increase by a factor of 10.4 (from its current value of 1.36E-05/yr to 1.42E-04/yr). ,
I
- Based on plant-specific deterministic analyses, the IPE assumed that a large LOCA can be mitigated without the use of LPSI pumps. In particular, the IPE assumed that successful core cooling during the early phase of a large LOCA can be accomplished with one HPSI pump and 3 safety injection pumps. This element of the Fort Calhoun success criteria is more optimistic than many other j PWR IPE/PRA studies which typically assume that large LOCA mitigation must i include flow from at least one LPSI pump.
I i
i 34
. . -- . .- .. _. _ = - - - _ _ _ _---_ . - - - -
i
- 4. DATA
SUMMARY
SHEETS i
This section of the report provides a summary of information from our review. !
Initiatina Event Freauencies i Initiating Event Frequency Per Year Reactor Trip 2.61E 01
. Loss of Condenser Vacuum 2.39E-02 '
i Turbine Trip 1.64E-01 Loss of Main Feedwater 2.05E-02 1
Loss of 345 kV with 161 kV Unavailable (Plant-Centered) 5.39E-02 l Loss of 161 kV with Failure to Fast Transfer (Plant-Centered) 1.42E-01 )
Loss of Off Site Power (Grid-Related) 1.42E-02 Loss of Off-Site Power (Weather-Induced) 7.37E-03 i Steamline/Feedline break on SG2 Upstream of MSIVs and Downstream of 2.34 E-03 FWCVs Steamline Break on SG2 Downstream of MSIVs 6.53E-03 Loss of 4 kV Bus 1 A1 2.94 E-04 Loss of 4 kV Bus 1 A3 2.94E-04 Loss of 4 kV Bus 1 A4 2.94E-04 Loss of 4 kV Bus 1 A2 2.94E-04 Loss of 125 VDC Bus #1 3.00E-03 !
Loss of 125 VDC Bus #2 3.00E-03 Loss of 125 VDC Panel Al-41 A 3.00E 03 l
Loss of 125 VDC Panel Al-41B 3.00E-03 Loss of CCW System 1.55E-02 Loss of Raw Water System 1.49E-02 Loss of instrument Air 3.13E-02 Loss of HVAC to Room 56 2.69E-03 Loss of HVAC to Room 56A 2.69E-03 Loss of HVAC to Control Room 1.07E-03 Closure of MSIV (1 SG Loop) 1.54E 02 Closure of Both MSIVs 5.09E-03 Partial Load Rejection 6.82E-02 Spurious SGIS Signal 6.41 E-03 Reactor Trip with PORV Opening 2.61 E-02 Small LOCA 1.0E-03
. Medium LOCA 1.0E-04 35
-..- -._~ - _ __-- --.
1 !
l Initiating Event Frequency Per Year i Large LOCA 1.0E-05 Steam Generator Tube Rupture 9.27E-03 RCl/LPSI Injection interface ISLOCA 5.84E-08 RCS/LPSI DHR Return interface ISLOCA 2.96E-07 l
RCS/CCW Interface ISLOCA Explicitly Modeled RCS/ Letdown Interface ISLOCA 2.32E-08 Overall CDF The point estimate CDF for Fort Calhoun is 1.36E-05/yr, including internal flooding.
The CDF contribution from flooding is 1.9E-06/yr.
Dominant initiatino Events Contributina to CDF LOSP (161 KV switchyard, no transfer to stat gen) 28%
LOSP (345 KV switchyard) 12%
Small LOCA 6%
Internal flood: CCW break, HX room 18 6%
LOSP (weather-induced) 6%
SGTR 6% l Loss of HVAC east switchgear room 3% l Loss of HVAC west switchgear room 3% i Loss of 125 VDC Bus 1 3% l LOSP (grid-related) 3%
Dominant Hardware Failures and Ooerator Errors Contributina to CDF Dominant hardware failures contributing to CDF include:
Common cause unsuccessful load shed from 4,160 VAC buses 1 A3 and 1 A4 Failure of diesel-driven auxiliary feedwater pump Failure of RCP seals given insufficient cooling Run failure of diesel generator DG-1 Run failure of diesel generator DG-2 Dominant human errors and recovery factors contributing to CDF include:
Common cause unsuccessfulload shed from 4,160 VAC buses 1 A3 and 1 A4 Operator fails to use diesel-driven feedwater pump to replenish emergency feedwater storage tank l Operator fails to use diesel-driven fire pump to replenish emergency feedwater l storage tank 36 .
l
.- a
Operator fails to manually trip 4,160 VAC circuit breaker, given that breaker does not trip automatically Dominant Accident Classes Contributina to CDF Station Blackout 35 %
Transient 31 %
internal Flood 14%
LOCAs 8%
SGTR 6%
ISLOCA 5%
Anticipated Transient Without Scram (ATWS) 2%
Design Characteristics imoortant for CDF The following design features impact the CDF:
Ability to oerform feed and bleed once-through cooling. This design feature lowers the CDF by providing an alternative method of core cooling given unavailability of the Auxiliary Feedwater (AFW) system.
Use of self-contained radiators for diesel generator cooling. The diesel generators are cooled with self-contained radiators and thus do not require external cooling from plant cooling water systems. This design feature lowers l the CDF.
Diverse means of sucolvina AFW to steam aenerators. The AFW system l contains a motor-driven pump, a turbine-driven pump, and a diesel-driven pump. The diesel-driven pump is independent of all plant support systems, including AC and DC electrical power. In addition to supplying steam generator makeup, the diesel driven AFW pump can be used to transfer water from the condensate storage tank to replenish the AFW suction source, the emergency feedwater storage tank (EFWST). This design feature lowers the CDF.
Robust design of reactor coolant oumo (RCP) seals. The seals on the Byron-Jackson RCPs are of a special design stated to be highly resistant to leakage in the event seal cooling water is lost. This design feature lowers the CDF.
- Lack of a reauirement for emergenev core cooling system (ECCS) oumo external coolina durino the iniection mode. The high pressure safety injection (HPSI), low pressure safety injection (LPSI), and containment spray pumps require cooling water only in the recirculation mode. This design feature tends to lower the CDF.
37
a Indeoendence of HPSI oumos from LPSI oumos durino recirculation. The HPSI pumps do not require " piggy-back" suction from the LPSI pumps for operation during recirculation. This design feature tends to decrease the CDF.
- Automatic switchover of ECCS from iniection to recirculation. This design feature tends to decrease the CDF over what it would otherwise be with a
, manual system.
= Ability to use the raw water system as a backuo to comoonent cooling waten The raw water system can be manually-aligned backup to component cooling water for the shutdown cooling heat exchangers, the containment cooling units, the safety injection and containment spray pump bearing coolers, and control
' room air conditioners. This design feature tends to decrease the CDF.
- Ability to use a diesel-driven fire oumo for olant functions. A diesel-driven fire pump, independent of plant systems, is available for long-term makeup to the AFW suction source, the EFWST. In addition, this pump can also serve as a backup to the raw water system for the purpose of cooling the component conting water system. The ability to use the diesel-driven fire pump for these plant functions tends to reduce the CDF.
- Oversized steam oenerators. The steam generators are designed for a larger reactor. Consequently, the ability to cool the reactor during an accident has a margin above what is normally expected. The steam generator boil off time is stated to be 55 minutes. This design feature tends to reduce the CDF.
. Vital 120 VAC backoo oower source. If a vitalinverter fails and 480 VAC is available, the 120 VAC control power normally supplied by the inverter is automatically supplied by a bypass transformer. This design feature tends to decrease the CDF.
. Eight hour batterv caoacitv. With apparent credit for load shedding, the batteries can provide power to basic safety-related control and instrumentation loads for 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. The 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> battery lifetime is longer than at some other plants. This design feature tends to lower the CDF.
. Wide use of air-ooerated valves (AOVst Fort Calhoun uses AOVs for many applications in which other plants use motor-operated valves (MOVs). Generic data indicate that demand failure probabilities for AOVs tend to be slightly lower than corresponding failure probabilities for MOVs. In addition, the AOVs normally fail in their accident positions, reducing the vulnerability of the plant to station blackout. This design feature reduces the CDF.
38
- Favorable olant accessibilitv. Fort Calhoun is a relatively compact plant. Areas in which outside control room human actions would be performed can be readily accessed. This design feature tends to reduce the CDF.
. Ooen desian of auxiliarv buildina and other olant areas. The open design of the auxiliary building and various rooms in the plant make it unlikely that HVAC will be required to cool many items of plant equipment due to effective natural circulation. This design feature tends to reduce the CDF.
- Containment air coolino and filterino system. The plant design includes a containment air cooling and filtering system. This system provides a means of
, performing containment cooling that is independent of the containment spray system. This design feature tends to decrease the CDF.
Modifications
, The following plant improvements were identified in conjunction with the IPE:
- Install door to facilitate mitigation of RCP seal cooler ISLOCA a Periodically leak test downstream shutdown cooling valve (ISLOCA path) l
- Install anti-galloping devices on 161 KV offsite power source.
- Revise procedures to establish appropriate position of door to l spent / regenerative tank / pump room during flood Collectively, these improverrents reduced the CDF by 1.82E-05/yr (from 3.18E-05/yr to 1.36E-05/yr).
Other USI/GSts Addressed The IPE does not propose to resolve any GSI/USts other than A-45. l Sionificant PRA Findinas Significant findings on the front-end portion of the IPE are as follows: !
= Without credit for the diesel-driven AFW pump, the CDF would increase by a factor of about 5 (from its current value of 1.36E-05/yr to 6.94E-05/yr).
. If the conditional RCP seal LOCA probability (given loss of seal cooling) is increased from 1.5E-03 to 1E-01, the CDF would increase by a factor of 10.4 (from its current value of 1.36E-05/yr to 1.42E-04/yr).
. Based on plant-specific deterministic analyses, the IPE assumed that a large LOCA can be mitigated without the use of LPSI pumps. In particular, the IPE 39
l J !
4 1
[ assumed that successful core cooling during the early phase of a large LOCA can be accomplished with one HPSI pump and 3 safety injection pumps. This ;
j element of the Fort Calhoun success criteria is more optimistic than many other PWR IPE/PRA studies which typically assume that large LOCA mitigation must 7
- include flow from at least one LPSI pump.
3 4 - ;
i g
i !
! i i !
.i i
a
)
d 6
I i
l 1
l 4
l l
4 4
40 l
l
_ - . - ._ __ - __ - 1
1 l
REFERENCES
[CE ATWS] CEOG Best Estimate ATWS Scenarios and Success Criteria, ABB Combustion Engineering report CE-NPSD-591-P, October 1990.
[EPRI 2230] ATWS: A Reappraisal Part 3: Frequency of Anticipated Transients, EPRI repcrt NP-2230, January 1982.
[EPRI 6780] Advanced Light Water (ALWR) Utility Requirements Document, Rev. 3, EPRI report NP-6780-L, Rev. 3, November 1991. (The offsite power non-recovery factors are contained in Appendix A to Chapter 1 of this report which is referred to as "The PRA Key Assumptions and Ground rules (KAG)" document)
[lPE Submittal] Fort Calhoun IPE Submittal, December 1,1993.
[NSAC 147] Losses of Offsite-Power at U. S. Nuclear Power Plants Through 1989, EPRI (Nuclear Safety Analysis Center), NSAC-147, March 1990.
[NUREG/CR 2098] Common Cause Fault Rates for Pumps, NUREG/CR-2098, February 1983.
[NUREG/CR 2770] Common Cause Fault Rates for Valves, NUREG/CR-2770, February 1983.
1
[NUREG/CR 3862] Development of Transient initiating Event Frequencies for Use in !
Probabilistic Risk Assessment, NUREG/CR-3862, May 1985. )
[NUREG/CR 4780] Procedures for Treating Common Cause Failures in Safety and Reliability Studies, NUREG/CR-4780, Vol.1, February 1988 and Vol. 2, January 1989.
[RAI Responses] Letter from T. L. Patterson, Omaha Public Power District, to NRC, '
LIC-95-0223, November 30,1995.
[SEOR 85-05] Internal Flooding Analysis, INPO Significant Operating Experience ,
Report SOER 85-05, Rev. 2,1990.
[ WASH 1400] Reactor Safety Study, October 1975.
41
~t
- - __ _ a l
1 APPENDIX B HUMAN RELIABILITY ANALYSIS TECHNICAL EVALUATION REPORT I
I l
l l
l l
l i