Technical Evaluation Rept on Individual Plant Examination Back-End Analysis

ML20134D803
Person / Time
Site:	Fort Calhoun
Issue date:	05/31/1996
From:	Meyer J, Hanry Wagage SCIENTECH, INC.
To:	NRC
Shared Package
ML20132F483	List: ML20132F480 ML20132F491 ML20134D794 ML20134D797 ML20134D803
References
CON-NRC-04-91-068, CON-NRC-4-91-68 SCIE-NRC-239-95, NUDOCS 9610300319
Download: ML20134D803 (99)
v • d • e

Text

. _ _ _ . _ _ _ .- . _ . __ _ . - . . _ _ _ _ _ . - . _ . . . __ _

! i l

l SCIE-NRC-239-95 l

}

l i  ;

FORT CALHOUN UNIT 1 ,

TECHNICAL EVALUATION REPORT l ON THE INDIVIDUAL PLANT EXAMINATION BACK-END ANALYSIS 4 l

l i

1 3

H. A. Wagage J. F. Meyer ,

I l

l d,

4 Prepared for the U.S. Nuclear Regulatory Commission Under Contract NRC-04-91-%8-40 May 1996 SCIENTECH, Inc.

11140 Rockville Pike, Suite 500 Rockville, Maryland 20852 IO 3oC)33T .ppTU

I TABLE OF CONTENTS E. Executive Summary .................................. E-1

1. INTRODUCTION ................................... I

2. TECHNICAL REVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.1 Licensee's IPE Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.1.1 Completeness and Methodology .................. 3 2.1.2 Multi-Unit Effects and As-Built /As-Operated Status . . . . . . 4 2.1.3 Licensee Panicipation and Peer Review . . . . . . . . . . . . . . 4 2.2 Containment Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2.2.1 Front-end Back-end Dependencies . . . . ............ 5 2.2.2 Containment Event Tree Development .............. 7 2.2.3 Containment Failure Modes and Timing ............. 8 2.2.4 Contaimnent Isolation Failure . . . . . . . . . . . . . . . . . . . . 9 2.2.5 System / Human Response ...................... 10 2.2.6 Radionuclide Release Categories and Characterization . . . . . 10 2.3 Quantitative Assessment of Accident Progression and Containment Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 2.3.1 Severe Accident Progression .................... I1 2.3.2 Dominant Contributors: Consistency with IPE Insights . . . . 16 2.3.3 Characterization of Containment Performance . . . . . . . . . . 16 2.3.4 Impact on Equipment Behavior . . . . . . . . . . . . . . . . . . . 20 2.3.5 Uncertainty and Sensitivity Analysis . . . . . . . . . . . . . . . . 20 2.4 Reducing Probability of Core Damage or Fission Pmduct Release . . 21 2.4.1 Definition of Vulnerability . . . . . . . . . . . . . . . . . . . . . . 21 2.4.2 Plant Improvements . . . . . . . . . . . . . . . . . . . . . . . . . . 21 2.5 Responses to CPI Program Recommendations .............. 21 2.6 IPE Insights, Improvements, and Commitments . . . . . . . . . . . . . 22

3. CONTRACTOR OBSERVA'nONS AND CONCLUSIONS . . . . . . . . . . 25

4. REFERENCES ..................................... 27 Appendix: IPE Evaluation and Data Summary Sheet Fort Calhoun Unit 1 Back-End ii May 1996

I E. EXECUTIVE

SUMMARY

E.1 Plant Characterization The Fort Calhoun Station (FCS) consists of a Combustion Engineering nuclear steam )

supply system (NSSS) with a General Electric turbine. Gibbs and Hill designed the l balance of the plant and the auxiliary systems. l

)

The reactor system consists of a pressurized water reactor and its associated coolant

.. system arranged as two closed loops, each containing two reactor coolant pumps and a steam generator comwtad in parallel to the reactor. An electrically heated pressurizer is  ;

connected to one of the loops. The system is designed to operate at a core thermal power of 1500 MWt to provide steam at 850 psia.

The containment building consists of a concrete structure in the form of a vertical )

cylinder with domed roof and a flat base. The cylinder and dome are made of post-  ;

tensioned concrete and the base is made of reinforced concrete construction. A '

continuous carbon steel liner is included. Inside the containment structure, the reactor and other NSSS components are shielded with concrete. Facilities are provided for pressure and leak rate testing of the entire containment system.  ;

l The FCS containment was designed by Gibbs and Hill and has an intemal free volume of i 1.05 million cubic feet. The containment has a design pressure rating of 60 psig and a l median ultimate pressure of 215 psig. His ultimate pressure is higher than that  :

calculated for most of the other plants and therefore the Fort Calhoun containment is likely to outperform many other containments in the event of a hydrogen bum.

E.2 Licensee's IPE Process The IPE team performed a level III probabilistic risk analysis (PRA) for the FCS IPE.

De IPE team developed containment event trees (CETs) and supporting logic models similar to fault trees to interface with the level I plant damage states. The team  ;

determined the behavior of containment by various walkdowns, training, and literature j reviews about core melt phenomena. The team performed Modular Accident Analysis Program (MAAP) computer code runs to obtain more specific information about phenomena timing and parameters such as pressures and temperatures of specific core melt scenarios. MAAP also produced radioisotope infonnation for input into level III .

I analysis.

The FCS levelII analysis consisted of the following major tasks: containment event i trees, link level-I analysis with level-II analysis, containment ultimate structural analysis, i plant walkdowns, and MAAP runs.  ;

Fort Calhoun Unit 1 Back-End E1 May 1996

Omaha Public Power District (OPPD) provided the overall technical management of the FCS IPE. Tb- IPE program was run by the Supervisor of System Analysis, who reponed to the Manager of Nuclear Design Engineering. SAIC provided consulting service to the project at the beginning, and Combustion Engineering mMM plant-specific information later in the project. Other contractors with specialized skills were also used (not listed in the submittal).

As the project progressed, more work was increasingly done in-house, with consultants used in areas of special expenise. In-house expertise with the design engineering group was used in the areas of structuml, electrical, and thermohydraulics engineering. He submittal notes that well over 50 % of the total engineering effort applied to the project had been contributed by OPPD personnel, nere were three levels of review of the IPE submittal. For example, during the first level of review, a PRA Oversight Committee composed of OPPD personnel from System Engineering, Licensing, Training, Operations, Civil Engineering, Electrical Engineering, and Mechanical Engineering met with the PRA group every two weeks to discuss the IPE results in general and specific findings.

E.3 Back-End Analysis The IPE team used CETs to quantify containment failure modes and the radionuclide releases. The containment failure modes and the major phenomena that have a significant impact on the radionuclide. release fractions were represented as top events on the CET.

Detailed evaluations of phenomena which affected containment failure timing, fission product releases, or which may have an impact on downstream top events were treated by using supponing logic models. This approach allowed a relatively detailed treatment of the phenomena affecting containment performance while maintaining a relatively simple CET. Also, each end point on the CET represented a distinct release class. The CET used plant damage states (PDSs) as input.

Because the release consequences were affected by core melt timing and since there were differences in the various severe accident progressions, separate CETs were developed for the different core melt timing conditions - early, delayed, and late.

The IPE team defined early containment failure as occurring either at or within one hour of reactor vessel failure. Dey defined late containment failure as occurring later than one hour of reactor vessel failure.

Overall, the containment remained intact 59.8 % of the time following a severe accident.

Consequently the containment failed 40.2 % of the time for these sequences. He percentage of intact containment without accompanied vessel breach occurring was 26.0 %.

Fort Calhoun Unit 1 Back-End E-2 May 1996

-, -e w - --- , ,, - e - - - . + - -

n. . g

( ..

(

l The following were the contributions for 40.2 % of the containment failures (alpha mode

failure and basemat melt-through failures were negligible)

]

1 i

i

• Late containment failure 28.0 % i

'

• Bypass (interfacing systems LOCAs - 4.9 % and SGTR - 0.5 %) 5.4 %  :

• Containment isobtion failure 5.1 %

(isolation valve failure - 0.13 % and SGTR* - 5.0 %)

• Early containment failure 1.6 %

a

(* In other IPE submittals, the SGTR-event is completely grouped in bypass.)

• l

, i E.4 Generic and Containment Performance Improvement Issues i As a result of the Containment Performance Improvement (CPI) program, ,

recommendations were made for consideration by licensees as part of the IPE process. j These recommendations were identified in Generic letter 88-20, Supplement 3. The j

recommendation applicable to the FCS is as follows-l 1

Licensecs with dry containments are expected to evaluate containment and l equipment vulnembilities to localized hydrogen combustion and the need for )

improvements (including accident management procedures) as part of the IPE. '

In response to the NRC s*.aff's RAI, the licensee notes the following:

The containment structure was walked down and prints were reviewed to detennine if there were hydrogen " pockets" where hydrogen could cause equipment needed for accident mitigation to be damaged. No vulnerabilities were found, i.e., no pockets were found where damage to equipment would occur.

E.5 Vulnerabilities and Plant Improvements The licensee response to the NRC staffs RAI provides the following information. The IPE team retained all the sequences that met the guidelines in NUMARC 91-04. In performing the containment performance analyses, the IPE team coupled all retained core ,

damage sequences with the containment safeguards sequences to genente plant accident l sequences (PASS). 'Ihey mapped all PASS with a frequency of greater than or equal to IE-9, or which covered potential vulnerabilities, into PDSs. They mapped all PDSs into release classes by being propagated through the CET. The IPE team used all release classes with frequency greater than SE-10 in the calculation of risk. The IPE team reviewed the retained release classes for potential containment vulnembilities. They found no severe accident vulnembilities unique to the plant.

The plant improvements related to the IPE involved with the front-end analysis.

Fort Calhoun Unit 1 Back-End E-3 May 1996

I E.6 Observations The FCS IPE submittal contains a substantial amount of information with regard to the

, recommendations of GL 88-20, its supplements, and NUREG-1335. The submittal appears to be complete in accordance with the level of detail requested in NUREG-1335. l The methodology used to perform the IPE is described clearly in the submittal. The  !

approach taken, which is consistent with the basic tenets of GL 88-20, Appendix 1, is i also described clearly along with the team's basic underlying assumptions. The important j plant inferrna' ion and data are well documented and the key IPE results and findings are well prc. ated.

The IPE team found no severe accident vulnerabilities unique to the FCS. They identified no back-end plant improvements.

I

\

l 1

l l

l Fort Calhoun Unit 1 Back-End E-4 May 1996

i[

1. INTRODUCTION 1.1 Review Process i

This technical evaluation repon (TER) documents the results of the SCIENTECH review i of the back-end ponion of the Fon Calhoun Station Unit 1 (FCS) Individual Plant Examination (IPE) submittal [1,2]. His technical evaluation repon complies with the requinments for reviews of the U.S. Nuclear Regulatory Commission (NRC) contractor task order, and adopts the NRC review objectives, which include the following:

[. '

• To help NRC staff determine if the IPE submittal provides the level of detail requested in the " Submittal Guidance Document," NUREG-1335 l

• To help NRC staff assess the strengths and the weaknesses of the IPE submittal

• To complete the IPE Evaluation Data Summary Sheet Based in pan on SCIENTECH's preliminary review of the Callaway IPE submittal, the j NRC staff submitted a Request for Additional Information (RAI) to the Omaha Public Power District on September 12, 1995. De Omaha Public Power District responded to the RAI in a document dated November 30,1995. [2] This fmal TER is based on'the l original submittal and the response to the RAI.

i

} Section 2 of the TER summarizes our review findings and briefly describes the FCS IPE l submittal as it penains to the work requirements outlined in the contractor task order.

1 Each ponion of section 2 corresponds to a specific work requirement. Section 3 presents i our overall evaluation of the back-end ponion of the FCS IPE based on our submittal-l only review. Section 3 rdso outlines the conclusions and insights gained, plant

! improvements identified, and utility commitments made as a result of the IPE.

References are given in section 4. Appendix contains an IPE evaluation and data summary sheet.

1.2 Plant Characterization The FCS consists of a Combustion Engineering nuclear steam supply system (NSSS) with  ;

a General Electric turbine. Gibbs and Hill designed the balance of the plant and the j I

auxiliary systems.

ne reactor system consists of a pressurized water reactor and its associated coolant i system arranged as two closed loops, each containing two reactor coolant pumps and a l steam generator conWM in parallel to the reactor. An electrically heated pressurizer is connected to one of the loops. The system is designed to operate at a core thermal power of 1500 MWt to provide steam at 850 psia.

Fon Calhoun Unit 1 Back-End 1 May 1996

I The contaimnent building consists of a concrete structure in the form of a venical cylinder with domed roof and a flat base. The cylinder and dome are made of post-tensioned concrete and the base is made of reinforced concrete construction. A continuous carbon steel liner is included. Inside the containment structure, the reactor and other NSSS components are shielded with concrete. Facilities are provided for pressure and leak rate testing of the entire containment system.

'Ihe FCS containment was designed by Gibbs and Hill and has an internal free volume of 1.05 million cubic feet. The containment has a design pressure rating of 60 psig and a median ultimate pressure of 215 psig.

The containment has an inside diameter of 110 feet with an inside height of 137.4 feet.

The foundation slab is 13 feet thick. 'Ihe side walls are 3.875 feet thick and the domed roof is 3 feet thick. The walls and roof have 616 and 210 imbedded post-tensioned cables respectively. These cables provide external force to the structure to compensate for internal forces that occur during a design basis accident (DBA).

l The concrete foundation mat is constructed from a 50/50 limestone / common sand mixture and is reinforced with high strength reinforcing steel. A permanent access gallery extends under the containment structure directly below the cylindrical wall.

The containment has a maximum leak rate of 0.1 weight percent of containment atmosphere over a 24-hour period at 60 psig and 305 oF after a DBA.

Items of panicular note in the FCS design from a centainment performance (level II) and radiological consequence (level III) perspective include (section 4.1.1, page 4.1-1):

• A " passively" flooded reactor cavity combined with an integral "instmment-free" lower head which enables "in-vessel" retention of corium debris via external vessel cooling.

• A robust containment and reactor cavity design which reduces the contribution of early containment failure to less than 2 % of all core damage sequences.

• A large basemat area to promote spreading of the corium melt following vessel  !

breach and ex-vessel cooling of corium debris when an overlying water pool is present.

• A very thick basemat which prolongs the time to containment failure associated with corium basemat erosion.

i Fort Calhoun Unit 1 Back-End 2 May 1996 c

e

"l i

l i 2. TECHNICAL REVIEW j l

In performing the " submittal only" review, SCIENTECH compared the FCS IPE submittal with the recommendations of Generic letter (GL) 88-20 and its supplements, I according to the guidance provided in NUREG-1335. We used the structure of Task Order Subtask 1 in setting out the review findings reported in this section which ,

l addresses the key points of the GL and its supplements. His TER also notes  !

inconsistencies between the FCS IPE and other PRA studies in terms of the methodology i used and results obtained and identifies the FCS IPE strengths and weaknesses.

i 2.1 Licensee's IPE Process l

LL1 Comoleteness and Methodolorv.

1 l The FCS IPE submittal contains a substantial amount of information with regard to the i recommendations of GL 88-20, its supplements, and NUREG-1335. De submittal j appears to be complete in accordance with the level of detail requested in NUREG-1335.

The methodology used to perform the IPE is described clearly in the submittal. De i approach taken, which is consistent with the basic tenets of GL 88-20, Appendix 1, is i also described clearly along with the team's basic underlying assumptions. The important i plant information and data are well documented and the key IPE results and fm' dmgs are well presented.

l I The IPE team performed a level III probabilistic risk analysis (PRA) for the FCS IPE.

i The IPE team developed containment event trees (CETs) and supporting logic .aodels

similar to fault trees to interface with the level I plant damage states. The team determined the behavior of containment by various walkdowns, training, and literature i reviews about core melt phenomena. De team performed Modular Accident Analysis Program (MAAP) computer code runs to obtain more specific information about '

i phenomena timing and parameters such as pressures and temperatures of specific core melt scenarios. MAAF also produced radioisotope information for input into level III j analysis.

I The FCS level II analysis consisted of the following major tasks:

l

• Coritninment Event Trees. Develop CETs depicting possible accident progression

! after core damage that are phenomena-based, and quantify the events using supporting logic models.

• Iink level-I Analysis with Izvel-II Annivsis. Using plant damage states (PDSs) l

! and plant damage bins, link the level I core damage states to the CETs.

• Containment Ultimate Structural Analysis. Use finite element analysis to i determine the limiting conditions that various containment components and i structures will withstand before failure.

i Fon Calhoun Unit 1 Back End 3 May 1996

i (

4 r

J i

. i i

• Plant Walkdowns. Observe and become familiar with the layout in containment j and the auxiliary building including key component and structure locations to 1 comprehensively understand how various phenomena will affect the components i and structures and to define release paths to the environment.

j

• MAAP Runs. Run scenarios that cover the range of severe accidents so that  !

i timing of events, magnitude of events, and parameters of the accidents can be j estimated. ,

+

LL2 Mulli-Unit Effects and As-Built /As-Onerated Status.  ;

Multi-unit effects are not applicable to FCS because it is a single unit site.

5 To ensure as-built, as-operated modeling of FCS, the IPE team undenook several data i

collection and documentation activities during the initial phase of the project. The IPE team performed plant walkdowns during which the team observed and became familiar .

with the layout in containment and the auxiliary building including key component and l structure locations to comprehensively understand how various phenomena will affect the components and structures and to define release paths to the environment. The team  ;

prepared system notebooks after plant walkdowns and reviews of drawings, system descriptions, the Updated Safety Analysis Repon, Technical Specifications, and  ;

applicable plant procedures.

2M Licensee Panicioation and Peer Reyicg.

Omaha Public Power District (OPPD) provided the overall technical management of the FCS IPE. The IPE program was run by the Srpervisor of System Analysis, who ,

reponed to the Manager of Nuclear Design Engineering. SAIC provided consulting l service to the project at the beginning, and Combustion Engmeering added plant-specific l information later in the project. Other contractors with specialized skills were also used (not listed in the submittal).

The development of the plant risk model involved " extensive interfacing / review with Production Engineering Division to understand the design of the plant, the operations j personnel to fully underrtand the operating procedures, and the maintenance and i reliability personnel to understand maintenance philosophy and scheduling." (section 5.1, i

\ page 5.0-2) l As the project progressed, more work was increasingly done in-house, with consultants used in areas of special expenise. In-house expenise with the design engineering group was used in the areas of structural, electrical, and thermohydraulics engineering. 'Ihe .i submittal notes that well over 50 % of the total engineering effon applied to the project had been contributed by OPPD personnel (section 1.4, page 1.1-4).

Fort Calhoun Unit 1 Back-End 4 May 1996 ,

- ----w - eam- w m+

4 1

i There were three levels of review of the IPE submittal. For the first level of review, a

PRA Oversight Committee composed of OPPD personnel from System Engineering, Licensing, Training, Operations, Civil Engineering, Electrical Engineering, and Mechanical Engineering met with the PRA group every two weeks to discuss the IPE results in general and specific fmdings.

, ne second level of review was performed by the PRA Executive Committee consisting

! of the Senior Vice President and the three nuclear Division Managers, along with selected department managers. His group reviewed and proposed resolution for the significant i PRA findings.

The third level of the review was performed by a team organimi by Duke Engineering  ;

i and Services composed of experts in PRA from Duke Engineering, Yankee Atomic l Electric Company, and ABB/Combustiou Engineering. This team, composed of a total of five people experienced in PRA, peer reviewed the IPE to 1) ensure the accuracy of the  :

documentation package and to validate both the IPE process and its results and 2) determine whether the analysis methods used met the intent of GL 88-20.

The comments were mostly general on the IPE program or on the level I analysis.

2.2 Containment Analysis i

2.2.1 Front-end Back-end Dependencies.

l The IPE team defined the FCS PDSs based on eight characteristics as given in table 1.  !

By using the ORACLE data base system [3] and all the possible combinations of these characteristics, the team defined 9,072 PDSs. A set of deletion rules was developed to delete combinstions which were physically impossible or were counter to other definitions l used in the analysis. By excluding physically impossible combinations of characteristics, the IPE team reduced the number of PDSs to be considered to 510.

The IPE team evaluated containment safeguards (CSG) using a CSG event tree. Several branches of this event tree were evaluated using CAFTA computer code. A fault tree linking approach was used to solve the CSG event tree and create the CSG states. The cutsets in the CSG states were combined with the core damage cutsets using COMBINE code. The resultant cutsets were referred to as plant accident sequences (PASS). He fmal PAS cutsets were produced by deleting success path cu sets and mutually exclusive cutsets as appropriate.

Fort Calhoun Unit 1 Back-End 5 May 1996 l

. l

.1 -

i l

l Table 1. FCS Plant Damage State Parameters j i j No. Parameter Parameter Value Code j 1. RCS pressure High (> 1200 psia) HIGH i Medium (between 250 psia and 1200 psia) MED j Low (< 250 psia) LOW

, 2. RCS leak rate Large LOCA LL i Medium LOCA ML l Small LOCA SL

! '~

SGTR SGTR

} Cycling relief valve /PORV CRV l Intersystem LOCA (large) ISLL Intersystem LOCA (small) ISLS I

3. Steam generator Available SGA

! availability Unavailable SGU i Status not applicable SGNA )

l 4. Core melt timing Early (< 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />) EARLY j

Delayed (2 to 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />) DELAY l LATE  !

} Late (> 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />)

5. Containment spray Available in both injection and recirculation CSA l

system modes

availability Available in injection mode but not in CSI

recirculation mode i Unavailable CSU

! 6. Containment heat Available (contamment air recirculation cooling CHA removal availability and/or containment spray heat exchangers

! available) l Unavailable CHU

! 7. Cavity condition Dry (no water) DRY

Low flood (wet below reactor vessel only) LOW Medium flood (wet to top of RV lower head) MID .  !

l Full flood (wet to top of active fuel) FULL" '

l l 8. Contamment Isolated CI j isolation Not isolated CNI i-i k

i Each PAS cutset was inspected and assigned to a PDS. I.eak rate, steam generator j status, and containment safeguards status were specified directly by the PASS. Core melt timing and cavity status were inferred on a cutset-by-cutset basis using knowledge of the j core damage and CSG sequences.

i

The quantified PDSs were filtered based on a cutoff value of IE-9. PDSs that were considered to be important (e.g., interfacing system LOCAs) were retained, although they

$ Fort Calhoun Unit 1 Back-End 6 May 1996 4:

s I

!O i

e

! were below the cutoff value. The resultant list consisting of 45 PDSs spresented the

. dominant PDSs which were analyzed in the level H PRA.

'Ihe process used by the IPE team to define PDSs to be analyzed in the level D PRA

! appears to have been complete in accounting for the front-end back-end rispendencies of j l

accident progression.

j 212 Contnitunent Event Tree Develooment.

l De IPE team used CETs to quantify containment failure modes and the radionuclide releases. The containment failure modes and the major phenomena that have a significant l

impact on the radionuclide release fractions were represented as top events on the CET.

! Detailed evaluations of phenomena which affected containment failure timing, fission product releases, or which may have an impact en downstream top events were treated by

using supporting logic models. This approach allowed a relatively detailed treatment of

the phenomena affecting containment performance while maintaining a relatively simple

CET. Also, each end point on the CET represented a distinct release class. The CET used PDSs as input.

Because the release consequences were affected by core melt timing and there were differences in the various severe accident prognssions, separate CETs were developed for the different core melt timing conditions - early, delayed, and late. For convenience, 1 the portions of the CETs pertaining to isolation failum and alpha failure were presented separately. This treatment resulted in a total of six CETs. Following were the 13 CET top events used:

• Is containment bypass presented?

• Is containment isolated?

• Is containment failure due to in-vessel steam explosion prevented?

• Is vessel breach prevented?

• Is early containment failure prevented?

• Is late containment failure prevented?

• Is basemat melt-through prevented?

• Is in-vessel fission product scrubbing available?

• Is a vaporization release prevented?

• Is a release prevented?

• Is a revaporization release scrubbed?

• Is a vaporization release scrubbed?

• Are intact containment fission products sembbed?

ne IPE team developed a supporting logic tree to further analyze each of the above top events, except the first two and the last one.

Fort Calhoun Unit 1 Back-End 7 May 1996

_ _ . . _ _ . _ . . . _ _ _ _ _ . _ . __ . _ . - _ _ _ _ _ . _ _ _ _ __ m .. . _ _ _

)

i i

213 Containment Failure Modes and Timing.

Fragility curves, covering full range of pressures versus failure probabilities for the following potential failure modes, were developed for the FCS:

• Bending failure of basemat

• Shear failure of basemat i

• Membrane failure of cylindrical shell

• Bending failure of the basemat-cylindrical shell juncture

• Shear failure of the basemat-cylindrical shell juncture

.

• Dome membrane failure j_

• Equipment hatch failure

Fragility curves were developed for 95 %,50 % (median), and 5 % confidence levels for l the above failure modes and their combinations. The team investigated the following four

, additional failure modes for which no fragility curves were developed:

!

• Personnel hatch failure j

• Refueling penetration failure

• Mechanical penetration failure

!

• Electrical penetration failure i

i To evaluate the containment capacity when subjected to an overpressure load, Stevenson

& Associates performed a finite element analysis using a global axisymmetric model.

i 1.ocal models were developed to evaluate the areas of the penetrations. Both static and

dynamic analysis were performed using the ANSYS-PC/ LINEAR code. [4] In the global

[ finite element model, the presence of the internal stmeture on the basemat was considered i in a simplified form. Because no detailed design information was available, the analysts

{ assumed a distributed weight of 45,000 tons.

, The dynamic overpressure calculation was performed by subjecting the axisymmetric l model to a time evolution described by a triangular impulse decaying to a constant pressure value of 15 % of the peak pressure. The magninide of this loading was generally analogous to a detonation shock wave pulse. The total duration of the triangular impulse was 0.01 seconds. To compute the fragility curves, the peak pressure level was varied from 60 psi to 600 psi.

i The containment shell failure is dominated by three failure modes: 1) tension failure due

to high membrane forces in the hoop direction in the cylinder above the mid-height, 2) tension failure in hoop / meridian direction due to high membrane forces in the dome at the i center, and 3) shear failure due to shear forces at the base of the cylinder, near the joint j with the basemat. The median failure pressures of the containmeest under these failure 4

modes were calculated to be 235, 285, and 268 psig. The licensee response to the NRC 4

staff's RAI notes that the median failure pressure of the CPS containment from all the modes was 215 psig, i

Fort Calhoun Unit 1 Back-End 8 May 1996

b The IPE team considered temperature induced failures of containment that result from high temperature degradation of NORDEL EPDM (ethylene-propylene type) seals used for all FCS penetrations (section 4.2.3.4.1, page 4.2-104). TW tean reviewed the FCS Updated Safety Analysis Report for the capabilities of the EPDM based scalants, and found that the mean instantaneous failure temperature of seal material was about 620 oF which was independent of the test environment media. Because that analyses of typical FCS accident scenarios showed that sustained temperatures in excess of 375eF were unlikely, instuitaneous failure of seals were considered unlikely.

Temperature induced containment failure resulting fmm penetration senhnt degradation F was considered possible for all sequences where containment heat removal was lost and  !

the reactor cavity was expected to be dry (i.e., occurrence of core concrete interactions).

In evaluating radiological consequences of containment overtemperatures, the containment failure mode was assumed to be a small leak.

214_ Containment Isolation Failure.

l The IPE team considered that loss of containment isolation could occur directly as a i result of the inability to isolate containment penetrations following a severe accident or  !

I indirectly as a result of a steam generator tube mpture (SGTR) with a consequent failure of secondary safety valves, atmospheric dump valves (ADVs), or turbine bypass valves.

Because SGTRs would result in successful isolation of the affected steam generator, most SGTRs (including those resulting in severe core damage) were considered to cause small environmental releases. Even if the affected steam generator was not isolated, secondary water that is available to the steam generator secondary side would produce a favorable environment (cool and low steaming rate) within the primary side of the steam generator tubes for fission products retention. When the secondary side water level covered the broken tube elevation, most iodine and cesium that leave the primary side would be  !

scrubbed out in the secondary side water pool.

Within the PRA, SGTRs were considered bypass events only if the affected steam generator was not isolated. (Note that most of the other IPEs categorized SGTR as a containment bypass.) This situation would arise from the inability to depressurize the steam generator and result in a condition where the main steam safety valves (MSSVs) cycle, releasing radiation intermittently, or from transients where a MSSV or ADV is stuck open.

Isolation failure from inability to close containrcent isolation valves had a combined frequency of 1.7E-8 per year (0.13 % of the total CDF). The consequences of these events depended on the availability of containment heat removal and sprays during the sequences. Isolation failure associated with a SGTR had a total frequency of 6.8E-7 per year (5.0 % of the total CDF).

! Fort Calhoun Unit i Back-End 9 May 1996 lY l

I The IPE team found that loss of FCS containment isolation was highly unlikely, mainly because of the following preventive features in the FCS design (section 4.2.2.5.3):

• Use of double isolation valves for containment penetrations

• Use of diverse means of powering isolation valves

• Selection of isolation valve failure position consistent with its safety related function L15 System / Human Response.

The utility response to NRC staff's RAI notes that the IPE team conservatively assumed that the operators would not open the PORVs to depressurize the RCS because of lack of procedures (response 37, reference 2). De utility plans to incorporate guidance on PORV operation during severe core damage events into plant-specific accident management piecedures.

The IPE team performed a sensitivity study to evaluate the impact of assuming a 50 %

chance that the operators would open the PORVs to depressurize the RCS. This resulted in a slight increase in the frequency of the intact non-vessel breach sequences and a slight decrease in the frequency of early containment failures due to ex-vessel steam explosions.

Dere were five other operator recovery or mitigation actions that were included in the back-end analyses. These actions and the locations of their discussions in the submittal are listed in table 2 below.

W Radionuclide Releste Cateeories and Characterintion.

As noted in section 2.2.2 of this report, the IPE team developed six CETs which addressed the various combinations of isolation status (failed /not failed), alpha failures, and core melt timing. The end states of these event trees defined a total of 201 potential Table 2. Additional Operator Recovery or Mitigation Actions in Back-end Analyses I.acation in Action Event Name Submittal [1]

Section Page Contamment heat removal not recovered NCHRECOV 4.6.7.1.2 4.6-36 Power is recovered late in the accident RESPARK 4.6.7.1.10 4.6-39 High pressure ECCS recovered during core SHP-SISI 4.6.5.1.6 4.6-13 melt Low pressure ECCS recovered during core SLP-SISI 4.6.5.1.7 4.6-14 melt Contamment sprays recovered SPRAYRECOV 4.6.9.1.3 4.6-47 Fort Calhoun Unit 1 Back-End 10 May 1996

l release states for each PDS. After quantifying the CETs, there were a total of 44 release

classes with a non-zero frequency. His included 12 carly core melt sequence release 4 classes,16 delayed core melt sequence release classes, and 16 late core melt sequence

! release classes. Of these, six release classes had individual frequency below the cutoff l value used, SE-10 per year hse six release classes had a total frequency of 6.21E-10 (0.005 % of the total core damage frequency) and were deleted from further consideration. The remaining 38 release classes consisted of 10 carly core melt sequence

! release classes,14 delayed core melt sequence release classes, and 14 late core melt 4

sequence release classes.

l~

The IPE team defined early containment failure as that occurring either at or within one hour of reactor vessel failure (section 4.5.2.5, p. 4.5-3). De team defined late containment failure as that occurring later than one hour of reactor vessel failure (section 4.5.2.6, p. 4.5-4).

In the containment perfonnance analysis, the IPE team conservatively assumed that any SGTR that resulted in core melt would subsequently have either a cycling or a " stuck" open MSSV; they therefore categorized this type of event as a containment isolation failure. His treatment is also conservative in terms of radiological releases; some of these sequences could result in a basemat melt-through with lower releases since a large fraction of SGTRs were expected to be depressurized and isolated before significant core uncovery.

The submittal notes the following with respect to reporting on the selection of important severe accident sequences (section 4.7.3, page 4.7-43):

There are no functional sequences that have a core damage frequency greater than or equal to 1.00E-06 per reactor year and lead to a containment failure which can result in a radioactive release magnitude greater than or equal to the PWR-4 release categories of WASH-1400.

The IPE team's characterization of release categories appears to be complete.

2.3 Quantitative Assessment of Accident Progression and Conta*mment Behavior 2.3.1 Severe Accident Prorression.

~ The submittal provides a detailed overview of the severe accident phenomenological issues on the following and their relationship to the various postulated containment failure modes of the FCS Unit 1 PRA (section 4.2, pages 4.2-1 through 4.2-148):

Fort Calhoun Unit 1 Back-End 11 May 1996 E

l

• External vessel cooling

• Mechanisms of early containment failure (direct containment heating (DCH),

l l hydrogen combustion, steam generation, missile generation, cavity overpressure, and corium debris impact on the containment shell liner)

• Mechanisms of late containment failure (gradual containment overpressurization, l

basemat melt-through, temperature induced penetration seal failure, and delayed combustion)

• Fission product release, tanspon, and retention Extemal Vessel Cooling. As shown in figure 1 of this report (reproduced from figure l

.- 4.2.1.1, page 4.2-10 of the submittal), the FCS reactor vessel sits partially below the bottom floor of the containment with about 12.5 feet of the reactor vessel residing below the emergency safeguards recirculation pump. Therefore, the vessel is expected to be submerged significantly for all reactor transients that either use containment recirculation (e.g., LOCAs) or provide sufficient containment spray flow to fill the emergency sump.

After reviewing the cavity geometry, available water sources, and the results of the plant accident simulations performed with MAAP computer code, the IPE team found that the loss of sufficient inventory to cover the core would result in submergence of the reactor vessel lower head if containment heat removal is maintained.

l Early Combustion-Engineering designs were amenable to this vessel cooling because top-mounted instrumentation designs resulted in a penetration-free and instrumentation-free i lower head. Thus, submergence of the reactor vessel lower head would be expected to better survive the corium attack-extemal vessel cooling process. In modeling the external vessel cooling process, the FCS IPE team considered the following in defining success:

• Availability of continuous internal water sources

• RCS pressure

• Water level in the rear.or cavity Note that although the cavity flooding would enable external vessel cooling, it increases the likelihood of occurring ex-vessel steam explosions in the event of vessel failure.

Mechanisms of Early Containment Failure. The IPE team found that the FCS design was )

expected to substantially mitigate containment threats from high pressure melt ejection ,

l (HPME) and direct containment heating (DCH) processes. FCS DCH mitigation features included 1) the availability of a PORV to reduce RCS pressure in the vicinity of, or below, the debris entrainment threshold (not credited in the PRA), and 2) the presence of a concrete floor located about 10 feet above the cavity manway exit to aid in de-entraining and retaining the bulk of the corium debris in the lower containment. In I addition to the above features, the FCS cavity is designed to be passively flooded before l reactor vessel lower head failure. Ejection of debris into a deep water pool would minimize the containment overpressurization threat from the HPME.

4 Fort Calhoun Unit 1 Back-End 12 May 1996 ip

l

,/=.

1 7 .. .. e

• '~* ^

r l -

. . l llM **

• ll .<

EL.1006 -5

%% (TM

? .

~

>  ; e

' > <

-- i . ., ,

K E A CT#L .

LEVEL OF SueAP

• .* . EL. 994 '-0"

. . . ** e,

• ~~-: .

(.4 c.e= ..

I

- = ~

.(

s * .

s e.

u, i

=. 't,

. . *e f s .-

.,, .. , , e

.O .

E.L. 976, 6,

• ( .,.

~

]

s4 q'. 0

• 14 ** 9 "  ;

6 Figure 1. Fort Calhoun Station Unit I reactor cavity (reproduced from figure 4.2.1.1, page 4.2-10 of the submittal).

Fort Calhoun Unit 1 Back-End 13 May 1996

i l

Using a two-cell DCH model as developed by M. Piltch of Sandia National Laboratories, f median discharges at vessel breach, and FCS composite fragility curve, the IPE team i calculated the following conditional containment failure probabilities for DCH for high pressure discharges: 1) in the presence of a pre-vessel breach hydrogen burn, < 0.08 -

and 2) without a pre-vessel breach hydrogen burn, < 0.15. For intermediate pressum discharges (RCS pressure < 1200 psia), the conditional containment failure was ,

calculated to be less than 0.005. l The peak containment pressure resulting from rapid steam generations events following  !

an FCS reactor vessel lower head breach were calculated for selected severe accident  !

.- scenarios as follows.  ;

i

• Station blackout, < 75 psia (design basis) )

• "V" sequence LOCA, < 75 psia (design basis)  :

• Large LOCA without containment sprays available, - 135 psia The IPE team calculated that rapid steam generation events would not result in a significant challenge to the FCS containment.

The IPE team found that the potential for hydrogen detonation within the FCS containment was remote before vessel breach but possible after vessel breach in " dry" containment environment.

Conditional probabilities that a hydrogen burn would either be initiated as, or become, a detonation were defined as follows (section 4.2.2.3.2.7, page 4.2-62):

• For accident scenarios where the steam concentration was expected to exceed 30

% by volume, detonations were not considered credible. Because of the large steam release associated with the HPME, DCH events were not considered precursors to detonations.

• For hydrogen concentration below 13 % by volume, detonations within the containment were considered impossible. This condition prevailed for pre-vessel breach situations at FCS.

• For conditions where the global hydrogen concentration was expected to be above 13 % by volume and steam concentration was below 30 % by volume (i.e.,

containment heat removal was successful), the fraction of hydrogen burns that might become detonations was taken to be 0.10 for sequences which discharge hydrogen directly to the containment.

It was assumed that the occurrence of a detonation would fail containment with a probability of 0.50.

Fort Calhoun Unit 1 Back-End 14 May 1996

!l l

Because of the special design feature that encloses all major RCS components within concrete structures, containment failure from direct impingement of debris was considered unlikely.

After comparing the post-vessel breach cavity pressure of 160 psia that was calculated l using MAAP with the design strength of 220 psia, the IPE team concluded that cavity ,

integrity would not be threatened. I For scenarios where vessel breach occurred at high RCS pressure, the IPE team calculated that the condidonal probability of rocket induced containment failure was

, 1.75E-3. For medium pressure vessel breach, the rocket failure probability was taken to

! an order of magnitude lower.

12te Containment Failure. The IPE team considered steam overpressurization failure of the containment before and after vessel breach. The containment could fail before vessel breach when the containment heat removal function is irrecoverably lost (e.g., via loss of CCW) and cooling of the RCS with a breach (either due to pipe mpture or open PORV) is facilitated. Containment failure before vessel breach was calculated to have a frequency of IE-10 per reactor year and therefore did not show up as a dominant l containment failure mode in the PRA.

l l

If active core heat removal systems (containment sprays and/or fan coolers) are '

unavailable, the steam addition will pressurize the containment to the point of failure.

MAAP calculations for FCS showed that the availability of one train of a containment heat removal system (sprays or fan coolers) will be sufficient to control containment l pressure well below the ultimate failure pressure threshold. j Overpressurization in the presence of non-condensibles was also evaluatM. The maximum amount of non-condensibles to be evolved durir.g the concrete thermal decomposition was found to yield about 1100 lbm-moles of hydrogen and about 2000 ,

Ibm-moles of carbon dioxide. These non-condensibles and uncombusted hydrogen l produced during oxidation of total core zircaloy inventory and total containment aluminum inventory (from fan coolers) were calculated to raise the containment pressure to 75 psia. Therefore, a concrete attack scenario sufficient to fail the containment via overpressure was not considered credible.

Because of the following FCS features, basemat penetration scenario for FCS was considered to be relatively benign:

• Low core power level (1500 MWt)

• Large reactor cavity floor area

• Passively flooded cavity following a variety of core melt scenarios

• 13-feet thick basemat .

l Fort Calhoun Unit 1 Back-End 15 May 1996

'L

_ . _ _ . . .~ _ _ _ _ _ . _ _ _ _ _ _ _ _ _ _ _ _ . . __ . . . _ _ _ . _ . _

ll I

I I Wet cavity sequences comprised greater than 90 % of all core melt scenarios that did not bypass containment. The remaining dry cavity sequences were expected to result in basemat melt-through within several days to a week following the initial corium concrete attack. However, as noted in section 2.2.3 of this report, the dry cavity sequences were found to initiate from SGTRs and were categorized as containment isolation failures in radiological release chancterization.

The late hydrogen bum issue was addressed by considering combustion of hydrogen equivalent of 130 % oxidation of the corewide zirconium. Without early burn or DCH occurring 2000 lbm of hydrogen was calculated to burn which was limited by oxygen

! availability in the containment. The resultant pressure generated was 205 psia which had a probability of containment failuit of 0.25.

In addressing phenomenological issues applicable to FCS, the IPE team has extensively used previous work including experiments, and extensive descriptions of phenomena are presented in the submittal.

W Dominant Contributors Conciatency with IPE inciehts.

Tables 3 and 4 below show SCIENTECH comparisons of the FCS conditional .

containment failure probability with the results of other IPEs and Zion /NUREG-1150. l The CDF for FCS is in the mid range of the values shown in the tables; the FCS containment failure probabilities are in line, except the following, with those of the other plants:

l

• Several plants have zero probability of early containment failure; IPEs of these plants used phenomenological issue papers to address severe accident issues and J

found that early containment failure would not be a threat to each of the containments.

• FCS has comparatively higher probability of isolation failure, with the exception of Diablo Canyon. The major reason was that the FCS IPE team categorized SGTR as isolation failure.

W Characterivation of Containment Performance.

The FCS IPE team used CETs to characterize containment performance under severe accident sequences. The CETs and associated support logic models (SI.Ms) were quantified using the CAFTA GTPROB module. The six CETs were converted to three master CET fault trees, one for each core melt timing clas: (early, delayed, and late).

The top event on each of these fault trees was defined as " Release Occurs." 'Ihis event was defined as an OR gate with proper release classes (CET endpoints) as the first level inputs to this event. The logic for each release point element was defined based on the I path through the corresponding CET for that release class and the SLMs. These mojels Fort Calhoun Unit 1 Back-End 16 May 1996

.- .. - . _ .. . _ , - - - . - ... _.. _ ~ . _ . . . . _ . - -

[

l j Table 3. Conditional Containment Frilure Pavbability During Mission Time (Percent)

CDF Early Late Isolation l Study per rx yr Failure Failure Failure Intact l Bypass l Diablo Canyon IPE 8.8E-5 4.6 45.2 1.8 7 41.4 I Mame Yankee IPE'

• 7.4E-5 8 48 2.1 43 Palo Verde IPE 9.0E-5 10 14 4 0' 72 l

Kewaunee IPE 6.6E-5 0 0 8 0.023 92 l' Zion IPE 4.0E-6 0 5 30 2 63 t

! Haddam Neck IPE 1.8E-4 0.18 54 6.5 0.5 39 Point Beach IPE 1.0E-4 0 0 6.1 0.031 94 Farley IPE 1.3E-4 0 3.1 0.36 0.06 96.4 i Zion /NUREG-1150 6.2E-5 1.5 25 0.5 na 73 San Onofre IPE 3.0E-5 0 9.4 6.7 0.07 83.8' '

Vogtle IPE 4.9E-5 0 0 3.4 0.4 96.2 Callaway IPE 5.8E-5 0.2 52.8 2.0 0 45.0 Fort Calhoun IPE 1.4E-5 1.6 28.0 5.4 5.l' 59.8 Bypass and isolation combined na Not available s Values do not add to "100*

Probability is less than 0.001, conditional on core melt includes MCCI basemat penetration failures includes SGTR ,

i l i l

Fort Calhoun Unit 1 Back-End 17 May 1996

l Table 4. Conditional Containment Failure Pmbability Beyond Mission Time (Percent)

CDF Early Late Isolation Study rx yr Failure Failure Bypass Failure Intact Diablo Canyon IPE 8.8E-5 4.6 66.6 1.8 7 20

• 43 Maine Yankee IPE' 7.4E-5 8 48 2.1 l

Palo Verde IPE 9.0E-5 10 14 4 0' 72 Kewaunee IPE 6.6E-5 0 49 8 0.023 43 i

Zion IPE 4.0E-6 0 5 30 2 63 Haddam Neck IPE 1.8E-4 0.18 54 6.5 0.5 39 Point Beach IPE 1.0E-4 0 17.4 6.1 0.031 76.6 Farley IPE 1.3E-4 0 96.2 0.36 0.06 3.3 l

Zion /NUREG-1150 6.2E-5 1.5 25 0.5 na 73 San Onofre IPE 3.0E-5 0 9.4 6.7 0.07 83.8' {

Vogtle 4.9E-5 0 76.1 3.4 0.4 20.1 Callaway IPE 5.8E-5 0.2 52.8 2.0 0 45.0 f Fort Calhoun IPE 1.4E-5 1.6 28.0 5.4 5.1* 59.8 l

• Bypass and isolation combined na Not available Values do not add to "100" Probability is less than 0.001, conditional on core melt includes MCCI basemat penetration failures includes SGTR 1

1 Fort Calhoun Unit 1 Back-End 18 May 1996

j l

o l

I i

I I

were sequentially solved for all of the PDSs using GTPROB and the PDS dependent basic l event probabilities (listed in table 4.6.2 of the submittal). l l l Overall, the containment remained intact 59.8 % of the time following a severe accident. l l Consequently the containment failed 40.2 % of the time for these sequences. The

! percentage of intact containment without accompanied vessel breach occurring was 1 26.0 %. )

l ,

l Following were the contributions for 40.2 % of the containment failures (alpha mode fMure and basemat melt-through failures were negligible):

• Late containment failure 28.0 %

• Bypass (interfacing systems LOCAs - 4.9 % and SGTR - 0.5 %) 5.4 %

• Containment isolation failure 5.1 %

(isolation valve failure - 0.13 % and SGTR - 5.0 %)

• Early containment failure 1.6 %

Late containment failures at Fort Calhoun are dominated by containment overpressure.

Early containment failures at Fort Calhoun are dominated by hydrogen burn, DCH, and ex-vessel steam explosions.

l The submittal notes the following on the above results (section 4.7.2.4, pages 4.7-40 and l

4.7-41):

• Almost 60 % of the core damage equences would result in intact containment which was facilitated mainly from the FCS design which 1) provided redundant means of long-term containment heat removal and 2) was sufficiently robust in its plant performance characteristics and containment strength ta benefit from power recovery.

• Containment failure sequences were dominated by late containment overpressure failure which are associated with the level 1 finding that a large fraction of accident scenarios which resulted in core melt also disabled the containment heat I removal system. This combination would occur for all unrecovered station blackout scenarios, and core melt scenarios with complete loss of either Raw i Water or CCW. l

• The low conditional early containment failure probability was a consequence of the high containment pressure capacity and robust reactor cavity. Detailed structural analysis performed on FCS Unit I showed that the median failure l strength of the FCS containment was greater than 3.5 times the design pressure compared to typical PWR dry containment capacity values of 2.5 to 3 times the design pressure. At the FC.S ultimate pressure levels, containment overpressure scenarios caused by either hydrogen burn or DCH posed a small containment I

threat. Also, steam explosion threats associated with failure of the reactor vessel 1

[ Fort Calhoun Unit 1 Back-End 19 May 1996

1 I

lower head in the presence of water also posed a small threat to containment integrity.

• Basemat melt-through could occur during transients with dry reactor cavity conditions which were possible only during the sequences that deposited reactor inventory outside the containment building. This would occur for both ISLOCAs and SGTRs which were categorned as early containment releases; therefore, late containment failure was not considered. By assuming that 50 % (or more ) of the '

SGTRs were successfully isolated just before full inventory depletion, the IPE -

team calculated that containment isolation failure would reduce to 3.5 % and the

,, basemat melt-through containment failure would increase to 2.2 % of the overall CDF.

114 Imoact on Equipment Behavior.

The submittal notes the following with reference to impact on equipment behavior (section 4.1.2.7, pages 4.1-29 and 4.1-30, reference 1):

An engineering analysis (EA-FC-9226) was done to determine the ability of instrument and power cable to withstand extreme temperature. The cables are rated from the manufacturer to be able to survive 100 hours0.00116 days <br />0.0278 hours <br />1.653439e-4 weeks <br />3.805e-5 months <br /> at 266 oF. Testing was also done to determine that cables could withstand 700 oF for a short period of time such as would occur with hydrogen bum.

The licensee response to the staff's RAI notes the following pieces of primary equipment / components necessary to mitigate the radiological consequences of a severe accident: .1) containment penetrations (electrical and mechanical), and 2) containment heat removal equipment (containment sprays and containment fan cooler units). FCS penetration seals were found to survive for sequences where containment failure was not otherwise expected.

Operation of either the containment spray system or the fan cooler units was essential to ensure containment integrity following a severe accident. For the containment spray system, the spray valves and pumps were located c%ide the containment and therefore were not subject to harsh environments.

'Ihe fan coolers were recirculation heat exchngers located within the containment. FCS l had two containment cooling units and two containment cooling and filtering units. I 2.3.5 Uncertainty and Sensitivity Analysis.

The IPE team performed sensitivity studies on the effects of the following on the back-end results (section 4.10):

Fort Calhoun Unit 1 Back-End 20 May 1996

ll

• RCS depressurization before vessel breach

• External vessel cooling and debris retention within the reactor vessel

• Ex-vessel steam explosions and rapid steam generation

• Containment integrity

• Hydrogen burn prior to vessel breach

• No recovery of offsite power (i.e., no recovery of containment heat removal or containment sprays)

Of these, the effect of no recovery of offsite power was found to have the greatest impact on the back-end results. For this case, the conditional probability (given core melt) that the containment is intact decreased by 33.0 % and the conditional probability of late containment failure increased by 32.8 % from the base case.

For all the other sensitivity studies, changes were not dramatic, even with large variations in basic event values. For example, by increasing the conditional probability of an ex-vessel steam explosion occurring, given vessel breach to a value of 1.0, the conditional probability of early_ containment failure increased by only 2.2 % and that of late containment failure decreased by only 0.94 % from the base case.

2.4 ' Reducing Probability of Core Damage or Fission Product Release 241 Definition of Vulnerability.

The licensee response to the NRC staff's RAI provides the following information (response 32, reference 2). The IPE team retained all the sequences that met the guidelines in NUMARC 91-04. In performing the containment performance analyses, the IPE team coupled all retained core damage sequences with the containment safeguards sequences to generate PASS. They mapped all PASS with a frequency of greater than or equal to IE-9, or which covered potential vulnerabilities, into PDSs. They mapped all PDSs into release classes by being propagated through the CET. The IPE team used all release classes with frequency greater than 5E-10 in the calculation of risk. The IPE team reviewed the retained release classes for potential containment vulnerabilities. They found no severe accident vulnerabilities unique to the plant.

2.4.2 Plant Imorovements.

The plant improvements related to the IPE involved with the front-end analysis (table 6-2 of the submittal). l 2.5 Responses to CPI Program Recommendations As a result of the Containment Performance Improvement (CPI) program, recommendations were made for consideration by licensees as part of the IPE process.

'Ihese recommendations were identified in Generic letter 88-20, Supplement 3. The recommendation applicable to the FCS is as follows:

Fort Calhoun Unit 1 Back-End 21 May 1996

- - _._ - _ - - . - . ~ . __- -. . - .. - -. . - - . - - - - . - .-

h a ,

)

Licensees with dry containments are expected to evaluate containment and equipment vulnerabilities to localized hydrogen combustion and the need for

improvements (including accident management procedures) as part of the IPE.

i In response to the NRC staff's RAI, the licensee notes the following (response 39, j l reference 2): l

- l

The containment structure was walked down and prints were reviewed to l determine if there were hydrogen " pockets" where hydrogen could cause  !

?

equipment needed for accident mitigation to be damaged. No vulnerabilities were  !

found, i.e., no pockets were found where damage to equipment would occur.

2.6 IPE Insights, Improvements, and Commitments t 1

] Following were the insights gained by performing the FCS IPE:

, No severe accident vulnerabilities associated with FCS had been found.

• The safety injection and containment spray pumps were installed in large rooms rather than companments. The pumps were therefore capable of operating for an extended period without heating, ventilation, and air conditioning. i l

The transfer of safety injection and containment spray systems from the injection I mode to the recirculation mode was accomplished entirely from the control room.

No human actions outside of the control room were required.

High pressure safety injection, low pressure safety injection, and containment spray pumps required cooling water only in the recirculation mode. Cooling water was not required in the injection mode.

The high pressure safety injection pumps took suction directly from the containment sump in the :ecirculation mode. Intermediate booster pumps were not required.

• FCS was a relatively compact plant. Areas outside the control room in which human actions would be performed could be reached quickly and easily. This increased the probability that an action would be successfully performed within the allowable time period.

• Raw water served as a manually-aligned backup to component cooling water for the shutdown cooling heat exchangers, containment cooling units, safety injection j

and containment spray pump bearing coolers, and control room air conditioners.

l l

Fon Calhoun Unit 1 Back-End 22 May 1996 a

I i

i

• FCS used air-operated valves for many applications compared to the generally ,

used motor-opented valves. Generic data showed that the failure probability for J

air-operated valves was lower than that for motor-operated valves. In addition, the air-operated valves nonnally failed to their accident positions, reducing the vulnembility to station blackout. For example, nonnally open containment )

4 isolation valves typically failed closed upon loss of air or loss of power. l l

.

• The FCS large dry containment design provided adequate capability to mitigate severe accidents. No unusually poor containment performance had been found.

i

!.

• Flooding of the reactor cavity allowed for retention of corium within the reactor ,

cavity for about 26 % of PDSs. Successful cavity floodmg reduced short tenn  !

, containment failure due to HPME and reduced radiological releases from the  !

j reactor coolant system. This lessened the impact of DCH.

l

i i For situations where the reactor vessel lower head failed, the ability to flood the reactor cavity pmvided for ex-vessel cooling of corium on the cavity basemat.

4 The large FCS basemat and low core power resulted in a high likelihood that overlying water would cool the corium debris.

i ,

j

• As a result of the high strength of the FCS containment, the conditional )

probability of early containment failure (given core melt) was relatively low (1.62  !

%). 'Ihe most significant early containment threats were associated with hydrogen burns following vessel breach and steam explosions in the reactor cavity.

i

• A key feature of the FCS containment design was that for about 75 % of the accident sequences, the reactor cavity was flooded with water. This decreased the

likelihood of reactor vessel failure (due to ex-vessel cooling) and resulted in lower

releases (due to retention of fission products by the water) compared to vessel failure with the core falling on a dry cavity floor.

i

A diesel-driven fire pump, independent of plant support systems,.was available for ,

long-term makeup to the emergency feedwater storage tank. This pump could l also serve as a backup to the raw water system for the purpose of cooling the component cooling water system. j i

• The architectural design of the reactor cavity and the drains in containment lead to I ex-vessel cooling of the reactor vessel for all no-interfacing LOCAs and prevented I or delayed vessel breach.

• The containment ultimate pressure analysis detennined that the failure pressure was more than three times the design pressure.

]

• The pathways from the reactor to the rest of containment is tortuous, and corium could not have contact with penetrations that could breach containment integrity.

a Fort Calhoun Unit 1 Back-End 23 May 1996

l 4

i

• In containment, both the fans and the sprays had the ability to cool the containment atmosphere independently. This redundant cooling was important for ,

containment integrity and equipment opembility.  !

1

• The thickness of the basemat of 13 feet was in excess of what was required to prevent the core from melting through the containment.

I j

• FCS was equipped with a hardened vent for potential use in hydrogen purge l t

activities, This venting was not proceduralized; however, during a severe iT~ accident, the hydrogen vent could be used as a mechanism to guarantee containment integrity and establish a controlled release.

4 l

i i

4

)

i Fon Calhoun Unit 1 Back-End 24 May 1996 9

'[

1 i

i 4

l

[

L j 3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS

[;

! ne IPE submittal notes the following on back-end results:

i

• Almost 60 % of the core damage sequences would result in intact containment l' which was facilitated mainly from the FCS design which 1) provided redundant 4

means of long-term containment heat removal and 2) was sufficiently robust in its j l plant performance characteristics and containment strength to benefit from power l recovery. j i i

• Containment failure sequences were dominated by late containment overpressure

~

failure which are associated with the Level 1 finding that a large fraction of l

accident scenarios which resulted in core melt also disabled the containment heat  ;

l removal system. This combination would occur for all unrecovered station i

~

j blackout scenarios, and core melt scenarios with complete loss of either Raw ,

Water or CCW.  !

! i

• The low conditional early containment failure probability was a consequence of l the high containment pressure capacity and robust reactor cavity. Detailed j

' structural analysis performed on FCS Unit I showed that the median failure I j strength of the FCS containment was greater than 3.5 times the design pressure

compared to typical PWR dry containment capacity values of 2.5 to 3 times the ,

I i design pressure. At the FCS ultimate pressure levels, containment overpressure l scenarios caused by either hydrogen burn o." DCH posed a small containment j threat. Also, steam explosion threats associated with failure of the reactor vessel  ;

i lower head in the presence of water also posed a small threat to containment )

integrity. I i

j

• Basemat melt-through could occur during transients with dry reactor cavity ,

conditions which were possible only during the sequences : s t deposited reactor

inventory outside the containment building. This would occur for both ISLOCAs l and SGTRs which were categorized as early containment releases; and therefore, l late containment failure was not considered. By assuming that 50 % (or more ) of

! the SGTRs were successfully isolated just before full inventory depletion, the IPE

{ team calculated that containment isolation failure would reduce to 3.5 % and the i basemat melt-through containment failure would increase to 2.2 % of the overall j CDF.

l The FCS IPE submittal contains a substantial amount of information with regard to the recommendations of GL 88-20, its supplements, and NUREG-1335. The submittal appears to be complete in accordance with the level of detail requested in NUREG-1335.

3 The methodology used to perform the IPE is described clearly in the submittal. He i approach taken, which is consistent with the basic tenets of GL 88-20, Appendix 1, is i also described clearly along with the team's basic underlying assumptions. The important i i l Fon Calhoun Unit 1 Back-End 25 May 1996 j k

I plant infonnation and data are well documented and the key IPE results and findings are well presented.

l The IPE team found no severe accident vulnerabilities unique to the FCS. They identified no inck-end plant improvements.

I 1

1 l

i l

i l

l 1

l l

1 l

i l

l t

l '/ ort Calhoun Unit 1 Bac't-End 26 May 1996 lc

4. REFERENCE 9

1. Omaha PU'olic Power District " Fort Calhoun Station IPE, Final Report,"

December 1993.

2. Omaha Public Power District " Response to Request for Addidonal Information on ,

Fort Calhoun Station IPE Submittal," November 1995.

3. Oracle Corp., "SQL* FORMS Designers Reference," 1986.

. 4. Swanson Analysis Systems, Inc., Houston, PA, "ANSYS-PC/ LINEAR Reference Manual," 1987.

l i

Fon Calhoun Unit 1 Back-End 27 May 1996 e.

ll l.

Appendix IPE Evaluation and Data Summary Sheet PWR Back-End Facts Plant Name ,

Fon Calhoun Unit 1

! Containment Type l

1 Large, dry i

Unique Containment Features

• A diesel-driven fire pump, independent of plant support systems, was available for long-term makeup to the emergency feedwater storage tank. His pump could also serve as a backup to the raw water system for the purpose of cooling the component cooling water system.

• De architectural design of the reactor cavity and the drains in containment lead to ,

ex-vessel cooling of the reactor vessel for all non-interfacing LOCAs and prevented or delayed vessel breach.

• The pathways from the reactor to the rest of containment is tonuous, and corium could not have contact with penetrations that could breach containment integrity.

• In containment, both the fans and the sprays had the ability to cool the containment atmosphere independently. This redundant cooling was imponant for containment integrity and equipment operability.

• The thickness of the basemat of 13 feet was in excess of what was required to prevent the core from melting through the containment.

• FCS was equipped with a hardened vent for potential use in hydrogen purge l activities. This venting was not proceduralized; however, during a severe accident the hydrogen vent could be used as a mechanism to guarantee I containment integrity and establish a controlled release.

Fort Calhoun Unit 1 Back-End A-1 May 1996

.p

I Unique Vessel Features Similar to other early Combustion-Engineering designs, FCS reactor vessel was ,

amenable to external cooling because top-mounted instrumentation designs resulted I in a penetration-free and instrumentation-free lower head. Rus, submergence of I the reactor vessel lower head would be expected to better survive the corium attack-external vessel cooling process.

Number of Plant Damage States l 45 l

Ultimate Containment Failure Pressure l 215 psig (median or 50th percentile value)

Additional Radionuclide Transpon and Retention Structures Release mitigation by auxiliary building is credited Conditional Probability that the Containment Is Not Isolated

]

0.00056 (mainly from SGTRs)

Imponant Insights, Including Unique Safety Features

• Flooding of the reactor cavity allowed for retention of corium within the reactor cavity for about 25 % of PDSs. Successful cavity flooding reduced short-term containment failure due to HPME and reduced radiological releases from the reactor coolant system. This lessened the impact of DCH.

• For situations where the reactor vessel lower head failed, the ability to flood the reactor cavity provided for ex-vessel cooling of corium on the cavity basemat.  ;

ne large FCS basemat and low core power resulted in a high likelihood that  !

overlying water would cool the corium debris.

• As a result of the high strength of the FCS containment, the conditional probability of early containment failure (given core melt) was relatively low (1.62

%). The most significant early containment threats were associated with hydrogen j burns following vessel breach and steam explosions in the reactor cavity.

• For about 75 % of the accident sequences, the reactor cavity was flooded with water. his decreased the likelihood of reactor vessel failure (due to ex-vessel cooling) and resulted in lower releases (due to retention of fission products by the 4 water) compared to vessel failure with the core falling on a dry cavity floor.

I Fort Calhoun Unit 1 Back-End A-2 May 1996 p

I I )

Implemented Plant Improvements l No back-end plant improvements are considered C-Matrix  !

C-Matrix can be generated from the information provided in table 4.8.2-4, pages 4.8-19 through 4.8-22 of the submittal.  ;

6 l

1 i

l l

l l

l l

I I

i I

I Fort Calhoun Unit i Back-End A-3 May 1996 f

DilAFT STANDARD REVIEW PLAN USE OF PRA IN REGULATORY ACTIVITIES

YABLE OF CONTENTS INTRODUCTION 1 ROLES AND RESPONSIBILITIES 1 L AREAS OF REVIEW 3 IL ACCEPTANCECRITERIA 7 Ill GeneralGedence 7 IL2 Cntens for the Charactenraten of Channe (Element 11 8 IL3 Cntene for Determnsac Evalustums (Element 21 9

11.4 Criteria for Probabikste Evaluebens (Element 319

11. 4 . 1 Required Scope of Analysis 11 IL4.2 Required Level of Detail 12 IL4.3 Acceptance Criterie fa Quality Ior a PRA for Use in Risk Infenned Regulation 12 IL4.4 Cnteria for the Analysis of Model Uncertainties 13 i ILS Critoria for the implementation and Monitorina Processes (Element 4114 i

IL6 Criteria for intenrated Decision Makina (Element 5115 IL6.1 Criteria for Acceptable Risk Impact from Proposed Applications 15 ll.6.2 Criteria for Assuring Defense in Depth 16 j IL6.3 Criteria for Assuring Risk Balance 17 IL6.4 Criteria for Consideration of Cumulative and Synergistic Effects from all Applications 18 IL6.5 Integration of Deterministic and Probabilistic Considerations 19 j a

lit. REVIEW PROCEDURES 22 ,

l IILI GeneralGedance 22 ilL2 Evalustien of the Characterization of Channe 22 111. 3 Evaluston of Determastic Information 26 111. 4 Evaluecen of Probalukste Infermetion 28 IlL4.1 RequiredScopeof Analysis 29 lIL4.2 Required Level of Detail 30 llL4.3 PRA Dushty 31 IIL4.4 Evaluation of Medal Uncertainties 34 IIL5 Evaluation of the imolementation and Monitorina Stratenies 35 llL6 EvaluaDen of the Inteersted Decmen Melunn Process 36 IIL6.1 Evaluation of the Acceptance of Risk Impact 36 IIL6.2 Evaluation of Defense in Depth 37 IIL6.3 Evaluation of the Required Risk Balance 39

j lll.6.4 Evaluation of the Cumulative and Synagistic Effects from all Applications 40

• 111. 6 . 5 Integration of Detwministic and Probabilistic Considerations 41 IV. EVALUATION FINDINGS 44 l

IV.1 General 44 IV.2 Characterization of Channe 45 IV.3 Det..._._'_+c Evaluations 45 IV.4 ProbsMstic Evolvetions 45 IV.4.1 Scope of Analysis 45 IV.4.2 Levelof Detail 46 IV.4.3 Quality of the PRA 46 IV.4.4 Analysis of ModelUncertainties 46 IV.5 ' cl- _i. tion and Monitorina Processes 46 IV.6 Intearated Decision Makina 47 IV.6.1 Acceptable Numerical Riskimpact 47 IV.6.2 Maintenance of Defensein Depth 47 IV.6.3 Maintenance of Risk Balance 47 IV.6.4 Cumulative and Synergistic Effects from all Applications 47 IV.6.5 latogration of Deterministic and Probabilistic Considerations 48 V. IMPLEMENTATl0N 49 VI. REFERENCES 49 Appendix A Illlissellessees Prebebilistic Evelesties lesseeA 1 A.1 Use of Plant Specific DataA 1 A.2 Trunestion limits UsedA 3 .

A.3 Determination of Success CriterisA 5 A.4 Modelma of Common Cause FailuresA4 j A.5 Modeline of Human ReliabilityA 10 A.6 Reevirements for a livina PRAA 12 Appendix B Expert PenellesseeB 1 B.1 Use of an Exnert PanelB 1 B.2 Exnert Panel ProcessB4 B.3 Use of Exnert Panet to Dvercome Potentiallimitations of the PRA ModelB-5 B.4 Use of Exnert Panel for Treatment of SSCs not Modeled in the PRAB-B B.5 Use of System-tevel or FunctionalimportancesB 11 Appendix C Determinaties of Risk Importnese of CentribetereC 1 ,

l i

I 1

i i

i i

! E

! STANDARD REVIEW PLAN

USE OF PRA IN REGULATORY ACTIVITIES j 19.0 GENERAL GUICANCE l

1 i BITRODUCTION

! The pwpeens of this standard review plan (SRP) are to identify the roles and responsibilities of organizations in the NRC that participate

! in riekkformed reviews of regulated activities and provide general gedance to the NRC staff for evolustag information from a plant Jpecific probalubsts risk assessment (PRA) subetted for staff review. The SRP identifies the types of information, that may be used in l.

each activity and provides general guulence on how the information from the PRA can be comluned with other portment information in

the process of melung a regulatory decmen The gudence in this document is a logical artenmen of current NRC policy on the use of PRA in reguistery activities which is documented in the staff's PRA policy statement and PRA implementation plan trefwences 1,2 and 31. In developmg this document, the staff has canadored the relevant industry gudence documented in Refwence 4 and the idRC regulatory guide on the use of PRA in risk 4nformed regulatory appbcations, Regulatory Guide DG 1061 (Reference 51. Throughest this document, reference will be made te other SRP chapters which provide detailed guulance tw the review of speedic applications of PRA in regulated activities.

Risk informed decmen melung wiR be bened on the feRowing approach. The PRA enslyses should be uniussed (i.e., not deliberately conservative), and should address mem6 cant uncertainties. Results of these risk analyses wiR be one of severalinputs to the decmon process that evaluates mergin in plant capalulity Iboth in physical performance and in redundancyldiversity). The decimen process should supplement risk results with canaderation of defense in depth as e means of addressing issues of l--n2 -inriskmodalmg Risk analysis wiR inform, but wiR not determine regulatory decaens.

ROLES AND RESPONSIBILITIES Depoming on the techacel netwo of a licensee's request, an appropriate techocal review branch in NRR wiu serve es the primary review bronch; and as such, has evereR reopensdulity for leadmg the techocal review, drafting the staff safety evaluation report (SER) er other reguistory document, and coordinating inputs from other technical review weenizations. The reopensbilities of specific review organizations that will normally play a role in reviewing risk /mformed proposals ardisted below.

The Probabdists Safety Asessement Branch (SPSB) has primary reaper,sibility for review of the PRA information subetted by the bconsee meludag: the overall scope, level of detail and quality of the PRA: the acewacy and completeness and of au level 1 PRA (front endlinformation: the adequacy and appropriateness of the PRA fw 9ach particular application: and the select on and application of numencal docuen criteria. Support for the review in the eres of system medehng is provided, as needed, by the technical review branch in NRR that is reopenable for the review of information regardag the system. Support in reviewing the selecten of PRA scope and level of detailis provided by the leed NRR techocal branch for the PRA application (e.g., the Mechemcel Engmeering Branch for insonnce Testing).

The Reacter Systems Branch (SRXB) provides support to SPSB as necessary in the aron of acculent c,ce modeling, including treatment of reactivity and thermel hydraulic phenomena (e.g., criterie for avoiding core molt), the implementation of emergency operating precedwes and aimermal operating pre:edures and system reopense, and issues regarding operations when the plant is in a shutdown condmen.

The Contamment and Severe Acculent Branch (SCS8)has primary reopensibility for review of the accwacy and canpleteness of sillevel 2 PRA information sulmutted by a licensee in support of a request for regulatwy action.

I t

The Emernener Preswedness and Radiation Protection Branch (PERB) has primary responsibility for review of the accuracy and cornpleteness alllevel 3 PRA information submitted by a licensee in support of a request for regulatory action.

l The Office of Research (RES) At the request of NRR, RES provides technical support to primary review branches in NRR in areas involving millevels of PRA.

I The Office for Ansivsis and Evaluation of Operational Data (AE00) conducts system reliability studies and compiles genwie and plant specific data on the frequency of initiating events, common cause failures and human wrors from operating experience. This information is available to reviewers and can be used for independent verification of data used in PRAs subnutted by licensees and applicants. In i l

addition, AE00 conducts the Accident Sequence Procursor Program which is used to screen operating reactor events for safety significance. Information from this program should be used when reviewing applications which involve PRA assessments of reactor events, e.g., enforcement issues.

l

)

1 I

i 1

I

\

l

. _ _ _ _ _ _ _ _ _ _ _ . . _ _ _ _ . _ _ . _ _ _ . _ - _ _ _ _ . . _ _ ~ _ . . . _ _ _ _ . . _ _ _ _ . _

I. AREAS OF REVIEW f

4

The NRC's PRA implementation Preyam plan (refwence Ilidentifies a wide scope of regulatwy activites for which PRA can play a rele.

! This scope includes actness which require NRC review and approval and other activities which are considered intwnal to NRC and i affect licensees and appbconts in a less direct manner, e.g. genene issue prioritization. This Standard Review Plan chapter deals only with those actnnes subnutted fw NRC review and approval for which the staff has concluded PRA can play a role in the decision maldng

]

process. General review swdence for applicable activities is presented in this SRP. In addition, application-specific SRP chapters are j avadable to prende more detailed godence for several actnnes. Cwrently, these include

1 Changes to suewed outage times (A0T) and survedlance test intervals (STI) in plant specrhc techmcal specifications:

j

! Changes in scope and frequency of tests on components in a licensee's insernce test (IST) program; Changes in scope and frequency of inspectens in a licensee's insernce inspecten (ISI) progrant l

t i Grading of activities in the licensee's quality assaence (QA) proyant 4

in addition to the above, other activities which could involve a risk-informed deciwon melung process include:

! Safety evolustans regarding plant specific design issues and plant specific backfit evaluations:

Justification for centmued operation proposed by licensees in light of non-conforming conditions:

Techocal bases supportag notices of enforcement discretion:

Review of a design-specific PRA subnutted per secten 10 CFR 52.47 of the regulations; Interated esessement of youps of plant modifications which taken together result in e not decrease er no not increase j in risk.  !

Review guidance provided in this SRP apohes to all risk-informed application sulmuttels and supplements application-specife SRPs whwe l these exist. AN provisions in this SRP s ply to all applications except where en :

• f_.. , A SRP specificacy indicates otherwise.

The scope of the staff review of a risk intweed application wil be specific to the application itself. However, this scope should include the review of a six element approach as suggested in th6 general Reg Guide for risk informed deciwen melung (Reg Guide DG.1061, refwence 11. The stess of review for each of these elements are discussed below. Alternatives to this sixelement process may be acceptable if the reviewer can determine that an equivalent approach (i.e., addressing both deternumstic and probelulists risk issues) has been subnutted.

Element 1 - Characterization of the proposed regulatory change For this element, the revieww should look at the netwo of the proposed change and how this change is to be modeled in the PRA. To accomplish this, the revieww has to identify the elements of the PRA on which the proposed change is expected to have an impact, and to develop appropriate methods of mappeg the impact of the change onto those PRA model elements.

This would lead to e defunten of the determanc and probabdiste engmeenne evaluations needed to support the change. The reviewer should verify that licensee evaluation methods wwe supportable by available information, and that the plant PRA and the determasts analyses are capable of reflectag the impact of the changes. ,

Element 2 Conduct of a deternumste ensmeenne evaluation of the proposed change i

The reviewer should answa that the proposed changes do not unduly compromise the intent of the existing licensmg basis (NRC I requirements, licenses commitments, and plant specific design basial. Therefore, the scope of the review in this element should I

. . - . _ - - . . . .-- ~ .- . _ - ---- - - . - - - - . - _ _ _ - -

J l- '

. l

include cenaderation of the cwrent design basis and compliance requirements (including industry codes and standards, when )

relevant) and general design criteria. In addition, the maintenance of the defense in depth philosophy, balance between j preventen and mitigation, portment angmeenne data and analysis, plant operating exponence, and potential compensatory i nuesures are seasstel elements of the staff review and should be evaluated in tems of how they would be used to supplement

risk insights from a PRA.

1

\

l

Element 3 - Evaluation of the netwo of the centnbutie, of the proposed change to plant risk l

in this element the review should focus en the evalusten of the effects of the proposed changes en eqmpment functonality, j relehdity and evadabli

y and on the impset of these changes on plant risk. Cenaulerations should be given to the correct j application of the PRA in these areas.

i i As part of the review, the regarements of the PRA fw each appbcaten in terms of scope, level of detail, and PRA quality have -

to be addressed. In the wee of PRA quality, attention has to be paid to techucal issues like the modelag of success cntena,

j. commen esses failwes, and human releb6ty. Potentiallimitations of the PRA modelin tenns of tnmcation limits, screening

Maris used, analysis assumptions, modelag of initiating events, and modelmg of dynamic versus static plant configurations

sine have to be taken into account. The review of the PRA should be e focussed appbcatiendrected review on the specific

] centnbutors effected by the proposed changes.

i l Specificaly, the review should assess whether the PRA model is adequate in its coverage of the impact of the change. that is,

! whether elimpacts of the change are reflected in the model, or whether the degree a which the change can be reflected is f limited by PRA ecope er completeness issues. Recognizing any limitations impose by the scope er - f z of the PRA, 4

er recognizing any portens of the PRA that, by themselves, wiu model the propend change relative to plant risk, will establish l en appropriate scope of review and acceptance critain. This will also effectively identify whether the licenses scope of i analysis is appropriate, e.g., whether it is adequate to perform a relatively simple screening analysis; er a ranking analysis where SSCs er other plant elements am ranked relative to one another; er whether absolute or relative changes of risk l

menswes are to be evaluated in a dotaded fashion.

- FinaHy, staff actwines in this element should include a review of the modification of the PRA medals to reflect the cause+ffect

{ relationolups of the proposed change, and a review of the analyses requred for comparison with the acceptance criteria.

j Assessment of the robustness of analysis conclumens by the performance of appropriate sonstwity and uncertainty analyses j should ales be carried out as part of the licenses sulmettel.

In applications where component categoriration plays a role in the detensnation of acceptability of risk,i.s.,in cases where SSCs are selected for relaxed regulaton as a youp based on low risk contributions of the individual SSCs, the process used fer component categenration should be reviewed as part of this element.

1 I

Element 4 - Development of proposed implementation and perfwmance monitoring strategies Given that there may not be much svadable data en the rehabdity and evadalulity of SSC: under the proposed change to demon er operation, careful conaderation should be given to the proposed plan for implementation of the change and to performance I mestenne stretsgies for SSCs effected by the change. The review should answo that the processes will provide early in6cenen of falso soeumptions and provide criteria for taking actens based on results of monitoring efforts. As such, the review scope should be to ensure that the licenses proposed process for implementation and mestorme is adequate to account for uncertantes with regard to SSC perfonnance under the proposed change.

Element 5 - Determination of the acceptability of the impact from the proposed change l

As part of this element, the scope of the review wie include en evolustion of the process used to integrete probab6stic insights l with deternmuste cenadoretions to arrive at a final detennmotion of acceptability. The review of probab6stc results should include an asessement of: the change in risk from the application; the cumulative and synergistic effects from the cwrent and

l l l

all previous applications; the potential for creating new vulnwabilities or exacerbate pre existing vulnerabilities in risk; and the j potential for the erosion of nudtiple success paths.

The review of determuustic results should include an assessment of: the proposed change in light of existing regulations that is l part of the licensing basis; available and applicable detwministic engineering results; the consistency of current plant practices and operational data with that modeled in the risk analysis; and the implementation and monitoring strategias.

l

[ Finally, the review of the integration process should also include an evaluation of: the proper modeling of cause effect

! reistionsimps; the methods used for compensating potential PRA limitations; the treatment of components not explicitly modeled in the PRA; and the use of partial scope PRAs.

! j l

l Dement 6 - Documentation of the analysis and semittal of the request The review should determine if the subnuttal documentation is adequate for the staff to evaluate the acceptability of the proposed change. The availability of supporting documentation that is not part of the subnuttal should also bs a review conaderation.

1 i

i l

0 l

i 1

i

IL ACCEPTANCE CRITERIA l

Guidance criteria for the reviews of ,f f x in risk-informed regulation (RIR) era provided in the sub-sections baiew. Sub-section 11.1 documents general guidance entana. Sub secten IL2 documents the requirements needed for the characterization of a proposed reguistory edienge. Su sectens IL3 and IL4 provide general criteria for deternumste and probab6sts evaluations respectively. A quality PRA Iscope, level of detail, truncation, etc.lis central to all riskinfwmed efforts, and the general acceptance criteria for deteramme the quality of PHAs we included in sub-secten IL4. Criteria for the proper implementation of the proposed change end l criteria for mestorias of perfennance of eqmpment covered by the change are prended in sub-secten ILS. Finally, general criteria for the I

inteerstion of probabdste and deternumstic cenaderations lincludag the use of expert panels) are provided in sub-secten 11.6. The results from the integration wiu form the basis for potential risk 4nformed regulatory changes.

l Ill General Gedance To effectively review riekkformed regulation approaches, the staff must answo that the plant's current licenseg basis and actual operating condition and practices are property reftweted in the risk estnotes using the plant PRA model Otherwise, the risk assessment i may provide inaccwate or melse&ng information that will require corsful scrutmity before use in any regulatory decimoninalung process.

In order for the staff to make fmdags of acceptability reganing changes in regulatory requirements or postens, or previous licensou conuntments,liconeses must present bases which are built from a blend of deternumste and probalukste information. Specific types of deternunste and probalukste iniwmotion which should be included in sulmuttals we desenbod in secten 4 of Reg Guide DG 1031. Some general gudelmas and entaria for developmg an integrated basis for a fimling of acceptability are given below:

Assessmera s! risk importance should reflect not only results from PRAs but also detennustic evaluations such as test results, engmeenng analysis and operating exponence reviews; When risk insights from a PRA are used to quantify conservatism in engmallicenoeg basis analysis, the deternematic l

requirements that are effected G.e., being departed from) have to be characterited and re-analyzed to determine whether the original intent of the requirement is still being satisfied; l'RA results and conclumens have to be shown to be robust in terms of the analysis assumptions and uncertainties. Showing robustness does not necessarily mean carrying out uncertamty analyses but can enteil sensitivity analyses, beuming analyses, and engmeenng justifications:

When lack of completeness or uncertainties in the PRA models can effect risk infenned decmon malung, applicable determastm information er compensatory actions which can be shown to clearly reduce risk shall be used to asswa a conservative outcome:

Not changes in risk from risk informed applicatens should optimsHy reflect improvements in safety or be risk neutral Any proposed risk increase shal not exceed the criteria specified in Appendia B of Reg Guide DG 1061; Probaluists and deternumsts methods used to demonstrate the acceptability of proposed changes in requirements for certain SSCs should slee be apphed to identify changes where tightened centrols and evenmeht en other SSCs would improve safety, i.e., requirements and resowcas simuld be redirected from low risk importance centributws to high risk importance cantributors thereby schenne more balanced risk centribuJens.

The acceptability criteria and requirements for probaluliste and detenumstic evaluations in supportme regulatory deceen depends in part en the role each of these types of evaluations plays in the determination of the feel result. The riger required of the evaluation should be commenswate with the emphams placed en the use of the results to support tlw decmen melung process, in general, the results from PRA models will not be accepted as the sole basis for changes in regulatory practice. Rather, the results from such medals  !

must be supplemented with arguments based on other tradetsnal sowcas of godence, metalmg cenaderation of defense in depth and codified engmeenne standards.

Finally, reviewers should cenador whether er not a relief request is in any way centrary to en appleable code or standard. Generic j

~ . __ _ _ _ __ -

_ _ . . _ . _ - _ _ . _ _ . _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ . _ _ _ ~

requests which go agemst asisting codes or standards shouki not be accepted for review unless specific regulatory guidance for such applications Ls., a regulatory guide and standwd review plan has been developed.

IL2 Criteria for the C;-. -J2 of Chanas (Element 11 For a proposed regulatory change to be risk informed, the licenses has to be able to define the change in terms which are compatible with a PRA,i.e., the PRA has to be able to effectively evaluate er reelweceNy bound the effects of the ch6 age.

The cherecterusten of the problem has to include the estabishment of a cause effect reistionolup to identify pertens of the PRA effected by the issue being evaluated. This includes li)identdicotion of the speafic PRA contributors for the paracular application, (ii) en asessement of the pertens of the model which eheald be meddied tw the application, and (iii)identdication of supplemental tools and methods which could be used to support the appbconen. This wil establish criteria for the scope and level of detail of analysis required l for the remomme steps of the change process.

l lL3 Cntene for Deternumste Evalustens (Element 21

! General entene for deternumste evolustens are prevuled in Appendix A of Regulatory Guide DG 1061. In addicen, the application speedic regulatwy guides provide more speedic evaluations which we portment to each of the applications in questen.

In general, proposed diences have to be reviewed with regard to the current design basis, and it has to be shown that a change wiH not adversely affect the intent of the design basis. Enemaanne Ier other portment) analysis and dets have to be presented to identify the

! safety mergins or plant actnntes conducted to preserve those merges. If exemptions from regulations, techucal specsfication amendments, or relof requests are required to impisment the licensee's proposed riskkformed program, the appropriate requests should accompany the licensee's sulmuttal.

In addition, results from appropriate deteramiste engmeenne evaluations have to demonstrate that the proposed changes win not l

i compromise sound regulatory and engmeenne pnncqdes such as defense in depth, or compromise the belance between preventen and estigation. Changes that are found to compromise such pnncqdes or balance should either be simunsted from the scope of the proposed change or be packaged with appropriate compensatory menswas to mestam the defense in depth philosophy and the balance between prevention and mitigation. Datenomsuc information sowcas should include a cemlunsten of engmeenne analyses, plant and industry operational exponence, plant specdic performance history, and sound engmeenne iudgement.

IL4 Cntene for Probalulistic Evaluations (Element 3)

In this element a probabilistic risk asassament is parfstmed te evaluate the irvect of the prepond chenges en quantitative measurse of plant risk. Since the scope of these changes could include modificatens to plant SSCs, or modifications to testing, mestenance or other operational precedwes, the direct impact of the changes will be modeled in eqmpment funchenelity, rehalulity and sveilability, and in human error probaluktes.

The development of a plant speedic riskkformed program win require that infwmotion be svedeble to identify the application specific SSC:landler human accens) that centribute most memficantly to the plant's estimated risk. Components covered sher includr SSC: whose failwe could result in a plant trip.

Safety <sisted components that are relied upon to remain funenenal dwing and following design basis events or severe acadents to enews the integrity of the reacter coolant presswo boundary, the capabdity to shut down the reacter and maintain it in a este shutdown condition, and the capability to prevent er mitigets the consequences of acculents that could result in potential offsite expoews congierable to or in excess of 10 CFR 100 guulelmes, I Non-setety< slated structwas, systems, or canpenents that are relied upon to mitigate accidents or transients or are used in l

plant emergency operating precedwes; or whees failwe coedd prevent safetytaleted structwas, systems, or components from '

q ,

i .

l 4

i.

l fulfdeg their safety <eisted function: er whose failure could cause a reacter scram or actuation of a safety < elated system.

Human actens covered should include-thees that could directly result in an initiating event:

J sll pre auteter events that could result in the unavedab6ty of systems er components (e.g., restoration errors in retwning i systems or components to their normal state aftw the completon of meintenance or testing, and nascabbration strars of criticalinstrumentation); and i

j reopense and recovery postsitiater human events. Response actens melude these human actens performed in direct reopense to the acadent E.e., actans delmented by the E0Ps). Recovery actons inciale these human actens performed in

recovenas a failed er unavadelde system er component using avedsble procedwal guulance and plant tre.ining.

For each basic event directly affected by the proposed application. it is necessary for the licenses process to quantify the event using  ;

l models that captwo at the factanal,eletonslups between the appbcaten and the basic event. N offect of proposed changes en pwameters like commen cause failure probaluimos and operater errors of comnusmen must ales be addressed within the licenses process.

! In summary,in order for the PRA to support correct decaen melung, there must be good functional =epag between the

application speafic space and PRA model siements.

N results of the deternunaten of the cause-effect relatenslups between the proposed application and the PRA models win determine

{

the scope and the level of detail requred of the PRA to support the appbcation. Sub sectens IL4.1 and 11.4.2 6scuss these entena. In

]

i addition, since the quantstetmo results of the PRA we to play a mejor and direct reis in the deemen malung process,it has to be shown that the results are derwed frwi' quality" analyses. N criterie to help determine quality are 6scussed in sub section IL4.3 and else in l Appen6: A of this SRP. The entene for the analysis of PRA model uncertainties relative to deternenstion of risk impacts is provided sub

secten IL4.4. Finally, the issues related to the determination of risk contributionicomponent categorization are escussed in Appendix C l el this SRP.

5

. IL4.1 Resered Scese of Analvas N required scope of a PRA wiH depend on the specific application for which the PRA is intended. It i. not required for riskinformed

regulation that licensees submit level lli PRAs that treet sH plant operational modes and su initiators. Instead, when fur-scope PRAs are not evadable, licensees are required to shew that the needed findings are suppertable based on detennumstic, enqpneenng, or other plant

! eperationalintweetion that address modes and initiators not analyzed in the base PRA.

I j For each plant mede not analyzed in the PRA, and for each probaluksticaly memficant initiator in that mode, the licensee has to evolusta j the plant capelMhtes te respeed to that istister. These capabdmes can be descreed in tenns of systems, system trains,lunen actions, j etc. that provide some level of redundancy and 6versity. N iicenses must then slow that the ;= reposed change does not unacceptably I degrade that capability, that is, that redundancy and diversity stiN exist in the plant response capability, and that risk vulnerainimos are i not introduced by the changes.

l This issue is addressed acceptably it:

! ' The licensee addresses au modes and ag initistw types using PRA.

OR The licensee demonstrates that the appbcation does not unacceptably degrade plant capability and does not introduce risk i vulnerabdmes for any unanalyred plant modes and initiator types.

1-2 OR i ~

If the appbcaten potentisNy ingmets unanalyred plant modes and initieter types, the licenses-I

a) advances a suitably redundant and diverse plant response capability for all significant initiators in each mode (see the defense in depth criteria, sub section il 6.2, for redundancy and diversity attributes appropriate for particular initiating events);

and b) ensures that aH elements of the plant reopense capability are within the scope of progranunatic activities (IST, GQA,ISI, maintenance, monitoring, etc.) aimed at ensunne satisfactory safety performuce; and c) provides arguments that propeeed edienges do not introduce vulneralubties or remove elements of this capability from progranunene actmess aimed at enounne satisfactory safety performance; and d) provides a boundmg analysis en the change in plant risk from the application (e.g., by use of senestivity studies or use of partruen factwo as desenhed in Reg Guide DG 1061) l

11. 4 . 2 Reemired Levelof Detail Generally, the PAA has to be detailed enough to account for aR important system and operator f ; ' ifunctional, operational, and l

procedwal f:;M -1. SSCs that are being depended upon for more than one function should be modeled explicitly so that potential

%f - - wiH not be obscwed in the evaluation process. Initiating events caused by the less of support systems should be modeled in detail since the failwe of the SSCs that could lead to the initiating events could also result in failwe of functions that mitigate that event.

The usefulness of PRA results in riskinformed regulation is dependent eri the level of resolution of the modeled SSCs. A component level of resolution prevides inaghts et the component level. Hewever,if a PRA is perfenned at a system er train level, the insights of the PRA will be limited to the system er train level unless it can be demonstrated that component level inaghts can be bounded by system er train level effects. The direct application of PRA results will be limited to these SSCs that are exphcitly modeled as part of PRA basic events. i insights fw SSCs that are implicitly modeled li.e., screened out, assumed not important, etc.) shal only be used after additional l

canaderation (fw example, by an Expert Panel) of the effects of the proposed change en aR PRA assumptions, screening analyses and  ;

I boundery comistions.

IL4.3 Accestance Criteria for Quality for a PRA for Use in Risk-Infenned Reaulation 1

The basshne risk profile is used to model the plant's licenseg basis and operating procuces that are imertant to safe operation, and, by inqilication, areas in which suisting requirements can be relaxed without unacceptable safety consequences. Thus, this baseline risk profile provides an indication en how much relaxation may be appropriate. It is therefore essential that the PRA adequately reprpsent the l risk profile. To complement this,it is necessary not only to identify manificant risk centributors, but slee to identify these alonmits of the

~

! plant whose performance is respon& fu redd.g tt.s risk t s optable level:, and address thste e8--t: adswetely in licenses programmetic actmtes.

l Therefore, fw risk. informed regulation, the follow'ag criteria have to be satisfied.

Rossenable asswance of PRA adequacy: Requirements en PRA adequacy are justified by the important role played by the PRA in suppertas the decmen process. Cntene for the different quality issues tw the licensee's baseline PRA is provided in NUREG.1802 and ales in Appealix A of this SRP.

Robustness of results and conclueens PRA results and conciumens must be robust, and an analysis of uncertainties and l

senatutes have to be carried out to show this "rebustness". Sub esction 11.4.4 discusses criteria fw this in more detail l

Key performance elements are appropria'ely classfied and performance is backed up by licenses comnetments: PRA results are dependent en plant actmass. They reflect not only inherent device charactensbes but aise numerous programmenc actmess, such as IST,ISt GQA, and se on. Use of a PRA to justify relaxation of a requirement must therefere imply a conmutment to whatever programmetic activities are needed to maintain performance et the PRA. credited levels that served as f the basis for the proposed relaxation.

1

11. 4 . 4 Cntens for the Analveis of MedalU L _

The uncertsumes in the PRA results must be taken inte accost in the senseement of the risk impact and in the risk informed decmen

melung process. Hewever,if the risk change due to e proposed application can be verified to be conservative (i.e., e not risk reduc j no uncertemty estimates in the risk change we required.

j H the risk change is en increens and is cherecterned as best estimets, and if the mesmtude of the increens is ogsficant (10 percent er j poster) conyered to the aliewable change, then en apprepnote consdersten of uncertemtes must be included to demonstrate the rebamens of the rendis. This acertanty ensiysis shedd indede comedweinn of uncertemir dwiribuimas fw parameins and medds j

whid are used te quantify the appbcaten in questen. If performed, the analysis of uncertsumes should have the following attrilmtes:

It simuld reflect the data acertsumes associated with each parameter. A Monte Carle er Latin Hypercube model, or equmelent,is acceptable to esamste se overeR uncerteames from the distnheens semened to the iminndual premeters.

h should accout for model uncertaintes. There may be several alternets approaches to the snelysis of certain elements of the PRA model The licensee must document that the model that is used is acceptable es defmed by NUflEG 1802. In certain cases it may be namesary to perform senemvity analyses using etternste models to demonstrate the robustness of the conciumens.

'^

It should attanyt to address uncertainty that is seused by potannel = of the overeH PRA model. The liconese must address the lack of completeness either by demonstratag that the impact of the appbceton en the risk from the nasang parts of the PRA is bended se that the overaR inyect is acceptable, or by linutmg the scope of the applicanon to the SSCs fo which the ingset en risk can be evaluated.

H the increase in risk from e proposed application is smeN (10% or less) compared to the allowable change, then en acceptable alternati

[

to explot uncertemty propagenen is to show that events centnbutag to the change in risk ara est associated with memficant uncertainty. In order to argue this, the licenses must identify the application-specific events and the componestag events G.s., events i that occw in nunnel cutests along with these application specific events), and argue that none of these events is sesociated with menrficant uncertainty ler by performing senartmity onelyses to show robustness of results). For this purpees, e ogsficant un is a 7- - :- ' . ' uncertamty,i.e., e large uncertamty essenstad with an extremely two event, or en uncertemty easedeted with a cenpmenen of events whose rates we causely linked loud as idenneel ched velves in series); in the letter case, cutset uncertain tend to be memficant because the uncertem pwameters de not very independently. The acceptable entenen in this case is that th uncertamty in the change is emel compared to the mergin between the change and the elewable change.

^

ILS Critarie for the im ' __: and Monitorine Processes (Element 41 Decmses concernme mylementation of changes should be made in light of the certainty associated with the results of the detenumsec and probabilmec engmeenne evaluations. Broad inglementation within e leited time period may be justified when uncertain to be low (dets and medals are adequate, deternemsuc evaluations are venfied and validated, etc.), wheroes e slower phased approa molementation would be espected when acertamty in evolustion findags is higher.

The licenses proposed monitwing preyam should establish a means to adequately track the performance of eqmpment covere proposed liconens changes. The meutenne plan should be capable of adequately tracking eqmpment perfennonce a been buplemented to demonstrate that perfonnance is cenestant with that predicted by the detenunione and probabilisir, an were conducted to justify the change. The menetenne plan eheuld soeurs that any performance degradaten is doNeted ad ,

I bolwe eqmpment funenenelity and plant estety can be comprenamed. When needed, the program should eine "meluk :sai component performee et other plants to establish a sufficent dets bees of temporel reisted doyedstion it must be cleerfy established that suffiev siste wRI be obtained as part of the program to provide statisteely agmficent dete, and that the precedwe and evolusten methods we implemented which provide reasonable ensurance that doyedstion wil be detected.

ILS Critaris for Intsorated Decision Makinn Element 5)

The acceptainlity of a proposed change should inciale censulerations of probabilistic and deterministic criteria. In generst, the acceptance of risksformed changes in reguistory requiraments wiH depend en six elements:

Risk significance of the change, Maintenance of defense in depth:

Assurance that the change wiH not create instances of risk imbalance or disproportionate importance of individual items:

Consderation of cumulete and synergistic effects of au changes:

Canaderation of deternumste facters; and implementation of a performance 4ased feedback loop.

Criteria for risk acceptance, defense in depth, risk balance, and cumulatin effects of risk are provided in sub sectens IL6.1 through IL6.4 respectmiy. Criteria for deterumste evoluetens and ' / . L;. of a performance based feedback leap are 6scussed eerlier in sectens IL3 and IL5 respectively. Finsuy, sub secten IL6.5 provides the entens for an acceptable process to inteerste the abow elements for riskeformed applications.

11. 6 . 1 Cntens for Accostable Risk imoset from Prososed Ansbcatsons A quantitative estimate of the totalimpact of a proposed action, either temporary or permanent,is required for any riskefonned application. This includes the evolustion of the absolute and/or reistm changes in risk meeswes such as core damese frequency (CDF) and Iwee enty reiense frequency (LERFl. The necessary sophetsstion of this evaluation depends on the justification arguments and the magnitude of the potential risk impact. For these actions pustified pnmerily by deternumste consderations and for which nununal risk impact is anticipated, a beumhng estimate may be sufficient. For actions justified pnmerily by PRA cenaderations for which a substantial impact is pesable er is to be offset with compensatory menswes, en inilepth and comprehensin PRA analysis is needed.

The numancel risk acceptance entens for tempwary and permanent changes to the plant's risk profile we &scussed in Appendix B of Reg Guide DG 1061, in the detailed evolustion of risk - . * ==. the fellewing have to be cenadored: relative change in risic change in the baseline risk: risk in terms of CDF, LERF, and frequency of late centenment failws. It is necessary to address both internal and external events and au plant operational modes, but it may be pesable to accompbeh this without a fuu-scoped PRA in all cases.

11. 6 . 2 Cntena for Asswan Defense m Depth Proposed plant changes how to maintain defense in depth and have to answa that nultiple lines of defense exist for core damage and  !

large early release nutigation, shutdown risk management, and risk from orternal events. Therefore, controls should not be completely  ;

i removed without exhaustm analysis, and even when there is demonstrable justification, contrais should only be loosened in a step wise menner (as desenbod in secten 11.5).

The entens for sesunne the maintenance of defense in depth in risksformed regulation we as feRows. It is preferred, but not required that for sece inntates event modeled, ti.e plant reopense should have the feBowing capabilmer For anticipated operational occwrence (A00)'mitiating events: the PRA credited portion of the plant should withstand two actin failwes without core damage and three active failwes without a large early release; and For infrequent but severe design basis accdonts defined as those with frequencies of 10 s per year er smeRer le.g.,lerge LOCA, mein steem line breek, etch the PRA credited petion of the plant should witiatend one active failwe without core demese and two active failwes without large serfy refosse. ,

if the licensee does not satisfy the above critaris, the instances in which the plant faRs short simuld be identified, and meeswes to

i compensate for any such consten should be identified and discussed. For esemple,if an A00 and twe actiw failures can le l

! damage, then menswes need to be taken to keep the probalnktes of these failwes especiaNy low.

Instances in which common cause failwe ICCFi ceuld compromies the redundancy credited in the above evaluations should b l

sad messwas to povent the occurences of these CCF events should be identifed and emplemed. The gualehne in this cas l >

events in a nunnel cutset belong to a commen cause peup. as defined in NUREGICR4780 (reference 81, er if aN but one event b euch a roup, then CCF could compromise the redundancy credited. In the event that the cutset is entirely within a commen cause' the explanation of CCF paventen should be canadered and substantwo In the event that the nemmel cutest contams ev common cause youp, the esplaneten can be bened in part en meeswes taken to pavent these non-CCF events. Such cutsets aphcelly less threatemas then cutsets capable of occurnne es the result of a single commen cause, and less 6scusme; 1

As part of the search for CCFs that could compromise defense in depth, sequence cutsets should be evaluated for l

deteneration in nultiple components le.g., by aging) and for memficant relaxation of regarements in multple components. In th components of diffwent types have to be cenadored together as long as they show up in the same cutset. The entens flj el potential multiple conqpenent failures is similar to that listed for CCFs (in the precedag pareysphs).

For pwpesas of these evalustens.mentenance accens and failwes of certain operater actans (precedwalized actuation counted as active failwes. Post sccident recovery of failed eququnent should not be coated in the above criteria. Post acculent recovery of failed eqmpment may be credited for pwposes of assesong the overeN plant risk profile, sulgect to guaience NUREG 1602.

I

11. 6 . 3 Cntene for Assunna Rak Balance Regardless of the nemmel value of a risk imler such as CDF er LERF,it is umleeirable for too large a fraction of th with a few elements. A more desirable risk pefile is one in which ne contnbutors are overly denunant. If one or a few elements c densnate risk, there win tend to be residual concerns about the modelag of that item lincludes uncertaintyi er the effect en risk deyaded, even if the abeslute risk numbers are relatively low. Smolarly,if one er a few acculent sequences dommets, residual concerns about modeling assumptions in that sequence, meludes initistw frequency, etc.,in addition to pesable concern the components that are important within that sequence. Therefore, one of the issues to be addressed in riskhformed ch whether they create er exacerbate such a risk imbalance or whether plant resewcas and requirements con be redirec contributors.

The suggested *SSC importance* test is whether any components become high risk contnbutors as the result of a ris appbcation las defined as having a FusesNNessly importance of 0.05 or a Risk Acluevement Worth of yester than causes any components to become a high risk contnbutor, then it should be shown either to result from a not safet the relative importance of items, or shown to be a small change that happens to cross the boundenes as defined above.

A memficant upward changein importance of an already high risk centnbutor simuld not be accepted except in th safety benefit,i.e., this should only be suewed if the component itself is not being relaxed but its 'apertence centnbutors are being elemeted. Note that en aireedy high centnbutor is eles already a condulate for enhanced preyanu attention. If the proposed appbcation increens its 'apertence fwther, special cenadoration should be given to enha attention.

Smilarly, a memficant increase in importance should not be aBewed for streedysqmrtant sequences er 'mitiatorsj J is increasing as a result of elemation of other centnlmters. If defense in depth regarements are met and a seq mportant, this may be a result of high unavailability of some elements in the model, and these may becess c royammatic attention.

Note that

• risk belance" is not es ingiertant when the evereN calculated risk is relatively lew when compared to the Hewever, risk balance is oncewaged in su riskhiweed applications.

II.6.4 CJu for Canaderation of Cumulative and Svneraistic Effects from aN Anslications

i I i

i

\

l i

l The cwrent policy intention is to relate an everaN eHewed change in risk to each plant's existing risk level. In approaching any given  ;

! application, therefore, the flexibility avedeble to any given plant is not only a functon of where it started, but also a function of hew '

4 much risk increase has taken place in precedag appbcations. The risk balance issue (sub section IL6.3)is aise a part of this issue, l

because the intent of avoiding the creation of imbalance is meant to include not creating imbalance over several applications.

]

l Beyond these cumuletwo effects, synergistic effects are aise possible, not all of which would emerge from a point quantification of the j PRA. For example, rein to Figure I which shows differsnt influences en the svedability of a givsn component. If conventional i supertance ranking approaches are employed. it would be espected that some low memficant components wit! be relaxed under nuttiple f appbcatens. Referring to Figure 1,it can be seen for example that a given component might be a candidate for reissation both of its QA (petensely affectag the failwe rate) and of its test intervelipotentiaHy affecting fault expoews time). Failwe rate and fault expoews j time cembee mulapbcatively in the unavaildility. If the effects of QA en failws rate could be quantified convinemely, this would be 3

addressed explicitly under other figwes of merit, but this connet presently be answed. As a result, there is potential for different j sppbcations to lead to unintended syneripste effects en unavailabihty of a given component.

i

! In addmen to this, there is the potential for synergene offects within a given nummel cutset,if different elements of the cutset are relened. Therefore, compensating SSCs (SSCs appeenne in cutsets with SSCs directly effected by the application) must be reviewed to j onswa that their perfwmence is being adequately addressed in whatever asswance activities are applicable to that particular component

type.

Cumulative effects are addressed by:

ensunne that each appbcation is carried out with reference to a model that already reflects previous applications: ,

l showing that the cumulative change is within the aRewed increment; and showing that the accumulation of appbcations has not created dominant contributors lunless this is a consequence of importance resNecation as a result of a not safety benefiti.

Synergistic effects are addressed by:

showing that each component is relaxed under only one application: 011 emphcotly identifying aR components relaxed under rauluple applications, arguing that the synergistic effects can be modeled correctly, and showing that the results of such medelms are acceptable with respect to the acceptance criteria.

IL6.5 Inteorateen of Deternumstic and Probalubstic Canadersbens in general, the Econsee's integration of deternumste and probabilistic conaderations to form the basis for acceptance of a riskinformed application wiH be carried out by an Expert Panel. In order for this Expert Panel to be effective, a guidehne detailms the decision process is required. This Expert Panel process has to be wsR4efined, systematic, repeatable, and scrutalde. Scrutabinty implies that the process is techniceNy defensible and is detailed enough to aRew an i- f , M M party to reproduce the meier results.

A wen defined Expert Penal process should have the following (or similar) elements:

1) definition of ebiectives; l

2)selocuen of experts:  !'

3) identification of issues:

4) assembly and dweenunation of information: l

5) training of panel members meludme gedance for decimen criteria:

Sipaneldeliberstion:

7) poet deliberation feedbacic

8) treatment of disparate views and formuistien of c=' ;and

i

= ,

i I i

9) documentation.

The panel members should have the appropriate qualifications, and acceptance of the determination of the Expert Panelincludes the '

findag that the Expert Panel was advised of all the specific changes and relevant background information associated with the licensing action, and that the panel deliberated and approved each of the changes.

Dwing deliberations, both probabilistic and detwministic considwations have to be taken into account. Potentiallunitations of the risk model have to be identified, discussed and resolved. SSCs that are effected by the proposed application but that are not modeled in the j PRA have to be conodored iminmiuolly and evaluated based on a predefined and structured set of rules or criteria. Finally, the paners results should be demonstrated to be robust to diffwent plausible assumptions and analyses.

l l Additional criteria and review considerations relating to the Expert Panel are provided in Appendix 8 to this SRP which documents the requirements for qualifications of panel members and requirements for the verification of the consistency and accuracy of the paners results and conciumons l

l I

i

l l

Figere 1 l

Effects of Plant Activities se Componeet Performones l Compasset Performesse (Availsbelety)

Maintenann Congenent T Inspection 1 Dewatime Failwa Rate Testing i

Tenh l 188l SP*** l (A0T) l lST Maintenance Opwating Inhwant Environmental l Leeds Charactenstes Stresses. l Tech l Aging l Spees l l l (ACT)

I I I I Meisteessee l l l l Reis l l Item CampenentType l l l l Specific Characteristics l l l l 1 Oudtr I i l l I I I I I GQA l l 1 II I I Plant Activities l

l

. - . = . - . . . - . - _ . . - - . _ - - - - . - - .- - . - . - . _ . . ... . . . - . _.

Ill. REVIEW PROCEDUREE Specific procedwas for reviews in the woes of IST, IS1, graded QA, and technical specifications are provided in th en those topics. General guidance for revows in wees not treated in separate SRP sections is provided boisw.

111. 1 GenwelGedence When evaluating licenses requests fa changes in regulatory requirements et postens, or previous licenses conewtmen should answo that the subnuttal cleerfy identdies the original documented techocal basis fw the requirement, ponton, w comnetment.

This basis may be documented in en NRC erder, a regulation, the statement of cenaulersten for a rule, the statem a rule, bases sectos of techocal 5--

1 a regulatory guide, a formal staff pesmen artmulated in branch techocal poemen (BTP),

an industry code w standwd, e vender topical report, a staff safety evaluation report er inspecten report, or in a gen such as a bulistm w genene letter, w a cwrespondence to or from a liconess. The revieww should verify that the license completely identdied the techocal concern that is et the crux of his relief request. It is only aftw this has been done cenader the issue in light of new information.

111. 2 Evaluation of the Characterization of Channe The revieww should verify that the effects of the proposed changes on PRA parameters are correctly characterited,i.e., verify effects of the changes en SSC reliability and unavailability or en opwater actions are correctly accounted for. Where applicab modeling and quantifiestion of the effects of the change should also be reviewed to answa that the models are approp results can be supported by plant andler industry dets.

Another element of thr -auseiffect relationship is the potential effect of the application en the total plant risk model. General g for the identification ei P:iA model elements that may be effected by an application can be obtained from Secten 3.3 of the EP Applications Guide (refwence 4). This guidance, provided as a list of questions, will assist the revieww in estabhslung I

relationship between the application and the PRA model. A supplemented list of these questens is tabulated in Table 1.

_ _ . _ _ _ _ . ___ _ . _ . _ . _ ~ _ . __ - _ _ _ . . _ . _ _ _ _ _ _ _ _ _ . _ .

l

. 1 1

a. ,

, Tobis 1 (page 1 of 3) l Queeseos to Assist in Eatshhshing the Cemee Effect Reletiemebep  ;

i LEVEL 1 ONTEREAL EVENTS PRA) I I

leitiones Eveste I I Does tk apptcetoa entroduce ceasdersten of new intatag events?

Does the appicetna address ebenges that lead to e meddseton of the unistas event groups?

)

. Does the opphetna necesshete e , ^ of the frequenass of the mantes event groups?

Does the opptostaa merases the kehood of a system fahrs that was bounded by en intestag event group to the extent that k needs to be cenadered  ;

. espisney?

I Seesses Critorie l

f Does the ops 6setma necessnete medirsetna of the success creens?

{ Does the modifmeten of success crnens necesutete changes m ' other ernern, such as system atz 7 1

j Evnet Trees I

j Does the appiceton address se neue that ces be essecuted wah a partsuler branch, er branches en the event trees, and if se, e the branches structure odequete? )

l Does the appicetna necessnete the stroducten of new branches or top events to represent concerne not addressed in the event trees?

Does the opptsetna necessnete canaderetna of re erderms breach poets, Le, does the oppketna effect the sequence dependut f ailure snelys?

1 j System Rehehihty 18edels Does the oppicetna spect systes dampn in such e eey as to sker system rainbilty models?

j Does the opphetna sapect the support functions of the system si such a way as te eher the f , in the modeff Does the applicates supect the system performance, and,if se,is that impact en the function obscured by ceneuvetree andeling techniques?

j Petessetor Date Bees 8

Ces the appiceton be cinerty sesociated enh one or more of the basic owat defanens. er does a necessnete new besse events?

Does the opptcetes necessnete e speashred probabibly modells.g. tan > dependent model, etcJ7 i Does the opptceton necessnete meddsetens to specific parameter values?

l Does the appiceton introduce new coevenant f ailure sedes?

Does the appissten effect the component mesma tunes?

). Den the app 6catma necessnets that the pleetgecds lhetencel date be taken ute account, and con the be estuoved easily by en update of the previous j parameteraf j Does the oppheten invoin a change which umy sapect pwomete values, and de the present estenetes reflect the current status of the plant with respect j to what is to be shenged?

Dependset Feilere Amelysis l Does the oppteaten introduce er suggest new comunse cause feture (CCF) centrtetmast Does the oppketna otroduce new asysunstnes that sucht create subgemps othe ik CCF componeet groups?

{

le the applicetna kely to effect CCF probabtems?

i j

1 l

. - ,~ ,.- - -- - -- = -~ .. -.-..- - .. .- - - . -_ - - - . - . - . . - - _ - . -

Table 1 (page 2 of 3)

I Questsene to Assistin Establishing time Casse-Effect Relationebsp i

h % Analysie ,

Does the opptcetna avelse e precedwo chenpf Dem tem opphceton ovelse e new humes acten?

Does the oppiceton change the eveisbie tme fw homen actens?  !

Dess the appiceton affect the homen actos dependency enehem?

Does the appiestma shamas er undify en enstag humes acema? l Dem the opptostaa otrodues er meddy dependeness between plant metrementetisa and bumen acteas?

le the opptsetse seesomed with events that beve been screened from the model either si whole er a part?

Does the appicessa supect e pertauly perfonnance shepag fester FSF), or a group of PSFs, and are they esplanty addressed a the eI Fw esenets,if the innes is to ed'.rees treams,is tromme one of the PSFs mood in the HRAf Does success in the opptceton hay en scorpwetag the ispect of changes in PSFs, and if es, de the curre astestes reflect th current status of PSFof ls it peashle that the portmuler group of human error events that is effected by the cheap beng enelym as been truncated?

l

! Does the cheap tahiress new recovery actnest l

l l

leteteel FleeGeg Dem the opptcetna offect tk screenne snelyse, fw esempia, dem the apolcatma resuk a tk locates of redundant troms er compements m l

fleed rene?

Does the opptcolas introdues new fleedag eserces or acrosse eastag potentiel fleed inventwiss?

Does the appicetoa effect the statualevotabety of fleed autgeteen desces?

Does the oppiceton effect fleed propagetna pathways?

Dem the appimetna effect entical fleed hughts?

j I Ossetificaties Dess the appbcaten cheap any of the beac event probabibtus?

Does the oppicetna cheap reistm magnaudes of probabihtes?

Dem the opphcoton sair make probabeties emeter?

Is the new result needed a e ehwt tens scalef

' Does the oppiceten necesanete e change a the truncaten kuts for the modeff Does the opptcetna effect the

• delete tenus" used dweg the geentimetna process? (Idere specilmacy. does the oppiceton introd mentenance acteas or operstag nodes )et are deleted dureg the bees sees eventiftelee process useg the delete functionf)

Dem the appimeten effect equement that have been credited for operater recovery octions? Alse.fu recovery actnes that c* edit etwey cross tus, the effect se other systems or functeas er en the operaten of the other unit has to be censulerod and addressed.

Analysis of Reselk Does the opptcetes necenatete sa seessement of oncertemty, and is it is be guettetive er quantastive?

Are there oncertentes a the opptceton that cavid be cienfed by the opptcetion of eenenivity stedies?

Dem the appicetna strategy neceannate en supertence enehen to reak centributmas?

Does the appicetna necessitate that se onportance.sacertesty, or sensitivay onelysm of the bene case PRA sistf l

Plant Desiego State Closesfiseties Does the opptceties entect the choice of paremetere seed to defoe plant demoge state?

Does the Key Plent Demage States (KPDS) stikred edequately represent the reouks of the Level 1 enehen by sciudag the pl monilment frageancy of esaurrence?

Hove these plant damage states that have been olonmated a the process been osaped to KPDSs of hgher ceasegeencel Releasel?

l l

l

, Table 1 (page 3 of 3)

Questions to Assist in Estehleshing the Casse Effect Relatiesebip Level 2 EONTAIEWlENT ANALYSIS PRA)

Have new contamment feise modes identdeed by tem appEcaten been addressed in the Pfl A7 Are potental changes acesunted for?

Are any dependennes among contamment febre modes bang chenyd?

Does the opptesten ovelse meshenuss that ceuid lead to contamment bypass?

Dess the opptsetna avelse mestemman that seuid cause fatoe of the contemment is isolete?

Does the opptssten deacth effect the occurrence of any severe eccesnt phenamena?  !

i Dess the opp 6ceton necessnete use of ruk measures other then large, earty reisese?

Does the application change eqmpment quotisation to the poet where it effects tunes of egorient f ailure reistne to centomment failure?

Does the oppteeten effect core dehre path to the sump l euppressen peellscreen slogges) er to the other pertions of the centenment tdirect cantomment heetagit Dess the selected source term catepnes adequetely represent the revised Centemment Event Trw ICET) andpents? Are CET andpeat frequences changed i enough to offect the seissten of the dommentirepresentetse sequencelel a the source term bones process?

Does the opp 6ceton effect the temas of reinees of redensclides into the envuonannt reistne to the intietes of core meit? and reistne to the tune for vessel rupture?

I l

LEVEL 3 E05SEQUEECE ANALYSIS PRA)

Does the appicaten necessitate detaisd evacues desse?

Are indesdeel deans et speeds lecetmas needed for the appucaten? l i

Are terram features agedsent enough to impact becal wed pettoms?

is evecosten er eheiterug bens cenedered as a nutigsten measure?

Are long term deses a comedersten in the appEcoten?

EXTERNAL EVENTS PRA pleased Amelysis)

M the changes introduce esternal beterds not previously evolueted?

M the cheapes increase the inteneny of enstag herards siendmenth? l Are demon changes meddyng the structural reopense of the plant beng consdered?

Does the change supact the eveilabihty and performance of necessary mitageten systems for en esternal herard?

Does the opp 6 cation agnifmantly modify the inputs to the plant model condnioned on the esternel event?

Are changes beng requested for systems demoned to nutigate agemst speeds esternal events?

Dess the oppiseten ' avelve eveilabikty and peformance of contenment systems under the esternal herord?

SHUTDOWN PRA M the changes effect the schedving of outege ectivites?

M the changes effect the abiiny of the operator to respond to eletdown events?

M the appiseten effect the reliebiiny of equpment used for ehetdown condniens?

W the chenpas effect the eveinbiiny of eqmpment er instrumenteten used for contingency plans?

.- - - ---__. --.--- - - - - - . - . . - - - . . . - - - ~ . . - . _ - . - - . -

J

! l11.3 Evaluation of 02_ __Mk information

! Reviewers should snows that, for all risksformed applications, beenang basis and other engmeenne considerations have been taken inte account to supplement probabihste arguments. Te answa that a proposed change does not unacceptably affect the licanang basis

plant, deternumstic evolustens should include evolustions of

preservation of the defense in depth phdesophy; and general de

, in addmen, portment engmeenne data and analysis, plant operating experience, potential compensatory measwas, and a perform 2

based feedback leep should slee have been cenadered by the licenses j The cwrent licanang basis of the plant is defmed as that colecten of documents which forms the basis for granting the operating licens and authenang centmund operation of the plant (see 10 CFR 54.3 for addmenal defamen of " current liconens basis *l. Itincludes,fo j exengile, the licensee's Techocal Speafications, licones condmons, connutments documented in the updated safety analysis report (USAR), connutments made in reopense to NRC genanc letters and bulletas, comimens and analyses relied on in the NRC staff's s l enslyses reports, etc. Appbeation speafic design basis documents and relevant plant licenses conustments are eles important. T 2 bconung basis of the plant alas documents how the licenses setsfies certain basic regulatory regarements such as diversity, redund i defense in depth, and the General Design Cntens As part of the evaluation of detenenestm information,NRC review should include a check of engmeenne evalustens which may be needed to support the PRA especidy in areas where the cwrent licenses basis may be relaxed tan example being the detenninstion o j success enterial. Reviewers should alas verify and validate calculations and data used to model the effects of the risk 4nformed 4 appbcetiens en the affected SSCs and en PRA models, assumptions and parameters (cause effect relationslups!.

I I Finally, the reviewer should verify that the detenninistic cenaulerations used to supplement PRA results le.g.,information used te determine SSC importances, or informeten used to evaluate plant systems or components which are not modeled in PRA) are applied comprehensively and correctly. Among the non PRA sewees of informaten that should be exammed to support the evaluation of sa significance are the safety insights developed in licanang documents meludes the Final Safety Analysis Report, the bases for Te Specifications such as Limiting Condmons for Operation (LCOs), Auewed Outage Tunes (A0Tal, and SwveiRance Requirements FinaNy, where svedable, plant specife date and operationalinfennotion should be factored inte d safety deternunatens.

Enameenna Dets and Analvsis in many cases licensees will cite new data from plant tests er research projects, or analysis with medals based on new dets to suppo their proposal. The fellewing examples ihustrate situations in which data and analysis con be used effectively to support relief req To show that a phenomena of concern cannot occw or is r mch less likely to occw than engmeNy thought:

To show that the amount of safety mergin in the designis significant:y greater than that which was assumed when the requirement er poseen was imposed, To show that time evadable for operater actions is much groster than originaNy assumed The reviewer's pnmery algeetwo is te verify the relevance and acceptability of this new information with respect to the relief reque Data which applies directly to the engmal techmcel concern should be applied in the decimen process. Dependme en the circumstan additsenal specific gudence in the cognizant review branch may be available for reviewing the quality and acceptability of the d However,in sR cases, the date or analysis must be clearly apphcable to the plant and specific circumstances to which it is bein Oserstma Ensenence When conductag reviews of PRA sessesments, reviewers should canader the way in which the issues at hand are reflecte data. A substantial amount of engmeenne data is evadable for use in evaluating assumptions regarding initiating events, compon system reliability and commen cause failwe mechamems. AE00 gathers data from several sowcas, evaluates the substantal number of reports. Cwrently availaide reports are listed in Reference 7.

Usefulinaghts from plant specific operating experience can also be obtained from inspectans that follow incidents at the faci edudmg NRC inculent investigation and augmented teem inspectens, NiPO incident assessments documented in signifi l

i

event reports, bconses foHow up investigations and routine inspections by NRC resident inspectors. Inspection results can previde valuable qualitative insights in areas such as human performance, managanent controls, adequacy of procedures and rest causes of events which are often difficult to treet with precision in a PRA.

Comnenssterv tionswes Campensstery maseures at the plant site which reduce risk can be taken to offset incanpleteness er uncertainties in the deternumstic or probabihetic analysis that defines avadable safety mergm. Compensatory measures can sies be used to offset a quantifiable increase in ,

risk with a non guentifiable but expected improvements in safety. Such menswas may be taken voluntarily by licensees or may be required by the NRC as condmons of the licones, temporary changes to techocal specifications, er by order. Examples of such menswes eclude: specialinspectens or tests: enhanced condmen monitoring: moratenues or prelubstions of site actnnties dwing specified peneds of vulnerabdity: temporary increase in staffing level, special tromme for staff er centracters; procwoment and staging of portable back up safety agupment (e.g. skidinounted diesel generstw) and development of precedwes and training for use of such eqmpment.

Componestery meeswes should be given menefmant weight in the decimen process tw reviews of risk informed applications when:

1) they are keyed directly to a critical part of the snelysis that carries uncertamty (e.g. enhance training and precedwes when uncertamty in human performance is an important factor):

2) they qualitatively effast a quantitative risk increase: er

3) the menswes are required by the license and contreHed by explicit licenses procedwo er sub lect to inspection by the NRC.

IlL4 Evaluation of ProbainhsticInformation Reviewers should answa that PRA related intwmotion subnntted by a licenses for applications in riskinformed regulation includes 1) a characterization of the change snelysis: 2) a justification for the scope and level of detail of the PRA: 3) e discussion of the numerical results and risk insights obtained from the analysis and a comparison of the results to the decision criteria specified in the Regulatory Guide; and 4) the results of the licensee's independent peer review of the PRA in the form of the peer review team's final report.

In the review of riskinformed sulmuttels,it is saticipated that these subnuttels can be categenzad with respect to the expected level of soplustmation in the PRA analysis. For example, .he justrhcotion for centmund operation 1.1C0) proposed by licensees in light of non centerming condmons and the technmal reviem of the bases for notices of enforcement discretion INDED) we expected to be relatively simple applications in tenns of PRA analysis required, and therefers these applications wiu require less in tenns of PRA quality, scope and level of detail. However, for this PRA to be used,it must be shown to adequately bound the risk impact of the contributors associated with the opphcaten. Conversely, changes to plant specific techmcel specification aHowed outage times and swvedlance test intervals, safety evaluations regarding plant specific design issues and plant specific backfit evaluations, and review of a design specific PRA sulmutted per seenen 10 CFR 52.47 of the regulations are examples of applications that wiu require detailed PRA evaluations and wiH be subsect to a higher level of PRA quality, scope, and level of detail For each subnuttal the licenses wiH have to justify, and the staff reviewer will have to verify that the scope, level of detail and quality of PRA is sufficient to support the risk analysis. The determination of acceptable PRA scope and level of detail should be based,in large part, en the causeiffect ri - " esteldished in the charactagitation of the problem isse section HL2). The PRA quality wiH have to be conostent with that specifed in WUREG 1802 for the portions of the analysis that is effected by the application.

IlL4.1 - Resured Scene of Analvas The overaH scope of a PRA is charactwired in tenns of three attributes-

1. Which operational modes are cenadered, e.g., fuH power, low power, transmenal states, and shutdown:

2. Which initiating events are canadored, e.g., internal and extemal events; and

3. What level of analysis is perfenned, Le., level 1 (cere damage frequency), level 2 (conteinment response and for sowce term),

and levei 3 loffsite consequences).

N selecten of PRA scope will be guided by the netwo of the techocalissues being addressed with the PRA. Guidelmas for selecting the scope are provided in the apphcatan specific regulatory guides and standard review plans. N fellewing general guulance is provided for the use of staff reviewws for cases in which there is no application specific SRP.

N reviewer should verify that the licenses has cenadered all pesable opwating modes and initiating events that could be affected by the proposed appbesten.

N reviews should verify that the liconese's approach for selectag and evaluating appbcable initiating events and operating modes is similar to thees accepted by the staff in reviews of similar issues for similar plants. Unexplemed differences simuld be brought to the licenses for explanation.

A Level 1 PRA analysis is usually regered for most applications. A Level 2 study is recommended for appbcations which might have en impact en contamment systems or contamment imeletion probabdity. A Level 3 PRA is recommended for emergency reopense and plannes appbestens er when cost 4 enefit evaluations (person

l i The process applied by the Expert Penel to overcome inevitable limitations of PRA was appropriate. Where the panel felt

! obliged to make decmons that would not foRow straight forwardly from the PRA, the panel provided a technical basis for  ;

} the decision that shows how the PRA information and the supplementary information validly combine to support the panel's i

! finding. No panel finding contradicts the PRA in a fundamental way. Where the PRA can and should be modified in future i j to do a better job, the panel has indicated this on the record.

t i

i 8.4 Use of Enoert Penel for Treatment of SSC: not Modeled in the PRA 1

i j e. Area of Review:

l l It is not possible for PRA: to explicitly model el SSC: involved in performance of safety functions. Modeling eR SSC:

would require display of many items that are logicely necessary for system function, but whose failure is not believed to

{

i dominate system failure, and whose failure in any case is not believed to link feaures of different systems. If en unmodeled

! SSC is believed to link failures of different systems, then it arguably should have been modeled, unless there are strong j grounds for believing that the f ailure is extremely unlikely.

i

These omissions are not to be considered shortcomings of PRA. The point is that PRA is usuety done with a view towards quantifying the status que, and modeling priorities and modeling shortcuts are established accordingly. In RIR, however, the j PRA is used for elocation of programmatic resources over SSCs, including SSC

that are modeled explicitly, SSC: that are l implicitly reflected in modeled elements, SSC: that were effectively screened out in the modeling but need consideration in

! RIR, and perhaps SSCs that were simply neglected. In some cases, SSC: era omitted based on snelysts taking credit for j programmatic activities that snare a low failure frequency for that item or a short fault esposure time in the event that it

does fel. In such cases, when PRA importance measures will not reflect the SSC et eR,it would be inappropriate to j conclude that the programmatic activity is unimportant, on grounds that the target SSC is not important according to the j umelmesures.

i '

It is one of the jobs of the Expert Penel to extrapolate from the PRA to drew conclusions about SSC: not modeled in the i

i

l PRA. This does not mean that the experts are to impute to the PRA high level results that were not generated in the analysis;it does mean that if a success path is modeled in the PRA, the experts are justified in reasoning SSC:in that pat e implicitly invoked. If items were screened f rom the PRA,the experts need to be aware of the i screening proces. a order to avoid violating the basis for the screening.

h. Description of the liethed(s) Acceptable to the Staff for Addressing This issue l

SSCs involved in initiating events: In Maintenance Rule implementation, the licensee willidentify SSC: that could ,

reactor trip or an actuation of a safety related system. The Expert Panel should evaluate this list in terml might be aff acted by the proposed application.

l Screened out events: The only way to address this issue is f or the Expert Panel to understand the basis on (if any) ws: perf armed, and ascertain whether the credit taken in screening is implicitly conditional up l spplication, i l

Unmodeled components in modeled trains: The Expert Panellooks at detailed drawir,gs of systems that are c searching for unmodeled components in these systems. Having identifed these, the panel decides whethe  ;

play a role in the safety case, and if so, what level of programmatic resources is apptopriate.

4 Unmodeled SSC: isolating credited systems from other systems: The Expert Panellocks at detailed drawings of sy that are credited in the PRA, searching f or interf aces with other systems. Having identified these interf acef J assesses their safety significance and decides what level of programmatic resources is appropriate.

Sequence termination time: The Expert Panellooks not only at drawings but also at procedures to see what equipment a invoked that were not modeled. If these can f ailin ways that might prolong the transition to a completely sta condition, then some consideration may need to be given to allocating performance to these items. The s here are beyond single-f ailure but well short of vessel f ailure. The concem is whether delay in stabiliz create a window of vulnerability, during which another fsilure could occur or control of primary conditions cou l be lost.

c. Acceptance Guidelines:

The Expert Panelis required to affirm that it has:

reviewed the PRA assumption base for instances in which initiators were screened out on the basis of SSCs affected by the application; reviewed plant operating history f or initiating events whose occurrence might have been prevent proposed application; )

l reviewed plant operating history for f ailures of mitigating system trains as a result of events tha prevented by the proposed application, 1 reviewed detailed drawings for the affected SSCs that were not modeled because the) do net nor state, or components that perform a normally passive function such as isolation of mitigating sy systems; reviewed accident sequence modeling ior instancesin which early termination of the analysis obscu l

to effected SSC: that would normally come into play later than the termination point.

k i

Possible dispositions of the above include the foRowing

4

the item wil not effect initiating event frequency or mitigating system performance under reasonably foreseeable circumstances, and the proposed change is warranted; 3

j the item, although unmodeled, already receives and wil continue to receive programmatic attention commensurate withits significance; l the item does not currently receive sufficient programmatic attention, and in future wiR be subject to tighter

controls.

i

} . In addition, consideration should be given to modeling items that appear significent in a future update of the PRA.

d. Review Precedures:

Only in exceptional cucumstances, or when a decisen has been taken to perform en audit, win e reviewer undertake to j replicate the search for unmodeled components. Such a search would require access to too many drewings and system j notebooks, and the reviewer would be proceeding without the benefit of the intimate acquaintance with the plant that informs the Espat Penal's activities. Here, as in other stees, the reviewer must rely on isview of the process, as j documented in the formal record of the panel's work.

, The reviewer should verify that the documentation positively cherectorizes how the search was performed, shows what a components were identified, and shows how a decision was mode about each component. The reviewer should realize that ,

when a component is acknowledged to have safety significence, and plant resource (IST, maintenance, etc.lis allocated to l it for that reason ins opposed to e plant sveilability reason), the commitment may ensume legal significance. In particular, ,

! credit for that commitnwnt may be used as e reason to justify leu commitment aisewhere. Therefore,it needs to be  !

appropriately identified and procedures put in place to ensure continued satisfaction.

[.

i

, e. Evelsetion Findings:

I i The SER should contain lenguage essentially equivalent to the folowing; exceptions should be noted and discussed.

i )

The panel diligently searched for unmodeled components having safety significence that would warrant consideration of

potentiel benefits of the activity where relemation has been proposed. This included components that might contribute to initiating event occurrence, mitigating system components that were not modeled in the PRA because their failure was not ,

l espected to dominate system f ailure in the baseline configuration, and components in systems that do not play a direct role l l

in mitigation but that interface with mitigating systems. The panel's process for eBocating plant resources or functionely equivalent resources to these components ws: appropriate. The panel's elocations of these resources are adequately documented and captured as commitments.

B.5 Use of Svstem-l.evel or Functionallmoortances l

s. Area of Review:

l Use of system-level or functionalimportances can be e valuable tool for overcoming the limitations of single-event importance measures. Single event importance measures have the potentiel of dismissing et elements of a system despite the system having a high importance by any reasonable measure. A suitably defined measure of system importance can l

4

i l l, 4

i i i

help to avoid this pitter. Conversely, there may be grounds for screening out groups of SSCs, owing to the unimportance l l

the systems of which they are elements. Here, too, system importance measures would be useful.

i i i

! There are no widely accepted definitions of system importance. For front line systems, one possibility is to define a F V type mesure of system importance as the am of CDF over sequences involving failure of that system, divided by total l

):

4 CDF. Such a mesure would ned to be interpreted carefully if the numerator included contributions from failures of that l l system due to support systems. A Bimbaumlike mesure could be defined by quantifying CD sequencesinvolving the l system, conditional en its failure, and sumnung up those quantities. This would provide a measure of how often the system j

l is critical. .

For apport systems, the situation is more comples. To take a two division plant es en esemple, front line falutes can occur l se a result of failure of support division A in conjunction with failure of front line division B. Werking with a figure of merit l based on totalfailure of support system would miss contributions of this type.

However, the relative subtlety of quantifying system importance should not be eBowed to obscure the qualitative insight l that emerges simply from consideration of whether and how systems are invoked in particular scenarios. If a front line j system is credited in success paths, then it is in some sense important, and at least some of its SSC: must also be, in some j sense,important, even if a given single event importance measure does not reflect this. A system that apports such e l front line system must also be important as wel. This does not mean that al mch systems cannot be candidates for I. reissation, but simply that they must not be slowed to escape attention completely.

i b. Deseription of the IAsthodial Asseptable to the staff for Addressing This lesse 5

Given that a front line system is credited in the event trees,it must be premmed that some elements of it are,in some f sense,importent. This does not mean that eN components in such systems are presumed to need frequent ful i

programmatic attention;it does mean that al components in system treins credited in the PRA must be explicitly considered l

by the Espert Penel for fun programmatic attention.

4

e. Aseeptease Guidelines:

l The use of systemlfunctional measures is encouraged. At a minimum, the Espert Penel should:

l.

! identify sN systems invoked in plant response, and consider them for programmatic attention; 8

l check to see whether f ailure of components screened out on the basis that they are elements of unimportant j

systems could effect a system invoked in plant response, j

d. Review Presedures:

The reviewer should first check the Espert Penel documentation for evidence that the panel systematically identified systems as indicated above. The reviewer should then verify that at least some elements of each system are considered significant. If this is not the esse, then the reviewer should ascertain what performance is slocated to these items in the PRA, and escortein whether the level of commitment elocated to these elements is commonarete with that performance level. If a system is important but none of its elements is, this may be grounds for en RAl.

Consider the esse of a system that contains many redundant flowpaths. Single event importance snelysis win tend to dismiss the flowpaths one et a time, effectively dismissing the group. The focus of the above guidance is that the redundant flowpeths, considered as e absystem, are important and deserve some ettention, even though conventional

'unportance measures would not highlight them. This does not mean that it is necessary to assign every redundant poth to the high risk contributor category, in this esemple, especialy if the paths are essentiely similar,it is arguebly necessary to

consider common cause f ailure; e program that addresses common cause f ailure potential by monitoring component performance may provide more safety benefit then a programmed aimed at detecting en already feiled state in individual ,

components.

e. Evelection Findings:

The SER should incorporate lenguage substantisNy equivalent to the folowing. Exceptions,if any, should be noted and espleined.

The Espert Penel process esplicitly recognized el systems invoked in plant response to initiating events, and ensured that all SSC:in these systems are considered for programmatic attention in areas (IST,ISI, etc.) appropriate to their performance chorectoristics and to the level of performance needed from them. Al SSC:in these systems were explicitly reviewed by the Esport Penel, which assigned resources to them with due consideration of the role that they play in the system of which they are elements and the importance of the function that this system performs. The panel recognized the need to ellocate programmatic resources to et least some divisions of every function modeled. No important function has been missed due to misapplication of single 4 vent importance measures.

l i

i 4

j 4

{ Appendix C Determination of Riskimportense of Centributere

e. Area of Review:

i

! The identification of SSC: es potential condidates for reissation in current requirements can be done in many ways.

Component categorization by use of PRA importance measures to classify SSC:into high and low risk contributors is one of j j the acceptable methods. The remits from this importance snelysis can then be one of the inputs to the expert panel l deliberation process to help determine acceptance of a proposed application using the criterie specified in section 11.6.

! In addition to the determination of relative risk categorization for input to the Expert Penel, the determination of potential i risk contribution from SSC: by PRA importance determinetion can be useful for several other reasons f

l The Fussell Vesely i.V) measure can identify SSCs that have relatively large contributions to plant risk. The Risk l Reduction Worth (RRW) measure is a measure of the mesimum reduction in risk which could be schieved if a given  !

SSC were to be made completely reliable. The FV and RRW menares provide the some insights and are useful m  !

identifying components within the scope of en application that can remit in the greatest risk benefit if more j resources are elocated to improve their reliability. FV and RRW are also useful for evaluating plant design and l procedure improvements, operator training, and for backfitting activities. The Risk Achievement Worth (RAW) and Birnbaum IBM) measures can provide indications of how much the plant risk could increase if a given SSC or group j

of SSC: were to completely feil. This would be of interest in reliability esmrence programs and in inspection and I enforcement activities where the control of the SSC reliability and availshility isimportant. The determination of risk importances using en appropriate combination of the above (or otherl measures will help in the prioritization of  ;

licensee and NRC staff resources when the effects of change of requirements on each individual SSC: have to be  !

determined qualitatively es well as quantitatively. l When performed with a series of sensitivity evolustions,it can identily potential risk outliers by identifying SSC:

or cutset elements which could dominate risk for various plant configurations and operational modes, PRA model assumptions, and date and model uncertainties.

Importance evolustions con provide a usef ul means to identify improvements to current plant practices during the l risk informed application process. Therefore, while the process willidentify SSCs where the relaxing of regulations might be justified,importance measures con point out SSC: that are high contributors to risk and where more licensee resources should be focussed. Exemples could include identification of more QA for non safety reisted SSCs, identification of more effective test methods to detect the risk significent f ailure modes, etc.

The use of risk importance measures compensates for the uncertainty in bottom-line results when comparing the acceptable risk change to the ellowed change in risk. Robust categorization (including sensitivity studies) con show that a component will be a low risk contributor ior a pre specified range of date and assumptions used.

Therefore,lowimportance can help justify relaxetion of requirements. Thisis especiallyimportantin applications where the change in the performance of equipment before and af ter the proposed applications is not easily quantified (e.g.,in graded QA applicational, in such applications, the uncertainty associated with the calculation of a bottom line risk increase would be leqm, and importance measures can provide added confidence thet this increase is neceptable if it con be shown that only SSCs that were low risk contributors are involved in the application.

Importance measures can be used to systematically extend risk insights to SSC: not modeled h the PRA. For exemple, surrogates from the ranked list con be used for some unmodeled SSCs. HEPs, initiating events, or other SSCs from the ranked list een be used to represent SSC: that are implicitly modeled in the PRA.

! l

b. Description ef the M ' etbedts) Asseptable to the Staff for Addreening Thb leens

Acceptable methods and guidelines for risk categorization using PRA importance measures are provided in NUREG 1602.

2 i s. E g^-  : Guidelines:

l When using risk importance measures to identify SSCs that are low risk contributors, potentiellimitations of these i mesures have to be addressed. Therefore,information to be provided to the Expert Penel must include sensitivity studies

! andler other evolustions to demonstrate the sensitivity of the risk importance remits to the important PRA modeling

! techmques, assumptions, and date. lasues that have to be considered and addressed when determining low risk l contributors are listed below. Acceptance criterie for each inne are also provided.

i e

Transation limit

The truncetion limit should be low enough so that the truncated set of mamel cutsets contain ,

el the significent contributors and their logical combinetions for the application in question and be low enough to l capture et least 95 percent of the CDF. I Different risk metries

When determining reistive risk contributions, contributions from intemel events, extemel events, and shutdown and low power initiators have to be considered either by use of PRA or by the expert panel process les detailed in sections 11.4.1,11.6.5 and Appendix 8). Similarly, risk in terms of both CDF and I.ERF should be considered.

Multiple sempenent eensiderations: The aggregate impact of the degradation of multiple components has to be addressed and controlled. The criterie to assure defense in depth and guidelines on evolusting and guarding against multiple degredations, CCFs and removal of multiple controls will address this issue.

I consideration of all ellewable plant eenfigurations and maintenense states: The effects of plant j configuration should be evaluated as part of the sensitivity and robustness studies. Again, the criterie to assure j defense in depth will also help address this issue. l l

Sensitivity analysis for sempement date uneartainties: Component categorizations should be carried out using the 5th and 95th percontiles of the SSC unaveilability distributions to highlight any SSC: that might become a high risk contributor as a result of the large uncertainty in its unavailability.

Sensitivity analysis for sempenent group failures: Component categorization should be carried out using mean f ailure reto that have been increased by the generic error f actor associated with the component type to address the potential correlated change in the f ailure rate of a group of components.

Sensitivity enelysis for senunen sense failures: Component categorization should be carried using a wide range of CCF rates to determine the risk impact of modeling assumptions of CCF.

Sensitivity analysis for resevery actions: Component categorization should be carried out without credit in the PRA model for non procedurelized recovery actions and without credit for repair of failed components to determine the risk impact of non procedurelized and " uncertain" compensating operator actions.

Each of the above issues is discussed more in detailin NUREG-1602.

In addition to probabilistic risk categorization, risk significance of SSC: must also be evaluated based on deterministic considerations. SSC: that are categorized as low risk contributors using PRA have to be reviewed by en Expert Penel using

_ 7

.r

, e l criteria and guidelines similar to those discussed in Sections 11.6.5 and lit.6 5.

i

d. Review Procedures:

Results f rom SSC risk categorization can be used directly for identifying SSCs that are high risk contributors (e.g., f or the identification of risk outliers, or for the identification of SSCs where more resources should be allocated), however, when

,i risk importance methods are used to group components as low risk contributors, additional evaluations, sensitivity studies and other considerations have to be taken into account. These are summarized below.

Consideration of Transetion Limit In general truncation limits should be chosen such that at least 95 percent of the CDF or risk is captured. Depending on th PRA level of detoil(module level, component level, or piece part level), th;s may translate into a truncation limit from 1.0E 12 to 1.0E 8.

h addition, the truncated set of minimal cutsets have to be shown to contain the important application specific contributors er d their logical combinations. This coverage of the contributors by the trunested set can be checked by increasing the f ailure probabilities or unavailobilities of the contributou (e.g., to 0.51 and regenerating the minimal cutsets. l Consideration of Different Risk Metries Importance measures may be calculated based on a portion of the risk (e.g., CDF for intemal events and operational model or the overall

• total

• plant risk (CDF and LERF for intemal and extemal events including st power and shutdown risk). It is I critical that the basis for the evaluation of risk contribution be understood by the Expert Panel so that panel deliberations l can take the non modeled initiators and/or modes into account.

Multiple Component Considerations The aggregate impact of degradation of multiple components on safety should be understood and controlled. Where possible, multiple component importances should be evaluated to identify which combination of events might be risk significant. It should be noted that the concem about multiple component importance measures is also valid f or components of different types, as long as they show up in the same cutset. When multiple component importances cannot be readily performed, the review will have to use the defense in depth criteria and guidelines on evaluating and guarding against multiple degradations, CCFs and removal of multiple controls to address this issue, i

Consideration for Allowable Plant configuratione end Maintenance States a

l Plant Technical Specification allow two or more components to be down simultaneously for repair or other activities. The embedded assumption in the TS is that the remaining components provide adequate safety protection. lf current commitments on these remaining components are relaxed, their high re!iability could not be ensured. To evaluate risk contributions during all allowable plant configurations, sensitivity studies on these configurations have to be performed and results provided to the Expert Panel.

Considerations for Uncertainty Evolustien The effects of PRA uncertainties have to be addressed to show robustness of the risk categorization results. When

possible, a propagation of uncertainty estwnstes should be performed. However, for component risk categorization, sensitivity analyses could be a substitute for a formal uncertsSty evaluation. The following sensitivity analyses should be l

T 1

1 i

1-i i performed to demonstrate that remits are robust for difforent plausible assumptions or scenarios.

I

• * -OsPesifie sensitivity Analysee l

f. This sensitivity onelysis should be carried out to address the failure rate uncertainties of components and their potential invect on categorization. For esemple, en snelysis using the 5th and 95th percentiles of the unaveilability distributions of the components could be performed to determine the range of veristions in FV measures. The relative risk contributions

! from :mponents with large uncertainties (such as check valves) could very substantially, and these results should be

cena;

:ad by the Espert Penal.

1 Semeltivity Analyses for a Component Group l

l This sensitivity onelysis should be corried out to address the correlated change in a failure rate of a group of components as j e result of the proposed application er from such causes as aging and west. For e group of components (e.g., breakerel, en

! increase in the mean failure rete of al selected components with a generic error factor associated with the component type could result in risk impacts that have to be considered by the Espert Penel.

j Sensitivity Analysis for Ceaunes-Cease Failures (CCFe) l j CCFs are mmied in PRAs to account for dependent failures of redundant components within a system. Dependencies omong simder components performing redundant functions but across systems (in two different systems) are not currently j

modeled in PRAs. Component levelimportance measures (e.g., RAW, RRW, and FV) are typicely calculated based on the i combined effect of si basic Pf1A events. Such component importance measures would account for the direct risk contributions from associated basic component events, auch as failure to start and f6ilure to run, and indirect contributions through the impact on the probability of other besic events (such as human errors, recovery actions, and most importantly j CCFsi. Therefore, e component may be ranked as a high risk contributar mainly because of its contribution to CCFs, or a

! component may be ranked as low risk contributor mainly because it has negligible or no contribution to CCFs. In RlR, j removing or rolesing requirements may increase the CCF contribution, thereby changing the risk impact of an SSC. I l

Therefore, sensitivity studies using different CCF modeling esemptions we highlight the robustness of risk categorization  !

]

results to CCF,  !

Sensitivity Analysis for Resevery Astiene l

! TR4s typically model recovery actions sapecialy for dominent accident sequences. Quentification of reconry actions

!@ely depends on the time sveilable for diagnosis and performing the action, tramng, procedure, and knowledge of operators. There is a certain degree of mbjectivity involved in estimating the success probability for the recovery actions.

The concems in this case stem from situations where very high access probabilities are assigned to e sequence, resulting in

related components being renked as low risk contributors. Furthermore,it is not desirable for the categorization of SSC: to be impacted by recovery actions that sometimes are only modeled for the dominent scenarios. Sensitivity onelyses can be

used to show how the SSC categorization would change if al recovery actions were removed.

t j o. Eveleetion Findings.  ;

2 i

! The reviewer verifies that the informetion provided to the Espert Penel on the determination of risk importance of contributors is robust in terms of the " uncertainty" issues like common cause failure modeling and modeling of human j reliebility.

f i

l i

1 .

.~._ - ~ - _ ____ _ _. - .- _ _ . .-