Revised, TER of IPE Submittal & RAI Responses for Waterford-3 Steam Electric Station

ML20135E584
Person / Time
Site:	Waterford
Issue date:	02/26/1997
From:	Forester J, Lin C, Musicki Z BROOKHAVEN NATIONAL LABORATORY, SANDIA NATIONAL LABORATORIES
To:	NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
Shared Package
ML20135E569	List: ML20135E566 ML20135E584
References
CON-FIN-W-6449 NUDOCS 9703070154
Download: ML20135E584 (73)
v • d • e

Text

, , TECHNICAL REPORT FIN W4449 Revised 2/26/97 I

f TECHNICAL EVALUATION REPORT OF THE IPE SUBMITTAL AND RAI RESPONSES FOR THE WATERFORD-3 STEAM ELECTRIC STATION Zoran Musicki John Forester' ,

C. C. Lin l

l l

Department of Advanced Technology, Brookhaven National Laboratory l Upton, New York 11973 l l

III Prepwed fw the U.S. Nucteer Reguletary Commission l Office of Nudeer RegLdetary Rosserch j Contrad No. DE-ACO2-76CH00016 i i

'Sandia National Laboratories 9703070154 970304 PDR ADOCK 05000382 '

P PDR

i l

CONTENTS l

l Page EXECUTIVE S U M MARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vi NOMEN CLATURE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix 1 INTRODU CTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I 1.1 Review Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I 1.2 Plant Characterization . . . . . . . . . . . . . . . . . . . . . . . '. . . . . . . . . . . . . . . . I 2 TECH NICAL REVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 2.1 Licensee's IPE Process .....................................7 2.1.1 Completeness and Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 2.1.2 Multi-Unit Effects and As-Built, As-Operated Status . . . . . . . . . . . . . . 8 2.1.3 Licensee Participation and Peer Review . . . . . . . . . . . . . . . . . . . . . . 9 2.2 Front End Technical Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 2.2.1 Accident Sequence Delineation and System Analysis . . . . . . . . . . . . . 10 2.2.2 Quantitative Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 2.2.3 Interface lssues ....................................23 2.2.4 Internal Flooding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 2.2.5 Core Damage Sequence Results . . . . . . . . . . . . . . . . . . . . . . . . . . 25 2.3 Human Reliability Analysis Technical Review . . . . . . . . . . . . . . . . . . . . . . 28 2.3.1 Pre-Initiator Human Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 2.3.2 Post-Initiator Haman Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 2.4 Back End Technical Review .................................37 2.4.1 Containment Analysis / Characterization . . . . . . . . . . . . . . . . . . . . . . 37 2.4.2 Accident Progression and Containment Performance Analysis . . . . . . . 43 2.5 Evaluation of Decay Heat Removal and Other Safety Issues . . . . . . . . . . . . . 46 2.5.1 Evaluation of Decay Heat Removal . . . . . . . . . . . . . . . . . . . . . . . . 46 2.5.2 Other GSis/USIs Addressed in the Submittal . . . . . . . . . . . . . . . . . . 49 2.5.3 Response to CPI Program Recommendations . . . . . . . . . . . . . . . . . . 49 2.6 Vulnerabilities and Plant Improvements . . . . . . . . . . . . . . . . . . . . . . . . . . 50 3 CONTRACTOR OBSERVATIONS AND CONCLUSIONS . . . . . . . . . . . . . . . . . . 53

. REFERENCES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 1

i lii

?

TABLES l 1

Page Accident Types and Deir Contribution to the CDF . . . . . . . . . . . . . . . . . . . . ix  :

, Table E-1 Table E . Dominant Initiating Events and heir Contribution to the CDF . . . . . . . . . . . . ix Table E-3 Containment Failure as a Percentage of Total CDF . . . . . . . . . . . . . . . . . . . xiii Table 1 Plant and Containmant Characteristics for Waterford 3 Steam Electric Station . . . 4 Table 2 IPE vs. NSAC-147, Nonrecovery of Offsite Power . . . . . . . . . . . . . . . . . . . 16 ,

Table 3 Comparison of Failure Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I8 Table 4. Comparison of Common-Cause Failure Factors . . . . . . . . . . . . . . . . . . . . . 20 Table 5 Initiating Event Frequencies for Waterford 3 IPE . . . . . . . . . . . . . . . . . . . . 23 Table 6 Accident Types and noir Contribution to the CDF . . . . . . . . . . . . . . . . . . . 26 Table 7 Dominant Initiating Events and Delt Contribution to the CDF . . . . . . . . . . . 26 Table 8 Dominant Core Damage Sequences . . . . . . . . . ...................27 Table 9 Important Human Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 ,

Table 10 Containment Failure as a Percentage of Total CDF . . . . . . . . . . . . . . . . . . . 44 FIGURES Figure 1 System Importance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 4

I f

I iv

)

l l

EXECUTIVE

SUMMARY

l Dis Technical Evaluation Report (TER) documents the findings from a review of the Individual Plant Examination (IPE) for the Waterford-3 Steam Electric Station (W3). De primary purpose of the review I l

is to ascertain whether or not, and to what extent, the IPE submittal satisfies the major intent of Generic Letter (GL) 88-20 and achieves the four IPE sub-objectives. De review utilized both the information j provided in the IPE submittal and additional information provided by the licensee, Entergy Operations, Inc., in response (RAI Responses) to NRC requests for additional information (RAI).

E.1 Plant Characterization -

De Waterford 3 Steam Electric Station is a 1153 MWe, 3410 MWth Combustion Engineering pressurized water reactor (PWR). De reactor coolant system (RCS) consists of the reactor vessel, two U-tube steam generators,4 shaft-sealed reactor coolant pumps, an electrically heated pressurizer and interconnected piping. De plant is operated by Entergy Operations, Inc., and started commercial operation in the Fall of 1985. Dere are no other operating units on site.

Design features at Waterford 3 that impact the core damage frequency (CDF) are as follows:

• There is ~no feed and bleed capability at this plant. No pressurizer PORV exists and the HPSI/ charging pumps do not have the requisite head to lift the safety valves.

• De turbine driven main feedwater pumps will continue to run for most transients, as the pump flow output is automatically matched to the decay heat level. -

• Dere are two motor driven (capacity 350 gpm each) and one turbine driven (capacity 700 gpm)

EFW pump. In addition, a manually started AFW pump is also available, should the other three pumps fail (the AFW pump is normally used during startup/ shutdown operations).

• De EFW control valves fail open on loss of instrument air, and there is also a backup nitrogen j accumulator supply in case of loss of instrument air. De turbine driven EFW pump does not require room cooling (according to calculations, RAI responses), whereas the motor driven EFW pumps do.

• De DC battery (battery AB) supplying control to the TDEFW pump has a SBO depletion time of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> with proceduralized load sheddin7 (I bour without load shedding), according to the submittal.

• Condensate pumps may be used to provide feedwater to the steam generators, provided the secondary system has been depressurized to 500 psia. Dere are three parallel condensate pumps.

~

De condenser hotwells have enough inventory to supply the condensate pumps for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

• Dere are two EDGs. De EDGs need cooling by CCW, ventilation by dedicated fans and DC power provided by the station batteries. A diesel compressor has been added to the plant post-IPE, to help in case of problems with startup compressed air.

i l

• Dere is no service water system at this plant. Instead, the ultimate heat sink is provided by the l dry cooling towers. As them are multiple fans in the towers, they can be maintained piecemeal, j such the maintenance would not disable the whole tower (although in the IPE it is conservatively assumed that k does). Also, in case of increased demand (depending on air temperature) and during normal operation there are additional wet cooling towers which are used to increase the ,

beat rejection capacity. De IPE assenes abat the wet cooling towers are needed in case of a l LOCA, when several types of safety equipment may be operating simultaneously.

• De CCW is needed to cool the HPSI putnps, the LPSI pumps, matalan=at spray pumps, i shutdown heat exchangers (also used for matalaamar spray recirculation cooling), containment fan , the emergency diesel generators and the central ~ chillers used to provide HVAC cooling for f several plant areas.

'* De instrument air system is necessary for operation of the MFW system and the normal i

pressurizar spray (but not the auxiliary spray, supplied by the charging pump). All the other important systems (EFW, CCW, ACCW, containmant sump recirculation valves) are provided with a backup air or nitrogen amuanlator system. Dere are two instrumant air compressors, i of which one is sufficierit to supply the requisite loads in an intermittent type of operation. In case of failure of both corapressors, a cross tie to the station air system automatically opens; the  !

station air has three compressors. Derefore the compressed air system seems to be reistively l reliable and the systems affected are relatively few.

Room cooling or ventilation is needed for several important systems: HPSI [not needed during l

? the refueling weer storage pool (RWSP) injection phase due to the low temperature of the water l i

• pumped), LPSI (not needed during the injection phase), containnurit sprays (not needed in the

' injection phase), MDEFW pumps, nonnal pressurizer sprays, emergency diesel generators and the CCW pumps.  !

-* The switchover to recirculation is automatic. However, the operator must manually close the  ;

RWSP suction valves at that time.

• De recircadation spray (using the CSS pumps aligned to the containment sump and the shutdown  ;

heat exchangers) is necessary to provide cooling of the containment sump water.

Other design features are discussed in Section 1.2.

t De Waerford 3 Steam Electric Station utilizes a large dry marminnmar. It is a freestanding steel vessel  ;

surrounded by a reinforced concrete sbloid building. Both the thermal power level and the containment free volume of Waterford 3 are similar to those of Zion.

De following plant-specific features are important for accident progression in the Waterford 3 plant:

• A cavity design whidi facilitates Sooding of the reactor cavity. According to the IPE, water can '

readily flow from the matalamant semp to the reactor cavity. Flooding of the cavity is 4 accomplished through a small tunnel that manar* to the ductwork that provides reactor cavity cooling. Flooding of the reamor cavity and the low pl==nant of the reactor vessel in the reactor  ;

cavity ensures that ex-vessel cooling can occur.

vi ,

i l

t

- ~ . - - . . - - - - - - -

l A steel shell conwmian=it that is vulnerable to direct attack by dispersed core debris. However,

! based on the consideration of potential debris dispersing paths and MAAP calculations, the Waterford IPE discounts the possibility of direct corium attack on the steel containment wall.

l .

A reactor vasel whh no lower head penetrations. Bis delays the time of vessel failure, but may l cause a more energetic failure with larger hole size.

• De large amount of Zircalloy in the core assemblies. De amount of Zircalloy in the core assemblies of Waterford 3 is about 40% more than that of Zion. De amount of hydrogen produced during a severe accident is thus more for Waterford 3 than for Zion.

l ,,

• A small reactor cavity with very litde area for ejected core anatorial to disperse to the upper manemiamant region. De cavity is open to the upper compartment f.d4 a very small annulus between the vessel and cavity wall.

• De large containment volume, high containment pressure capability, and the open nature of j compartments which facilitates good atmospheric mixing.

E.2 Licensee's IPE Process  :

De IPE was initised in late 1988. De model re6ects the plant as of July 1,1989. Select plant changes made aAer that cutoff date that could have a significant impact on the model have been *mcorporated. A review of plant changes from the cutoff date up to July 1,1992 was completed prior to the submittal of the IPE report; none of these changes are expected to have a major impact op the results. Other PRA j studies were also reviewed: NUREG-1150 for Zion and Sequoyah, and the Crystal River 3 PRA of 1987. i IJoensee peris..d were involved in all aspects of the analysis and contributed more than 50% of the total effort. De licansae was p.Jw iag almost all the analysis in the latter half of the project (except internal ;

flooding analysis). De contractor was SAIC with ERIN Engineering performing the flooding analysis.

he analysis was reviewed at three levels. ERIN Eng'meering provided outside review. Plant personnel were also involved in a formal revieyv, as well as an ongoing review as part of the QA procedures, i Waterford 3 PSA staff were involved with the collection of data, interviews of operators, and perfbrmance and review of the calculations to determine the HRA probabilities. De analysis was initially performed by an expert from SAIC, with Waterford 3 sitaff assuming progressively,more responsibility.

All work on the HRA aRar Daramhar 1990 was performed by Watedbrd staff. A contractor with "a high

. level" of PSA expertise (ERIN Engineering) provided an external review of all aspects of the IPE, but l "the review team did not include an HRA expert " Regarding the IPE HRA representing the as-built, m-operated plant, the submittal states that "the HRA task served as an integral advisor to otLx project tasks to assure that relevant huanan interactions were identified and properly incorporated into the logic l

models." De HRA task was involved during laitial sequence and snodeling efforts and ."during this l

period had the opportunity to review plant and system design information and beconne familiar with the control room and related operatiang procedures.' While sin =laear exercises were act conducted, the statements discussed above suggest that the HRA analyst was significantly involved throughout the

. modeling effort. Dus, k appears that steps were taken to assure that the HRA represented the as built,

! meperated plant. However, it was not clear that the HRA gave detailed consideration of plant-specific l

t vii

t factors in determining the HEPs. Dere was no mention of any walkdowns of important or time consuming operator actions. Response thnes for actions outside the control room were based on  !

interviews with operators. Both pre-initiator actions (g JocM during maintenance, test, surveillance, j sac.) and post-initiator actions (i dvi- ri as part of the response to an accident) were addressed in the  !

IPE. A list of important human actions (as determined with a Fussell-Vesely analysis) was provided, as  !

was a list of several recommended improvements to plant procedures.

De Bad end anmalamam analysis was perforened by the utility with training and assistance from SAIC. , l De Waterford 3 IPE process as described in the submittal seems to satisfy the intent of Generic Letter l 88-20. j De licensee intends to ==Immla a living PRA.

i E.3 IPE Analysis E.3.1 Front-End Analysis j De methodology chosen for the front end analysis was a Level 1 PRA; the small event tree-large fault tree with fault tree linking approach was used. De computer code used for modeling and quantification was CAFTA.

' De IPE quotified the following initiating event categories: 3 LOCAs,16 transients, one SGTR, one  !

ISLOCA and 1 Sooding inklator. De IPE developed 7 everit trees to model the plant response to these  ;

initiating events. De flooding analysis utilized the existing transient event tree.

Success criteria were based on other PRAs, licensing basis analyses and more realistic calculations.

Containment beat removal is needed in recirculation to assure NPSH of core injection pumps. LPSI pumps cannot operate in recirculation together with containmant spray pumps due to NPSH concerns.

De RCP seal LOCA model assumes LOCA occurs only if the operators fall to trip the RCPs within 30 minutes of a loss of CCW. ,, ,

De data collection process period was 1985 to 1989, wkh the EDG data period extended to 1991. Piant  !

specific an=panam failure data were only used for EDGs; all other components use generic data. Plant specific data were used exclusively for unavailabilities due to test and ==intan==e* activities.

Wassrford 3 data me generally consistant wkb the NUREG/CR-4550 dats. De TDEFW run failure data j is substantially lower, and MDEFW CCF factors are somewhat lower. De LOOP and small LOCA l t initiating event fragmencies appear low. De power recovwy curve is enhatantially lower (up to an order of magnitude) than that used in NSAC-147.

De beta fuser approach was used for common cause failures, using established procedures. For some components, MGL approad was used.

'Ihe internal core damage frequency is 1.7E-5/yr. Of this, flooding contributes 1.lE-6/yr. The internal accident types and initiating events that contribute most to the CDF and their percent contributions are listed below in Tables E-1 and E-2:

Table E-1 Accident Types and Their Contribution to the CDP Initiating Event Group Contdbution to CDF (/3T)  %

Transients 8.69E4 51.9 LOCAs -

6.62E4 -

39.5 Internal Flooding (not included in (1.12 4) (6.7)

TOTAL)

Steam Generator Tube Rupture 8.26E-7 4.9 Interfacing Systems LOCA 4.86E-7 2.9 ATWS 1.30E-7 0.8 TOTAL INTERNAL CDF 1.68E-5 100.0 Table E 2. Dominani Initiating Events and 'Iheir Contribution to the CDF Initiating Event Contribution to CDF (/yr)  %

less of Offsite Power 7.58E-6 45.3 Small LOCA 5.30E-6 31.6 Medium LOCA 1.14E-6 6.8 Steam Generator Tube Rupture 8.26E-7 4.9 Feedline Break Upstream of Feedwater 5.18E-7 3.1 Isolation Valves ISLOCA (V event) 4.86E-7 2.9

~

Loss of Feedwater 3.91E-7 2.3 Large LOCA 1.82E-7 1.1 ATWS 1.30E-7 0.8 l

E.3.2 Human Reliability Analysis I

I The HRA process for the Waterford 3 IPE addressed both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response to an l

i ix l

accident). De analysis of pre-initiator actions included both miscalibrations and restoration faults. A acreening analysis was perfonned and pre-initiator human actions surviving screening were quantified in more detail using the "SAIC method" described in the book Henan Reliability Analysis by Dougherty and Fragola. Post-initiator human actions modeled essentially included both response-type (rule-based) and recovery 4ype accons, but the terminology and categorization was somewhat different. For the post-initiator screening analysis, the modeled sequences were first quantified considering only four top logic post-initiator operator actions. After initial quantification, surviving cutsets were examined and appmpriate post-initissor operator actions were added. Dese actions, includ'mg in- and ex-control room t actions were quantified using a time reliability correlation approach developed by SAIC and documented

. In the book by Dougherty and Fragola and in an American Nuclear Society conference paper by '

Dougherty (1989). In the response to the RAI, the basic form of the TRC is provided along with disassions regarding the relevant input parameters for both an in-control room model and an ex-control model (i.e., for actions to be p Lc-M outside the control room). Brief discussions of the input parameters were also provided in the submittal. De critical elamanra for the in-control room model include: the available response time and an ami=* of the median response time for the event examined, along with adjustments for type of behavior (verification, rule-based, and response type, see section 2.3.2.1 for descriptions), degree of " crew burden", success likelihood (an index that can be used to re6ect the impact of PSPs), and model uncertainty. For the ex-control room model, similar parameters are modeled, along with adjustments to response time for potential " delaying hazards" outside the control room. De model uncertainty factor can also be adjusted for uncertainty due to other influences or hazards. Hazard factors which can influence response time include lighting, instrument separation, need 6 for tools, need for protective clothing, and other miscellaneous hazards.

One potential limitation of the post-initiator analysis concerns the extent to which plant-specific factors were considered. While the model itself provides reasonable mechanisms for addressing relevant plant

-specific factors, on the basis of examples provided, it would appear that many of the parameters were left at their default values and that potential PSFs were not carcfully considered. De resulting analysis

_ therefore appears to be " generic" rather than plant-specific and may or may not adequately represent the plant. At a minimum, judgments were made regarding the extent to which operators are burdened in

. particular scenarios and the type of task involved.

s Consideration of dependencies between separate tasks was essentially treated by assuming they are independent. De licensee argues that "between separate tasks independence is provided because many of the tasks are performed by different people, and there is separation in time or " cognitive space", i.e.,

cues are independent enough to force subsequent diagnosis." De licensee further' states "that context effects were handled by lumping the different sequences into one event."

• Dis is done by using a sum

• average time for the available time parameter for events that are sequence dependent." Dese statements apparently reflect a " bounding" approach that could lead to pessimistic or optimistic HEPs, depending on the circumstances. A list of important human actions was provided and it was noted that several r cr to plant procedures were mmended. A list of the improvements are provided in section 2.6 of this report.

x

E.3.3 Back End Analysis yhe Approach Usedfor Back-End Analysis Plant Damage States (PDSs) are used as the initial conditions for the Level 2 analysis. De PDSs are

! denned in the IPE by an event tree structure with the parameters that are important to Level 2 accident pmgression as the top events. Quantification of accident progression involves the development of a small l containment event tree (CET) with the top events of the CET determined by logic trees (i.e., fault trees).

De CET and its supporting logic trees developed in the IPE address all the containment failure modes l

discussed in NUREG-1335.

l Quantification of the CET and its supporting logic trees is based on the review of industry literature, primarily the NUREG-1150 document, and plant specific analyses using the MAAP code. In general, the i

quantification process for the CET and the associated logic trees is systematic and traceable. De results of the CET analyses lead to an extensive number of CET end states, which are binned into 12 containment release categories (CRCs). Release fractions for the CRCs are calculated in the Waterford 3 IPE by a method similar to that developed in the NUREG-1150 analyses (i.e., the parametric XSOR j code).

l For the Waterford 3 IPE, the PDS definition scheme is reasonable. De CET is well structured and easy to understand. De CET quantification is also systematic and traceable. De IPE process is in general logical and consistent with GL 88-20.

1 Back-End Analysis Results -

1 Except for SBO and' bypass PDSs, the PDSs defined in the IPE are based on RCS pressure, which depends on the type of accident sequences (or initiators), the time of core melt, which depends on whether core cooling is lost during the injection or the recirculation phase, and the availability of  ;

containment systems. De most probable PDS obtained in the Waterford 3 IPE is a PDS with medium j l RCS pressure (made up primarily by small LOCA sequences), early core melt, and failure of containment  ;

heat removal (21% CDF). His is followed by a SBO PDS with early core melt (21%), a SBO with late l core melt (17%), and a transient PDS with early core melt, but with containment heat remeval available (15% CDF).

Table E-3 shows the probabilities of containment failure modes for Waterford 3 as percentages of the total CDF. Results from the NUREG-1150 analyses for Surry and Zion are also presented for comparison.

Two sets of data are presented in Table E-3 for Waterford 3. De data presented in the original IPE submittal are based on an overly conservative containment fragility curve. His leads to a very high

conditional pmbability of early containment failure. A revised containment fragility curve, which is more

! - maaintmt wkh that used in other IPEs, leads to significantly lower early containment failure probability.

xi

Table Fe3 Containment Failure as a Percentage of Total CDF Containment Waterford 3 Waterford 3 Surry Zion Failure Mode IPE+ IPE Update + + NUREG-1150 NUREG-1150 Early Failure 26 4 0.7 1.4 Late Failure 20 25 5.9 24.0 Bypass 8 8 12.2 0.7 Isolation Failure

. Intact 46 63 81.2 . 73.0 3)F (1/ry) 1.7E-5 1.7E-5 4.0E-5 3.4E-4 l

+ ne data pr essated for Waterford 3 are based ce Table 4.8-1 of the IPE submittal.

Data presented in this aal=== see ease chemined from using a mised ==*M=-e fragility curve

++

(reported in the response to a follow-up RAI).

• Included in Early Failure, approximately 0.02%

• • Included in Early Failure, approximately 0.5% .

• Included in Early Failure, approximately 0.1%

' Of the 8% conditional probability of containment bypass failure presented in the above table,5% comes from SGTR sequences and 3% comes from ISLOCA sequences. De contribution from ISGTR is  !

negligible. The effect of restarting the RCPs on ISGTR, which is considered in some other IPEs as a  ;

? mechanism that may increase the potential of induced SGIR, is not considered important in the Waterford i 3 IPE.  :

De conditional probability of early containment failure presented in the original IPE submittal is about l 26% of total CDF. De major threat to early containment failure is a combination of the loss of  !

, carmninment best removal with the RCS is at high pressure. For this case, the containment is at elevated  !

pressure due to steam generation such that a high pressure melt ejection (HPME) can challenge I

enmalament integrity. His occurs during SBO sequences, or in small LOCA sequences with the loss of both safety injection and containmant heat removal (CHR). Of the 26% early failure probability, over i 13% is from SBO sequences and over 11% is from small LOCA sequences. On a conditional basis, about 35% of SBO sequences result in early failure and 30% of small LOCA sequences result in early failure. According to the licensee's response to RAI follow-up questions, although the probability of early ansainmar' failure is signi5 candy reduced by the use of a revised containmant fragility curve (from 26% to 4%), the dominant sequences that lead to early containment failure remain the same as that described in the IPE submittal.

i l

De aandeinoal probability oflate ensninmars failure pramantad in the IPE W;mittal is 20%. De major contributor to late containmant failure is steam m.res L son whm CHR is lost. SBO does not ,

contribute as auch to late conninmant failuires because of tM high likelihood of AC power recovery (before nantainmant failure). Of the 20% late failure probability about 15% is from small LOCA,4%

from SBO, and 1.3% from other transients. On a conditional basis, about 39% of small LOCA  ;

mary ===,12% oflarge I.DCA sequences,10% of SBO sequences, and 9% of other transients result in j late failure. According to the l';ensee's response to the RAI, the conditional probability of late containment failure increased frot 20% to 25% when the revised cantslarnant fragility is used. Since xii  !

i i detailed data are not provided in the RAI responses, contributions from the various accident sequences to late containment failure cannot be obtained. It seems that the increase in late containment failure probability is primarily due to the decrease of early containment failure probability, and the dominant i sequences that lead to late containmant failure remain the same as that described in the IPE submittal.

i Source terms for the anntain==* release categories (i.e., the CET end states) are determined by a method 2

similar to that used in NUREG-ll50 studies. Source terms are presented in the IPE submitta! in terms of release fractions for noble gases, Iodine, Cesium, Tellurium, and Strontium. Except for the SGTR release category, the release fractions obtained in the Waterford 3 IPE for the various release categories i seem to be consistent with those obtained in other IPEs. For the SGTR release category, the release fractions obtained in the IPE are based on the availability of water scrubbing. Since water scrubbing may not be available for all SGIR sequences and the release fractions for the SGTR sequences without water scrubbing may be much greater than those with water scrubbing, the release fractions reported in the submittal for SGTR sequences may not be adequate for some SGTR sequences. Although the omission of the source term for SGTR sequences without water scrubbing is not a significant problem in the present IPE because of their small frequency in comparison with those of other sequences that have large releases (e.g., ISLOCA), it is a deficiency nonetheless. It would be desirable to divide the SGTR CRC to two CRCs with and without water scrubbing and to obtain the source terms for both of them. This would assure that significant information is not lost in the IPE process in the future IPE update.

Two types of sensitivity studies are performed in the IPE to determine key assumptions on the final results. De first type of sensitivity studies are probabilistic in nature and address uncertainties in the quantification of the various containment failure modes modeled in the CET. De second type of sensitivity studies involve deterministic analyses using the MAAP code, performed in the IPE to ensure that a broad spectmm of possible outcome are covered in the IPE. De issues investigated in the sensitivity studies of the first type include ex-vessel cooling, RCS depressurization due to hot leg creep rupture, ultimate containment pressure, reactor cavity wall structure failure, frequency of two important PDSs, hydrogen combustion, DCH, and debris bed coolability. De parameters investigated in the sensitivity studies of the somnd type include in-vessel hydrogen production, DCH, debris coolability, and vessel F.. ion radius. De sensitivity studies provided in the Waterford 3 IPE seems to have addressed the issues of significant uncertainties in the IPE analysis. l l

E.4 Generic Issues and Containment Performance Improvements l l

De IPE addresses decay heat removal (DHR). CDF contributions were estimated for the following DHR i methods: secondary cooling (main feedwater, auxiliary foodwater, emergency foodwater, condensate,  ;

turbine bypass and atmospheric dump valves) and primary inventory control (HPSI and charging l systems). Failures of the EFW and HPSI were found to make a major contribution to the total CDF. {

The EFW failures in the most important sequences are dominated by TDEFW pump failure to start, j

MDEFW pump common cause failures, operator failure to provide EFW suction when CSP is exhausted.

lhe HPSI failures are caused by annunan cause of A and B pumps, operator or mechanical failures with I pump AB, failure in the CCW system to provide HPSI pump cooling and HVAC failures.

l De DHR function contributes less than the 3.0E-5/yr criterion for the " acceptably low" DHR contribution in NUREG-1289. Derefore, this issue is considered closed.

No other generic issues are discussed in the submittal.

xiii 1

. , ~ . .

l De CPI recommendation for PWRs with a dry containment is the evaluation of containment and i equipmerit vulnerabilities to localized hydrogen combustion and the need for improvements. Although l the effects of hydrogen combustion on containment insehnty and equipment are discussed ir. the submittal,  !

the CPI issue is not specifically addressed in the submittal. More detailed information on this issue is  !

, provided in the licensee's response to the RAI. According to the response, although no cenWeent  !

walkdowns were conducted specifically for level 2, the Waterford 3 PSA staff has made many triAs k to j the containment and has a good understanding of the geometry of the containment. l l

According to the response, the Waterford 3 nan

• min = ant is a very open design that is not l compartmentalized, and with the possible exception of the reacsor cavity, all parts of the containment  !

atmosphere are expected to be well mixed during an accident scenario. He reactor cavity is the only  !

relatively enclosed volume in the contain= ant Since the reactor cavity volume is surrounded by thick l

' reinforced concrete walls sized to withstand a large break LOCA blowdown and since no equipment is  !

located in this area, hydrogen combustion in the cavity is not expected to affect any safety significant l I

equipment. Additionally, according to the response, hydrogen detonation is not believed to be likely in the Waterford 3 containment. As can be seen in the above description, the discussions provided by the  !

licensee on this issue is qualitative in nature, no quantitative information is provided in the discussion. l

/

E.5 Vulnerabilities and Plasit Improvements I t

De licensee defined a vulnerability as either an extremely high sequence CDF (substantially greater than  ;

1.E-4/yr), a greater than 50% contribution to CDF from a single sequence or an event that contributes j

• in an unusual or substantial way to the risk profile. No vulnerabilities were found.  ;

No credit for plant improvements was given in the IPE. De following proppsed improvements will be resolved as part of the severe accident guidance framework, to be completed by summer of 1997 ,

(guidance for using LPSI for CSS recirculation has already been implemented: l I

Hardware: l

1) Install a portable generator to diarge the AB battery. This will reduce SBO contribution from depletion of this battery which is used to control the TDEFW pump. l i

/

2) Provide feedwater from the fire ptotection system to the steam generator. De fire  !

protection system has its own diesel driven pumps. During SBO or total loss of  !

feedwater, this system could be used provided the SG were depressurized to below 200 l psia, the shutoff head of these pumps. J i

Operating Wures: l i

1) Provide additional chiller /HVAC failure guidance. Room cooling is important as a l cLatributor to the CDF and because it cools HPSI and EFW (MD) pumps. De failures are typically slow acting so the operators have time to respond. Derefore additional l raidance may insure a timely response. i i

l I

i xiv l 1

l

2) Cross-tie of AC power trains. Proceduralize the cross-tie between the A and B trains .

(hardware already exists). Drills have demonstrated the pertinence of this type of I

! recovery. A procedure will make it easier to accomplish it in a shorter time.

• j -

3) Enhance renti of the CSP. CSP drawdown is an important contributor. Emphasizing the i need to monitor level and makeup from the wet cooling tower basins or the CST will j help prevent this from being a contributor.

! 4) Add guidance for aligning LPSI pump for anarninment spray. Containment cooling is j needed in the recirculation phase to insure NPSH of recirculation pumps. Hardware

connections exist for LPSI to take over the recirculation spray function in case of CSS pump failure, however, arrently, LPSI pumps are disabled from reeltculation. His is because they would cavitate if operated together wkh the CSS pumps to take suction from

the matainment sump. Since in this case CSS pumps are not available, LPSI pumps can l take over to provide CHR. His procedure guidance has already been implemented.

l No CDF change from these improvements has been estimated, i

i E.6 Observations Based on the level I review of the Waterford 3 IPE the licensee appears to have analyzed the design and operations of Waterford 3 to discover inarannan of particular vulnerability to core damage. It also appears that the licensee has: developed an overall appreciation of severe accident behavior; gained an

., understanding of the most likely severe accidents at Waterford 3; and implemented changes to the plant l to help prevent and mitigate severe accidents. It is not clear that quantitative understanding was gained j by the licensee due to a number of data problems (see below).

Strengths of the Level 1 IPE are as follows: Dorough analysis of initiating events and their impact, i descriptiors of the plant responses, modeling of accident scenarios, generally reasonable failure data and j common cause factors employed and usage of plant specific data where possible to support the j quantification of initiating events, diesel generator failures and component maintanance unavailabilities.

De flooding analysis seems to have been reasonable and thorough. De effort seems to have been evenly

disenbuted across the various areas of the analysis. He documentation was usually good, and reasonable i

anbet was made to provide RAI responses. Some pessimistic assumptions were employed to offset some

of the optimistic aspects of the analysis.

< De waalrnmaan of the IPE were the following:

• using saamingly low values for some important initiator frequencies (LOOP and small LOCA)

-

• offsite power recovery curve is very optimistic

• omission of some component classes from common cause analysis (air compressors, relays, i switches, check valves, fans, etc.)

)

• omission of the third HPSI pump, the third CCW pump and the third chiller from the common cause analysis on the basis of different operating regimes from the other two trains in the system.

j 3

4 Ky j

1

• HVAC modeling of the shutdown heat exchanger room seems to be optimistic

• shedding of DC loads in station blackout is not modeled

• TDEFW pump run failure rate is low (2 orders of magnitude) compared to the NUREG-ll50 recommended value (but is in line with some other IPEs and apparently some generic data -

sources).

Dere were some aspects of the analyses which may have offset some of the weaknesses: EDG run failures occur at the beginning of the SBO, no credit for TDEFW pump operation with water at inlet, large maimaamace unavailability of the dry cooling tower, no credit for recent. battery upgrades such that load shedding may not be required.

The IPE determined that failures in the AC power, EFW, ACCW, HPSI, CCW and HVAC dominata the risk profile. Loss of offsite power and small LOCA account for about 80% of the total CDF. SBO accounts for about 38% of the CDF. De CDF is dominated by 5 accident sequences (not accounting the ISLOCA which contributes about 3%).

He HRA review of the Waterford 3 IPE submittal and a review of the licensees responses to HRA related questions asked in the NRC RAI, revealed several weaknesses in the HRA as documented, in general, a viable approach (the Dougherty and Fragula method) was used in performing the HRA, but

, several weaknesses in how the analysis was conducted (or at least in the licensees documentation of the conduct of the analysis) were identified. While the wannrnaanma are not severe enough to conclude that the licansaan submittal failed to meet the intent of Generic Larter 88-20 in regards to the HRA, they do s j suggest the licensee may not have learned as much about the role of humaan.during accidents as would have been possible hnportant elements pertinent to this determination include the following:

1) %e submittal indicates that utility personnel were significantly involved in the HRA. Regarding

, the IPE HRA reprenanting the as built, as operated plant, the submittal states that "the HRA task '

served as an integral advisor to other project tasks to assure that relevant humanm' teractions were i

identified and properly incorporated into the logic models." He HRA task was involved during initial na9-ca and modeling efforts and "during this period had the opportunity to review plant and system design information and become familiar with the control room and related operating procedures." While simulator exercises were not conducted, the statamaats discussed above suggest that the HRA analyst was significantly involved thra=Wud the modeling effort. Hus, it appears that Eteps were taken to assure that the HRA represented the as built, as-operated plant.

However, dacamaaration of HRA related walkdowns and observations of simulator exercises would have strengthened the notion that a viable process was used.

2) De subaktal indicsed that the analysis of pro-initiator actions included both miscalibrations and ressorstion faults. An acceptable, but pneamially optimistic analysis was conducted. Events found to be potentially risk significant were analyzed in detail using an *SAIC" method that is "a variant on 'IMERP and is similar to the ASEP HRA procedure.

3) De major limitation of the post-laitiator analysis concerns the extent to which plant specific facsors were considered. While the model itself provides reasonable machmainma for addressing relevant plant - specific facsors, on the basis of examples provided, it would appear that many of the parameters were left at their default values and that potential PSFs were not carefully xvi

considered. He resulting analysis therefore appears to be " generic" rather than plant-specific and may or may not adequately represent the plant.

4) Consideration of dependencies between separate tasks was essentially treated by assuming they are independent. De licensee argues that "between separate tasks independence is provided because many of the tasks are performed by different people, and there is separation in time or

" cognitive space", i.e., cues are independent enough to force subsequent diagnosis." he licensee further states "that context effects were handled by lumping the different sequences into oa event." "%is is done by using a sum average time for the available time parameter for events that are sequence dependent." These statan=*= apparently reflect a " bounding" approach that could lead to pessimistic or optimistic HEPs, dependicg on the circumstances.

5) A list of important human actions based on their contribution to core damage frequency was l

provided in the submittal.

6) The HRA portion of the flooding analysis appeared reasonable and thorough.

The following are the major findings of the back-end analysis described in the submittal:

• De back-end portion of the IPE supplies a substantial amount of information with regards to the  !

subject areas identified in Generic IAtter 88-20.

• He Waterford 3 Steam Electric Station IPE provides an evaluation of all phenomena of importance to severe accident progression in accordance r/ith Append,ix I of the Generic Letter.

• The IPE has identified a plant-specific reactor cavity configuration feature that may affect accident progression. Based on the IPE, it is recommended that the communication between sump and cavity be enhanced. This may be achieved by removing the door in the cavity cooling ductwork to increase the flow of the water in the containment sump to the reactor cavity.

• The containment analyses indicate that there is a 46% conditional probability of containment failure. De conditional probability of containment failure is about 8% for containment bypass, 26% for early containment failure, and 20% for late containment failure.

• %e high early containment failure probability obtained in the IPE submittal (26%) is primarily due to the use of a conservative containment failure probability curve (or contrinment fragility curve). De early failure probshility is reduced to 4% if a containnent failure probability curve

. consistent with that used in ou a IPEs is used.

• De CPI issue is not addressed specifically in the IPE submittal. It is discussed in the licensee's response to one RAI questions. However, the response is qualitative in nature.

xvii 1

NOMENCLATURE

~

ACCW Auxiliary Component Cooling Water ADV Atmospheric Dump Valve /

AFW Auxiliary Feedwater AHU' Air Handling Units ALWR Advanced Light Water Reactor ASEP Accident Sequence Evaluation Program ATWS Anticipated Transient Without Scram BHEP Basic Human Error Probability BNL Brookhaven National Laboratory CCF Common Cause Failure CCW Component Cooling Water CDF Core Damage Frequency CE Combustion Eng*meering CET Containment Event Tree CHR Containment Heat Removal CPI Containment Peformance Improvement CRC Containment Release Category CS Containment Spray

CSS Containment Spray System

~ CST Condensate Storage Tank DHR Decay Heat Removal EDG Emergency Diesel Generator

.EFAS Emergency Feedwater Actuation System I

EFW Emergency Feedwater EOS Equipment Out of-Service GL Generic Letter HEP Human Error Probability HFE Human Failurc /

HPME High Pressure Melt Ejection HPSI High Pressure Safety Injection HRA Human Reliability Analysis HVAC Heating, Ventilating and Air Conditioning IPE Individual Plant Examination ,

ISGTR Induced SGTR ISLOCA Interfacing Systems LOCA ,

LOCA less-ofCoolant Accident  !

140P IAss of Offsite Power LPSI law Pressure Safety Injection MAAP Modular Accident Analysis Package  ;

, MDEFW Motor Driven EFW MFW Main Feedwater MGL Multiple Greek Letter xix

NOMENCLATURE (Cont'd)

NPSH Net Positive Suction Head NRPDS Nuclear Plant Reliability Data System PDS Plant Damage State PORV Power Operated Relief Valve PRA Probabilistic Risk Am=*==mant PSF Performance Shaping Factor , ,

i PWR Pressurized Water Reactor i

RAI Request for Additional Information RCP Reactor Coolant Pump RCS Reactor Coolant System RWSP Refueling Water Storage Pool SAIC Science Applications International Company SBO Station Blackout SDC Shutdown Cooling SGTR Steam Generator Tube Rupture t

SIAS Safety Injection Actuation System SIMS Station Information Management System l t

SLI Success Likelihood Indeces SUPS Static Uninterruptible Power Supplies 4 SUT Stanup Trsasformer .

" TDEFW Turbine Driven EFW TER Technical Evaluation Report l THERP Technique for Human Error Rate Prediction TRC Time Reliability Correlations UAT Unit Auxiliary Transformer j W3 Waterford 3 l i

i i

1 r

xx

I l 1 INTRODUCTION

! ' 1.1 Review Process i

, < Dis technical evaluation report (TER) dammann the results of the BNL review of the Waterford 3 Steam

! Electric Station Individual Plant Examinatinn (IPE) submittal [IPE submittal, RAI Responses). His 1

, technical evaluation report adopts the NRC review objectives, which include the following:

• To ansess if the IPE submittal meets the intent of Generic Letter 88-20, and f ,e To determine if the IPE submittal provides the level of detail rdquested in the " Submittal Guidance Document," NUREG-1335.

A Request of Additional Information (RAI), which resulted from a preliminary review of the IPE submittal, was prepared by BNL and discussed with the NRC. Based on this discussion, the NRC staff submined an RAI to Entergy Operations, Inc. on January 22,1996. Entergy Operations, Inc. responded i to the RAI in a document dated April 30,1996, and to follow-up questions in a document dated August 29,1996 (RAI Responses). His TER is based on the original submittal and the responses to the RAls.

1 i 1.2 Plant Characterization l 'De Waterford 3 Steam Electric Station is a 1153 MWe, 3410 MWth Combustion Engineerbg i pressurized water reactor (PWR). De reactor coolant system (RCS) consists of the reactor vessel, two j U-tube steam generators,4 shaft-sealed reactor coolant pumps, an electrically heated pressurizar and

? interconnected piping. He plant is operated by Entergy Operations, h. ., and started commercial j operation in the Fall of 1985. Dere are no other operating units on site.

l Design features at Waterford 3 that impact the core damage frequency (CDF) are as follows:

j

• There is no feed and bleed capability at this plant. No pressurizer PORV exists and the

HPSI/ charging pumps do not have the requisite head to lift the safety valves.

p i

• De turbine driven main feedwater pumps will continue to run for most transients, as the pump i flow output is automatically matched to the decay heat level.

• Dere are two motor driven (capacity 350 gpm each) and one turbine driven (capacity 700 gpm)

EFW pump. The EFW system is automatically started and controlled. In addition, a manually started AFW pump is also available, should the other three pumps fail (the AFW pump is

normally used during startup/ shutdown operations). According to the submittal and the RAI i ,

responses, the turbine driven EFW pump can be expected to continue to operate with low quality

! steam or even water at the turbine inlet. However, this is not credited in the analysis, and the

TDEFW pump is manu==f failed at the time of battery depletion.

,* De normal EFW suction source is the inventory in the condensate storage pool (CSP), good for about 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />. A backup supply are the two wet cooling tower bas *ms, each bolding about the same amount of water as the CSP. A third option is the non-seismically qualified condensate storage tank (CST) and its transfer pump.

1

, , - -v - r

• ne EFW control valves fail open on loss of instrument air, and there is also a backup nitrogen accumulator supply in case of loss of instrument air. De turbine driven EFW pump does not require room ocoling (according to calculations, RAI responses), whereas the motor driven EFW pumps do.

• De DC battery (battery AB) supplying control to the TDEFW pump has a SBO depletion time of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> with proceduralized load shedding (1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> without load shedding), according to the /

submittal. Since the IPE, the safety related batteries have been replaced with higher capacity batteria (to allow for aging), and a new non-safety battery has been installed to take up the non-safety loadr serviced by the AB battery. Dese modifications have extended the AB battery depletion time to 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. .

• Condensate pumps may be used to provide feedwater to the steam generators, provided the secondary system has been depressurized to 500 psia. Dere are three parallel condensate pumps.

De condenser hotwells have enough inventory to supply the condensate pumps for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. l

• Dere are multiple pathways for secondary steam relief: 6 turbine bypass valves,2 atmospheric dump valves and 6 safety relief valves.

• ne RCP seals are the Byron Jackson type, which according to the submittal can sustain loss of CCW for 30 minutes (verified by tests), without tripping the RCPs; the operators are instructed e to trip the RCPs immediately upon loss of CCW. CCW cooling is the only type of cooling for

- these seals (no seal injection provided). Reme of the 4 stage seal design, and the new resistant material for seal faces, no spurious seal failures (i.e., initiating event seal LOCA) are assumed possible with these seals (consequential failures are allowed). .

• Dere are thIee trains of HPSI, CCW, AC safety buses and DC safety buses. He AB buses and AB trains are functionally related, e.g., the AB train of CCW cools the AB train of HPSI, and both are supplied AC power from the AB safety bus. De third HPSI pump must be manually started on 51.

• Dere are also three trains of HVAC chillers. De charging pumps also have three trains (these are considered in the PRA analysis to feed the auxiliary pressurizer spray, for emergency bormion in A'lWS and for RCS inventory control in an SGTR). He other safety equipment has two trains. He two trains of the instrument air compressors are backed up by the three trains of the station air compressors (see below).

• Dere are two EDGs. De EDGs need cooling by CCW, ventilation bi Jalicated fans and DC power provided by the station batteries. A diesel compressor has beo Li to tic plant post-IPE, to help in case of problems with startup compressed air.

• Dere me three plant batteries, A, B, and AB. De AB battery is used for TDEFW pump control in SBO conditions. As stated above, the capacity of this battery has been increased and a non-safety bettery added to pick up non-safety AB loads, such that SBO depletion time of this battery is now 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. De A and B batteries have also been similarly affected, such that their SBO depletion time is now 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> even without load shedding. Each battery is supported by two I chargers.

2

- - , - - - , v , - - -

-. . - - - . - _ - - . . ~ . . . . - ~ - - . - - . - - .

1 l

l

• i Dere is no service water system at this plant. Instead, the ultimate heat sink is provided by the

dry cooling towers. As there are multiple fans in the towers, they can be maintained piecemeal, such that maintenance muld not disable the whole tower (although in the IPE it is conservatively assumed that it does). Also, in case of increased demand (depending on air temperature)'and

. during normal operation there ne additional wet cooling towers which are used to increase the

! heat rejection capacity. De IPE namu== that the wet cooling towers are needed in case of a LOCA, when several types of safety equipenent may be operating simultaneously. He system

, which cools the CCW system and rejects the heat to the wet cooling towers is known as the

auxiliary component cooling system (ACCW), and is only needed in case of LOCAs, as far as

! the IPE is concerned. His system has two pump trains and two wet cooling towers.

De CCW is needed to cool the HPSI pumps, the LPSI pumps, containment spray pumps,

shutdown heat exchangers (also used for containmant spray recirculation cooling), containment j fans, the emergency diesel generators and the central chillers used to provide HVAC cooling for several plant areas.

• De instrument air system is m===ry for operation of the MFW system and the normal pressurizer spray (but not the auxiliary spray, sepplied by the charging pump). All the other i important systems (EFW, CCW, ACCW, containment sump recirculation valves) are provided  ;

, with a backup air or nitrogen accumulator system. Dere are two instrument air compressors, l of which one is sufficient to supply the requisite loads in an intermittent type of operation. In case of failure of both compressors, a cross tie to the station air system automatically opens; the 1 l station air has three compressors. Derefore the compressed air system seems to be relatively )

reliable and the systems affected are relatively few. ,

i i

• Room cooling or ventilation is needed for several important systems: HPSI (not needed during  ;

the RWSP injection phase due to the low temperature of the water pumped), LPSI (not needed  !

j during the injection phase), containment sprays (not needed in the injection phase), MDEFW

pumps, normal pressurizer sprays, emergency diesel generators and the CCW pumps.

i i

• The switchover to recirculation is automatic. However, the operator must manually close the RWSP (refueling water storage pool) suction valves at that time.

• De recirculation spray (using the CSS pumps aligned to the containment sump and the shutdown heat exchangers) is w=ary to provide cooling of the containment sump water.

• LPSI is automatically stopped on switchover to recirculation and HPSI is automatically aligned so the sump (along with the CSS) even if LPSI operated in the injection mode, and even though a LPSI path for recirculation (through the shutdown heat exchangers) exists. De reason is that the LPSI pumps may cavitate when simultaneously taking suction from the containment sump

. with the containment spray pumps. Since the IPE, a hardware modification has been implemented such that the LPSI pumps can be used to provide the recirculation spray in case of failure of the spray pumps.

He Waterford 3 Steam Elearic Station utilizes a large dry containment consisting of a freestanding steel vessel surrounded by a reinforced concrete shield building. Some of the plant characteristics important to the back-end analysis are sn=marized in Table I of this report.

3

S Table 1 Plant and Containment Charaderistics for Waterford 3 Steam Electric Station  ;

Characteristic Waterford 3 Zion Surry Hermal Power, MW(t) 3390 3236 2441 RCS Water Volume, F 11,100 12,700 9200 Containmant Free volume, # 2,680,000 2,860,000 1,800,000 -

f Mass of Fuel, Ibm 223,900 216,000 175,000 Mass of Zircalloy, Ibm 64,100 44,500 36,200 Containment Design Pressure, psig 44 47 45 Median rantainmaar Failure Pressure, psig 135 135 126 RCS Water Volunw) Power, F/MW(t) 3.3 3.9 3.8 Cornalanwd Volume / Power, W/MW(t) 791 884 737 Zr Mass / Containment Volume, Ibm / # 0.024 0.016 0.020 Fuel Mass / Containment Volume, Ibm / # 0.084 0.076 0.097  !

Both the thermal power level and the containment free volume of Waterford 3 are similar to those of Zion. With the exception of the mass of Zircalloy in the reactor system (and thus its ratio to containment volume), the values of other parameters are also similar to those of Zion. It is noted that the parameters presented in the above table provide only rough indications of the containment's capability to meet severe ,

accident challenges and that both the containment strength and the challenges associated with the severe accident involve significant uncertainties.

l De plant characteristics important to the back end analysis are:

• A cavity design whidi facilitates flooding of the reactor cavity. According to the IPE, water can l readily flow from the containment sump to the reactor cavity. Flooding of the cavity is accomplished through a small tunnel that connects to the ductwork that provides reactor cavity ,

cooling. Flooding of the reactor cavity and the low placement of the reactor vessel in the reactor cavity ensures that ex-vessel cooling can occur. i

• A steel shell containment th$t is vulnerable to direct attack by dispersed core debris. However,  ;

based on the consideration of potential debris dispersing paths and MAAP calculations, the ,

Waterford IPE discounts the possibility of direct corium attack on the steel containment wall.  ;

• A reactor vessel wkh no lower head ponerations. His delays the time of vessel failure, but may I cause a more energetic failure with larger bole size.

• De larger amount of Zircalloy in the core assemblies. De amount of Zircalloy in the core assemblies of Waterford 3 is about 40% more than that of Zion. De amount of hydrogen produced during a severe accident is thus more for Waterford 3 than for Zion.

• A small reactor cavity with very little area for ejected core material to disperse to the upper aneminmant region. De cavity is open to the upper compartment through a very small annulus between the vessel and cavity wall.

4 =

i

+

d

• The large containment volume, high containment pressure capability, and the open nature of compartments which facilitates good atmospheric mixing.

d 9

h 9

i 1

d

'l i

i n

i 1 1

i a l 1

N i

1 i

1

, J i

t i

3 3

}  %'

i 2

l s

<t i

• 1 0

t

+

)

l l

5 -

J e

4

-- .m ..,

i i

2 TECHNICAL REVIEW 4

2.1 Licensee's IPE Process i '

j 2.1.1 Completeness and Methodology i . De licensee has provided the type of information requested by Generic Latter 88-20 and NUREG 1335.

i De front-end portion of the IPE is a level 1 PRA. De specific technique used for the Level 1 PRA l was a small event tree /large fault tree, with fault tree linking and it is clearly described in the submittal.

Internal initiating event and internal flooding were considered. Event trees were developed for all classes

of initiating events. Several sensitivity analyses were performed (all basic events with Fussell-Vesely j importance of at least 1% had their failure rate / probability increased by an order of magnitude).

j -Importance (F-V) of basic events was calculated. System importance analysis was also performed. j 4

)

j He submittal information on the HRA process was generally inadequate in scope. Additional i i information/ clarification was obtained from the licensee through an NRC request for additional l information. He HRA process for the Waterford 3 IPE addressed both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response i l

to an accident). De analysis of pre-initiator actions included both miscalibrations and restoration faults.

' A screening analysis was performed and pre-initiator human actions surviving screening were quantified in more detail using the "SAIC method" described in the book Human Reliability Analysis by Dougherty and Fragola. He post-initiator human actions modeled essentially included both response-type (rule-

~ based) and recovery-type actions, but the terminology and categorization was somewhat different. For the post-initiator screening analysis, the modeled sequences were first quantified considering only four top logic post-initiator operator actions. After initial quantification, surviving cutsets were examined and

' appropriate post-initiator operator actions were added. Dese actions, including in- and er.-control room actions were quantified using time reliability correlation approach developed by SAIC and documented in the book by Dougherty and Fragola and in an American Nuclear Society conference paper by Dougherty (1989). In the response to the RAI, the basic form of the TRC is provided along with discussions regarding the relevant inpet parameters for both an in-control room model and an ex-control model (i.e., for actions to be performed outside the control room). Brief discussions of the input parameters were also provided in the submittal. De critical elements for the in-control room model include: the available response time and an estimate of the median response time for the event examined, along with adjustments for type of behavior (verification, rule-based, and response type, see section 2.3.2.1 for descriptions), degree of " crew burden", success likelihood (an index that can be used to re8ect the impact of PSPs), and model uncertainty. For the ex-mntrol room model, similar parameters are modeled, along with adjustments to response time for potential " delaying hazards" outside the control room. De model uncertainty factor can also be adjusted for uncertainty due to other influences or haards. Haard fadors whkb can influence response time include lighting, instrument separation, need for tools, need for protective clothing, and other miscellaneous hazards.

One potential limitation of the post-initiator analysis concerns the extent to which piant-specific factors were considered. While the model itself provides reasonable machankms for addressing relevant plant

-specific factors, on the basis of examples provided, it would appear that many of the p..mrers were leR at their default values and that potential PSFs were not carefully considered. He resulting analysis 7

therefore appears to be " generic" rather than plant-specific and may or may not adequately represent the plant. At a minimum, analysts had to make judgments wae made regarding the extent to which operators are burdened in a particular scenarios and the type of task involved.

i Consideration of dependencies between separate tasks was essentially treated by assuming that they are independent. De licensee argues that 'between separate tasks independence is provided because many .

e of the tasks are performed by different people, and there is separation in time or " cognitive space", i.e.,

, cues are independent enough to force subsequent diagnosis." De licensee further states "that context ,

eNects were handled by lumping the different sequences into one event." " Dis is done by using a sum average time for the available tine parameter for events that are sequence dependent." Dese statements apparently reflect a " bounding" approach that could lead to pessimistic or optimistic HEPs, depending on the circumstances. A list of important human actions was provided and it was noted that several

-c = to plant procedures were ma=ularl A list of the improvements are provided in section 2.6 of this report.

The Waterford 3 Steam Electric Station Individual Plant Examination (IPE) back-end submittal is essentially consistent with respect to the level of detail requested in NUREG-1335. He methodology employed in the Waterford 3 IPE for the Level 2 evaluation is clearly described in the submittal. Plant Damage States (PDSs), which are defined in the IPE by an event tree structure with the parameters important to level 2 accident progression as the top events, are used as the initial conditions for the Level 2 analysis. Quantification of the Level 2 accidant progression involves the development of small top level

, containment event trees (CETs). He top events of the CETs are determined by the fault trees (called logic trees in the IPE submittal). De CETs and the supporting logic trees addressed in detail all the containment failure modes discussed in NUREG-1335. He results of the CET analyses are an extensive number of CET end states which are binned into twelve containment release categories (CRCs). De CET c quantification relies,on review of industry literature, primarily the NUREG-1150 document, and plant specific analyses using MAAP code. Release fractions for the CRCs are calculated in the Waterford 3 IPE by a method similar to that developed in the NUREG-1150 analyses (i.e., the parametric XSOR l l

code).

. ~Ibe IPE was initiated in late 1988. De model re6ects the plant as of July 1,1989. Select plant changes

' made sAnr that cutoff date that could have a significant impact on the model have been incorporated. A review of plant changes from the cutoff date up to July 1,1992 was completed prior to the submittal of the IPE report; none of these changes are expected to have a major impact on the results. Other PRA studies were also reviewed: NUREG-1150 for Zion and Sequoyah, and the Crystal River 3 PRA of 1987.

2.1.2 Multi-Unit Erects and As-Built, AsOperated Status Dere are no other operating units on site.

( A wide variety of upto<iate information sources were used to develop the IPE: FSAR system description, piping and instrumentation drawings, electrical one line drawings, system design basis dae===*, licensee event reports, amonthly operating reports, technical specifications, emergency operating procedures and special studies and analyses. De analysis was applied to the plant configuration as k existed in mid 1989. De data was collected from September 24,1985 to March 31,1989 (for assintaaaace data); the data window was artaadad to December 31, 1991 for the emergency diesel generator failure data. Other components use generic data. Walkdowns were performed if there were 8

l l

l

i 1

! quespons with a specific aspect of modeling (also there were frequent interactions with persons familiar l with various aspects of the plant). Due to the newness of the plant, it is expected that the plant

. documentation, drawings, etc. accurately represent the as built as operated plant (RAI responses). In j addition, a flooding analysis walkdown was performed.

) . De submittal states that "the HRA task served as an integral advisor to other project tasks to assure that relevant human interactions were identified and properly incorporated into the logic models." He HRA

task was involved during initial sequence and modeling efforts and "during this period had the j opportunity to review plant and system design information and become familiar with the control room

! and related operating procedures." While sinnlator exercises were not conducted, the statements

! di==d above suggest that t'ne HRA analyst was significantly involved throughout the modeling effort.

i Rus, it appears that steps were taken to assure that the HRA represented the as-built, as-operated plant.

However, h was not clear that the HRA gave detailed consideration of plant-specific factors in i determining the HEPs. Dere was no mention of any walkdowns of Wet or time consuming operator j actions. Response times for actions outside the control room were based interviews with operators. No j human related multiunit effects were identified.

I Insofar as the back end analyses are concerned, it appears that all the Waterford 3 containment specific

! ~ features are modeled.

I

~ h seems the licensee intends to maintain a "living PRA".

{

j " 2.1.3 Licensee Participation and Peer Review l De licensee contributed 'well over 50% of the total engineering effort (about nine man-years) applied l i

to the project". De licensee contracted with SAIC to develop the PRA and transfer the technology to i

Entergy personnel. SAIC was on board from the start of the PRA in September of 1988 until the PRA development contract expired in December of 1990. Dereafter, Waterford 3 personnel had sole

responsibility for all aspects of the PRA. Initially, the relationship consisted mostly of learning and i

gassistance by utility engineers. Waterford 3 personnel and SAIC shared the initial development of system fault trees, quantification and evaluation. As the project progressed, utility involvement and expertise 4 in all aspects of the PRA increased., Since December of 1990, all analytical work, including additional  ;

development of plant models for both Level 1 and Level 2, data analysis, quantification, and evaluation i of results have been perfonned by Waterford 3 personnel with minor assistance from outside firms. He  ;

j internal flood analysis is the single exception since the bulk of the technical work there was performed  ;

l by ERIN Engineering personnel with Waterford 3 personnel input and assistance. Entergy staff

! participated, particularly during the data collection and plant walkdown, and result review phases of the

. project. Utility engineers were involved in assuring that all the components in affected flood areas were i accounted for and that the I.svel I basic events representing those components were appropriately tagged.

! De Entergy staff were involved in directing the contractor on key assumptions and operator recovery actions that could be credited. Finally, the same staff reviewed and approved the final results of the

analysis to ensure a clear understanding of the analysis details and results by the utility.

De reviews performed for the IPE included both independent in-house reviews and an external review.

j ,Dere were three levels of review: normal engineering quality assurance carried out by the organization

{ (' performing the analysis, which consisted of a qualified individual with knowledge of PRA methods and j plant systems performing an independent review of all assumptions, calculations and results for each task

)

i 9 4

i l

1 I

. . i and system model in the level I analysis (except the internal flood analysis). He second level of review was performed by plant personnel not directly involved with the development of the PRA model and i consisted of individuals from Operations, Engineering, Training and Licensing groups who reviewed the system models and accident sequence description. De third level of review was performed by PRA expens from ERIN hPa-mg. His review was conducted in two phases. During the first phase, the review team concentrated on the overall PRA methodology, accident sequence analysis and system fault .

j trees. He intent was to provide early feedback to the Waterford 3 staff concerning the adequacy and accuracy of the reviewed products. De second phase included Ievel I results, human failure and  !

recovery analysis, preliminary plant damage state cutsets and a preliminary CET (Level 2). He intent of this phase was to identify any modeling inaccuracies, inappropriate failure data, inconsistencies  ;

between cut sets, reasonableness of recoveries and results,' and making sure the cut sets were properly binned into the PDSs. A summary of the major areas of review comments is provided in the submittal.

In addition to the above review, a review was performed by experts from ABB Combustion Engineering for the I.mvel 2 analysis. ,

A slight concern is that the utility did not continue with the original contractor through the end of the analysis. Even though the intent was to transfer knowledge, some continuity may be lost due to imperfect transfer of memory of nuances of the analysis, assumptions, justification for such assumptions, etc. Also the flooding analysis contracsor was different than the original level I contractor. His may be partially offset by hiring an outside contractor to do an early review as the project was progressing.

Another area of concern is that there was apparently no outside independent review of the flooding ,

analysis, as ERIN Engineering both performed the flooding analysis and was involved in the Level 1  !

review work.

De PRA team for the Waterford 3 IPE consisted of Waterford 3 Design Engineering and " Corporate" Engineering penonnel. His was supplemented by Science Application International Corporation (SAIC) ,

and other outside consultant firms experienced in PRA methods and applications. He Waterford 3 i personnel had sole responsibility for the PRA model after Dea =he 1990, when the contract with SAIC expired.

.From the description provided in the IPE submittal it seems that the intent of Generic letter 88-20 is satisfied. ,

l 2.2 Front End Technical Review  ;

i 2.2.1 Accident Segnence Delineation and Systeen Analysis l

l 2.2.1.1 smidader Events ,

t

_ De identification of initiating events proceeded in a two-stage approach: 1) review of existing sources, including other PRAs of similar plants (Calvert Cliffs, ANO-2 and Crystal River 3), EPRI documents (EPRI NP-2230 and NSAC-152), and the NRC accident sequence precnirsor reports (NUREG/CR-3591  ;

and NUREG/CR-4674), and,2) a thorough review of endi frontline and support system at Waterford 3  ;

' to identify failures that could lead to an initiating event.

+

10

l l As a result, a total of 22 initiating events (including i flood) were identified. In addition, the reactor

vessel rupture was not mentioned in the submittal (as part of the 22 initiators), but was later discussed

. in the RAI responses. 'Ibe internal initiators are:

. LOCAs:

Large LOCA Medium LOCA Small LOCA Transients:

Reactor trip loss of condenser vacuum Thrbine trip Loss of feedwater loss of offsite power Steamline break Feedline break upstream of the ma* m feedwater isolation valve 14ss of condensate system IAss of component cool'mg water system Loss of 6.9 kV bus 3Al 14ss of 6.9 kV bus 3B1 Loss of 125 V DC bus 3A Loss of 125 V DC bus 3B '

Loss of 125 V DC bus 3AB Loss of power distribution panel 3014-AB Loss of instrument air Other events:

s Steam generator tube rupture Interfacing LOCA, suction 1.ine to shutdown cooling system Internal flood in tuttine buBding

'Ibe initiating event list seems to be mosdy complete and comparable to events considered in other PRAs.

HVAC failures do not lead to inkiating events because of a low probability of failure of all three chillers, long time scales to reach damaging temperatures and availability of DHR equipment which would not be affected by HVAC failures (turbine driven EFW pump, the AFW pump and the condensare pumps).

. As stated above, spurious failure of RCP seals was not considered a credible initiator (this is usually considered a very small LOCA), due to the nature of the Byron Jackson seals.

It is not clear why a loss of a 4.2 kV bus was not considered as an initiator (as opposed to the 6.9 kV

- bus). Unlike a loss of the 6.9 kV buses, a loss of a non-safety 4.2 kV bus would also cause a loss of the -lead 4.2 kV safety bus. Furthermore, a non-safety 4.2 kV bus is " required" for normal plant operation. 'Ibe RAI responses just reiterate (without explaining) that a loss of this bus would not cause an =*=nmic plant trip due to unspecified " redundancies" in design of the non-safety power system. In 11

any case, based on the reviewer's experience with other PRAs, usually a loss of a 4.2 kV bus is not expected to have a major impact on the CDF.

, A failure of the pressurizer pressure control system was not included as an initiator due to existence of

, control room alarms and perceived low conditional core damage probability. .

Reactor vessel rupture was not included for probabilistic reasons, but in response to the RAls it was stated that WASH-1400 analysis would be accepted. His should result in a pessimistic evaluation of this initiator as the Waterford 3 vessel is made with more fracture resistant materials than older vessels and j there are no in-core detector lower head penetrations, i 2.2.1.2 Event Trees De L'E developed 7 event trees: the general transient event tree, the station blackout event tree, the ATWS ennt tree, the small LOCA event tree, the medium LOCA event tree, the large LOCA event tree 1 and the SGTR event tree. No event tree was developed for the interfacing LOCA, however it was  :

assumed that once the isolation failure in the SDC suction occurred (initiating event), there was a 50% )

chance that there would be a pipe rupture outside the containment, with core melt and containment bypass l resulting (pipe ruptures inside the containment would add insignificantly to the existing LOCA l frequencies). Existing event trees were used for the flooding analysis (a general transient event tree used for the surviving scenario in the turbine building, which causes a loss of offsite power).

De event trees are functional. De mission time used in the core damage analysis was 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, unless

, shorter time was indicated (e.g., LOCA injection phase). ,

' He event tree end ptes are divided into two possible outcomes: success or core damage.

It appears the analysts used core uncovery as the definition of core damage for most initiators, along with ,

the limit on clad temperature for larger LOCAs.

Success criteria are based on review of other PRAs (ANO-2, Crystal River, Zion, etc.), licensing accident analyses presented in the FSAR and more realistic accident analyses previously performed for Waterford

3. De success criteria appear reas6nable and in line with most other PWR success criteria.

Large LOCAs require injection from all three safety injection tanks attached to the intact loops, and injecten from 1/2 LPSI pumps into one intact loop, and injection from 1/3 HPSI pumps into at least 2/3 intact loops. ,

For the recirculation phase of all three LOCAs, containment heat removal via either recirculation sprays or the fan coolers is required.

• Small and medium LOCAs require control rod insertion for reactivity control. Both small and medium LOCAs require HPSI pump injection from RWSP (only large LOCA requires LPSI injection from RWSP).

[ Racirculation for all LOCAs is accomplished by the use of HPSI pumps; LPSI pumps are not used (even

' though the hardware astup exists) due to NPSH probians when taking suction from the contalament sump 12 i

! l i

, in conjunction with operation of the containment spray pumps in recirculation mode (RAI responses).

HPSI pumps can be aligned to either hot leg or cold leg recirculation.

In case of small LOCAs, heat removal through one of the stamm generators is also required, as the break j .

flow is insufficient to remove all decay heat. His can be accomplished by the use of one MFW pump, .

i or one EFW pump, or the AFW pump, or one condensate pump in conjunction with secondary system l l depressurization (using I atmospheric dump valve or one steam bypass to the condenser valve). His l same heat removal criterion is applied to transients, LOSP and long term ANS heat removal.

l De pressure control success criterion for ANS specifies 3700 psia as the limiting RCS pressure. His

! is considered conservative as CE analyses indicate a failure pressure of 4300 psia. De CE analyses j encompassed stress evaluations of all major primary and auxiliary RCS components within the CE

] purview, it was concluded that peak pressures of up to 4300 psia would not jeopardin the integrity or j the operability of equipment needed for safe shutdown. He 3700 psia success criterion is below the i pressure at which CE analyses show that the upper reactor vessel head would lift to relieve pressure.

l Also, CE tests with severely wasted steam generator tubes show that consequential SGTR would not occur l

at these pressures.

l Early operation of the EFW system will help in limiting peak pressures, depending on the moderator i temperature coefficient and operation of the turbine trip function. A potential for common cause failure j , beween the RPS and the emergency feedwater anuatinn system (EFAS) was conservatively modeled; this 4

. does not take into account the existence of a diverse EFAS which has no such commonality. i

, A turbine trip helps to minimize the RCS pressure by maximizing the available inventory in the steam j generators. It is pessimistically assumed that turbine dp will fail if ATWS was due to an electrical failure. Also, no credit was taken for turbine trip as an initiating event (although it was included in the ANS initiating event frequency).

l Long term reactivity control via emergency boration is modeled by operation of (two) charging pumps j taking suction from t boric acid makeup tank; no credit for RWSP suction is given. l j Both pressurizer safety valves have to open in ANS for successful pressure control.

j J

! Pressure control requirmnents are more stringent for transients and SGTR sequences than at other PWRs,

, due to a lack of a feed and bleed capability. In transients, the operator is required to isolate the i

pressurizer heaters and isolate the RCS makeup, while secondary steam relief via turbine bypass valves  ;

! or ADVs is also necessary for censin transients. In case of an SGTR the operator is required to throttle l

! the HPSI flow, in addition to performing the RCS depressurization. Credit is given to operation of 2/3 ,

l charging pumps for inventory control in SGTR (as an alternative to 1/2 pumps) if the RCS is  !

! depressurized sufficiently such that the charging pumps' lower flow rate can provide adequate makeup. l

. An assumption is made that the operators will not wait for the automatic reactor trip on low RCS pressure 4

(15 minutes). A late trip causes a reactor upper head void to grow upon depressurization, possibly

{ interfering with natural circulation. ,

i It is shown that there is enough inventory in the RWSP to last beyond the mission time even assuming

, failure to isolate the fimbed steam genermor. Nevertheless, failures beyond the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> time frame were

! included in the recovery analysis (failure to initiate the SDC, failure to refill the RWSP, etc.).

I i

13 i ,

1

l As stated above, the RCP seals are the Byron Jackson type. It is assumed they would fail only if the operators fail to trip the RCPs within 30 minutes of a loss of CCW.

I Success cnteria for CCW assume that in case of LOCAs the wet cooling tower cooling would be needed (via ACCW) to supplement the dry cooling tower (s) due to an increased heat load. In case of other ,

accidents, either dry cooling tower cooling or wet cooling tower cool'mg can supply the required UHS l

- (the minimum number of fans operating in either type of the cooling tower is specified in the success l l

' criteria for all accidents). ,

De station blackout tree pannimi* Wily assumes that the diesel generator failure to run occurs at the start of the sequence, i.e., no allowance is given to longer core uncovery times later in the accident. This is offset by non-modeling of DC load shedding to preserve the batteries, as claimed in the submittal. The latter non-conservatism has bcen ameliorated recently with installation of new batteries of higher capacity and adding a non-safety battery, such that depletion times have been increased since the IPE, and load shedding apparently does not need to be modeled for the depletion times assumed in the model.

De SBO tree also takes credit for the fact that failure of TDEFW pump to run (before the expiration of the 4 hr battery depletion time) can occur any time between 0 and 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />; thus, in case of failure to run, an average running time of 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> is assumed, which gives an extended time for core uncovery (1.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> vs. 50 minutes at the start of the accident).

2.2.1.3 Systens Analys;s A total of 15 syctamdfunctions are described in Appendix B of the Submittal. Included are descriptions of the fellowing systems: AC power, component cooling water, contai,nment spray, DC power, emergency feedwater, engineered safesy features actuation, high pressure safety injection, instrument air and station air, low presure safety injection, power conversion and main feedwater, pressurizer pressure control, room cooling (HVAC), safety injection tanks, containment cooling (fan coolers) and containment

. isolation system. In addition, the RAI responses contained a more detailed and helpful description of the l HVAC system and its modeling.

. Each system description includes a discussion of the system design and operation, details of modeling and assumptions, system interfaces (support systems), test and maintenance requirements, success criteria and system level initiators.

Also included for many systems are simplified schematics that show major equipment items and important flow and configuration information. ,

System dependencies are sn=marized in a matrix form.

, Section 1.2 of this TER describes the important plant features, f

2.2.1.4 Systems W

. De IPE addressed and considered the follow'mg types of dependencies: shared component,

' instr =naarmian and control, isolation, motive power, direct equipment cooling, areas requiring HVAC, and operator actions. Dere is not auch discussion of environmaatal e5ects, apart from HVAC and 14

- --w

f flooding / spray considerations. De effect of the flood on cable terminal points, such as junction boxes, I was also considered.

I 2

In case of HVAC, RAI responses provided a detailed description of HVAC design, rooms requiring HVAC and HVAC modeling considerations. De HVAC consists cf the three main chillers (cooled by

the CCW system) and the three chiller pumps, providing chilled water to the air handling units in

+

individual rooms / plant areas. Some areas just have vamilpinn %ns, i.e., there are no chilled air handling

! units (e.g., EDG rooms).

De following key rooms have chilled AHUs (all rooms acept for safeguard pump AB room contain two AHUs; the safeguard pump AB room contains only one AHU): .

l 1) control room;

2) control room (mechanical equipment room);

switchgear area, cable vault and battery rooms; 3)

4) CCW heat exchangers (heat transfer from CCW to ACCW);

5) CCW pump AB;

6) CCW pumps;

7) switchgear area

8) safeguard pump AB (contains HPSI pump AB);

9) safeguard pumps A (HPSI, LPSI, CSS pump A);

10) safeguard pumps B; l

11) shutdown heat exchangers; i

12) emergency feedwater pumps; , j

13) charging pumps; l

-14) . charging pump AB. l i

De important areas served by fans only are the HVAC equipment room, turbine building switchgear room and emergency diesel generators rooms.

4 Not all the above rooms require room cooling, however. De following areas do not require room '

cooling: ,

1) TDEFW pump area (reason: SBO hestup calculations, the room is actually a cage in a large area;

2) Battery rooms A, B and AB (reason: temperature calculations for SBO conditions, hydrogen purge function judged unamaawy during an accident);

3) Safeguards pump rooms, during injection of RWSP water ocly (due to low temperature

. of RWSP water), required in recirculation phase;

4) CCW best adianger rooms A and B (reason: valves tasted by manufacturer to well over 300T, wkh only speed of opening / closing affected, CCW temperature is on the order of 100'F or lower);

5) Control room (reason: shutdown of plant in 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> if both trains inoperable, slow heatup, existence of remote shutdown panel);

15

i j . .

6) Shutdown heat exchanger room (reason: equipment assumed not affected by high room l'

! temperature);

7) HVAC equipment room (reason: large room, containing relatively few heat loads, cooled by CCW, ventilation fans are assumed not required)- l

. 8) Turbine building swhchgear room (reason: large area, three walls are outside walls, slow l bestup, served by ventilation fans only). '

i Dere seems to have been a relatively complete consideration of HVAC in the model. In case of item 6), d=* lawn best enchangers, there does not seem to be enough justification for not considering HVAC  ;

failures. His would primarily impact LOCA recirculation sequences.

O Table 3.2-5 of the submittal contain the overall system dependency matrix, including both support on- }

support and frontline on-support dependences. ,

2.2.2 Quantitative Process 2.2.2.1 Quantification of Accidait br=ar* Frequencies 3 De IPE used a small event tree /large fault tree todmique to quantify core damage sequences. De event t trees were functional. De CAFTA workstation software package was used for development and ,

iquantification of top event probabilities and accident frequencies. l i

11t appears the cut set truncation limit used was 2.E-9/yr. De truncated residualp are a negligible fraction

)of the CDFs, according to the submittal.

He IPE took credit for various recovery activities, including the recovery of offsite power. De only l diesel recovery modeled are simple recoveries in the air supply for starting the diesels, but this is not significant, according to the submittal. He IPE power recovery curve is given by the equation:  ;

P, ,, = exp( 0.88Y"),

where the time t is given in hours (RAI responses). No reference is given for this equation. Table 2  ;

abows a comparison between the offsite nonrecovery probs* a ility at the times of interest calculated by the j above equation and that given in NSAC-147. De latter EPRI document contains industry average data j on offsite power recovery.

i Table 2 IiPE vs. NSAC-147,7':_ _. , of Offsite Power l

Art Probabinty of menrecovery NSAC-147 probabluty of h h lai h M I of ethite power menrecovery of offsite power 1 0.41 0.46 3.5 0.068 0.17 i 6 0.013 0.12 8 3.7E-3 0.08 ,

16 l

t i

The times of interest are mostly from the SBO event tree considerations: core uncovery occurs at appmmimately I bour after the SBO initiator if the TDEFW pump does not start. If the TDEFW pump starts but fails during its run time, an average core uncovery time of 3.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> after the initiator is  ;

calculated. With battery depletion time of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> and 2 additional hours for core uncovery,6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is l calculated in case the TDEFW pump runs until the battery discharges Finally, 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> is given for  !

comparison on how the results diverge at longer times. It can be sen that at 3.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />, the IPE is l

cptimistic by a factor of 2.5. At 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, the underaatimarian of core uncovery probability is almost one  ;

order of magnitude. His may have a significant impact on the results. For example, one of the domlamat sequences is SBOVL (frequency of 2.86E 6/yr, or 17.1% of the present CDF). His is a station blackout, with battery depletion after 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> and non-recovery of offsite power in 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. In addition, the LOOP nonrecovery within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> has an overall Fussell-Vesely importance of 0.186.  ;

kaising this probability by an order of.T.i.gJEide would mean raising the total CDF by almost a factor of 3 and the above sequence would then be almost 60% of the new CDF.  !

It appears that, in comparison to NSAC-147 data, the offsite power recovery factors are very optimistic and will significantly impact the results.  :

i 2.2.2.2 Point hel==a= and Uncertainty / Sensitivity Analyses Mean values were used for the point estimate initiator frequencies and all other basic events. No uncertainty analysis was performed on the results, importance measures (Fusell-Vesely) are given for systems, basic events, imtiating events, and sequences. De most important basic event are tne following,  ;

each one having a F-V importance > 55: LOOP nonrecovery within 50 minutes, failure of TDEFW

!, pump to start, LOOP nonrecovery within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, EDG failures to run, operator failure to recover from room cooling failures, common cause failure of the EDGs to run, dry cooling tower maintenance  ;

unavailabilities, common cause failure of the containment sump recirculation valves, EDG start failures  !

and ACCW pump failures. i Sensitivity studies were also performed. For each basic event whose F-V importance was greater than

,1%, failure probabilities were arbitrarily and individually increased by an order of magnitude. Certain classes of events were also increased by an order of magnitude (all CCF failures, etc.). De following '

s were components and classes of events to which the CDF was most sensitive and the IPE calculated change in CDF: all motor driven pump failures (610% change in CDF), all common cause failures (278%), all test and maintanance (264%), all operator recovery errors (176%), all pre event human errors i (146%), all MOV failures (115%); EDG fails to start and fails to run (increased failure rates by the error l facsors,508%), EDG fails to run (438%), MDEFW pumps fail to start (228%), LOOP nonrecovery in 50 min (increased P,,,,,,,,to 1.0) and 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> (1865), EDG failure to start (173%), ACCW pump failure i to start (155%), various EDG damand failures (142%), dry cooling tower unavailability due to maintannace (111%) and failure to restore AHUs in the switchgear areas (111%). t

. 2.2.2.3 Use of Plant Specific Data Since the ping is relatively new and there hasn't been enough time to develop plant specific data, mostly  !

generic data was used, except for the maintanane* data and the diesel generator failure data, the data collection process period was from September 24,12 to March 31,1989 (for maintenance data); the data window was extended to December 31,1991 for the emergency diesel generator failure data.

17

e

{ For maintenance and test data, the data sources examined were the computerized records of SIMS (station information management system), NPRDS (nuclear plant reliability data system) and the control room i 3

EOS (equipment out of service) log.

- l j While the test and mainmaanana data appear reasonable, k was noted that the error factors presented were  !

too small. De licensee agrees and states that the wc:.ag method was used to antimata. Dere is no -

s kapes on the results. De unavailability for the dry cooling towers was pessimistically estimated such

. est whenever there was malataamar* on a tower fan, the whole multi-fan cooling tower is declared out '

I of service. In reality sections of the tower can be separated from the rest. Bis affects the LOCA sequences.

q J

J De data for the diesel generators was taken from the technical specification surveillance program which i

mandates a certain number of EDG tests. Dere have been 3 start failures in 228 damanda and one run failure in 412 hours0.00477 days <br />0.114 hours <br />6.812169e-4 weeks <br />1.56766e-4 months <br /> of operation. De plant specific EDG data is then obtained by straight division of the appropriate numbers (no Bayesian updating was used).

Table 3 of this review compares the failure data for selected components from the IPE to values typically used in PRA and IPE studies, using the NUREG/CR-4550 data for comparison [NUREG/CR 4550, ,

, Methodology]. Most of the data in the table is generic data.  ;

, Waterford 3 data are generally in agreement with the NUREG/CR-4550 data. De data for circuit breaker failure to transfer and EDG failure to start data is somewhat lower than that used in NUREG/CR-

,a 4550. De turbine driven pump failure to run data is significantly lower. In RAI responses, the licensee  ;

points out that this is an aggregate of 4 generic data sources, all of which have a much small run failure ,

rate of TD pumps than does NUREG/CR 4550. Also, comparison is made to demonstrated reliability  :

ef f.,e TD MFW pumps which have to run continuously. De licensee states that the high 4550 values ,

are due to data from Peach Bottom whidi was an outlier. It is not clear if the TDEFW pump should have the same data as the TDMFW pump, and what is the right value to use for the TDEFW pumps (most other IPEs seem to go with the lower value). De data used for the TD EFW pump can have some impact on the results. If the 4550 data are used for failure to run, it is expected that the SBOVL

=a9=~ contreution would increase by a multiplier of 1.8 (an 80% increase) while the total CDF would [

inneresse by about 13% (reviewer's estimates).

2.2.2.4 Use of Generic Data /

As ana==ad in Section 2.2.2.3 above, most failure data used in the IPE and presented in Table 3 were  ;

actually generic data. De data moody comes from the SAIC generic data base. Sometimes data was  !

aggregated from several sources using the SAIC CARP program. For example in case of turbine driven pumps data from the following sources were aggregated: ASEP data base, NUREG/CR-2886 (IPRD),

NUREG/CR-1205 and the NREP data base. i 3

I8  !

l

Table 3 Comparison of Failure Data l

, Component Failure Mode Waterford 3 Data 4550 Data Turbine duven pump fail to start 2.6E-2 3.0E-2  :

I fail to run 8.9E-5/hr 5.0E-3/hr

} <

Motor driven pump fail to start 4.8E-3 3.0E-3 fail to run 8.4E-5/hr 3.0E-5/hr ,

j [LErument air compressor fail to start 1.3E-1 8.0E-2  !

i fail to run 2.5E-3/hr 2.0E-4/hr l

! Battery charger fails to operate 7.8E4/hr . 1.0E4/hr I f Circuit bresker spurious open 1.9E4/hr 1.0E4/hr j fail to transfer 1.2E-3 3.0E-3 i AC bus fault 1.2E-7/hr 1.0E-7/hr 3

Check valve (AFW) fail to open 1.4E-4 1.0E-4 l'

fail to close 1.6E-3 1.0E-3 MOV fail to 5.5E-3 3.0E-3 close/open spurious open 1.4E4/hr 5.0E-7/hr spurious close 1.5E4/hr 1.0E-7/hr Emergency diesel ger.irator (the fail to start 1.3E-2 3.0E-2 only plant specific data in Table) fail to run 2.4E-3/hr 2.0E-3/hr Notes: (1) 4550 are mean values taken from NUREG/CR-4550, i.e. fmm the NUREG 1150 study of five U.S. nuclear power plants.

(2) Demand failures are probabilities per demand. Failures to run or operate are frequencies expmssed in number of failures per bour.

.f2.2.2.5 ra==aa-Cause Quantification

' De common cause probabilities were based on the procedure presented in NUREGICR-4780 and the data presented in EPRI NP-3%7. It seems that the approach used was the beta factor approach, for most components. He submittal states that no credible data exists to support common cause failure analysis l of components other than pumps, MOVs, EDGs and batteries (although EDG ventilation fans and chillers are also included in the data). Chiller B was assumed not to have CCF with chillers A and AB due to a different mode of operation: chiller B operates continuously, while chillers A and AB alternate monthly, therefore the same wear would not be experienced. His is not a very compelling argument (chiller failure is a relatively important contributor to the CDF). He check valve CCFs were neglected

, probabilistically (check valves have lower failure probabilities than components they are in series with, e.g. MOVs, pumps). Only EDG fans CCF was modeled (CCF factors for other fans were not available at the time of the IPE); the other HVAC fans will have lower common cause failure rates than the naarrietari diillers. De licensee states that there is no evidence in the data reviewed for Waterford 3 of CCFs for circuit breakers (other than reactor trip breakers), electrical switchgear, air operated valves, air compressors, inverters, relays, transminars (except miscalibration which is modeled in the HRA) (RAI responses). Other PRAs have included these failures.

19

CCF of pressurizer safety valves was not considered because failure of only one valve in the stuck open mode would cause a small LOCA. Likewise, in an A'IWS, failure of one safety valve to open would be a failure of the pressure control function.

De memon cause failure between the TDEFW pump and the two MDEFW pumps was not considered credible due to a different driver (the pump parts are similar, though the TDEFW pump is somewhat .

- larger). Bis is not -W to have a major induence on the resuhs or the conclusions of the study (RAI responses). De licensee also states that the AFW pump is of a totally different design and thus not subject to CCF with the EFW pumps. However, there could be common problems such as steam binding. Also note that the MDEFW pump CCF is by about a factor of 2 lower than the 4550 escommended values. EFW is an important system, contributing about 30% to core donage, thus it is important that it be modeled correctly. Failures of pumps with different drivers (common cause) have ,

been modeled in PRAs and are included in EPRI documaats (for example the ALWR requirements dr t

base).

it is not clear if common cause failure of all three HPSI pumps or ail three CCW pumps was considered (no CCF factors are provided and this does not appear in dominant sequences). If not, this may have a significant impact on the results.

A comparison of effemive # factors in the submittal vs. those sucested in NUREG/CR-4550 (" reference

1. factor") is presented in Table 4.

The tr*sle shows general consistency between the Waterford 3 CCF data and that recommended in  ;

NUREG/CR-4550. Most of the CCF faaors are in agreement, except the MDEFW pumps' and the CSS

, pumps' CCF factors are lower by a factor of 2 in the IPE. De MDEFW CCF may have some measurable impact on the results.

In conclusion, the CCF analysis, while mostly reasonable, may have had a measurable effect en the results in the direction of understating the contributions to the CDF at Waterford 3. .

s Table 4. Comparison of Common-Cause Failure Factors i

Component Submittal $ factor Reference # factor  :

HPSI pumps, IESI pumps 0.17 0.21 HPSI 0.15 IESI  !

n=an====t spray pumps 0.05 0.11 Challer pumps, MDEFW pumps, 0.03 0.026(SW)0.056 EFW CCW pumps, ACCW putaps Chillers 0.11 j MOV CCF of 2 valves 0.08 0.088 Bettery 0.05 g EDG v==hh fans 0.13 ,

Diesel Generator, CCF of 2 EDGs 0.05 0.038 i 20

l i

l 2.2.2.6 Initiating Event Frequency Quantification l

De initiating event frequencies were calculated by three methods: Waterford 3 specific experience, l i generic industry daa (but specified to Waterford specific design) and fault tree modeling of Waterford i . 3 systems using generic industry data. No Bayesian updating was used.

6 l De plant specific experience was used for the reactor trip, turbine trip, loss of feedwater. Plant specific '

l j

fault trees with generic failure data were used for loss of instrument air and loss of PDP 3014-AB.

! Generic data were used for all other initiators; for loss of offsite power, the generic data were adjusted i j for plant specific features.

De initiating event frequencies used in the IPE are presented in Table 5. l i l

De inaiating event frequencies generally asem romana=Me and are comparable to other PRA studies. The '

l large LOCA, small LOCA and LOOP frequencies seem lower than expected.

I i j De large LOCA employs a leak before break consideration which reduces it to an order of magnitude )

below that of NUREG/CR4550 recommendations. Other studies are quoted which have this frequency j at 1.E4/yr before leak before break considerations. An estimate from NUREG/CR4290 is quoted for j a large guillotine break at CE plants of 5.E-14/yr. In any case this is not expected to have a large impact

! , on the CDF results as large LOCA now presents about 1% of the total CDP.

! i

.De small LOCA frequency is lower than the NUREG/CR small 14CA (1.E-3/yr) plus very small LOCA j j g(1.3E-2/yr) combination, by about a factor of 3. His frequency was calculated by dividing the two  ;

, applicable industry events to this category by the total number of PWR years. He two events assigned  ;

i to the small LOCA category were at Robinson on 3nnt and Zion on 12/31n3. Dere are no PORV  !

l contributions at this plant (no pressurizer PORVs), and the RCP seals are judged to be sturdy enough l such that spurious RCP seal LOCA is not deemed credible.

l The ANO-1 RCP failure event (along with 4 others quoted in NUREG/CR-4550) is dismissed as

! Inapplicable, due to improvements in seals or a different seal design. It is also stated that the ANO-1 1

' event was not a LOCA as the leak rpte was within the charging pump makeup capacity ("according to '

the ANO engineers"). Also, the pressure never fell to the SIAS seapoint, according to the RAI responses.

However, NUREG/CR4550 (Vol. 3, Rev.1, Part 2, App. D.2) quotes a leak rate of 400 gpm for that i event (which the RAI responses states was an overestimate), with a total spillage of 60,000 gallons. His event, whidi occurred in 1980, plas the one at Oconee 2 in 1974 (leak rate 90 gpm, total leakage 50,000 i gallons) seem to have wM in 1)yron Jackson RCP seals, and both were spurious failures (not caused by loss of seal cooling / injection), according to NUREG/CR4550.

It is possible that there have been substantial improvements in seal design and materials since that time.

. However, NUREG/CR4550 accounts for that by doing a Bayesian updatmg of early failures in the period

, 1974 through 1980 with lack of failures in the period 1981-1988. His yields an estimate of 3.9E-3/yr

for spurious RCP seal LOCAs.

Alao. other categories of very small LOCAs are estimatad in NUREG/CR4550 to have a frequency of

1.7E-3/yr for very staall thCA pipe breaks and 7.6E-3/yr for component boundary failures. Events with leakage rates greater than 15 spm were counted, which occurred during startup or power operation, and,

21 l

l 1

l

for pipe breaks, ratio of LOCA sensitive piping to all other piping of 18% for Westinghouse plants was used.

' k is true that the effects of a spurious RCP seal IDCA (usually considered a very small LOCA) would

% probably be bounded by the small LOCA accident sequence logic (i.e., the conditional core damage probability of a small LOCA is probably latter than that of a very small LOCA). Since the small LOCA .

N frequency at Waterford 3 of 4.5E-3/yr is a few times larger than that recommended in NUREG/CR 4550 (1.0E-3/yr), and considering lack of PORVs and . '.y.w In RCP seal design, the total impact of small LOCAs on the plant risk profile is probably not severely underestimmead (from the standpoint of initiator frequency). There is probably some underestimatian, based on the state of our knowledge of these phenomena. .

De 140P frequency of 0.032/yr seems somewhat W, but is in line with most other IPEs encountered by this reviewer. His is calculated by culling from 14 generic data base events deemed inapplicable to the plant, based on the switchyard design, weather patterns, etc.

De licensee states that the generic data base includes events such as ice storms,m' applicable to the site (RAI responses). k is stated that generic data base also includes hurricanes in the North East, and there would probably be a precautionary shutdown in the event of a hurricane, which is usually slow moving (RAI responses). It is stated that tornadoes should be less frequent than in the Midwest, and the responses disagree with the RAl's characterization of the site as being subject to " severe weather f relatively frequently". De switchyard design includes two switchyard buses, fed by seven transntission

~ lines, feeding two separate startup transformers, which then feed the 4.2kV safety and non-safety buses.

No LOSP events on site have occurred, but there have been 5 partial LOSP events.

~

It seems the methodology used for specializing the industry occurrence data to the plant specific aandirians, tends to' underestimate the LOOP frequency. De data appears to include shutdown time in e the calculation of the total reactor years, and there may be cases (as in plant centered LOOP) where

, inappropriate reactor years are not adequately screened out. In any case, the LOOP frequency should

' not rise by more than a factor of two, which would translate into a correspondigly higher LOOP caused y.CDF. Since LOOP is already a primary CDF contributor, the conclusion as to LOOP significance to the CDF won't dange, but the numerical values will. Also, the observation above on the power nonrecovery

. factors (they seem low) would bias the LOOP CDF contribution in the same direction as the relatively low IDOP frequency.

1 In addition, some of the error factors quoted for the initiating events seem low, and sometimes do not i make sense when compared on a relative basis (some relatively rare events have a smaller error factors l than some relatively frequent events). For i==rmare, the error factor for loss of offsite power is 1.33 (meaning that this munber is known with a high degree of certainty), while the error factor for a turbine  ;

trip, derived from plant specific occurrences, is 5.20. However, this should have no impact on the  ;

results as uncertainty analysis was not performed. ,

t 22  !

i l

i f

Table 5 initiating Event Frequencies for Waterford 3 IPE 1

Initiating Event Frequency (/yr)

Reactor Trip 2.6 l

Loss of r*~ Vacuum 0.14 Turbine Trip 0.40 Loss of Feedwater 1.0 Loss of Offsite Power 3.16E-2 Steamline break on SG2 5.60E-3 Feedwater line Break Upstream of the Feedwater Isolation Valves 5.60E-3 Imss of r*** System I.00E-2 loss of CCW/ACCW 5.00E-3 Iess of 6900 V bus 3.94E-4 Loss of DC Bus 3.94E-4 loss of PDP 3014AB 2.57E-2 Loss ofInstrument Air 4.67E-2 Small LOCA 4.47E 3 Medium LOCA 1.00E-3 Large LOCA 5.00E-5 l Reactor vessel rupture 2.7E-7 Steam Generator Tube Rupture 8.94E-3 Interfacing System LOCA (suction valves of shutdown cooling) 9.72E-7 '  !

Internal Flooding (Turbine Building, circulating water pipes) ,

3.05E-3

)

2.2.3 Interface Issues 2.2.3.1 Front-End and Back-End Interfaces

'Ibe IPE assumes that containment heat removal is m=ary for core heat removal when recirculation is required. Also, LPSI pumps cannot be used in conjunction with CSS pumps. Both CSS pumps and containment fan coolers require CCW cooling; also CSS pumps require room cooling in recirculation.

Section 2.4 provides more information on level 2 considerations.

23

m . . _ _ . _ _ _ _ . _ _ _ _ .~ _ _ . . _ . _ _ _ . _ . _ _ _ . . _ _ _ _ _ _ _ _ _ . _ _ _

2.2.3.2 Hamman Facters Interfaces la case of a fast dead bus transfer (from the auxiliary transformer to a startup transformer) after a plant

' trip, the failure of this automatic amion can be recovered by the operators, either from the control room, or locally, at the breakers. De HEP for the local action is 4.5E-3, the one in the control room (event ZMANTRAN) is on the order of 1.E4, which seems very low, and they seem to have been assumed -

independent. His will have an impact on the LOOP frequency, or, for some initiators, the SBO frequency.

Section 2.3 provides more information on HRA considerations.

2.2.4 Internal Mooding 2.2.4.1 hetennel Mooding Methodology De methodology used to perform the flooding analysis consisted of five major steps:

1) Preliminary flood scenario development;

2) Plant walkdown;

3) Initial flood scenario frequency screening;

4) Refinement of analysis bases and assumptions;

5) Detailed quantification of important flood scenarios.

De final two steps were performed iteratively until each scenario was determined to be below the established scremaing frequency or until the scenario frequency was as low as reasonably achievable using the screening methods of this study. His process may result in a substantial residual not being reported in the Anal results.

De screening criterion was 1.E4/yr.

De development of flooding scenarios was supported by a plant walkdown. De effect of the flood on equipment cable terminal points (e.g. junaion boxes) was deduced from automated plant cable data bases and Appendix R equipment cable tables obtained from the Waterford 3 design engineering electrical group. Pipe whip and steam impingement werejudged as being beyond the scope of the analysis. Liquid jets and sprays were not considered as to the exact patterns of impingement, but were assumed to fail all the equipment in the initiation flood area.

Propagation of flooding to oeber areas (including open doors, stairwells, elevator shafts, drains, and duough gaps in closed doors) and lealatian of the Soods were considered. Fire doors are not water tight.

Sumps are manumad to overSow with sump pumps unable to keep up with the deluge flood flow. Drain plugging was apparently not considered. However, a deluge flood would seek large o alogs such as stairways and elevator shafts to propagate to lower levels. Isolation oflarge floods in 20 minne= with a probability of 0.01 is assumed. Inadverten amustion of the Sre suppression equipment and malaranance induced Soods are " implicitly part of the data base", i.e., were not separately developed to uncover any  ;

plant spectSc vulnerabilities. C-:-g-: failures considered which could cause flooding were pipe and valve ruptures, pipejoints, Sanges, tanks, etc. Internal flooding data from PLG-0624 of May 1988 were ,

used, and calculation of flood source density in different areas was performed. l 1

24

- _- - - - . _ . - - - - - - - --_ - - - - - - - ~ - - - - --

In the detailed analysis, minimum water levels to induce equipment damage were considered in the flood propagation zones.

Surviving flood scenarios were quantified using internal events event trees with flood induced failure

. tagged in the fault trees. Flood revised HEPs were used for recovery actions.

Only one Sood scenario survived, the turbine building break in the circulating water system. His causes a loss of offske power and a loss of the MFW/AFW and condensate systems; the TDEFW fails to start.

De result is a dammad on the EDGs to power the EFW system located in the reactor aux building. De -

initiating event frequency for this scenario is 3.05E-3/yr.  ;

k should be noted that scenarios in the reactor aux bids that propagate to the basement where the EFW equipment is located are screened out due to the large floor areas such that the flood water spreads out and will likely not affect the EFW equipment.

2.2.4.2 Imeermal Mooding Results De tutt>ine building flood scenario CDF is 1.12E4/yr. De residual of the screened scenarios has an upper bound of 3.49E4/yr (this is estimated using pessinaistic screening quantification).  :

It seems that the flooding analysis was reasonable.

2.2.5 Core Damage Sequence Results 2.2.5.1 Denniannt Core Dennese E n = .

He results of the IPE analysis are in the form of funaional sequences, therefore NUREG-1335 screenmg I criteria for reporting of such sequences are used. De point estimate for the core damage frequency from internal events is 1.68E-5/yr (this does not include a minor contribution from the reactor vessel rupture,

, 2.7E-7/yr), with internal flooding contributing an additional 1.12E4/yr. Accident types and their percent kontribution to the CDF, are listed in Table 6. De most important initiators are given in Table 7. .

Five dominant sequences and one ISLOCA containment bypass sequences were described in detail (two LOCAs,2 station blackout,1 general transient, one ISLOCA). Each of these important sequences has a frequency greater than 1.E4/yr, except ISLOCA, which is greater than 1.E-7/yr. De important sequences are summarized below in Table 8. System importances are presented in Figure 1.

De RCP anal LOCA contribution is negligible. De SBO contribution is 37%. De LOOP events and the smallIDCA are the most L r 6aut s events. His is expected due to the design of the plant (no feed and bleed capability, relatively fast core uncovery, EDG dependencies on CCW, HVAC and DC power,

. dependence of HPSI on CCW and ACCW, and HVAC, dependencies of MDEFW on HVAC).

l

$b

1 l

Table 6 Acddent Types and Their Contribution to the CDF Initiating Event Group Contribudon to CDF (/yr)  %

l

• 8.69E4 51.9 I Transients

. LOCAs 6.62E4 39.5 Internal Flooding (not included in (1.12 4) (6.7) .

TOTAL)

Steam Generator Tube Rupture 8.26E-7 4.9 Interfacing Systems LOCA 4.86E-7 2.9 ATWS 1.30E-7 0.8 TOTAL INTERNAL CDF 1.68E-5 100.0 Table 7 Dominant Initiating Events and 'Iheir Contribution to the CDF Initiating Event Contribution to CDF (/yr)  %

Loss of Offsite Power 7.58E4 45.3 Small LOCA 5.30E4 31.6 Medium LOCA 1.14E4 6.8 Steam Generator Tube Rupture 8.26E-7 4.9 Feedline Break Upstream of Feedwater 5.18E-7 3.1 Isolation Valves ISLOCA (V event) 4.86E-7 2.9 Loss of Feedwater 3.91E-7 2.3 Large LOCA 1.82E-7 1.1 A*IWS 1.30E-7 0.8 26

1 J

Table 8 Dominant Core Damage Sequences i

) . Initiating Event Dominant Subsequent Failures in hp=== l 5 5 mall ;;. ;. LOCA safety Ingection Failure dunng ugection anode (caused by CCW 23.4 }

failure te provide HPSI pump coohng (caused by wet or dry l 3 coohng tower problems), or caused by smechanical failures in tiu A or B HPSI pumps, or operator failure with the AB HPSI l

, pump .

{ Loss of offsite power (blackout) Imalure of both ElXis lendag to station blackout, failure of the 20.2 l turbes driven EFW pump (both EDG end TDEFW failures l oculd be due to failures of theos aa pa===*= themselves or j failures of the DC system, e.g., comanon cause failme of all j ilwee beatenes), failure to restore offsite power in 50 minutes l Less of offsite power (blackout) Indure of both EDUs leading to station blackout, ===== of the 17.1 l TDEFW pump, failure to restore offsite power in 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, l battery depletion leads to eventual failure of the TDEFW pump

) Transsent (donunent are loss of vanous types of faalutes disable all three r.rW pumps and the 14.6 l offsite power and foodwater line AFW pump, in addition to the MFW pumps beint, disabled by l break upstream of the feedwater the initiator (feedline break initiator disable both MFW and j isolation valve) AFW); the failures are either pump failures (to start, run, l comunon cause, ==iana===~), or due to problems with suction 4

(problems with nandaa==ta storage pool, operator failure to l switch to CST and/or the wet cooling tower); failure to j - _ ,- -- _ ;ae and use aanda===t* pumps

! Sanll Break LOCA , failure of HPSI to switchover to recirculation (caused by B.6 l common cause failure of SI sump suctaon valves, or much less j '

frequently , - Mt failures of the two valves). Much lower in probability are HPSI recirculation failures due to failure of tho RWSP low level instransats, plugging of the SI pump and HVAC failures of the HPSI pump room or switchgear room l coohng i High/ low pressure boundary failure 2.9 i (ISLOCA initiator, primarily gross low pressure piping failure outsule the contaia=aat (with a l failure of the two series MOVs in probability of 0.5)

{ ibe almedown coohng suction line)

I i

}

1 .

l l

1 i

1, 27 4

i 4

4

50 45 8

l""R

R A

E

• N*M l -

m ..

og

'1m .

L ,

• L / ww ' acc. ' mi , ' ww ' uvac " oc .

71gm I systen heportance 2.3 Human R'eliability Analysis' Technical Review 2.3.1 Pre-Initiator Hurnan Actions Errors in the performance of pre-initiator human action (such as failure to restore or properly align

. equipment after testing or maintenance, or miscalibration of system logic instrumentation), may cause E- c:- ", trains, or entire systans p be unavailable on demand during an initiating event. 'Ibe review of the human reliability analysis (HRA) portion of the IPE examines the licensee's HRA process to determine the extent to which pre-initiator human events were considered, how potential events were identified, the effectiveness of any quantitative and/or qualitative screening processes used, and the processes used to account for plant-specific performance shaping factors (PSFs), recovery factors, and dependencies among multiple actions.

2.3.1.1 Types of Pre-Initiator Hamman Adices Consideral The Waterford 3 IPE considered both of the traditional types of pre-initiator human actions: failures to restore systems after test, malatanance, or surveillance activities and instrument miscalibrations.

Consistent with other HRA methads, " slips" wwe the only pre-initiator enor mode modeled.

28 l

_ _ _ _ _ _ . _ _ _ __ _ _ _. _ _ .~. _ _ ___.___ _ _ .. _ ... _ _ _ _ _ _ ._. _ . _ _

j i I

i . .

5 2

2.3.1.2 Process for Identincation and Mr*iaa of Pre-Initiator Human Adions I

' De submittal indicates that the "quantification as well as the identification and qualitative assessment of human failure events (HFEs) follows an SAIC technique (Dougherty and Fragola,1988) that is nearly

. identical to SHARPl." In the licaaaaas response to the NRC's request for additional information (RAI), k was stated that the pre-initiator events were included during the development of the system fault i trees by reviewing the various failure modes of the systems and accounting for human induced failures.

i

! Huw.a interactions with the equipment were examined and operating, calibration and surveillance l procedures were reviewed. While discussions with plant personnel on the interpretation and i I

9mplamantarian of procedures were not explicitly mentioned, a reasonable set of pre-initiators were listed in the submittal and it appears that relevant information sources were examined.

2.3.1.3 Screening Freesus for Prw-laitiator Hannan Adions A screening value of 0.003 was assigned as the basic probability of a slip involving a single train of equipment, e.g., failing to restore equipment in HPSI train A. De screening probability of a slip affecting multiple trains was set at 0.0003 (e.g., miscalibration of all four SG-1 pressure sensors), which is a train or " beta factor" of 0.1. *IMERP was cited as the source from which these values were derived.

. Apparently, no pre-initiators were actually screened out. All events initially considered were inciuded in the fault tree used for final quantification. However, events " surviving" screening were analyzed in more detail.

2.3.1.4 Quantafication of Pre-laitiator Human Actions A " time-indgendent" technique was used to quamify all " slips", which is assumed to be the only failure mode for pre-iniuator events. He subminal states that the technique is a variant on THERP and is similar to the ASEP HRA procedure. De tachat- assumes a basic human failure probability (BHEP) of 0.003 l and a " multiple component beta factor" to (essentially) account for common cause slips across trains.

For two train systems, a multiplier (or beta factor) of 0.1 is used and for three or more trains, a beta f

famor of 0.01 is assigned. Dus, the common cause failure probability for three or more pressure sensors could be 3.0E-5, but is usually evea less due to credit for recovery by a checker etc. While this approach provides a reasonable treatment of, dependencies across trains, the use of a BHEP of 0.003 is not necessarily " conservative" as was asserted in the response to the NRC's RAI. He licensee argues that "the use of the 'IMERP single task value (0.003) as the probability of any slip on the train, is equivalent to assuming that all tasks involved with the train are completely dependent on the first task undertaken."

his erstanant, however, is inaccurate. k is usually the case that a failure on any c,f several tasks related to the train will lead to its failure on dammad. Derefore, the probability of failing on each of the critical tasks should be added together. If the single task BHEP is 0.003 and there are four critical tasks, then the total failure probability would be 0.012 (4 x 0.003), at least before recovery credit is given. Rus,  :

there was nothing particularly " conservative" about the technique used and in some cases it could be

. argued that the HEP values obtained for some events are apet-i *lc. On the other hand, credit for .

redundam crew members (e.g., an independent post-mainemanac* deck) was taken for only one checker and moderate dependency was aman =ad (a value of 0.14 was assigned in all cases). On the basis of recovery credit allowed in marhads such as ASEP, the amount of credit is not unreasonable and could be somewhat pessimistic. r khe response to the RAI states that no PSFs were considered in using the time-independent technique and thit resoradons across trains were assumed to be independent. While the latter assumption is reasonable 29 t

l

(and defended in the response to the RAI), the lack of consideration of any plant-specific PSFs, coupled whh the more or less " generic" approach used to quantify the pre-initiator events, results in a HRA that may or may not provide a good repramanentian of the actual plant. Nevertheless, at least both restoration

' and miscalibration events were modeled and the assigned HEPs were not unreasonable. Derefore, the i

pre inkisear analysis provided at least some opportunity to identify potentially important events, even if

+ les usefulness is limited by the lack of conskleration of plant -specific factors. .

2J.2 Fest-Initiator Husman Actions Fest-initiator human amions are those required in response to initiating events or related system failures.

Akhough different labels are often applied, there are two impostant types of post-initiator human actions est are usually addressed in PRAs: response anions and recovery amions. Response actions are generally distinguished from recovery amions in that response actions are usually explicitly directed by emergency operating procedures (EOPs). Alternatively, recovery amions are usually performed in order to recover a specihc system in time to prevent undesired aan==p . Recovery actions may entail going beyond BOP directives and using systems in relatively unusual ways. Credit for recovery actions is normally not  :

taken unless at least some procedural guidance is available.

De review of the human reliability analysis (HRA) portion of the IPE determines the types of post-Inhimnr human actions considered by the licensee and evaluates the processes used to identify and select, screen, and quantify the post-initiator actions. De licensees treatment of operator action timing, depaarlancies among human actions, consideration of accident context, and consideration of plant-specific PSFs is also examined.

2.3.2.1 Types of Pest-laitiator Hannan Actions Ceasidered ,

De Waterford 3 IPE categorizes human actions as either human failure events (HFEs) or recovery actions. De distinmion is simply " functional" in the sense that HFEs are included in the fault or event

, trees, while recovery actions are applied at the cutset level. HFEs included both pre- and post-initiator

. events, but only a few (apparently four) post-initiator events were included in the " top logic." De rest

[pof the human actions were labeled recovery actions because they were applied to the cutsets after initial

,i quantification. Dus, the traditional distinction between response and recovery tyim actions was not made in the Waterford 3 submittal.,

Dree criteria were identified for s.wcay actions: 1) the equipment to accomplish the recovery must smist and be available, 2) time to acconnplish the action must be available, and 3) the action must be in procedures, taught in training, or otherwise be obvious to the operators. Given these criteria, the recovery anions could include both response and recovery actions as described in the traditional sense. However, a distInreinn was made between potemial rul04ased mistakes (procedure 4ased) and " response mistakes" which were described in the response to the RAI as mistakes "in on-the-spot, general diagnosis and response in the =hamaca of rules." Dese two categories appear to roughly fit the traditional distinction between response and recovery actions, but in the Waterford usage, the " response" actions are the ones that may not be proceduralized. A third type, verification mistakes, was also discussed. Verification mistakes were described as mistakes in launaliate actions found in the emergency procedures. Dese three different types of actions were treated in the analysis by assignment of different " type" factors (diar ===i further below). When considered independently from other factors, verification actions were

. more likely to succeed than rule 4ased, which were in turn were more likely to be successful than

- response actions.

30

In any case, at least some of the actions modeled were not proceduralized. His is defended in the limaw's response to the RAI on the grounds that the operators are trained to respond to accidents and recover critical safety functions and that credit for such actions were only taken in long-term scenarios.

~ la many cases, the Technical Support Center would be available to assist the operators. A review of the "respome" amions listed in the submittal did not suggest that extraordinary behavior was being asked of the operators, but information on the events was minimmt.

2.3.2.2 Preemas for Identification and 'h of Post-Initiater Hamman Actions he submittal and the response to the RAI indicate that all but a few of the post-initiator human ac.: ions were selected by manually reviewing cutsats and determining if operator, actions could mitigate tis aequence. De mdwaktal states that "the HRA task served as an integral advisor to other project tasks to meure that relevant buman interazions were identified and properly incorporated into the logic models."

De HRA task was involved during initial sequence and modeling efforts and "during this period had the opportunity to review plant and system design information and become familiar with the control room and related operating procedures." While simulator exercises were not conducted, the statements docussed above suggest that the HRA analyst was significantly involved throughout the modeling effort.

Dus, k appears that steps were taken to assure that appropriate human action identification and selection occurred.

2.3.2.3 Screening Process for hat-Imitiator Response Actions he response to the RAI states that screening values were used for " post-initiator top logic mistakes" and for post-initiator slips. Only two post-initiator slips were modeled and, as was done with pre-initiator

slips, they were assigned a w ' 4 value of 0.003. De response to the RAI.did not make clear exactly why these " slips" were modeled. He actions apparently involve operator failure to align the alternate AC power source following failure of the normal AC power source for Static Uninterruptible Power Supplies (SUPS). The licensee states that the screening value is Es+ Ale because the realistic failure rate for these events is ==*M to be lower. De licensee also argues that "these SUPS recoveries are of no importance" (see page 2-14 of response to RAI), so it is not clear exactly why they were modeled, particularly as slips. In any case, all sequences containing these events were truncated and the events were left at their screening value.

As for the top logic events modeled, rule based actions with "no burden" were assigned a screening value of 0.1. Rule-based actions "with burden" were screened at 0.2 and non-rule-based actions (response) were screened at 0.4. In the response to the RAI, the licensee argues that with a truncation value of 1.0E-9, these values are high enough to ensure that no important sequences were eliminated. De argument would be true as long as only one action was credited, but not necessarily so if multiple actions whh dependencies were present. Nevertheless, since only a few top logic events were actually modeled and the cutsets were namlant after initial quantification, the screening approach is probably reasonable. l

. Moreover, apparently all the top logic events modeled were later quantified in detail. j 2.3.2.4 Quanti 5 cation of hat-Imitiator n- Actions j De quantification of all post-laitiator human actions (except the two slips discussed above) was based on the h W system of time reliabilky correlations ('I1tCs) developed by SAIC and documented

• in the book by Dougherty and Fragola and in an American Nuclear Society conference paper by Dougberty (1989). De submittal states that the TRCs art similar to the HCR and RMIEP TRC methods.

l 31

- - - - - - - . . - - - . - - ~ . - - .- - . - - - - - ---

in the response to the RAI, the basic form of the TRC is provided along with discussions regarding the relevant input parameters for both an in-control room model and an ex-control model (i.e., for actions to be performed outside the contro! m). Brief discussions of the input parameters were also provided

. in the submittal. De critical elemer.s for *.he in-control room model include: the available response time

,and an animmee of the median response time for the event anaminad, along with adjustments for type of -

behavior (verification, rule based, and response type, see section 2.3.2.1 above for descriptions), degree of "mw burden", success likelihood (an index that can be used to reflect the impact of PSFs), and model j cocertainty. De model uncertainty faaor is fixed at 1.68, apparently to reflect that the model uncertainty is distributed lognormally about the mean.

For the ex-control room madal, similar p  : . are modeled, along with adjustments to response time for potential " delaying hazards" outside the control room. De model uncertainty factor can also be adjusted for uncertainty due to other influences or hazards. Hazard factors which can influence response time include lighting, instrumaar separation, need for tools, need for protective clothing, and other miscallamarm hazards. Gu*wlance is provided for how much time to add due to the hazards, but the basis for the selected times to be added was not provided. De model uncertainty factor can be adjusted with a multiplier for the number of hazards involved. The hazards considered for this adjustment include need for rannote coordmation, securky access, noise, and availability of tools. he basis for the multipliers for ,

this parameter were not provided enher. In addition, two assumptions are made for the ex-control room. ,

First, when available time is equal to mean response time, the failure probability is set to 0.5. Second, .

the reliability of ex-control roorn actions with 3 minutes response time is comparable to in-control room actions, if no other hazards (other than performance outside the control room) are present.

While it is impossible at this point to determine the overall basic validity of the method briefly described

_ %ve and used in the Waterford 3 IPE (the "SAIC method"), the basic TRCs are apparently consistent with those used by other methods and the approach does attempt to provide mechanisms for addressing [

various factors that should influence operator performance. However, as with all HRA methods, the validity of the results can be no better than the quality of the analysis on which the analysts base their judgments. For example, to what extent were plant-specific PSFs considered and how accurate were the enrimaram of the timing parameters? These and other aspects related to the quality of the Waterford HRA pre di-ad below.

De response to die RAI indicated that all the success likelihood indices (SLis) except two were left at their default values. Dat is, PSFs were assumed to have no effect on all but two events. For these two events, the SLI was increased to reflect expected improved performance. In one case for good training and in the other for many more hours being available than was assumed. By leaving the SLis for the remaining events at their default values, the analysts are basically assuming Waterford is an " average" plant in terms of its PSFs. Other than the fact that two events were examined in enough detail to determine that the HEPs should be lower, there was no evidence that plant specific PSFs were examined for other events. De resulting analysis therefore appears to be somewhat " generic" rather than plant-

, specific and may or may not adequately represent the plant. At a mlaimum, judgments were made l

l ' regarding the estaat to which operators are burdened in a particular scenario and the type of task j involved.

,.ne NRCs RAI requested that examples of the application of the two calculation techniques be provided l sbat exercised all the parameters in the techniques. On the basis of the examples provided, it would i

ippear that many of the parammars were left at their default values. One specific example requested in

, the RAI was to provide a description of the application of the method to operator action ZMANTRAN, 32

I . .

which is the action to manually transfer (from the control room), the 6.9 and 4.16 KV buses from the l UATs to the SUTs following failure of the auto fast transfer. On reason this action was selected was

! har== of the relatively low HEP of 7.5E-6 listed for this event in the submittal. Given the values of the parameters applied, appaready the mean=gvian of a rule based type action in the context of 60 minutes of available time, produces relatively low HEPs in the SAIC method. No other special considerations i were necessary to obtain such a value other than the operator being assumed unburdened and an j ,

assumption of " average" SLI., ]

i in general, the way in which the SAIC HRA method was applied in the Waterford IPE did not appear j i to violate its basic teosts and the resulting HEPs would not in most cases be considered excessively low, l De main concern in regard to the general application of the method is the extent to which plant-specific i l

i PSFs were considered. De information provided suggests that in most cases " default" values were i j assumed and there was no evidence that detailed analyses were performed to assure that the " generic" l i values were appropriate. However, the HEP values themselves would not suggest that identifcation of buman action vulnerabilities was necessarily precluded. Another important factor that relates to the l

j adequacy of the application of the method is the determination of timing parameters. This aspect is i discussed next.  !

2.3.2.4.1 Ensiments and Considunnien ngf Opunner Regense nue De determinarian of the time available for operators to diagnose and perform event related actions is a critical aspect of HRA mahads which rely on "IRCs to assess the probability of operator failure. In order to appropriately use the SAIC TRCs, the est available time for an operator to respond must be determined by considering the appearance of cues, such as control room alarms or other indications, that signal the

, operators that a particular response is required. In many cases the time at which operators receive the relevant mes is significandy later than when the event to be responded to actually occurred. Rus, if the point at which the relevant cues occur is not considered in determining available time, the resulting estimates could be significantly greater than the actual time available. Moreover, if significant, the time needed to perform a certain action must be subtracted from the total available time before the TRCs are tused. For example, if the actions necessary to accomplish a particular task, such as the switebover to recirculation, require 15 mime = and only 30 mimman total time is available, then the operators have only

' 15 minutes available. Thus,15 minutes rather than 30 minutes should be used with the TRC equation and the result is non4rivial (e.g., an order of magnitude in difference).

De submittal itself did not discuss the approach used to determine or estimate the thne available for operator actions. However, the licensee's response to the NRC RAI did provide some insight. "In general, the available time was determined from applicable system response analyses. In some cases

, engineering judgment was used to deterndne the available time given the most limiting sequence."

Furthermore, the response to the RAI states "that in most cases, a mininum available thne is used to avoid differentiating between sequences." Obviously, such a bounding approach will produce somewhat pennimimic HEPs for some cases, but at least will not preclude identifying potentially hnportant events.

De response to the RAI furtbar indicates that the tempord occurrence of indicators was considered in determining avaliable time. However, somewhat surprisingly, the licensee indicates that "no delay in the receipt ot' the cue to act was assumed." In response to a follow-up RAI on this issue, the licensee indicated that delays in receipt of indications in the control room were assually carefully ===laad, but 1st relative to the time available for the events of interest, the delay was insignificant and tbmefore not considered. While this may be appropriate for the events modeled in the Waterford IPE and clear 33

examples were provided by the licensee, many other IPEs have tended to find it necessary to account for delays in the occurrence of relevant cues. For actions inside the control room, the time to execute the response was also assumed negligible. Finally, a default median response time of four minutes was aman-M for all of the in-control room actions modeled and adjusted ucrding to the type of behavior 1 involved in the task. De licensee states that the default value was de ived from the norninal diagnosis

~*

f curve from THERP. .

I Regarding ex-control room actions, the licensee states that the " human reliability" is assumed to bo "

damlased by the actions taken outside the control room, not on the decision-making process; therefore I

"only the time required h the assion to be carried out outside the control room is included in the ex-control room model." However, in response to a follow up RAI, the licensee indicated that while the  :

statement that only the time required for the actions to be carried out outside the control are included in i the ex-control room model was true wkh regard to the user inputs to the anodel, the model itself, and the resultant HRA failure probabilities are calibrated to a *IRC presented in NUREG/CR-2787 (Interim Reliability Evaluation program (IREP) - Analysis of Arkansas Nuclear One, Unit One Nuclear Power l Plant), which incluJes all required actions to perforin the recomy. Rus, the licensee argues that the

'IRCs used to determine the HEPs do take the diagnosis and decision time into account.

]

A list of the response times assumed h the ex-control room actions and additions to response times based on delay hazards was presented in the licensee's response to the RAI. De response times were determined "from interviews with operators' and "the presence of hazards which could influence the response time and uncertainty was natural outcome of these operator interviews." Exactly how many operators were interviewed and the approach h soliciting the estimates were not dimand. Other methods, such as '11tERP have argued that time estimates obtained from operators should be doubled, but Ibis is not mentioned by the licensee. W.'thout additional detail, it is difficult to determine whether or not the response times used are reasonabic. Regardless, the total time assumed available tends to be substantially longer than the estimarM response time and the HEPs do not in general appear to be excessively low.

re 323.2.4.2 Onber Perfenmener Shaping Feeners r===w d Other than those dia==M above, there was no evidence of any other PSFs being considered.

23.2.4.3 Considernden gf Dependt s Two basic types of dependencies are normally considered in quantifying post 4aitiator human actions:

1) thne dependence and 2) dependencies between amitiple actions in a sequence or cut set. One type of time depaadan~ is ananarned wkh the fact that the time needed to perform an action influences the time i

available to recognize that a problem has occurred and to diagnose the need for an action. His type of ,

thne -f+;- ' e is handled by the Dougherty and Fragola inethod by using TRCs which reflect the e likelihood of operators diagnosing amt performing the related actions in a particular time window. In  :

essence, the method aman =an that the probability of errors in performing in control room actions is neglighie compared to the potential h diagnosis failure. Moreover, the response times for ex control scom actions are assened to be damlanead by the actions taken outside the control room, not on the

-f+ ' ":-g process. De validity of this assumption is certainly debatable. i Analber aspect of time -fC '-- e is 6st when sequential actions are considered, the time to complete  :

one action will hupact the time available to complete another. Similarly, the sooner one action is l

34 l

1

g _ _ __ _ _ _ . _. _ . _ ._ ___ _ _ _ _ _ _ . _ _ _ _ _ _ _ . _ _ _ _ _ .

I i

1 . .

l

!' performed, the slower or quicker th: condition of the plant changes. His type of time dependence is j normally addressed by inaking conservative assumptions with respect to accident sequence definitions.

! One aspect of this w uech c is to let the timing of the first action in a sequence initially minimim the time i window for subsequent actions. De occurrence of cues for later actions are then used as new time origins. His type of dependence was apparently handled in the same way as other context effects and is

{ diamacad below.

J

De second type of dependence considers the extent to which the failure probabilities of multiple human j actions wkhin a sequence or cutset are related. Dere are clearly cases where the context of the accident j and the pattern of-- and failure can in8uence the pmbebility of human error. Dus, in many cases i k would clearly be inappropriate to assume that multiple human actions in a sequence or cut set would

be independent. Furthermore, context effects should be araminad even for single actions in a cut set.

While the same basic action can be asked in a amnber of different aequences, different contexts can l obviously lead to different likelihaada of success. Dependence among multiple human actions was handled l in the Waterford submittal manaati=Ily by assuming that they are independent. De licensee argues that j *between separate tasks independence is provided because many of the tasks are performed by different j people, ud there is separation in time or " cognitive space", i.e., cues are independent enough to force j , subsequent diagnosis." De licensee further states "that context effects were handled by lumping the l different sequences into one event." " Dis is done by using a sum average time for the available time

{ parameter for events that are sequence dependent."

i l 2.3.2.4.4 Quaanificeden ofRecomy Type Aselens l

l De submittal indicated that all post-initiator human actions were quantified with the approach described l above in section 2.3.2.4. Different TRC parameters were used to quantify hon-rule-based as opposed j to rule-based actions.

i l 2.3.2.4.5 Human Acalens in Ae flooding Analysis i 4 i In the Waterford 3 IPE, human actions and human recovery of several flooding scenarios were modeled.

j buring initial quantification (screening) all ex-control actions were set to fail. In addition, in-control

room actions for those flood scenarios that started or propagated through the control room were also '

j assumed to be failed as considered. .All the actions modeled initially were identical to those modeled in i the level 1 analysis and the flooding analysis " caused no special requantification of level I human  !

I

arvinna." After the initial screening, consideration was given as to whether any human recovery actions j which were set to 1.0 could be assumed to be performed under conditions of the flood. Any human i arvinna (inside or outside the control room) with some dependency on flood or flood disabled equipment i

were simply assumed to fail. Other wise, the Level 1 HEPs were used. Apparently during the early l tounds of-~*=*ina, a flood recovey value of 0.01 was applied to large flood scenarios. IJter, three l new recoveries were created for the flooding analysis and were quantified using the EPRI draft report j . on "Modeling of Recovery Actions in PRAs " De actions included: 1) isolating the flood before ex-

! control room actions or equipment are disabled,2) a local action to recover an in control failure (or i inability) to align the CST to the CSP as an inventory makeup source, and 3) a local action to recover

an in-control failure (or inability) to stop the RCPs within 30 minutes of the loss of seal cooling.

i i De quanti 6 cation of these actions was dommanead in the response to the RAI and appeared reasonable.

j '

Per the EPRI method, time available, training, task complexity, and environmental factors were all i

I

} 35 l

l l

considered. 'the treatment of human actions in the flooding analysis was relatively thorough and reasonable.

2.3.2.4.6 Runen Atelons in abe Emei 2 Analysir i

'Ibe licensee states that human actions were not credited in the Waterford 3 Level 2 analysis. .  !

2.3.2.5 Insportant Human Actions f l

t

'Ibe Waterford 3 adunimal presents a list of basic event kuportance e determined by Fussell-Vesely (F-V) measures. Operator actions with F-V values greater than 0.01 (1% of CDFJ are presented in Table 9 below, along with their F-V values and their HEPs. 'Ibe sensitivity analysis performed by the licensee .

also examined which cut sets fell below the reporting criteria due to human recoveries. 'Ibe operator actions identified included the lairl=*ian of cooldown for a SGTR, the stopping of the RCPs within 30 minutes of a loss of seal cooling (loss of instrument air initiator), and the closing of miniflow valves j t

during recirculation mode for medium and large LOCAs and for the loss of instrument air initiator.

'Ibble 9 Important Human Actions ,

Event Description F-V HEP Operator fails to recover from rcom cooling failure (ZHFHVACREC) 8.01E-02 5.0E-01 Operator failure to align HPSI pump train AB (ZHFOPALNAB) 4.68E-02 9.8E-02 -

Operator fails to align EFW suction to WCT (Recov. Action) 3.38E-02 1.6E-01  ;

(ZEFWWCT) ,

Operator fails to align EFW suction to WCTs following LO LVL 2.43E 02 1.5E-02 i (ZEFWWCT-1) ,

Operator fails to restore air cooling unit after test /maint 1.57E-02 3.0E-03 (UHF25AREST)

Operator fails to restore air cooling unit after test /maint 1.57E-02 3.0E 03 ,

(UHF30AREST)

Operator fails to restore air cooling unit after test /maint 1.28E 02 3.0E43 i

, (UHF30BREST)

Operator falls to restore air cooling unit after test /maint 1.28E-02 3.0E-03  :

(UHF25BREST)

• Operator fails to manually initiate RAS small/large LOCA 4.98E 03 1.5E-01 ,

(ZMANRASA-S) 1 36

i

, 1 l 2.4 Back End Technical Review ,

l l 2.4.1. Containment Analysis /Citaracterization l

]

! 2.4.1.1 Front-End Back-End W

/

De interfaces between the front-end and back end analyses are provided in the IPE by the definition of l

10 plant damage states (PDSs). An event tree structure (called Level I to Level 2 bridge tree in the IPE

submhtal) is used in the Waterford 3 IPE to sort out Level I core damage sequences and combine them l with cormninment system status for PDS de6aition (Secsion 4.3 of the IPE submittal). De parameters used

in the IPE to define the PDSs include

i i

• AC Power Availability, i

• Containment lategrity Status, l

• RCS Pressure,

• Core Melt Timing, j = Containment Mitigating Systems.

! Except for SBO and bypass PDSs, the PDSs defined in the Waterford IPE are based on RCS pressure, j which depends on the type of accident sequences (or accident initiators), the time of core melt, which

! depends on whether core cooling is lost during the injemion or the recirculation phase, and the availability

of containment systems. De conditional probabilities for the PDSs at various RCS pressures (or types i of accidents) are: 39% for PDSs with medium RCS pressure (from small or medium break size LOCAs I or transiem initiated events with stuck open pressurizer safety relief valves); 15% for PDSs with high

! pressure PDS (from total loss of all feedwater transient); and 1% foi PDSs with low pressure PDS (from j large LOCAs). In addition to the above PDSs, the conditional probability for SBO sequences is 38%, the

conditional probability for SGTR sequences is 5%, and the conditional probability for ISLOCA sequences

is3%.

I

? For individual PDSs, the most probable PDS is PDS IH (21% CDF), a PDS with medium RCS pressure, 4

early core melt, and failure of containment heat removal. His is followed by a SBO PDS with early core melt (21%), a SBO with late core melt (17%), and PDS IIIB (15% CDF), a transient with early core melt, but with containment heat rem' oval.

The PDSs defined in the Waterford 3 IPE are of sufficient detail to provide a proper account of the front <nd and back-end dependencies and adequate information for back-end accident progression analysis.

. 2.4.1.2 r'h Event Tese Development l

Probability quantification of severe accident progression is performed in the IPE by the use of containment event trees (CETs). De development of the CETs is discussed in Sections 4.5 of the IPE pdunin#. Four different CErs are developed for (1) transients and LOCAs (a " normal" CET), (2) SBO, (3) SGTR, and (4) ISLOCA. De CETs includes the following top events:

1. Plant damage state,

, 2. ECS depressurized before vessel breach,

3. Coolant recovered in-vessel before breach ,

37 l

i .

l 4. In-vessel steam explosion,

{ 5. No vessel failure, '

6. No early containment failure,

7. Coolable debris formed ex-vessel,

~

8. AC power recovered late

9. No late coneninment failure, .

10. Fission product removal. ,

Pisures 4.6-1 abrough 4.64 of abe submittal show the structures of the four CETs. In general, the CETs developed in the Waterford 3 IPE are well structured and easy to understand. De top events of the CET ower abe important issues that determine the RCS integrity, coneminment response, and eventual release from the enntainmant Fauk trees (called logic trees in the IPE mh=letal) are used in the IPE to quantify the top events of the CETs. De logic trees used for CET quantification are very detailed and address all phenomena and systems important for Level 2 accident progression. De quantification of the basic events in the logic trees is based on the review of the ladustry literature and plant-specific analyses using MAAP code.

According to the IPE submittal, the values used in the quantification are ' relative values" meant to provide insights on containment performance during a sever accident. De basic events are assigned probability values based on the likelibood of occurrence. For example, a basic event is assigned a probability value of 0.8 if it is judged likely to occur. In general, the quantification process used in the PE is systematic and traceable. Although the values assigned in the IPE seem adequate, their adequacy cannot be verified in this todmical evaluation report because of the limited scope of this evaluation. Some kams that are of interest are discussed in the following.

in-VesselRecowry .

De Waterford 3 IPE considers in-vessel recovery due to the injection of low pressure systems after RCS 4- :-4 De marhanin== for RCS depressurization considered in the IPE include that from hot

,ileg or surge line creep rupture. Hot leg temperature calculated by MAAP, as well as information nhemined from NUREG-1150, are used in the IPE to determine the probability of hot leg failure. In addirianal to the above in-vessel recovery machaniam, the logic trees for in-vessel recovery also include basic events for RCS depressurization and recovery of injection systems by operator actions. However, credit is not taken for these events in CET quantification.

Besides the recovery of low pressure injection, prevention of vessel breach by ex-vessel cooling is also j considered in the IPE. According to the IPE submhtal, the reactor cavity will be filled with water prior to vessel failure in almost all cases. His will submerge the rancsor lower head and may prevent vessel failure. De probability of successful ex-vessel cooling (such that vessel breach is avoided) is assigned i values of 0.75 to 0.9 in the IPE. A sensitivity study with the probability values changM to 0.20 shows dist while the probabilities for both early and late failures increase with the decrease of ins essel recovery by ex-vessel cooling (due to the higher probability of vessel failure), the effect is not significant (Response to RAI IAvel 2 Question 2).

Earfy Contahrnent FaGure Enriy annemin= ant failure is defined in the Waterford IPE as that occurs at or shortly after vessel breach time. De failure marhania== addressed in the CET logic trees for early anneminmant failure, include:

38

j i 4

l In-vessel steam explosion (alpha mode failure), l

• Ex-vessel steam explosion, j * ,

Early leak due to small isolation failure or missiles,  !

Early rupture due to large isolation failure, l j -

• Early rupture due to reactor vessel blowdown (rocket),  !

l Steam overpressure before core melt (no best removal),

• l i

High pressure melt ejection (HPME) effects, such as DCH, ,

• Reactor cavity wall failure, and l

• Combustion of hydrogen prior to or during vessel breach.

i 4

De above list includes all the important early comminmant failure modes discussed in NUREG-1335.

1 Quantification of comminmaar failure for the above failure modes is based on data available in the

{ Iiiarmure, primarily those manneistad wkb NUREG-1150 analyses, and plant-specific results from MAAP f

code calculations. Resuits of sensitivity study on some of the awhanle== that involve significant uncertaintian (e.g., hydrogen burn and DCH) are reported in the IPE submittal and the licensee's response 3

to RAI level 2 Questions.

Dere are a few Waterford 3 plant-specific features that may affect the probability of early containment I failure. A key feature of the Waterford 3 reactor vessel is that all core instrumentation is routed from the l

~

top o' the vessel and there is no instrumantation tunnel to provide access from the reactor cavity to the l upper containment volume. De reactor cavity of Waterford 3 is open to the upper containment through the vay small annulus between the vessel and the cavity wall and to the steam generator compartments througu the RCS pipe penetrations through the cavity wall. Besides these areas, the reactor cavity also communicates with the comminmant volumes through a relatively small tuqnel which connects to the l ductwork that provides reactor cooling. His area, according to the IPE, allows the water collected in the  ;

meninmant sump to flood the reactor cavity. In addition to the above plant-specific features, the use of a steel shell containment, which is vulnerable to direct attack by the bot core debris, and the greater '

amount of Zircalloy in the Waterford 3 fuel assemblies (than in the NUREG-1150 plants), which result in the production of more hydrogen, are other plant-specific features that may affect the probability of containment failure.  ;

Of the plant-specific features dia==ad above, the lack of bottom head penetrations makes a circumferential failure of the vessel hannm band more likely, and as a result, the challenge to containment integrity due to high pressure melt ejection may be more severe. On the other hand, the tight reactor cavity of Waterford 3 tends to link the amount of debris expelled to the marain= ant air space. For other early challenges, the amount of hydrogen in the Waterford 3 comminment during a severe accident is greater than that in the NUREG-1150 containnets because of the greater amount of Zircalloy in the

, Waterford 3 core assemblies and the longer tinw to vessel failure for Waterford 3 due to the lack of instrumes penetrations in the lower head. De effects of these special features on containment failure are addressed in the IPE.

Omssimment Bypasr amt inducat beam Generator 1kbe hpture GSG7R)

Temperature induced SGTR (ISGTR) is considered in the IPE both as a aantninmant failure manhaniam and a RCS depressurization manhaniam. However, ISGTR as a marminmant failure manhaniam is not Idiscussed in the IPE submittal, it is discussed in the licensee's response to RAI (level 2 Question 6).

'According to the response, a separate SG1R PDS, not reported in the IPE submittal, is used for ISGTR.

De ISGTR PDS is created in the IPE by performing a logical AND operation of the ISGTR probability 39

with the level I transient seguences that involve high RCS pressure and dry secondary side. Since it is considered in the IPE that it is much more likely that the hot leg wul rupture before the steam generator tubs, a relatively high probability of the tubes remaining intact is used in the IPE. De Waterford 3 IPE also does not differentiate the induced tube rupture probabilky between RCPs running or not running.

k is argued in the response to the RAI that, with the RCPs run:.ing, the hot leg would also beat up faster -

ao that the relative probability of hot leg rupture versus SGTR is expected to ransin about the same.

Debris Cnotability andlate Contalmnent Failure ,

De fauure machanimma addressed in the CET logic trees for late matalamant failure include:

Iate rupture due to:

• Hydrogen combustion, and

• Reactor cavity wall failure (caused by CCI),

Late Iaak due to:

• Steam generation,

• Non-condensable gas generation,

• High temperature failure of elastomer penetration seals, and

• Basemat melt-through.

De above list includes all the important late coarniamaat fauure modes discussed in NUREG-1335.

Similar to early containment failure, quantification of contalammar fauure for the above failure modes is based on data available in the literature, primarily those associated with NUREG-1150 analyses, and plant @ analysis results using MAAP code. Results of a sensitivity study on debris coolability are reported in the licensee's response to RAI level 2 Question 11.

In the Waterford 3 IPE, three basic events are used to address the probabilities of debris coolability under the fouowing conditions: HPME, ex-vessel steam explosion (EVSE), and no-HPME and no-EVSE. The

' probabilities of debris coolability used in the Wataford 3 IPE for the above three conditions are 0.6, 0.5, and 0.8, respectively. k is therefore assumed in the Waterford 3 IPE that the debris is more likely to be in a coolable condition if HPME and EVSE do not occur. His order is not consistent with that obtained in Ibe NUREG-1150 study. In NUREG-1150, the core debris in the reactor cavity is more likely to be coolable for HPME and EVSE (0.8 coolable probability) than for cases with no HPME and no EVSE (0.35).

According to the Waterford IPE, the probability of debris cootability is lower for HPME and EVSE ,

because fragmentation of the debris by HPME and EVSE causes the debris to break up into small

• particles, which can group tighter together to form a solid mass that water cannot penetrate as easily as f

for large partides. In NUREG 1150, in addition to particle size, abe effect of spreading the debris outside

~of the reactor cavity is also considered. In is noted abat, in comparison, debris dispersing is more restricted in Waterford 3 than in the NUREG-1150 plaats because of the lack of an instrument tunnel and a tigbeer reassor cavity for Waterford 3.

Core concrete lateraction (CCI) occurs if ex-vessel debris is not cootable. De matalamant failure h considered in the IPE for CCI include those manacIntad with non-condensable gas generation 40 l

l

i

and basemat melt-through. A containment failure probability of 0.005 is assigned to both of these

] me&anisms in the Waterford 3 IPE. According to the licensee's response to RAI (i.evel 2 Question 11),

i the amount of the noncondensable gases generated by CCI is not sufficient to challenge containment integrity even if the basemat is penetrated, and basemat melt-through is also not likely to occur because of the thickness of the baanmar (about 10 feet above eneminmant liner) and the low penetration depth j predicted by MAAP within a 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission time.

l

De most important late containmant failure mode in the Waterford IPE is that by steam generation.

l According to the IPE, containmant fails by steam pressurization within the mission time if both

enntainmant spray and mntainmaw fan coolers fail. Furthermore, the water collected in the reactor cavity j from lost RCS inventory is sufficient to pressurize the cantalamant to failure pressure.  ;

Fission Product Remont Credit is taken in the IPE for all fission product removal marhaniama considered in NUREG-1150 (i.e.,

those isceiporated in the XSOR code).

2.4.1.3 r'a=ta3====t Failure Modes and Tisdag l I

De Waterford 3 containment ultimate strength evaluation is described in Section 4.4.2 of the IPE submittal. The ultimate containment failure pressure for the Waterford 3 IPE is estimated by hand calculation of stress at I% strain level and comparison to existing analyses of structural capacity for similar plants. De ultimate pressure obtained for the Waterford 3 containment is 135 psig. De 3 containment failure pressure distribution used in the Waterford 3 IPE is a log-normal distribution with  ;

a medium failure pressure of 135 psig and a coefficient of variation of 0.15.. I la comparison with the distributions obtained and used in NUREG-1150, the pressure distribution used in Waterford 3 IPE is much flatter. De distribution provided in Figure 4.4-1 of the IPE submittal for ,

failure probability versus pressure (i.e., the fragility curve) is almost linear from 40 psig (approximately the design pressure) to 135 psig (the mean failure pressure). De use of this distribution seems to contribute to the relatively high containment failure probability for early containment pressure loads predicted in the IPE. For example, according to Table 4.6-3 of the submittal, the containment failure probability is 0.286 for a containmant pressure load of 89 psia. According to the licensee's response to the RAI (Ievel 2 Question 7), a change to the probability curve was made subsequent to the submittal of the IPE, and the new curve is more consistent with that used in NUREG-1150 and other IPEs.

According to the new curve, the mntainmant failure probability for a 89 psia pressure load is 0.005. De licensee's response to the RAI also presents the containmant failure results (in terms of containment release category, CRC) obtained fme the use of the revised distribution curve. (Ibc containmant failure distribution provided in the licensee's response to RAI Question 7 is incorrect. De correct distribution is provided in the licensee's response to a follow-up RAI.)

De meninmant failure pressure obtained in the Waterford 3 IPE and the revised distribution curve reported in the RAI response seem to be consistant with those obtained in other IPEs. De original distr #=mina curve presamad in the IPE =dunin=1 seems to be overly pessimistic in predicting containment overpressure failure probabilities.

41

2.4.1.4 f'a=8mi====8 Isolation Failure Containment isolation failure is evaluated in the Waterford 3 CET under top event CFE (Containment fails early) and is addressed in the ==aei=*ad logic trees. It is stated in the submittal that "De probability is determinad by solving a separate fault tree for failure to isolate these penetrations." (p4.6-7) However, the fault trees for isolation failure are not provided and details are not discussed in the IPE submittal. .  ;

According to the IPE submittal, both small and large isolation failure are considered in the IPE. De -

main small isolation problem is the failure to close small valves, e.g., the primary sampling system anatninmant isolation valves. Overall, the probability of small isolation failure is less than 2E-5 per year (1.88E-5 in the IPE). Large isolation failures include aantainmaar panatrations that are 2 inches in diameter or larger. De dominant large isolation problem is mechanical failure of the penetration itself. ,

A conservative high screening value of IE-3 per year is used in the IPE.

Since details on containmant isolation failure are not presented in the IPE submittal, a question is asked in the RAI (level 2 question 10). In the response to this RAI question, the licensee discusses the analysis t

of containment isolation failure performed in the Waterford 3 IPE in terms of the five areas identified in the Generic Iatter. According to the descriptions provided in the IPE submittal and the licensee's response to the RAI, all five areas identified in the Generic Ianter regarding the evaluation of containment isolation failure are addressed in the IPE.

2.4.1.5 System /Hunan B-pa===

1 Although the logic trees include basic events for RCS depressurization and recovery of injection systems l j

.by operator amions, credit is not taken for these events in the CET quantification. On the other hand, AC power recovery is the primary reason that only 50% of all SBO sequences res* ult in containment failure. l In the IPE, the values used for power recovery are based on the same AC power recovery curve used ,

in the level 1 analysis. For the level 2 analysis, two additional decisions are included in the SBO CET for (1) AC power recovery before vessel breach, and (2) AC power recovery before conta* m ment failure.

,De treatment of the additional time for AC power recovery in the IPE seems reasonable.

I 14.I.6 Radia==41de Release Characterisation De end states of the CET (defined as contain= ant release categories, or CRCs, in the Waterford 3 IPE ,

submittal) are discussed in Section 4.6.4 of the IPE submittal. De following issues are used to define l a CRC:

1. Did the reactor vessel rammina intact?

2. Did HPME occur at vessel breach? '

3. Did the containment fail at all?

4. Did the containment fail any time before, or soon after vessel breach?

w 5. Did the matnin=aar fait long after vessel breach?

6. Was the aantainmaar failure sudden or gradual, i.e., a leak or a rupture?

7. Was any ea-vessel debris cooled?

8. Did sprays wash fission products out of the aaatsin=aar atmosphere?

' Dese cover the vessel failure status, the containment failure mode, CCI, and fission products scrubbing by containment sprays. A total of 76 CRCs are defined in the IPE (Table 4.7-2 of the submittal) and 42

l d

i source terms are defined for 60 CRCs (Table 4.7-3). CET results show 11 CRCs with non-zero l l frequencies (Table 4.8-1). From the description provided in the IPE submittal it seems that the CET end

! state grouping for source term definition in the Waterford 3 IPE is adequate.

. . De CET quantification results provided in Table 4.8-1 of the IPE submittal show 11 CRCs. Among the l 11 CRCs are one bypass CRC, which can be further divided to one, CRC with SGTR and another with 2

ISLOCA, 4 early failure CRCs, 5 late fdure CRCs, and one no failure CRC. De percentage

}

contributions of thew CRCs to toe mal CDF are 46% for no failure,20% for late failure,26% for early i failure, and 8% for bypass failua. Er bypass failure, the conditional probability of SGTR is about 5%,

j primarily from SGTR as an initiating event, and the conditional probability of ISLOCA is 3%.

1 .

) Source terms for the CET and states are determined by accident progression analyses using a method similar to that used in NUREG-1150 studies. Source terms obtained in the IPE are presented in Tables

4.7-3 and 4.8-3 of the IPE submittal. Source terms are presented in these tables in terms of release

! fractions noble gases, lodine, Cesium, Tellurium, and Strontium.

j l De release fractions predicted in the IPE for the SGTR sequences (CRC DP-ESA) are much less than j . those for some early failure sequences. His is because of the assumed availabil;ty of water scrubbing for l the SG'IR nat== in source term calculation. Since water scrubbing may not be. available for all SGTR i sequences, the release fractions reported in the submittal for SGTR sequences raay not be adequate for l .~ some SGTR sequences. According to the licensee's response to RAI (Level 7 Question 16) there are SGTR sequences where water scrubbing is not available, and contribution fron: these SGTR sequences

is not significant. However, P *=tivel data on the relative contributions from the different SGTR

} sequences are not provided in the response. Since the release fractions for the SGTR sequences without

! water scrubbing are expeced to be much greater than those with water scrubbing, the omission of the

! source term for SGTR wahout water scrubbing is very optimistic. Although it is not a significant problem l l in the present IPE because of their small frequencies in comparison with those of other sequences that l l have large releases (e.g., ISLOCA), it is a deficiency nonetheless, it would be desirable to divide the l SGTR CRC to two CRCs with and without water scrubbing and to obtain the source terms for both of i them. This would assure that significant information is not lost in the IPE process in the future IPE update.

l 2.4.2 Accident Progetssion an'd Containment Petfonnance Analysis ,

2.4.2.1 snare Amidst r.,. _ --

l In the Waterford 3 IPE, the MAAP code was used to develop information to assign basic event and l

containment failure probabilities. De sequences that are calculated by the MAAP include those

associated with (1) large break LOCA, (2) small break LOCA, (3) total loss of feed water, and (4) j containmant bypass. In general, the sequences selected for MAAP calculations are the dominant Level l

- 1 a=T== in the PDSs. According to the licensee's response to RAI (Ievel 2 Question 3), there is not i

mudi difference in the Level 1 sequences within a PDS because of the way the Waterford 3 PDSs are constructed.

l .De sequences selected for source term analyses and the source terms definition used in the IPE seem to j t be adequate.

i

)

i l 43 j

2.4.2.2 rha-3===t Centrhdors: Consistency with IPE Insights Containment release categories (or containment failure modes) and their frequencies obtained from the Waterford 3 CET quantification are discuemad in Secsion 4.8 of the submittal. Table 10, below, shows a comparison of the conditional probabuities for the various coneniniaaat fauure modes obtained from the Waterford 3 IPE with those obtained from the Surry and Zion NUREG-1150 analyses. .

Two sets of data are pramantad in Table 10 for Waterford 3: one from the IPE submittal based on the us of a very conservative eaatainsaaat fraguity curve, and the other from the licensee's response to the RAI using a revised containiaaar fragility curve more consistent with those used in other IPEs.'

Table 10 r neatn.nane Philure as a Pereuntage of Total CDF ramealsunent Waterford 3 Waterford 3 IPE Surry Zion Failure Mode IPE+ Udpate+ + NUREG-1150 NUREG-il50 Early Failure 26 4 0.7 1.4 Late Fauure 20 25 5.9 24.0 Bypass 8 8 12.2 0.7 Isolation Failure latact 46 63 81.2 73.0 CDF (1/ry) 1.7E-5 1.7E-5 4.0E-5 3.4E 4

+ The data pressated for Waterford 3 are based on Table 4.8-1 of the IPE subenittal.

++ Data paamnend in this cohann are those ahemiaad from using a revised -*=la-* fragility curve (reported in the response to a follow ep RAI).

• laciudad in Eady Failure, approni==saly 0.02%.

y " Included in Early Failure, approxiantely 0.5%.

A "* Included in Eady Failure, approminianaly 0.1%.

As shown in the above uble, the c$nditional probability of contalaraant bypass for Waterford 3 is 8%

of total CDF. Of the 8% bypass probability,5% comes from steam generator tube rupture and 3%

comes from ISLOCA. De contribution from ISGTR is small and not reported separately in the IPE submittal. ,

De conditional probability of early matalasaamt fauure presented in the IPE submittal is about 26% (of ,

total CDF), the nuijor threat to early anarminiaant failure is a loss of matalainaar best removal during an accident where the RCS is at high pressure. Since the anaeminsamat is at elevated pressure due to steam generation a high pressure melt ejection (HPME) can challenge cantalasamme lategrity. His scenario occurs during SBO and small IJOCA with loss of both safety lajiection and aantalasaaar best removal (CHR). Of the 26% early failure probability, over 13% is from SBO sequences and over 11% is from small1DCA segmences. On a anadirianal basis, about 35% of SBO sequences result in early failure and about 30% of small IDCA segmences :ssult in endy failure. According to the licensee's response to RAI fouow<sp questions, although the probability of early containment failure is significantly reduced by the 44

i

]

use of a revised containment fragility curve (from 26% to 4%), the dominant sequences that lead to early 4

containment failure remain the same as that described in the IPE submittal.

j De conditional probabuity oflate namainment failure presented in the IPE submittal is 20%. De major contributor to late containmant fauure is steam c rs_=-i 40s when CHR is lost. SBO does not

contribute as much to late aantaiamaat failures because of the high likelihood of AC recovery (before anmainmant failure). Of the 20% late fauure probability about 15% is from small LOCA,4% from SBO, i and 1.3% from other transients. On a conditional basis, about 39% of small LOCA sequences,12% of

] large IDCA sequences,10% of small IDCA sequences, and 95 of other transients result in late failure.

According to the licensee's response to the RAI, the conditional probability of late containmaat failure j increased from 20% to 25% when the revised containment fragility is used. .Since detailed data are not provided in the kAl responses, contributions from the various accident sequences to late containment l fauure canant be obtained. It seems that the increase in late anatalamant feitare probability is primarily j due to the decrease of early cantaiamaat fauure probability, and the dominant sequences that lead to late aantalamant failure remain the same as that described in the IPE submittal.

t 2.4.2.3 Characterisation of rheaE====t Perfonnance l t ,

! As shown in Table 2, for Waterford 3 Steam Electric Station, the core damage frequency (CDF) is lower  !

j than that obtained in NUREG-IISO for Zion and Surry. Except for early containment failure, the

} conditional probability of other containment failure modes are consistent with those obtained in  !

NUREG-1150 for Surry and Zion. De high early failure probability can be partially attributed to the l more pessimistic containment failure probability distribution used in the Waterford 3 IPE.

l De C-Matrix, which shows the conditional probabilities of CET end states (or containment failure l t

j modes) for the plant damage states (or PDSs), can be obtained from the data presented in Table 4.8-1.

4 i i 2.4.2.4 kapact on 5% ';-- Behavior  !

! De ebets of harsh environment conditions on the operation of comminment fan coolers are addressed

• in the II'E by a few basic events in the CET logic trees. De conditions that are considered in the IPE for the operation of fan coolers include those due to hydrogen burns, HPME, and post core uncovery ,

envirowaant De effect of envirnamamal conditions on containmant spray is also considered in the IPE,

! but its effect is considered only for the determination of fission product removal and not for late  ;

! 'natainmaar failure. According to the licensee's response to RAI (Level 2 Question 12), the failure of l matalamaat spray due to harsh.enviran=antal conditions is considered credible only very late in an  !

l recident in the fission product release phase. It is not considered for debris cooling and containment failure because the barsh environment is not expected to affect the CS pipe until the stress forces have  !

l ,

l wtded on the pipe for a long time.  !

l . 2.4.2.5 twestainties and Sensitivity Analysis

Sensitivity studies are discussed in Section 4.9 of the IPE submittal. De sensitivity studies provided in

the IPE submittal address the uncertainties manaclatant with the following phenomena

i f a Hia'stemperature rupture of the bot leg during medium pressure scenarios, i

• Ex-vessel cooling,

• Ultimate containment pressure,

{

I j 45 1

i 3

a

. . . 1

• Reactor cavity wall structure failure during HPME, and

• Frequency of dominant PDSs IH and SBO.

In addition to the above sensitivity analyses, Waterford 3 also performed some sensitivity analyses with the MAAP code to ensure that a bmad specsrum of possible outmmes were cavered (p4.2-3). 'Ihe issues that were investigated by MAAP analyses include (1) in-vessel hydrogen production, (2) direct ,

nantainmant beating, (3) debris bed coolability, and (4) vessel failure penetration radius. General results -

of these sensitivity analyses are diamenart in Section 4.2.3 of the IPE submittal. Results from the sensitivhy cases are presented in the submittal to show the uncertainty of individual issues on some namninmant parameters (e.g., the uncertainty of DCH on containmaar pressure load). Recognizing the uncertainty in various severe accident phenomena and bow the accident psogression can be affected, Waterford 3 performed some sensitivity analyses with abe MAAP code to ensure that a broad spectrum of possible outcomes were covered (p4.2-3). The issues that were investigated by IAAP analyses include (1) in-vessel hydrogen production, (2) direct aantninmant beating, (3) debris bed coolability, and (4) vessel failure penetration radius. General results of these sensitivity analyses are discussed in Section 4.2.3 of the IPE submittal. Results from the sensitivity cases are presented in the subauttal to show the

• uncertainty of individual issues on some containment parameters (e.g., the uncertainty of DCH on containmet presure load). However, their effects on containment release profiles are not discussed in the IPE submittal but are addressed in the licensee's responses to RAI questions. Additional sensitivity  !

analyses reported in the licensee's response to RAI questions include those associated with the challenges to enmainment integrity by hydrogen combustion, DCH, ex-vess?,1 debris coolability, and hot leg creep rupture for high pressure scenarios.

'Ibe sensitivity studies prwided in the Waterford 3 IPE seem to have addressed the issues of significant ,

uncertainties in the IPE analysis. ,

l 2.5 Evaluation of Decay Heat Removal and Other Safety Issues  ;

2.5.1 Evaluation of Decay Heat Removal 12.5.1.1 Examiention of DHR The IPE addresses decay beat remoyal (DHR). DHR is defined as those systems required for primary and secondary inventory control and beat transfer from the RCS to an UHS following shutdown of the reactor for transients and small LOCAs. Several methods of DHR are mantinned, including the main feedwater system, the auxiliary feedwater system, the EFW system, the condensate system (in conjunction ,

wkb secondary depressurization using the turbine bypass or the stroospheric dump system) and HPSI, for small LOCA inventory control.

DHR function loss contributes 1.4.E-5/yr to the CDF and is thus below the 3.0E-5/yr criterion used to define acceptably low DHR failure frequencies in NUREG-1289.

l l , Comartution to DHR-loss CDF from the DHR frontline systems and their support systems is calculated and presented in RAI responses. Contr#=rian of nampanmes and support systems to each DHR system's unavailabilky is not calmlated or readily available. The DHR system contribution to DHR loss CDF is as follows (not including support system failure): EFW (40.2%), HPSI (19.8%), MFW (0.6%), main i

steam (0.1%) and charging (0.1%). The support system contribution is as follows: AC power (68.1%),

46 ,

i 1

ACCW (15.1%), CCW(13.9%), HVAC (8.2%), DC power (2.2%), ESFAS (2.2%) and instrument air

, (0.2%). Dese percentages from RAI responses are somewhat at odds with Figure 1 as far as absolute numbers are concerned.

- 2.5.1.2 Divene Means of DHR l

De IPE evaluated the diverse means for DHR, including: MFW, AFW, EFW, condensate, steam relief, l HPSI and diarging. Cooling for the RCP seals was taken into account. In addition, containment cooling was addressed.

2.5.1.3 Unique Festuns of DHR f .

He unique features of Waterford 3 that pertain to the DHR function are as follows:

i

• Dere is no feed and bleed capability at this plant. No pressurizer PORV exists and the HPSI/ charging pumps do not have the requisite head to lift the safety valves. l

• De turbine driven main feedwater pumps will continue to run for most transients, as the pump flow output is automatically matched to the decay heat level.

• %ere are two motor driven (capacity 350 gpm each) and one turbine driven (capacity 700 gpm)

EFW pump. De EFW system is automatically started and controlled. In addition, a manually started AFW pump is also available, should the other three pumps fail (the AFW pump is l normally used during startup/ shutdown operations). According to the submittal and the RAI responses, the turbine driven EFW pump can be expected to continue (o operate with low quality steam or even water at the turbine inlet. However, this is not credited in the analysis, and the TDEFW pump is assumed failed at the time of bhttery depletion.

• De normal EFW suction source is the inventory in the condensate storage pool (CSP), good for l about 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />. A backup supply are the two wet cooling tower basins, each holding about the same amount of water as the CSP. A third option is the non-seismically qualified condensate storage tank (CST) and its transfer pump.

• De EFW control valves fail open on loss of instrument air, and there is also a backup niticgen j accumulator supply in case ofloss of instrument air, ne turbine driven EFW pump does not

require room cooling (according to calculations, RAI responses), whereas the motor driven EFW

pumps do.

t

• Apparently the TDEFW pump can operate with low quality steam or even water at the turbine inlet. His is not credited in the analysis.

{

• De DC battery (battery AB) supplying control to the TDEFW pump has a SBO depletion time of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> with proceduralized load shedding (1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> without load shedding), according to the

submittal. Since the IPE, the safety related batteries have been replaced with higher capacity batteries (to allow for aging), and a new non-safety battery has been installed to take up the non-safety loads serviced by the AB battery. Dese modifications have extended the AB battery depletion time to 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.

~

47

• Condensate pumps may be used to provide feedwater to the steam generators, provided the secondary system has been depressurized to 500 psia. Dere are three parallel condensate pumps.

De condenser botwells have enough inventory to supply the condensate pumps for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

'* Dere are multiple pathways for secondary steam relief: 6 turbine bypass valves,2 atmospheric dump valves and 6 safety relief valves. .

• - De RCP seals are the Byron Jackson type, which according to the submittal can sustain loss of

• CCW for 30 =I=d= (verified by tests), without tripping the RCPs; the operators are instructed to trip the RCPs inunediately upon loss of CCW. CCW cooling is the only type of cooling for Ibase seals (no seal injection provided). Because of the 4 stage seal design, and the new resistant material for seal faces, no apurious seal failures (i.e., initiating event seal LOCA) are assumed l possible with these seals (=n;: N failures are allowed).

• Dere are three trains of HPSI, CCW, AC safety buses and DC safety buses. De AB buses and AB trains are functionally related, e.g., the AB train of CCW cools the AB train of HPSI, and ,

both are supplied AC power from the AB safety bus. De third HPSI pump must be manually started on St. ,

• Dere are also three trains of HVAC chillers. De charging pumps also have three trains (these are considered in the PRA analysis to feed the auxiliary pressurizer spray, for emergency boration in A*IWS and for RCS inventory control in an SGTR). Other safety equipment has two trains. 1 De two trains of the instrument air compressors are backed up by the three trains of the station j air compressors (see below). l

• Dare are two EDGs. De EDGs need cooling by CCW, ventilation by dedicated fans and DC power provided by the station batteries. A diesel compressor has been added to the plant post-IPE, to help in case of problems with startup compressed air.

k* Dere are three plant batteries, A, B, and AB. De AB battery is used for 'IVEFW pump control e in SBO conditions. As stated above, the capacity of this battery has been increased and a non-

' safety battery added to pick up non-safety AB loads, such that SBO depletion time of this battery is now 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. De A and B batteries have also been similarly affected, such that their SBO depletion time is now 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> even without load shedding. Each battery is supported by two chargers.

• Dare is no service water system at this plant. Instead, the ultimate best sink is provided by the dry cooling towers. As there are amitiple fans in the towers, they can be maimale=1 piecemeal, such that =aiwan=== would not disable the whole tower (although in the IPE it is conservatively

====ad that it does). Also, in case of increased damami (depending on air temperature) and during normal operation there are additional wet cooling towers which are used to increase the i heat rejection capacity. De IPE assumes that the wet cooling towers are needed in case of a l LOCA, when several types of safety equipment may be operating simultaneously. De system I which cools the CCW system and rejects the best to the wet cooling towers is known as the auxiliary componset cooling systen (ACCW), and is only needed in case of LOCAs, as far as the IPE is concerned. His system has two pump trains and two wet cooling towers.

l

---

w --

,m.w-9 y. s- ,

-# y , . . _ - .

4 L , ..

1

• The CCW is needed to cool the HPSI pumps, the LPSI pumps, containment sprey pu:nps,

, shutdown heat exchangers (also used for containment spray recirculation cooling), containment l fans, the emergency diesel generators and the central chillers used to provide HVAC cooling for

several plant areas.

i e ne instrument air system is necessary for operation of the MFW system and the normal / l 4 pressurizer spray (but not the auxiliary spray, supplied by the charging pump). All the other important systems (EFW, CCW, ACCW, containment sump recirculation valves) are provided j wkh a backup air or nismgen accumulator system. Dere are two instrument air compressors, of g which one is sufficient to supply the requisite loads in an intermittent type of operation. In case of failure of both compressors, a cross tie to the station air system automatically opens; the station i air has three compressors. Derefore the compressed air systen seems to be relatively reliable j and the systems affected are relatively few.

i

• Room aaoling or ventilation is needed for several important systems: HPSI (not needed during the RWSP injection phase due to the low temperature of the water pumped), LPSI (not needed during l

i the injection phase), containment sprays (not needed in the injection phase), MDEFW pumps,

! normal pressurizer sprays, emergency diesel generators and the CCW pumps.

\

j

• De switchover to recirculation is automatic. However, the operator must manually close the j RWSP (refueling water storage pool) suction valves at that time.

\

• De recirculation spray (using the CSS pumps aligned to the containment sump and the shutdown

! heat exchangers) is necessary to provide cooling of the containment sump water.

4

• LPSI is automatically stopped on switchover to recirculation and HPSI is automatically aligned l to the sump (along with the CSS) even if a LPSI operated in the injection mode, and even though

LPSI path for recirculation (through the shutdown heat exchangers) exists. De reason is that the

LPSI pumps may cavitate when simultaneously taking suction from the containment sump with j the containment spray pumps. Since the IPE, a hardware modification has been implemented such j that the LPSI pumps can be used to provide the recirculation spray in case of failure of the spray l pumps. ,

i

! 2.5.2 Other GSIs/USIs Addressed in the Submittal

! No other USIs and GIs are addressed in the submittal.

i

, 2.5.3 Response to CPI Program Bea=====datta==

i i

? De CPI recommendation for PWRs with a dry containment is the evaluation of containment and l

equipment vulnerabilities to localized hydrogen combustion and the need for improvements. Although i the effects of hydmgen combustion on aaseminawat integrity and equipment are discussed in the submittal, the CPI issue is not specifically addressed in the submittal. More detailed information on this issue is l provided in the licensee's response to the RAI (Level 2 Question 13). According to the response,

ahhough no anneninaw=e walkdowns were conducted specifically for Level 2, the Waterford 3 PSA staff

! has made many trips into the containment and has a good understanding of the geometry of the containment.

J 49 4

l i

b l According to the response, the Waterford 3 containment is a very open design that is not compartmentalized, and with the possible exception of the reactor cavity, all parts of the containment atmosphere are expected to be well mixed during an accident scenario. De reactor cavity is the only j relatively enclosed volume in the containment. Since the reactor cavity volume is surrounded by thick

. reinforced concrete walls sized to withstand a large break LOCA blowdown and since no equipment is located in this area, hydrogen combustion in the cavity is not *W to affect any safety significant equipment. Additionally, according to the response, hydrogen detonation is not believed to be likely in -

the Waterford 3 marzinnnant As can be seen in the above description, the discussions provided by the  ;

licensee on this issue is qualitative in nature, no quantitative 'mformation is provided in the discussion.

2.6 Vulnerabilities and Plant Improvetnents -

De vulnerability criteria used for the IPE by the licensee are as follows:

1

1) A mean core damage frequency of 1.E-4/yr or greater for any sequence.

2) A sequence that contributes more than 50% to the total CDP.

3) A single failure or a common cause failure or an operator Tailure which has an unusual or significant effect on the CDF.

4) A support system failure which causes multiple frontline system failures and thereby has 1 an unusual or significant effect en the CDF.

Based on these criteria no vulnerabilities were found.

De IPE did not take credit for any potential improvements. He potential improvements shown below

'(except for LPSI employment for recirculation spray which has been implemented) have not been evaluated yet, but are scheduled for di position within the framework of the severe accident management pideline preparation effon, scheduled for completion by summer of 1997.

No impact on the CDF of any improvements has been evaluated.

De following are the improvements considered as a result of the IPE: ,

t Hardware:

1) lastall a portable generator to charge the AB battery. His will reduce SBb contribution i from depletion of this battery which is used to control the TDEFW pump.

4

2) Provide feedwater from the fire protection system to the steam generator. De fire 1 I

protection system has its own diesel driven pumps. During SBO or total loss of feedwater, this system could be used provided the SG were depressurized to below 200 ,

psia, the shutoff head of these pumps. l 50  :

i 1

i i

. .e o i

1 j Operating procedures:

1) Provide additional chiller /HVAC failure guidance. Room cooling is important as a j contributor to the CDF and because k cools HPSI and EFW (MD) pumps. De failures j - are typically slow acting so the operators have time to respond. Herefore additional

{ guidance may insure a timely response. ,

i

2) Cross-tie of AC power trains. Proceduralize the cross 41e between the A and B trains (hardware already exists). Drills have demonstrated the pertinence of this type of recovery. A procedure will make k easier to accomplish it in a shorter time.

3) hhance refill of the CSP. CSP drawdown is an important contributor. sY-izing the l

need to monitor level and makeup fraa the wet cooling tower basins or the CST will help prevent this from being a contibutor.

4) Add guidance for aligning LPSI pump for containment spray. Conta'mment cooling is l needed in the recirculation phase to insure NPSH of recirculation pumps. Hardware connections exist for LPSI to take over the recirc spray function in case of CSS pump failure, however, currently, LPSI pumps are disabled from recirculation. His is because they would cavitate if operated together with the CSS pumps to take suction from the containment sump. Since in this case CSS pumps are not svailable, LPSI pumps can take over to provide CHR. His procedure guidance has already been imple nented.

De following changes wae made in response to the SBO rule: ,

i

1) Stripping of DC loads was added to the procedure for SBO coping. His stripping allows the AB battery to last 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. His was credited, but not analyzed in the IPE (i.e., no HEPs assigned);

i

2) All three safety batteries were replaced with batteries of increased capacity to allow for ,

aging. His was not credited;

3) A new non-safety battery was installed in the turbine bids to remove non-safety loads i from the AB battery. His change greatly increases the duration of the AB battery in SBO conditions. His was not credited (came aAer IPE submittal);

4) Hermometers were installed in certain plant areas to confirm the initial temperature

, assumed in SBO calculations. His change does not affect the IPE;

5) A diesel power air compressor was installed which allows recharging of the EDG air

- starting system. Starting air can be supplisd to restart the EDG if previous starting assempts have =h==*M the compressed air supply from the starting system. .

l No CDF impact of these changes is evaluated.

51

- ( ,

'the following additional back end potential plant improvements are disctosed in the IPE submittal:

1. Enhance communication between sump and cavity - A bardware change (e.g., removal the door in the cavity cooling duct work) may be i= fur :.3 to increase the flow of the water in the containment sump to the reactor cavity.

2. Provide water fro:n the fire protection system to the containenant sump - This can Provide water to the reactor cavity to prevent vessel breach by allow *mg ex-vessel cooling.

9 e

b I

/

i 5

l l

, l 52

4 4

i

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS 1

j  !

5 ,

Ramt on the I.evel I review of the Waterford 3 IPE the licensee appears to have analyzed the design and j j operations of Waterford 3 to discover inarannan of particular vulnerability to core damage. It also appears l 1

that the licensoe has: developed an overall appreciation of severe accident behavior; gained an j l , understanding of the most likely severe accidents at Waterford 3; and implemented changes to the plant l 1 to help prevent and mitigate severe accidents k is not clear that quantitative understanding was gained t by the licensee due to a number of data problems (see below).

l Strengths of the Level 1 IPE are as follows: Dorough analysis of initiating events and their impact,

dauhiis of the plant responses, modeling of accident scenarios, generally reasonable failure data and i common cause factors employed and usage of plant specific data where possible to support the quantification of initiating events, diesel generator failures and component maintenance unavailabilities.

De flooding analysis seems to have been reasonable and thorough. De eNort seems to have been evenly

distributed acmss the various areas of the analysis. De documentation was usually good, and reasonable effort was made to provide RAI responses. Some pessimistic assumptions were employed to offset some j of the optimistic aspects of the analysis, i

he weaknesses were in using seemingly low values for some important data

LOOP and small LOCA ,

, initiating event frequencies, power recovery curve, somewhat low CCF for MDEFW pumps and omission I l of some CCFs. De TDEFW run failure number is low compared to the NUREG/CR4550 1 recommended value. Shedding of DC loads was not modeled. Dere is uneven modeling of common j cause failures and some common cause fcilures are omitted from the analysis: It is not clear if CCF of

! all three HPSI pumps or all three CCW pumps was considered. HVAC modeling of the shutdown heat

exchanger room is not clear. Dese comments may have a moderate to large (in case of power recovery factors) impact on the results. However, they may be somewhat offset by some pessimistic assumptions:

, EDG run failure occurs at the beginning of the SBO, no credit for TDEFW operation with water at inlet,

large maintenance unavailaiblity of the dry cooling tower, and no credit for recent battery upgrades such l

? that low shedding may not be required.

De IPE determined that failures in the AC power, EFW, ACCW, HPSI, CCW and HVAC dominate the

risk profile. Loss of offsite power and small LOCA account for about 80% of the total CDP. SBO i l accounts for about 38% of the CDF. De CDF is dominated by 5 accident sequences (not accounting l the ISLOCA which contributes about 3%).

i

De HRA review of the Waterford 3 IPE submittal and a review of the licensees responses to HRA

o related questions asked in the NRC RAI, revealed several weaknesses in the HRA as documented. In i general, a viable approach (the Dougherty and Fragola method) was used in performing the HRA, but

! several weaknesses in how the analysis was conducted (or at least in the licensees documentation of the 4

eonduct of the analysis) were identified. While the weaknesses are not severe enough to conclude that the linanmaan submittal failed to meet the intent of Generic Letter 88-20 in regards to the HRA, they do j scggest the licaname may not have learned as much about the role of humana during accidents as would

! have been possible. Important elamanta pertinent to this determination include the following:

j 1) De submittal indicates that utility personnel were significantly involved in the HRA. Regarding

the IPE HRA representing the as-built, as-operated plant, the submittal states that "the HRA task 4

l 53 4

J

served as an integral advisor to other project tasks to assure that relevant human interactions were identified and properly incorporated into the logic models." De HRA task was involved during initial sequence and modeling efforts and "during this period had the opportunity to review plant and system design information and become familiar with the control room and related operating procedures." While simulator exercises were not conducted, the statements discussed above suggest that the HRA analyst was significantly involved throughout the modeling effort. Dus, it appears that steps were taken to assure that the HRA i,i:: ~-^a the as built, as-operated plant.

However, dommaatmian of HRA related walkdowns and observations of simulator exercises would have strengthened the notion that a viable process was used.

2) De submittal indicated that the analysis ofin '-13.ies maions included both miscalibrations and ressoration faults. An acceptable, but potentially optimistic analysis was conducted Events found to be potentially risk significant were analyzed in detail using an "SAIC" method that is "a variant on THERP and is similar to the ASEP HRA procedure.

3) De major limitation of the post-initiator analysis concerns the extent to which plant-specific  !

thesors were considered. While the model itself provides reasonable mechanisms for addressing relevant plant - specific factors, on the basis of examples provided, it would appear that many of the parameters were left at their default values and that potential PSFs were not carefully considered. De resulting analysis therefore appears to be " generic" rather than plant-specific and may or may not adequately represent the plant.

l

4) Considerauon of dependencies between separate tasks was essentially treated by assuming that they are independent. De licensee argues that "between separate taris independence is provided because many of the tasks are performed by different people, aw' ). ore is separation in time or "cogmtive space", i.e., cues are independent enough to force subsquent diagnosis." De licensee ,

further states "that context effects were handled by lumping the different sequences into one event." "This is done by using a sum average Gne h the available time parameter for events that are sequence dependent." Dese stmamanet apparently reflect a " bounding" approach that could lead to pessimistic or optimistic 14EPs, depending on the circumstances.

5) A list of important human actions based on their contribution to core damage frequency was  ;

provided in the submittal. /

6) De HRA portion of the flooding analysis appeared reasonable and thorough.. 1 De IPE uses small containment event trees (CETs) for Level 2 analysis. De quantification of the CET in the Waterford 3 IPE is based on review of industry literature and plant-specific calculation using the MAAP code.

De interface between the Level 1 and Level 2 analyses is accomplished by the development of a set of 10 plan damage states. De Level I core danuge sequences are grouped in the plant damage states based on RCS pressure, core melt timing, and the availabilky of maalaman mitigating systems. Separate CETs are used for bypass PDSs, SBO PDSs, and other PDSs. De definition of the PDSs for the Level 1 and Level 2 interface seems adequate. De CErrs used in the IPE provide a reasonable coverage of the .

huportant back-end phenomena. De quantification of the CETs also seems adequate. j i

1 i

i

k i

e De important points of the tedmical evaluation of the Waterford 3 IPE back-end analysis are summarized

l below

!

• De back end portion of the IPE supplies a substantial amount of information with regards to the

. subject areas identified in Generic latter 88-20.

}

• De Waterford 3 Steam Electric Station IPE provides an evaluation of all phenomena of importance to severe accident progression in accordance with Appendix I of the Generic Letter.

l

• De high early maniamane failure probability obtained in the Waterford IPE submittal is partially l due to the use of a conservative containment fragility curve. He conditional early failure

! probability is reduced from 26% to 4% when a revised fragility curve more consistent with those i used in other IPEs is used.

i

)

• Despite the use of a 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission time late containment failure occurs if both containment

spray and containment fan coolers fail. On the other hand, because of the use of a mission time, j the probabilities of containment failure by noncondensable gases and basemat melt-through are

assumed to be low even if the debris is not coolable.

• De IPE has identified a plant specific reactor cavity configuration feature that may affect accident

! progression. Based on the IPE, it is recommended that the communication between sump and

cavity be enhanced. His may be achieved by removing the door in the cavity cooling duct work l to increase the flow of the water in the containment sump to the reactor cavity.

i i e 3

4 4

E

}

i o

O

{

I ,

i l i

l i

),

f 55 i

I 1

l

mw4._ -. e. ---2-na _w..a _,aA.1a me,,L-- A A a-a, . , , . _ gA a. ,mm-u-.,,&.> k-- mal --~m-.amAAa,x__O- - s&s-pn._m:.-4 -.2m--.w&4s,4J-A- -*b= m m.x. r Q

8 4 4

e a

2 s

. ,a ?

REFERENCES 1

A flPE} Individual Plant Examination Submittalfor the Waterford 3 Nuclear Powr Plant, Entergy Operations, Inc. and SAIC, August 1992.

, . (RAl Responses) Response to NRC Requestfor Additional irgfonnation on Waterford 3

, Steam Electric Station IPE Submittal, Attachments one through four to j letter from JJ. Fisicaro, Director of Nuclear Safety, Energy Operations, inc. to U.S. Nuclear Regulatory Commluion, April 30,1996.

2 i Response to NRC Questions on Water)brd 3 iPE, Attachment to lAtter from J. J. Fisicaro, Director of Nuclear Safety, Energy Operations, Inc.

i to U.S. Nuclear Regulatory Commlation, August 29,1996. (Follow-up j RAI responses)

(Book} E.M. Dougherty and J.R. Fragola, Hanan Reliability Analysis: A Systems Engineering 4pmade with Nuclear Pour Plant 4plications, NY: John j Wiley & Sons,1988.

l . fNUREGICR-1278} A.D. Swain and H.E. C*mnn, Handbook ofHuman Reliability Analysis with Emphasis on Nuclear Pour Applications : Techniquefor Human

{ Error Rate Prediction, NUREG/CR-1278, U.S. Nuclear Regulatory j Commission, Washington D.C.,1983. .

(NUREGICR-4772} A.D. Sw11n, Accident Sequence Emluation Program Human Reliability Analysis Procedure, NUREG/CR-4772, U.S. Nuclear Regulatory l Commission, Washington, D.C., February,1987.

I

l Article} E.M. Dougherty , An Ex-Control Room Human Reliability Model, Transactions of the 1989 Winter Meeting of the American Nuclear l Society, TANSOA 60, 1-792, November 28,1989.

(NUREGICR-4834} D.W. Wbitehead, Recowry Actions in PRA for the Risk Methods integration and Emluation Program (RMIEP), Volume 2: Application of the Data-based method, NUREG/CR-4834, U.S. Nuclear Regulatory Commission, Washington D.C., December 1987

[NUS-5272} P. Moleni, et al. Modeling ofRecowry Actions in PRAs. Report APG #15 (NUS-5272) for Electric Power Research Institute (Draft), April 1991.

[NUREG/CR-2787] GJ. Kolb, et al., " Interim Reliability Evaluation Program - Analysis of Arknaama Nuclear One, Unit One Nuclear Power Plant," NURE/CR-2787, Sandia National Laboratories, June 1982.

57