Text

TER on IPE Front End Analysis
	ML20138F081
Person / Time
Site:	Arkansas Nuclear
Issue date:	11/27/1995
From:	Thomas W; SCIENCE & ENGINEERING ASSOCIATES, INC.
To:	; NRC
Shared Package
ML20138F088	List: ML20138F081; ML20138F092; ML20138G522; ML20138K043; ML20138K056; ML20138K062;
References
	CON-NRC-04-91-066, CON-NRC-4-91-66 SEA-94-2336-010, SEA-94-2336-010:A-3, SEA-94-2336-10, SEA-94-2336-10:A-3, NUDOCS 9607250042
	Download: ML20138F081 (46)
	v • d • e

. . . - . - . . _ . - - _. .. _- - . . - . . -. - _ . . . - . .

i l

SEA 94-2336 010:A-3 i November 27,1995 l

i l

1 1

i

! Arkansas Nuclear One - Unit 2 Technical Evaluation Report on the Individual Plant Examination Front End Analysis j t

I NRC-04 91066, Task 36 i

I l

Willard Thomas Science and Engineering Associates, Inc.

l l

i Prepared for the Nuclear Regulatory Commission A1 ENCLOSURE 4A

-Fd

?

khDO k)

e l '

l

\

l l TABLE OF CONTENTS .

l E. EXECUTIVE

SUMMARY

. . . . ................................. 1 l

E.1 Plant Characterization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 l E.2 Licensee's IPE Process ................................. 2 !

l E.3 Front End Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 '

l E.4 G e n e ric iss u e s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 :

E.5 Vulnerabilities and Plant Improvements . . . . . . . . . . . . . . . . . . . . . . 5 E.6 O b s e rvatio n s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 l

8

1. I N T R O D U C TI O N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . l 8 j j

1.1 R eview P roce s s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

8 1.2 Plant Characterization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ;

2. TEC H N I C AL R EVI EW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 l 2.1 Lic e n s e e's I P E P roce s s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 2.1.1 Comoleteness and Methodology ..................... 10 J 2.1.2 Multi-Unit Effects and As-Built. As-Ocerated Status . . . . . . . . 10 '

2.1.3 Licensee Particioation and Peer Review . . . . . . . . . . . . . . . . 11 2.2 Accident Sequence Delineation and System Analysis . . . . . . . . . . . . 12 2.2.1 Initiatina Eve nts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 )

15 :

2.2.2 E ve n t Tre e s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

2.2.3 Svstems An alvsis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 2.2.4 System Deoendencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 i 2.3 Quantitative Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 l l

2.3.1 Quantification of Accident Seauence Frecuencies . . . . . . . . . 18 2.3.2 Point Estimates and Uncertaintv/ Sensitivity Analvse.g ...... 18 19 2.3.3 Use of Plant-Soecific Data .......................,. 1 l

21 2.3.4 U s e of G en e ric D a1a . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

22 2.3.5 Common-Cause Quantification ......................

24 2.4 I nte rf ac e i s s u e s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

2.4.1 Front-End and Back-End Interf aces . . . . . . . . . . . . . . . . . . . 24 i 2.4.2 Human Factors interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . 24 2.5 Evaluation of Decay Heat Removal and Other Safety issues . . . . . . . 25 25 2.5.1 Examination of D H R . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

26 l 2.5.2 Dive rse Me ans of DH R . . . . . . . . . . . . . . . . . . . . . . . . . . . .

26 l

2.5.3 Uniaue Features of DHR . . . . . . . . . . . . . . . . . . . . . . . . . . .

2.5.4 Other GSl/USIs Addressed in the Submittal . . . . . . . . . . . . . 26 '

l 2.6 Internal Flooding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 27 2.6.1 Internal Floodina Methodoloav . . . . . . . . . . . . . . . . . . . . . . . 28 2.6.2 Internal Floodina Results .......................... .

2.7 Core Damage Sequence Results . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 l !

29 i

! 2.7.1 Dominant Core Damaae Secuences . . . . . . . . . . . . . . . . . . 32 l i 2.7.2 V ulne rabilitie s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 ;

~

i 2.7.3 Prooosed imorovements and Modifications . . . . . . . . . . . . . .

l l

l l..,

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS .. ........ ... 35 i I

4. DATA

SUMMARY

SHEETS ..... ...................... ... ... 36 i i

i REFERENCES................................................ 41 l l

l i

l 1

i i

l

]

i h

111 l

l

l l

l

\

l LIST OF TABLES .

I Table 21. Summary of Front-End Sensitivity Analyses . . ... ........ ... 19 Table 2 2. Plant-Specific Component Failure Data . . . . . . . . ...... ... .. 20 l

Table 2-3. Generic Component Failure Data ..... ............. ... .. 21 l

Table 2-4. Comparison of Common-Cause Failure Factors . . . . ...... 23 l

Table 2 5. Classification of DHR Vulnerability . . . . . . . . . . . . . . . . . . . . . . . 25 l

Table 2-6. Accident Types and Their Contribution to Core Damage Frequency . 29 j

Table 2-7. Initiating Events and Their Contribution to Core Damage Frequency . 30 Table 2-8. Dominant Functional Sequence Groups . . . . ............. . 31 Table 2-9. Subgroupings for Sequence TBF , . . . . . . . . . . . . . .......... 31 l

l

{

be IV l

i I E. EXECUTIVE

SUMMARY

J This report summarizes the results of our review of the front-end portion of the i 1 Individual Plant Examination (IPE) for the Arkansas Nuclear One-Unit 2 (ANO-2). This

review is based on information contained in the IPE submittal (IPE Submittal) along j with the licensee's responses [RAI Responses) to a request for additional information j

! (RAl).

E.1. Plant Charactedzation j

The Arkansas Nuclear One-Unit 2 (ANO 2) plant is a Combustion Engineering l

pressurized water reactor (PWR). Bechtel Corporation was the Architect / Engineer i (AE) for this plant. ANO 2 first began operation in March 1980.

j Design features at ANO-2 that impact the core damage frequency (CDF) relative to

other PWRs are as follows

. Ability to oerform feed and bleed once-through coolina. The plant has a once-l' through feed and bleed capability even though it has no power-operated relief valves (PORVs). Once-through cooling can be accomplished by opening the pressurizer emergency core cooling system (ECCS) vent valves (high point vent line) or Low Temperature Overpressure Protection (LTOP) valves, and injecting coolant via the high pressure safety injection (HPSI) pumps. This design feature lowers the CDF by providing an alternative method of core cooling given l unavailability of feedwater. ;

Transfer of non-essential oower sucolv from the unit auxiliarv transformer to a startuo transformer on olant trio. The unit auxiliary transformer (AT) powers plant loads during normal operation. On a plant trip, power is transferred from the AT to one of two startup transformers (STs). This design feature tends to increase the CDF, bece.use the f ailure of successful transfer to an ST will result in a LOSP condition. l

= Lack of a reauirement for HPSI oumo external coolina during iniection mode.

The HPSI pump seats require cooling water only in the recirculation mode. This j design feature tends to decrease the CDF.

. Robust desian of reactor coolant oumo (RCP) seals. The RCP seals are of a special design stated to be highly resistant to leakage in the event external seal cooling water is lost. This design feature lowers the CDF.

. Automatic switchover of ECCS from inlection to recirculation. This design i feature tends to decrease the CDF over what it would otherwise be with a manual system.

1

. Eight hour batterv lifetime. The batteries appear to have 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months lifetimes, even without the benefit of manual operator load shedding actions. The 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months battery lifetime is longer than at some other PWRs.. This design feature tends to lower the CDF.

. Deoendencv of emergencv feedwater (EFW) oumos on heatina. ventilatina. and air conditionina (HVAC). This design feature tends to increase the CDF.

. Service water backuo to EFW oumos suction. The service water system provides an additional means of supplying water to the EFW pumps. This design feature tends to lower the CDF.

. Reactor buildina cooling units (RBCUs). Four RBCUs are available to provide containment cooling, and indirectly help maintain core cooling. The RBCUs provide a means of performing containment cooling that is independent of the containment spray system. This design feature tends to decrease the CDF. ;

Monitorina of low oressure safety iniection (LPSI) check valve cerformance.

Pressure monitors are installed in the LPSI injection paths to reduce the potential for an interfacing systems loss of coolant accident (ISLOCA). This design feature tends to lower the CDF.

E.2 Licensee's IPE Process '

The licensee began planning a probabilistic risk assessment (PRA) project in late 1987, prior to issuance of Generic Letter 88-20, though with knowledge that an IPE l

request was pending, included in the primary objectives of this project were the development of a tool to evaluate planning and operational decisions on a risk basis, and to satisfy the pending Generic Letter request to perform an IPE.

Utility personnel provided over 50% of the total engineering effort applied on this ,

project. Support was obtained from two outside contractors, Science Applications International Corporation (SAIC) and ERIN Engineering and Research, Inc (ERIN).

Plant walkdowns were performed to support the analysis.

Major plant-specific documentation used in the IPE included: the Updated Final Safety Analysis Report (UFSAR), piping and instrumentation diagrams (P&lDs), electrical one-line diagrams, system design basis documents, system training manuals, l Technical Specifications, and procedures. PRA analyses for other plants were also l ;

l reviewed, including Interim Reliability Evaluation Program (IREP) studies for ANO-1 '

and Calvert Cliffs, and PRA studies for Waterford and Oconee.

i i Independent reviews were made by licensee and SAIC staff of analysis elements as i they were developed. In addition, a separate independent review was performed.

The composition of the independent review team consisted of licensee and ERIN i

2 1 I

l 3

personnel. ERIN coordinated the independent review by assigning personnel with expertise in the various PRA areas.

I The licensee intends to maintain a "living" PP A model.

i E.3 Front-End Analysis

)

l The methodology chosen for the front-end analysis was a Level 1 PRA, the small event tree /large f ault tree technique with fault tree linking was used and quantification was performed with the Cutset and Fault Tree Analysis (CAFTA) software.

The licensee appears to have used a cladding temperature of 2,200 deg. F as the threshold for core damage. The success criteria were based on a number of sources, including the ANO-2 UFSAR, the Waterford PRA, the Calvert Cliffs IREP study, and various CE analyses. The success criteria are generally consistent with success criteria used in other PWR IPE/PRA studies. l The IPE quantified 22 initiating events exclusive of internal flooding: 6 generic or typical transients,9 plant-specific support system failures,3 loss of coolant accidents (LOCAs), steam generator tube rupture (SGTR), and 3 interfacing systems LOCA l j

(ISLOCA) events. The IPE developed 8 functional event trees to model the plant response to each of these initiating events. A total of 78 initiating events were used to !

analyze internal flooding.

The IPE used plant-specific data where possible to quantify component failures and maintenance unavailabilities. . The time window used for the collection of plant-specific data was from August 1985 through July 1990. Generic data were used when sufficient plant data were unavailable.

A " beta" factor method was used to quantify common cause failure events within systems. The common cause events were incorporated into the fault tree models.

The number of categories of equipment items considered in the common cause analysis was more limited compared to some other IPE/PRA studies.

The submittal does not provide an overall estimate of the flooding CDF, though all flooding sequences are stated to be less than 1E-06/yr.' A CDF contribution from the flooding analysis was not combined with the CDF from other internal events scenarios for several reasons, including the fact that the flooding results were judged to be much more " conservative" than the results for the remainder of the IPE analysis.

' As used here and in other portions cf this report, the terrn 'yr* refers to reactor-year.

3 I

i

l The point estimate CDF for ANO-2 (exclusive of flooding) is 3.4E-05/yr. The dominant 2

initiating event contributors to CDF are as follows:

29 % I Loss of DC Bus 2001 Reactor trip 17% ;

Loss of 4,160 VAC Bus 2A3 9% l Turbine trip 8% i Total loss of service water flow 6%

Loss of offsite power (LOSP) 6% i Medium LOCA 5%

Small LOCA 5%

Large LOCA 4% )

Loss of DC Bus 2D02 3%

Loss of power conversion system (PCS) 3% i ISLOCA 1%

The contribution to CDF by accident type is listed below:

Transient (not including station blackout) 84%

LOCAs 8.1%

Station Blackout 3.5%

Anticipate Transient Without Scram (ATWS) 3.0%

ISLOCA 1.0%

Steam Generator Tube Rupture (SGTR) 0.15%

internal Flooding screened out i Dontinant event contributors to CDF include: operator failure to align offsite power to 4,160 buses after failed post-trip auto-realign, operator fa!!ure to trip RCPs after component cooling water (CCW) loss, discharge of battery 2D11, operator failure to realign DC buses to swing battery charger, and passive faults of EFW pump train A (turbine-driven).

The Level-1 endstates were collapsed into a set of representative plant damage states (PDSs) to support the back-end analysis.

E.4 Generic issues The licensee addressed the loss of decay heat removal (DHR) using a classification scheme based on preliminary guidance used by NRC staff that involves the frequency of core damage due to failure of the DHR function. The CDF contribution from sequences that meet the NRC's definition of DHR is 3E-05/yr, and thus falls into

> category 2 (between " acceptably small" and " prompt action" required) of the NRC's 8

Only the most dominant initiating event contributors are listed here. A cornplete set of initiating event CDF contributors is provided in Table 2-7 of this report.

4

4 j

vulnerability classification scheme. With credit for plant improvements (in particular a !

l :

j new on site power source) the DHR contribution to CDF is significantly reduced. A sensitivity study showed that the new power source reduces the total CDF by l j

approximately 50%, and reduces the DHR contribution to roughly 1.5E-05/yr, within j the " acceptably small" range. Consequently, the licensee concluded that ANO 2 has

no unique DHR vulnerabilities. .

l l- )

The IPE was used to resolve two GSis beyond USl A-45, specifically GSI-23,'

l l i " Reactor Coolant Pump Seal Failures" and GSI-105, " Interfacing System LOCA at i LWRs."

i

}

E.5 Vulnerabilities and Plant improvements i The licensee selected the following definition of a plant-specific vulnerability:

i I . Front-end sequence groups with a' valid mean CDF greater than 1E-04/yr, or s

. Containment event tree (CET) endstate groups involving containment 1 j

i failure / bypass that have a valid mean CDF greater than 1E-05/yr.

i No vulnerabilities were identified for either the front-end or back end portions of the analysis. :

l j

Plant improvements and enhancements were suggested in conjunction with the IPE.

The licensee provided the current status of each -of these improvements, and was also able to provide CDF impact estimates for two of the improvements. The (PE took i credit for only one improvement, specifically the installation of an auxiliary feedwater (AFW) pump. The proposed plant improvements, current status (and CDF impact if available) are summarized below:

1 i i~

Potential Procedural imorovements

. Modifv Loss of Service Water Procedure to Avold Containment Failure From Unnecessarv Ooeration of Containment Sorav and LPSI Pumos. The service water system provides room cooling for the containment spray and LPSI pumps. This enhancement is currently under evaluation.

. _ Modify Shutdown Coolina System Procedure to include an Additional Check

~

-That the Shutdown Coolina Suction Line Isolation Valves Are Closed. This enhancement was implemented on March 15,1993.

8 The NRC has recently decided to drop any further rufemaking activities related to RCP seal LOCAs [GI 23 Memo). As a result, this item has been eliminated as a Generic issue.

5

. Modifv Station Blackout Procedure to Assure that a 3/4" Line in the Containment Atmosohere Monitoring System is isolated During a Station Blackout This enhancement was implemented on March 3,1993.

. Modifv Emergencv Ocefatina Procedures (EOPs) for EFW Flow Control to Avoid Isolation of EFW Pumo Discharae From Both Steam Generators. This enhancement was implemented on February 15,1993.

. Modifv Degraded Power Procedure To Assure That a 2" Containment Vent Header Line is isolated Followino a Loss of " Red" Train AC Power. This enhancement was evaluated on March 3,1995 and determined to have already been incorporated into existing procedures. Therefore, no additional procedure changes were required.

. Fuel Transfer Tube Seal Protection to Prevent Potential Containment Failure During Hiah Pressure Melt Election Events. A follow-up review determined that failure of the fuel transfer tube seals does not lead to containment failure, and this item is no longer considered risk-significant.

Potential Hardware Imorovements

. Removal of Reactor Vessel Cavity Check Valve Internals to Imorove Coolina Communication Between Molten Core Debris and Water on Containment Floor.

This potential modification is currently under evaluation.

. Additional CCW Relief Caoacity to Mitigate RCP Seal Cooler Tube Ruoture.

This modification was completed in October 19,1992.

. New Alternate AC (ACC) Power Sourch This improvement was implemented in December,1994. The licensee estimates that this new power source will decrease the CDF by 43%.

. New Auxiliarv Feedwater Pumo. This improvement was implemented in April 1991. The licensee estimates that this new pump will decrease the CDF by 2%.

While the IPE identified the alternate power source described above as a potential improvement, the installation of this power source was actually made in response to the station blackout rule. No other plant changes were made in response to the station blackout rule. Finally, while the IPE also identified the new AFW pump described above as a potentialimprovement, actual pump installation was made in response to GI-124, " Auxiliary Feedwater System Reliability."

6

E.6 Observations The licensee appears to have analyzed the design and operations of ANO-2 to discover instances of particular vulnerability to core damage, it also appears that the licensee has: developed an overall appreciation of severe accident behavior; gained an understanding of the most likely severe accidents at ANO-2; gained a quantitative understanding of the overall frequency of core damage; and implemented changes to the plant to help prevent and mitigate severe accidents.

Strengths of the IPE are as follows: The evaluation and identification of plant-specific initiating events is thorough compared to some other IPE/PRA studies.

Weaknesses of the IPE are as follows: The number of equipment types analyzed in the common cause analysis is more limited than in some other IPE/PRA studies.

Significant level-one IPE findings are as follows:

. Loss of a DC bus represents a relatively large contributor to CDF because this condition (1) can lead to loss of all main feedwater, (2) causes partial loss of EFW, and (3) completely fails feed and bleed, as power from both DC buses is required to open the ECCS vent valves or LTOP valves.

. Station blackout is a relatively small contributor to CDF because of (1) an RCP seal LOCA model' that excludes the possibility of RCP seal seal LOCAs occuring during station blackout conditions, (2) an 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months battery life, and (3) diesel generators that are an order of magnitude more reliable in their starting function compared with generic data.

I

. Without credit for feed and bleed cooling, the CDF would increase by 536%

(from 3.4E-05/yr to about 2.1E-04/yr). l l

' The IPE RCP seal LOCA model is based on several factors. including previous test results, plant experience at CE reactors. and the fact that each of the four seats in a given RCP is designed for full l

reactor coolant system (RCS) pressure conditions.

7

l i

l

1. INTRODUCTION 1.1 Reviety Process This report summarizes the results of our review of the front end portion of the IPE for ANO-2. This review is based on information contained in the IPE submittal (IPE Submittan along with the licensee's responses (RAI Responses] to a request for additicral information (RAl). i 1.2 Plant Characterization The Arkansas Nuclear One-Unit 2 (ANO-2) plant is a Combustion Engineering i

pressurized water reactor (PWR). The reactor coolant system (RCS) has two heat transfer loops connected in parallel with the reactor vessel. Each loop contains a i steam generator and two reactor coolant pumps. Bechtel Corporation was the Architect / Engineer for this plant. ANO-2 has power ratings of 2,815 MWt and 912 MWe, and first began operation in March 1980. (p.1.2-1 of submittal]

The ANO-2 facility is located on a peninsula in Dardanelle Reservoir on the Arkansas River in Pope County, Arkansas. The plant site is approximately six miles from Russellville, Arkansas. Co-located on the plant site is the Arkansas Nuclear One-Unit ,

1 (ANO 1) plant, a Babcock and Wilcox (B&W) PWR. (p.1.2-1 of submittal]

San Onofre Units 2 and 3 are similar to ANO-2 with respect to the reactor and Nuclear Steam Supply System (NSSS) designs. Calvert Cliffs Units 1 and 2 have reactor coolant system (RCS) designs similar to ANO-2. Finally, the UFSAR notes that Bechtel served as the Architect / Engineer for all of these plants and was also responsible for the containment design. (p.1,3-1 of UFSAR]

4 Design features at ANO-2 that impact the core damage frequency (CDF) relative to other PWRs are as follows: [pp. 3.1-2, 6-13, A 3, C-4 of submittal, p. 8.3 82 of UFSAR)

- Ability to oerform feed and bleed once-through cooling. The plant has a once-through feed and bleed capability even though it has no power-operated relief valves (PORVs). Once-through cooling can be accomplished by opening the pressurizer emergency core cooling system (ECCS) vent valves (high point vent line) or Low Temperature Overpressure Protection (LTOP) valves, and injecting coolant via the high pressure safety injection (HPSI) pumps. This design feature lowers the CDF by providing an alternative method of core cooling given unavailability of feedwater.

Transfer of non-essential oower sucolv from the unit auxiliarv transformer tq_a startuo transformer on olant trio. The unit auxiliary transformer (AT) powers plant loads during normal operation. On a plant trip, power is transferred from 8

l the AT to one of two startup transformers (STs). This design feature tends to increase the CDF, because the failure of successful transfer to an ST will result l in a LOSP condition.

. Lack of a reauirement for HPSI oumo extemal coolina during iniection modL The HPSI pump seals require cooling water only in the recirculation mode. This design feature tends to decrease the CDF.

. Robust desian of reactor coolant oumo (RCP) seals. The RCP seals are of a !

special design stated to be highly resistant to leakage in the event external seal cooling water is lost. This design feature lowers the CDF.

. Automatic switchover of ECCS from iniection to recirculation. This design feature tends to decrease the CDF over what it would otherwise be with a ,

manual system. !

. Eight hour batterv lifetime. The batteries appear to have 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months lifetimes, even :

without the benefit of manual operator load shedding actions. The 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months l battery lifetime is longer than at some other PWRs. This design feature tends to lower the CDF.

. Decendencv of emeroency feedwater (EFW) oumos on heatina. ventilatino. and air conditionina (HVAC). This design feature tends to increase the CDF.

. Service water backuo to EFW oumos suction. The service water system provides an additional means of supplying water to the EFW pumps. This l

design feature tends to lower the CDF.

. Reactor buildina coolina units (RBCUs). Four RBCUs are available to provide containment cooling, and indirectly help maintain core cooling. The RBCUs l provide a means of performing containment cooling that is independent of the ,

l containment spray system. This design featura tends to decrease the CDF.

l Monitorina of low oressure safety inlection (LPSI) check valve oerformance.

j ;

l Pressure monitors are installed in the LPSI injection paths to reduce the l

potential for an interfacing systems loss of coolant accident (ISLOCA). This design feature tends to lower the CDF. l l

i I

9 i

a

i 1

4 2. TECHNICAL REVIEW i i

2.1 Licensee's IPE Process l y

We reviewed the process used by the licensee with respect to: completeness and methodology; multi unit effects and as-built, as-operated status; and licensee .

participation and peer review,

) 2.1.1 Comoleteness and Methodology.

j The submittalis complete with respect to the type of information requested by Generic j j Letter 88-20 and NUREG 1335. [pp.1.5-2,1.5-3 of submittal) l 4 '

j The front-end portion of the IPE is a Level 1 PRA. The specific technique used for the ;

Level 1 PRA was a small event tree /large fault tree technique. Internalinitiating

events and internal flooding were considered. Event trees were developed for all l l

j classes of initiating events. Support systems were modeled with fault trees and linked '

j with the appropriate frontline system fault trees. An importance analysis was

performed and described in the submittal. Sensitivity analyses were performed for the front-end portion of the analysis. An uncertainty analysis was performed on the overall

CDF estimate.

I 2.1.2 Multi-Unit Effects and As-Built. As-Ocerated Status.

I

! Co-located on the plant site with ANO 2 is the Arkansas Nuclear One-Unit 1 (ANO 1) !

plant, a B&W PWR, Shared facilities or equipment include Startup Transformer 2, the l

d control room, the emergency cooling pond, and a variety of non-safety related structures and facilities. As stated in the submittal, the safety of either unit will not be

. impaired by the failure of a shared system or facility. [p.1.2-2 of submittal]

1

) Startup transformer 2 is available to either unit as a standby transfonner for the l respective unit auxiliary or startup transformers. The control room equipment for each j unit is physically separated by glass doors that are open at the top to allow sharing of i

ventilation systems. The emergency cooling pond contains sufficient water for I dissipating the total combined heat transferred from both units during a design basis LOCA in one unit and a normal plant shutdown of the other unit. The UFSAR states l-that in an emergency, cross-connections can be made between the Unit 1 and 2

~

instrument and service air systems, and between the Unit 1 and 2 service air systems.

i However, the IPE does not take credit for the cross-connection of Unit 1 and 2 l

instrument or service air systems. [pp.1.2-8 through 1.2-11 of UFSAR,1,2 2 of

{

i submittal]

i Based on information contained in the submittal and UFSAR regarding shared facilities 4 and systems, it appears that the IPE analysis has properly accounted for multi unit i interconnections and shared systems.

1 a

10 2

h

A variety of plant specific information was used to support the IPE including: the UFSAR, piping and instrumentation diagrams (P&lDs), electrical one line diagrams, system design basis documents, system training manuals, Technical Specifications, and procedures. [pp. 2.4-1 to 2.4-3 of submittal)

Walkdowns were preformed for the flooding analysis, as well to confirm the accuracy of plant system modeling for other purposes. PRA analysts interviewed plant

. operators and maintenance personnel to develop an understating of recovery actions i and maintenance practices. Most of the PRA system analysts were familiar with their 2 respective systems through past ekperience as design, performance, and safety analysis engineers in support of ANO. (p. 2.4-3 of submittal)

Credit was taken for equipment installed up to the time the IPE results were issued, which was August 28,1992. (p. 9 of RAI Responses) i The licensee intends to maintain a "living" PRA model. (pp. 3,6 of RAI Responses, p.

2.4 3 of submittal) 2.1.3 Licensee Particioation and Peer Review.

The licensee established a PRA group in the Nuclear Engineering Design Department that was responsible for developing the IPE. Two contractors supported the IPE, specifically Science Applications International Corporation (SAIC) and ERIN Engineering and Research, Inc (ERIN). Over 50% of the total engineering effort applied to the project was contributed by utility personnel. [pp. ii,5-1 of submittal]

At the beginning of the project, SAIC provided overall task delineation, the overall project plan, and individual work task development plans. During this initial phase, SAIC engineers were assigned as task leaders, with ANO PRA Group personnel i l

assigned as assistants to facilitate the transfer of PRA technology. By the end of the 1 effort, ANO had assumed total responsibility for the analysis effort and contractor support was only required on a supplemental as-needed or review basis. The licensee acquired the Modular Accident Analysis Program (MAAP) code that was used by the ANO PRA Project Team members. As a result of the IPE project,licersee 4 personnel are now capable of performing MAAP analyses. The IPE project has

- resulted in the formation of an on-site PRA group that is integral to the ANO Nuclear Engineering Design Department. [pp. 5-1,7-1 of submittal]

' i Independent reviews were made by licensee and SAIC staff of analysis elements as they were developed. In addition, a separate independent review was performed.

The composition of the independent review team consisted of licensee and ERIN personnel. ERIN coordinated the independent review by assigning personnel with expertise in the various PRA areas. ERIN also conducted two training sessions for ANO members of the independent review team prior to the review effort. Topics covered in these training sessions included the IPE objectives, the key aspects of PRA technology, and modeling techniques. [pp. 5-5,5-6 of submittal) 11

The submittal summarizes the nature of the independent review comments and actions taken. The independent review of the front end portion of the analysis uncovered only relatively minor discrepancies or errors. [pp. 5 8 to 5-10 of submittal) 2.2 Accident Sequence Delineation and System Analysis This section of the report documents our review of both the accident sequence delineation and the evaluation of system performance and system dependencies provided in the submittal.

l 2.2.1 Initiatina Events. !

The specific categories of initiating events included in the analysis are listed below:

[pp. 3.1-4 to 3.1-15, 3.1-42 to 3.1-54 of submittal).

I Generic or Typical Transients:

1 Turbine Trip Loss of Power Conversion System Loss of Offsite Power ,

i Excessive Feedwater Steamline/Feedline Break Reactor Trip '

Front-line System / Support System Transients- !

Total Loss of Service Water Flow Loss of Service Water Pump P4A Train Loss of Service Water Pump P48 Train Loss of DC Bus 2001 Loss of DC Bus 2002 Loss of 4,160 VAC Bus 2A3 Loss of 4,160 VAC Bus 2A4 Loss of 4,160 VAC Bus 285 Loss of 4,160 VAC Bus 286 LOCAs:

Small LOCA (0.3" to 1.9 " equiv. dia.)

Medium LOCA (1.0" to 4.3" equiv. dia.)

Large LOCA (greater than 4.3" equiv. dia.)

Others:

SGTR ISLOCA via LPSI system injection lines ISLOCA via shutdown cooling suction line ISLOCA via RCP seal cooler tube rupture Internal Flooding:

78 seoarate initiating events (per Table 3.6-3 of submittal) 12

Various categories of front-line and support system initiators were evaluated to determine if their failure could cause or require a reactor trip, coincident with a degraded state of the affected system. The initiator categories specifically evaluated for this purpose included: [pp. 3.18 to 3.1 10 of submittal)

Containment isolation system Containment cooling system Service water and component cooling system Engineered Safeguards Features Actuation System (ESFAS)

In.strument Air System Electric Power System (AC and DC)

Heating, Ventilation and Air Conditioning (HVAC)

Emergency Feedwater System (EFW)

Loss of either service water pump train will eventually cause a reactor trip due to inadequate flow to either the CCW loads or miscellaneous turbine plant loads that are cooled by the Auxiliary Cooling Water (ACW) system. The submittal states that losses of CCW or ACW by themselves will only lead to the loss of PCS following a reactor trip and are therefore included in the Loss of PCS initiating event category. While loss of CCW would disable cooling to the RCP thermal barrier, the IPE assumes *. hat RCP seal LOCAs will not occur if the operators trip the RCPs within 40 minutes from the time CCW is lost. Further, the IPE assumes that RCP seal LOCAs will not occur at all during station blackout conditions, which involve both the loss of CCW and tripped RCPs. [pp. 3.1-10, 3.1-23 of submittal]

The licensee determined that a spurious ESFAS signal willisolate CCW and ACW and shed non-vital electrical loads. These actions would consequently lead to the loss of main feedwater, the condensate pumps, and instrument air. As a result, the possibility of a spurious ESFAS signal was accounted for in the Loss of PCS initiating event. (p.

3.1-10 of submittal]

It was determined that loss of instrument air could lead to a reactor trip as a result of failures in main feedwater components. The possibility of loss of instrument air was included in the Loss of PCS initiating event. [p. 3.1-10 of submittal)

Two cases were identified where a DC bus failure could result in a plant trip. These two DC buses were modeled with separate initiating events. Likewise, the licensee

. identified four cases where the failure of a 4,160 VAC vital bus could result in a plant trip. These four AC buses were modeled with separate initiating events. The licensee also examined 120 VAC inverters and uninterruptible 120 VAC buses in the search for initiating events. The licensee concluded that the failure of a 120 VAC inverter or uninterruptible bus 120 VAC would cause single channel trips in the plant protection system (PPS) but not result in a plant trip. [pp.10,11 of RAI Responses) 13

The IPE does not include a separate category of initiating events representing loss of HVAC. However, the licensee did evaluate HVAC-induced plant trips, and determined that the only systems impacted by loss of HVAC would be electrical systems, specifically losses of DC and 4,160 VAC and buses. These HVAC-induced transients have been accounted for in the frequencies of the corresponding electricalinitiating events. The licensee states that an evaluation of equipment operability was done for the electrical equipment rooms that contain the AC and DC buses. This evaluation indicates that electrical equipment would remain operable at the maximum temperatures attained in these rooms for up to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months following loss of HVAC. If the electrical buses indeed remain operable following loss of HVAC, it is not clear why a l

plant trip would occur following loss of electrical room HVAC. This aspect of the IPE model appears to be pessimistic compared to the approach taken by many other i

' IPE/PRA studies5 . [pp.1,11,12 of RAI Responses, pp. 3.1-11, 3.1-12 of submittal] l i

Spurious actuation of the emergency feedwater actuation system (EFAS) was identified as an initiator that could potentially lead to a reactor trip. However, this i failure is not expected to lead to any additional f ailures and was therefore included in the Reactor Trip initiating event category. (p. 3.1-12 of submittal]

1 l The rupture of the steam supply line to the turbine-driven EFW pump was not included as an initiating event. This event was omitted as an initiator because the main feedwater system has the capability to provide additional flow to compensate for the l

inventory lost out the break. (p.12 of RAI Responses]

Plant-specific data were used to suppor1 the quantification of initiating event frequencies. The following three initiating events were entirely based on plant-specific l data: turbine trip, loss of power conversion system, and reactor trip. Generic data were used to quantify 13 initiating events, including LOCAs and SGTR. A fault tree ,

l logic model was used to generate the three initiating events associated with loss of service water.' Both generic and plant specific data were used to quantify the ISLOCA initiating events. Generic data were used to estimate the internal flooding initiating events, though plant-specific data were selectively used to judge the applicability of the generic data. The initiator frequencies are generally consistent with other PRA and IPE studies. [pp. 3.3-5, 3.3-6, 3.6-14, 3.3-23, Appendix C of submittal]

The quantification of bus loss initiating events is consistent with generic data, it is not clear what fraction of the bus loss initiating event frequencies was intended to represent HVAC failures.

The licensee states that the use of fault tree analyses to predict initiating event frequencies tends to produce "over conservative" results. in the next mode update, the licensee plans to replace the service water failure initiator frequencies with generic estimates from NUREG/CR-5526. (p. 3.3-6 of

' submittal]

14

i I

l 2.2.2 Event Trees.

The following eight functional event trees were used in the analysis: {pp. 3.1-16, '

Appendix B of submittal]

Transient l

Small Break LOCA Medium Break LOCA Large-Break LOCA Steam Generator Tube Rupture ;

Turbine Trip with Failure to Scram (ATWS)

Loss of Main Feedwater with Failure to Scram (ATWS)

Loss of Offsite Power with Failure to Scram (ATWS)

The basic front-line success criteria used in the analysis (except for ATWS events) are listed in Table 3.1-4 of the submittal. The success criteria were heavily based on a review of the following: the ANO-2 UFSAR, the Waterford PRA, the preliminary San Onofre PRA [ SONGS PRA), and the Calvert Cliffs IREP study. The success criteria ,

for feed and bleed are based on CE analyses. The assessment of the ATWS conditions was largely based on an ANO-1 ATWS scoping report [ANO-1 Calc) and a l CE ATNS analysis [CE 591). The front-end analysis considers the status of containment cooling in instances where it is required to support core cooling. [p.10 of RAI Responses, p. 3.1-17, Table 3.1-4, Appendix B of submittal]

The submittal has used two terms, core damage frequency (CDF) and core melt frequency (CMF), to describe the front-end results. While these terms are used interchangeably, it appears that the licensee is actually referring to CDF.

The mission time used in the analysis was 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . The licensee appears to have used a cladding temperature of 2,200 deg. F as the threshold for core damage. [pp.

3.1-17, 3.1-20, A-44 of submittal]

i Credit was taken for once-through feed and bleed cooling of the primary system.

i While the ANO-2 plant does not have pressurizer PORVs, the plant does have primary depressurization capability via the ECCS vent valves or LTOP valves. Analyses performed for the CE Owners Group (CEOG) demonstrated that one HPSI pump and one ECCS vent path or one LTOP path would be sufficient for decay heat removal.

l The licensee states that the ECCS vent path valves have an environmental qualification (EO) rating more than sufficient to withstand the expected conditions during feed and bleed. The LTOP relief paths contain contains both EO and non-EO valves that are ASME Section til Nuclear Class 1 (N Stamp). The valve operators i were purchased to meet the requirements of 10CFR50 Appendix B (Quality Assurance Criteria) and are powered from class 1E sources. The licensee uses these LTOP system design features as the basis for concluding that LTOP relief paths would be reliable for feed and bleed operations. The licensee did not adjust ECCS and LTOP 15

l 1

i failure data to account for expected p~erformance in feed and bleed operations. The licensee implies that increased credit could have been given to reliability of the ECCS l vent path because its EO rating is more than sufficient to withstand expected feed and i bleed conditions. [pp. 9,10 of RAI Responses, pp. 6-13, A-70, Table 3.1-4 of submittal) :

Unlike some other PWR IPE studies, the ANO-2 IPE does not take credit for the use of primary system depressurization via the secondary system so that low head safety injection can be used to mitigate a small LOCA condition. [pp. 6-13, A-70, Table 3.1-4 of submittal)

The RCP seals used at ANO-2 are stated to be very resistant to seal leakage. The 4 licensee cites several reasons to support this statement, including previous test l l

results, plant experience at CE reactors, and the fact that each of the four seals used l

in a given RCP is designed for full RCS pressure conditions. The IPE assumed that

' RCP seal LOCAs will not occur during station blackout conditions, and that seal failure could be induced only by operating the RCPs in excess of 40 minutes without CCW cooling. Plant emergency procedures direct the operators to trip the reactor and all ;

RCPs if seal cooling is lost for more than 10 minutes. The ANO 2 IPE assumptions regarding the resistance of RCP seals to leakage are more optimistic than l

assumptions used in some other PWR IPE studies. However, it is noteworthy that the l pes for some other CE reactor sites have used similar assumptions. (pp. 3.1-21 through 3.1-23 of submittal) i CCW supplied to the RCP thermal barriers represents the only means of providing external seal cooling to the ANO-2 RCPs. Other RCP designs often have two external i seal cooling systems, specifically seal injection from the chemical volume and control

system (CVCS) and thermal barrier cooling from the CCW system.

Credit was taken for recovery of offsite power. The IPE non recovery data are based on average industry data reported in an Electric Power Research institute (EPRI)-

sponsored study [NSAC 144). The licensee used a convolution integral technique to calculate cutset-specific probabilities that off-site power would not be recovered in time to prevent core damage. [pp. 8,9 of RAI Responses]

2.2.3 Svstems Analvsis.

The submittal provides descriptions for 15 systems, including HPSI, LPSI, service water, CCW, containment spray, instrument air, and electrical power. Each system description includes a brief statement of the system function, along with discussions of system design and operation, success criteria, major assumptions, and system interf aces. Also included are simplified system schematics that show major equipment items and important flow and configuration information. (Appendix A of submittal]

16

2.2.4 Svstem Deoendencies.

The IPE addressed and considered the following types of dependencies in the following categories: shared component, instrumentation and control, isolation, motive power, direct equipment cooling, HVAC, and operator actions. A summary of system dependencies is provided in Table 3.2-6 of the submittal. Additional discussions of dependencies are contained in the system descriptions. (p. 3.2 23, Appendix A of submittal]

The IPE models HVAC dependencies for the following: (Appendix A of submittal]

Emergency diesel generators Containment spray pumps (required during recirc. only)

Emergency feedwater system (required for either pump)

HPSI pumps (required during recire. only)

LPSI (required for all modes of operation) ;

HVAC is also used to support equipment in the switchgear rooms, electrical equipment rooms, and control room. However, HVAC dependencies for these plant areas were omitted from the analysis. The licensee states that an evaluation of equipment operability was done for the switchgear and electrical equipment rooms. This evaluation indicated that equipment would remain operable at the maximum temperatures attained in these rooms for up to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . Control room HVAC was omitted as a dependency in the IPE based on the following factors: (1) all engineered safety features (ESF) component actuations other than an ECCS recirculation actuation signal (RAS) will occur within the first few seconds of an accident, (2) the control room will initially be at a relatively low temperature and the heat capacity of the surroundings (for example, air, walls, floor) suggests that any significant heatup would not occur until well after any ESF actuations have occurred, (3) a very " conservative" evaluation of loss of control room HVAC demonstrated that the control room temperature would not exceed 115 deg. F, and (4) the effect of control room heatup on instrument accuracy would not be significant. (p.1 of RAI Responses]

The IPE modeled service water as a required dependency for HPSI pump seal and bearing cooling only during the recirculation phase of an accident. The omission 7 of this dependency for the injection phase was based on testing and analysis . HPSI pump seal failures are not expected during the injection mode, since the HPSI suction source is the refueling water tank (RWT), which contains relatively cool water. The IPE assumed that the containment spray pump seals would require service water cooling for both the injection and recirculation phases. Also, loss of service water to

' As documented in a licensee letter to the NRC [ANO Letter), the HPSI pumps can run without service water cooling with RCS temperatures as high as 280 deg. F. This feature is stated to be an element of the ANO-2 design basis, 17

I the LPSI pump bearing and stuffing boxes was assumed to cause pump failure in all l operating modes. (p.13 of RAI Responses, p. A-52 of submittal]

i l

The analysis appears to have properly accounted for system dependencies. l l

j l 2.3 Quantitative Process l This section of the report summarizes our review of the process by which the IPE l

quantified core damage accident sequences. It also summarizes our review of the l

data base, including consideration given to plant-specific data, in the IPE. The uncertainty and/or sensitivity analyses that were performed were also reviewed.

2.3.1 Quantification of Accident Seauence Freauencies.

The IPE used a small event tree /large-fault technique with fault tree linking to quantify 3

core damage sequences. Functional event trees were used. Fault tree models were j developed for systems depicted in the event tree top logic and their support systems, i

The event trees were functional. The PC-based Cutset and Fault Tree Analysis 3

(CAFTA) software package was used to generate the accident sequence analysis.

Accident sequence cut sets were developed to the level of specific component failures or basic events. [pp. 1.3 1, 3.5 1 through 3.5-4 of submittal]

The effective accident sequence cut set truncation value was less than 1E-09/yr for LOCA and SGTR accidents, and 1E-11/yr for transients. These truncation values are consistent with other IPE/PRA studies. The licensee states that future updates to the IPE will use even lower accident cut set truncation values. However, the use of lower i

truncation values is not expected to have any significant impact on the analysis results. With few exceptions, post-accident operator recovery actions were applied to accident sequence cut sets after the truncation process had been applied. [pp.1-3 of RAI Responses, p. 3.5-3 of submittal]

l.

2.3.2 Point Estimates and Uncertaintv/ Sensitivity Analyses. 1 f

j l Mean values were used to represent the fault tree hardware and human failure event !

probabilities. While not explicitly stated, it appears that the maintenance unavailabili

' and initiating event data used and presented in the analysis are also mean values.

The overall CDF results are presented in terms of a point value estimate. A total CDF l

uncertainty distribution was also generated, exclusive of ISLOCA, ATWS, and flooding i events. [pp. 3.5-11, 3.5-57 of submittal]

k The licensee made 12 different types of front-end sensitivity analyses. These 4

l sensitivity analyses and associated CDF impacts are summarized below in Table 2-1.

of submittal]

[p. 4 of RAI Responses, pp. 3.5-5 to 3.5-8, 3.5-34, 3.5-35 !

18 4 -

Table 21. Summary of Front End Sensitivity Analyses Type of Sensitivity Analysis l Impact on CDF (see notes 1,2 below)

Replace plant-specific failure data with generic data 39% decrease in CDF (from 3.3E-05/yr to l from SAIC database 2.0E-05/yr)

All test and maintenance unavailabilities reduced by a 6% decrease in CDF (from 3.3E-05/yr to 3.1E- j factor of 10 05/yr) j All test and maintenance unavailabilities increased by 58% increase in CDF (from 3.3E 05/yr to !

a factor of 10 5.2E-05/yr)

All common cause beta factors reduced by a factor of 6% decrease in CDF (from 3.3E-05/yr to 3.1E- J 10 05/yr)

All common cause beta factors increased by a factor 54% increase in CDF (from 3.3E-05/yr to ,

I of 10 5.1 E-05/yr)

Recovery potential of offsite power increased by a 5% decrease in CDF (from 3.3E-05/yr to 3.1E-factor of 10 05/yr) .

Recovery potential of offsite power reduced to that 41% increase in CDF (from 3.3E-05/yr to ]

' typical' of NRC PRAs 4.6E-05/yr)

HRA values still at screening values increased by a 1% increase in CDF (from 3.3E-05/yr to 3.3E-factor of 10 05/yr)

Once-through-cooling operator recovery events 536% increase in CDF (from 3.3E-05/yr to assumed not available 2.1 E-04/yr)

Addition of new ACC power source (plant 47% decrease in CDF (from 3.3E 05/yr to l enhancement) assume increase in offsite power 1.7E-05/yr) recovery potential by a factor of 10 Recovery potential of offsite power reduced to that 43% decrease in CDF (from 3.3E-05/yr to

' typical" of NRC PRAs, and addition of new ACC 1.9E-05/yr) power source (plant enhancement) assume increase in offsite power recovery potential by a factor of 10 For SGTR, no credit taken for isolation of affected 2% increase in CDF (from 3.3E-05/yr to 3.4E-steam generator by using values other than the MStVs 04/yr)

Notes: (1) The CDF impact data for each of the reported sensitivity analyses are not additive.

(2) The baseline CDF of 3.3E-05/yr does not include ATWS or ISLOCA contributions. The total CDF including ATWS and ISLOCA is 3.4E-05/yr.

2.3.3 Use of Plant-Soecific Data.

Data sources examined for the development of component failure rates and maintenance unavailabilities were: the Site Information Management System (SIMS),

l the Nuclear Plant Reliability Data System (NPRDS), the Generation Availability Data l

Reporting System (GADRS), and Limiting Condition for Operation (LCO) data l

contained in the plant operator's log. The time window used for the collection of plant-specific data was from August 1985 through July 1990. Sufficient plant data were available to quantify failure rates for a number of major component types, including diesel generators, pumps, valves, batteries, and battery chargers. Unlike a number of other IPE studies, it appears that the licensee did not Bayesian update the plant-19 i

l l

. specific data with generic data, or Bayesian update generic data with plant-specific data. (pp. 3.3-2, 3.3-3, 3.3-4, 3.3-20 of submittal)

Table 2-2 of this review compares plant specific failure data for selected components from the IPE to values typically used in PRA and IPE studies, using the NURE6/CR- !

4550 data for comparison.

f l Table 2-2. Plant-Specific Component Failure Data' l Component IPE Mean Value NUREG/CR 4550 Mean Estimate Value Estimate Turbine Driven EFW Pump 7.3E 03 Fail to Start 3E-02 Fail to Start 6.5E-03 Fail to Run SE-03 Fall to Run

! Motor Driven 2.BE-04 Fail to Start 3E-03 Fail to Start Pump 1.0E-04 Fail to Run 3E-05 Fail to Run Motor Operated Valve 5.8E-03 Fail to Operate 3E-03 Fail to Operate Check Valve 2.2E-04 Fail to Operate 1E-04 Fail to Open Battery Charger 3.0E-05 No output 1E 06 Fall to Operate Battery 3.8E-06 Failed 1E 06 Failure (unspecified mode) l Inverter 5.1E-05 No output 1E-04 Failure (unspecified l- mode)

Circuit Breaker 1.7E-03 Fail to Operate 3E-03 Fail to Transfef Diesel Generator 3.1E-03 Fail to Start 3E-02 Fall to Start 4.1E-03 Fail to Run 2E 03 Fall to Run Notes: (1) Failures to start, open, close, operate, or transfer are probabilities of failure on demand. The other failures represent frequencies expressed per hour.

Table 2-2 shows that the plant-specific probabilities for diesel generator and motor-l driven pump start failures are one order of magnitude lower than the corresponding NUREG/CR-4550 data. On the other hand, the plant specific probability for a motor-driven pump run failure is approximately a factor of three higher than the NUREG/CR-l 4550 data. The plant-specific failure probability for the steam-driven AFW pump to start is about a factor of 4 lower than NUREG/CR-4550 data. Most of the other plant l

data listed in Table 2-2 are consistent with NUREG/CR-4550 data.

l As previously discussed in Subs .. tion 2.2.1 of this report, plant-specific data were also used to support the quantification of initiating event frequencies.

4 I

P 20

2.3.4 .Use of Generic Date.

I Generic data were used when plant specific data could not be obtained. The

-assignment of generic data was based on a set of data previously assembled by SAIC for use in commercial nuclear power plant PRAs.' (pp. 3.3-1, 3.3-2 of submittal]

We performed a comparison of IPE generic data to generic values used in the NUREG/CR-4550 studies (NUREG/CR 4550, Methodology). This comparison is summarized in Table 2-3. [pp. 3,3-14 to 3.3-19 of submittal)

Table 2-3. Generic Component Failure Data' i

NUREG/CR 4550 Mean Value l Component IPE Mean Value Estimate Estimate :

Turbine Driven Pump 2.6E-02 Fail to Start 3E 02 Fail to Start 8.9E-05 Fail to Run SE-03 Fall to Run 4.8E 03 Fail to Start 3E-03 Fall to Start Motor Driven 8.4E-05 Fail to Run 3E-05 Fail to Run l Pump 6.0E-03 Fail to Close 3E-03 Fail to Operate Motor Operated Valve 5.1E 03 Fail to Open l Check Valve 1.4E-04 Fail to Open 1E-04 Fail to Open f 7.8E 06 No output 1E 06 Fail to Operate l Battery Charger 1.9E 06 No Output 1E 06 Failure (unspecified mode)

Battery 2.9E-05 No output 1E 04 Failure (unspecified mode) inverter !

1.2E-03 Fail to Operate 3E-03 Fall to Transfer 9ircuit Breaker 1.8E 02 Fail to Start 3E-02 Fail to Start Diesel Generator 2.2E 03 Fail to Run 2E-03 Fail to Run 1.2E-05 Plugs 3E-05 Plugs Service Water Strainer 2.1E-06 Fault 2E 06 Short or Open Transformer (KV) 1.5E-06 Fail to Respond 1E-06 Fall to Operate Transmitter 1.8E-06 Fall High/ Low (Temp. transmitter)

Notes: (1) Failures to start, open, close, operate, or transfer are probabilities of failure on demand. The other failures represent frequencies expressed per hour.

The data in Table 2-3 show that the generic failure probability for a turbine-driven pump to run is over an order of magnitude lower than the NUREG/CR-4550 data. The generic failure probability for an inverter is approximately a factor of three lower than the NUREG/CR-4550 data. The remaining generic and NUREG/CR-4550 data listed in Table 2-3 are consistent.

The submittal does not provide a formal reference for the SAIC databasa.

21

Generic maintenance unavailabilities were estimated by assuming that the maintenance unavailability of a particular component was 10 times the catastrophic failure rate used in NUREG/CR-4550. Table 3.3-2 of the submittallists all of the maintenance unavailability data, both generic and plant-specific. However, the specific data sources (plant-specific or generic) are not provided for the entries in this table.

The analysis applied unavailabilities in the system fault. trees at the train level, since maintenance on a component in a given train will typically cause the entire train to become unavailable. [pp. 3.3-4, 3.3-10 to 3.3-13 of submittal) l As previously discussed in Subsection 2.2.1 of this report, generic data were also used to support the quantification of initiating event frequencies.

2.3.5 Common Cause Quantification.

The beta factor method was used to quantify common cause failures. The estimation f l

of common-cause failure probabilities was based on the procedure presented in NUREG/CR-4780 and data presented in an EPRI report [EPRI 3967). As noted in the submittal, the EPRI reference document (EPRI 3967) does not provide sufficient detail to allow the estimation of a beta factor for each failure mode of interest. Rather, this data source only provides a generic component beta factor that was assumed to be applicable to each failure mode. The common cause events used in the modeling process were incorporated into the f ault tree models. [pp. 3.3 5, 3.2-7, 3.3-4, 3.3-5 of submittal]

Common cause beta factors were determined for the following component groups:

diesel generators, motor-driven pumps, motor operated valves (MOVs), and batteries. ;

However, the IPE did not include common caur.e failures of some other component '

groups that have been modeled in some other iPE!PRA studies, specifically: circuit breakers, electrical switchgear, air-operated vabes (AOVs), check valves, fan cooler units, ventilation fans, and air compressors. Also, the IPE does not include a common cause event representing the failure of service water or other pumps to restart (such as following the loss of norroal power). [pp. 5-7 of RAI Responses, p. 3.2 7 of submittal, p. 3-58 of NUREG/CR-4780)

The licensee states that common cause failures of circuit breakers, electrical switchgear, air-operated va;ves (AOVs) and air compressors were not modeled because these components are not listed in the NUREG/CR-4780 database of generic beta factors. Thus, the lack of common cause data for these components strongly suggests that they need not be modeled. (p. 6 of RAI Responses]

The licensee further states that check valves, chillers, fans and the re-start of service r water pumps will be included in the ANO-2 living PRA model. However, the licensee does not expect that these additional common cause events will identify vulnerabilities l j

or significantly increase the CDF. For example, common cause failures of check l valves are not expected to be risk significant because: (1) check valves generally 22

occur in series with either a pump or MOV, (2) common cause failures have been _

modeled for both pumps and MOVs, and (3) the random failure rate of check valves is much smaller than the failure rate for pumps or MOVs. Commo'1 cause failures of

chiller units or room coolers are not expected to be significant contributors to risk because: (1) the only room coolers required for success in the IPE model were those

, in the shutdown heat exchanger (SDHX) rooms, (2) each of the 2 SDHX rooms has 3 j redundant coolers, (3) 2 of the redundant coolers supporting a SDHX room is J autcmatically actuated, while the third is manually actuated, and (4) all 6 fan coolers would have to fail as only one is required for success. Common cause failures of l containment fan cooler units are not expected to be risk significant because: (1) failure l

of 3 of 4 fan cooler units would be required to disable the containment fan cooler function, and (2) the containment spray system provides redundancy to the

{-

containment fan cooler units with regard to containment heat removal. Finally, the l

common cause failure of service water pumps to restart is not expected to be risk

significant because: (1) the potential for pump re-start failures will only occur during l

accident conditions involving loss of normal power, (2) pump re-start failure l

probabilities are expected to be significantly lower than pump standby start failure, as j pumps awaiting re-start are not subject to passive failures that would occur during a prolonged standby state. [pp. 6,7 of RAI Responses]

f We performed a comparison of IPE common cause beta factor:: with generic values

used in the NUREG/CR-4550 studies. This comparison is summarized in Table 2-4.

I Table 2-4. Comparison of Common-Cause Failure Factors Component IPE Beta Factor From Submittal NUREG/CR 4550 Mean Value Table 3.3.4.1 Beta Factor SWS Pump 0.03 Fail to Run 0.026 (2 of 2) Fail to Start CCW Pump 0.03 Fail to Run 0.026 (2 of 2) Fail to Start LPSIPump 0.11 (2 of 2) Fail to Start d.15 (2 of 2) Fail to Start 0.11 (2 of 2) Fall to Run HPSIPump 0.17 Fail to Start 0.21 (2 of 2) Fail to Start 0.17 Fail to Run Containment Spray Pump 0.05 (2 of 2) Fail to Start 0.11 (2 of 2) Fail to Start 0.05 (2 of 2) Fail to Run 0.008 Fail to Open 0.088 (2 of 2) Fall to Open MOV 0.008 Fall to Close Diesel Generator 0.05 (2 of 2) Fail to Start 0.038 (2 of 2) Fall to Start 0.05 (2 of 2) Fail to Run As shown in Table 2-4, the common-cause beta factors used in the IPE are generally consistent with NUREG/CR 4550 data.

23 I

I

, 4

l l

I 2.4 Interface issues This section of the report summarizes our review of the interfaces between the front-end and back end analyses, and the interfaces between the front end and human factors analyses. The focus of the review was on significant interfaces that affect the ability to prevent core damage.

2.4.1 Front End and Back End Interfaces.

The ANO-2 plant has 4 reactor building cooling (RBC) units and 2 containment spray trains that provide containment cooling functions. The RBC units receive external cooling from the service water system. Heat from the containment spray system is also removed via the service water system during containment spray flow through the shutdown cooling heat exchangers. The front-end analysis considers the status of containment cooling in instances where it is required to support core cooling. [pp. A-18 to A-24, A-109 to A-111 of submittal]

The Level-1 endstates were collapsed into a set of representative plant damage states ;

(PDSs) for investigat!cn of containment response. A bridge tree approach was used to support the PDS binning process. The PDS binning process appears cors: stent with other IPE/PRA studies. A set of 32 collapsed PDSs were utilized in the back-end portion of the analysis. [pp. 3.1-38, 3.1-39, 4.3-1, 4.3-12 of submittal]

2.4.2 Human Factors Interfaces.

Human actions important to the analysis based on the Fussell-Vesely importance measure include: failure to accomplish actions to restore offsite power, failure to trip RCPs in 30 minutes after CCW lo'ss, and failure to re-align 125 VDC bus 2002 or 2D01 to the swing battery charger. Another human event important to the analysis is failure to initiate feed and bleed (once-through cooling). [p. 3.5-36, Table 3.4-1 of submittal)

The contribution of SGTR is estimated to be 9.5E-08/yr, or 0.28% of the CDF. In other PWR IPE/PRA studies, the SGTR CDF contribution typically ranges from 1% to 5%. The licensee states that the comparatively low SGTR CDF may be attributed to credit taken for isolating the affected steam generator by using valves other than the MSIVs.' If credit for this method.of steam generator isolation is not taken, the ANO 2 SGTR CDF contribution would be about 2.65% of the CDF. The event representing this alternate isolation activity, "QOTHERSDBC" was quantified with a failure

' In the event MSIV isolation of the fai!ed steam ganerator is not accomplished, downstream secondary system valves (such as the turbine bypass valve) would be used to peorm the MSIV isolation function. The good steam generator would be used to perform a reactor coofdown such that the pressure in the failed steam generator falls below the secondary side relief valve set points. Once this condition is reached, the f ailed steam generator will be completely isolated. [NRC Phone Conv.]

24

probability of 2.25E-02. [p. 4 of RAI Responses, pp. 3.1-36, 3.4-9, Table 3.1-4 of submittal]

A general flood non recovery human error of 1.0E-02 was applied to all large floods (greater than 1,000 gpm) during the refinement of scenarios with frequencies above the screening threshold. This non-recovery factor is stated to account for operator actions to stop a large flood during the 0 to 20 minute time frame after flood initiation but before a critical set of equipment is f ailed leading to core damage. (p.- 3.6-7 of submittal]

2.5 Evaluation of Decay Heat Removal and Other Safety issues This section of the report summarizes our review of the evaluation of Decay Heat Removal (DHR) provided in the submittal. Other GSI/USls, if th: were addressed in the submittal, were also reviewed.

. 2.5.1 Examination of DHR.

The licensee selected a classification scheme to rank DHR vulnerability. This scheme was based on preliminary guidance used by NRC staff in NUREG-1289 (p. 2-7) that involves the frequency of core damage due to failure of the DHR function. [NRC Phone Conv.] The ranking scheme used by the licensee is summarized below in Table 2-5 of this report. [pp. 3.7-10 to 3.7-12 of submittal]

Table 2-5. Classification of DHR Vulnerability DHR Vulnerability Classification Criteria for mean CDF due to Category DHR failure Acceptably small or reducible to an < 3E-05/yr 1

acceptable level by simple improvements Performance characteristics intermediate >3E-05/yr but <3E-04/yr 2

between Categories 1 and 3 Prompt action to reduce DHR-related CDF >3E-04/yr 3

is necessary The CDF calculated per the NRC's definition of DHR is 3E-05/yr, and thus falls into category 2 of the NRC's vulnerability classification scheme. With credit for plant improvements (in particular a new on-site power source) the DHR contribution to CDF is significantly reduced. A sensitivity study showed that the new power source reduces the total CDF by approximately 50%, and reduces the DHR contribution to roughly 1.5E-05/yr, within the " acceptably small' range. Consequently, the licensee concluded that ANO-2 has no unique DHR vulnerabilities. [p. 3.7-12 of submittal]

25

1 l

2.5.2 Diverse Means of DHR.

The IPE considered the diverse means for accomplishing DHR, including: use of the power conversion system, feed and bleed, auxiliary feedwater, and ECCS. Cooling for the RCP seals was considered. In addition, containment cooling was addressed.

2.5.3 Uniaue Features of DHR.

The unique features at ANO-2 that dire , impact the ability to provide DHR are as follows: [pp.6-12 of submittal]

. Ability to oerform feed and bleed once-throuah coolina. The plant has a once-through feed and bleed capability even though it has no power-operated relief valves (PORVs). Once-through cooling can be accomplished by opening the pressurizer emergency core cooling system (ECCS) vent valves (high point vent line) or Low Temperature Overpressure Protection (LTOP) valves, and injecting coolant via the high pressure safety injection (HPSI) pumps. This design feature lowers the CDF by providing an alternative method of core cooling given unavailability of feedwater.

Automatic switchover of ECCS from iniection to recirculation. This design feature tends to decrease the CDF over what it would otherwise be with a manual system.

. Service water backuo to EFW oumos suction. The service water system provides an additional means of supplying water to the EFW pumps. This design feature tends to lower the CDF.

. Reactor buildina coolina units (RBCUst Four RBCUs are available to provide containment cooling, and indirectly help maintain core cooling. The RBCUs provide a means of performing containment cooling that is independent of the containment spray system. This design feature tends to decrease the CDF.

2.5.4 Other GSI/USIs Addressed in the Submittal.

The IPE was used to resolve two GSts beyond USl A-45, specifically GSI-23,

' Reactor Coolant Pump Seal Failures' and GSI-105, " Interfacing Systems LOCA at LWRs."

The licensee concludes that installation of the new alternate AC power source makes I the contribution of RCP seat-related CDF acceptably low to resolve GSI-23. This conclusion is based on a comparison of analysis results with NRC generic goals,

The NRC has recently decided to drop any further rulemaking activities related to RCP seal

' !!t, this item has been eliminated as a Generic issue.

LOCAs [Gi-23 Memo). As a re 26

along with the fact that the RCP seal failures represent a small contribution to the overall plant CDF. [p. 3.7-15,3.7-26 of submittal]

Regarding GSI 105, the licensee estimates that the total mean frequency of an ISLOCA is 3.3E-07/yr, or approximately 1% of the overall plant CDF. To further reduce the ISLOCA contribution from RCP seal tube rupture, the licensee willinstall a relief valve to provide a path for RCS inventory to be directed inside rather than outside containment. With this enhancement, the total ISLOCA contribution is expected to drop to 1.3E-07/yr. The licensee uses Nuclear Management and Resource Council (NUMARC) guidance {NUMARC 91-04] to conclude that the ISLOCA accident frequency is low enough to resolve GSI-105. [pp. 3.7-15 through 3.7-19 of submittal) 2.6 Intemal Flooding This section of the report summarizes our reviews of the process used to model internal flooding and of the results of the analysis of internal flooding.

2.6.1 Internal Floodina Methodoloav.

The flooding analysis included consideration of adverse effects from submergence, liquid Jets, and spray. Other hazards were specifically stated as being outside the scope of the analysis, for example pipe whip, and steam impingement. Plant walkdowns were used to support the analysis. [p. 3.6-2 of submittal]

The development of flooding scenarios was based on flooding sources, flood l

propagation, and key equipment locations. Because of the lack of sufficient plant-

! specific data, industry data were used to develop flood zone initiation screening frequencies. Scenarios with a quantitative preliminary screening or cutoff frequency greater than 1.0E-06/yr were further evaluated. Refined analysis bases and l

assumptions were used in this additional evaluation, including the use of historical flood data that included flood events due to human error as well as pipe breaks. The final scenario frequency screening involved a number of activities, including additional studies of liquid height versus time, and additional flood-specific recovery actions. The plant was divided into 78 distinct flood zones to support the flooding study. The turbine trip initiating event tree structure was utilized in the flooding analysis. [pp. 3.6-1 through 3.6-8 of submittal]

The licensee extracted frequencies for inadvertent actuation of fire protection systems l

i from NUREG/CR-5580. The submittal does not appear to identify the data sources used to quantify other flood related initiating events. {p. 3.6-5 of submittal]

A general flood non-recovery human error of 1.0E-02 was applied to alllarge floods (greater than 1,000 gpm) during the refinement of scenarios with frequencies above the screening threshold. This non-recovery factor is stated to account for operator 27

i actions to stop a large flood during the 0 to 20 minute time frame after flood initiation but before a critical set of equipment is failed leading to core damage. [p. 3.6-7 of submittal}

2.6.2 Internal Floodina Results.

Only one flood scenario remained greater than the 1.0E 06/yr CDF screening value after the preliminary screening analysis. This scenario involves a flood originating in zone 2040 JJ, a large area of the reactor auxiliary building located one level above the auxiliary building basement. The CDF estimate of flooding in this zone was further reduced to 5.2E-07/yr through further analysis refinements. This flood scenario involves a turbine trip followed by the loss of all feedwater and loss of feed and bleed cooling. [pp .3.6-12, 3.613 of submittal]

While the initial flood fmquency screening was performed with generic failure rates, I

applicable plant specific data were used in the final quantification of the flooding scenario for zone 2040-JJ described above. It is the judgment of the ANO-2 IPE analysts that the insights of the flooding analysis would not significantly change with a more extensive use of plant-specific data. A limited comparison of CDF frequencies for selected zones demonstrated that the impact of using plant-specific data was generally a CDF increase ranging from a factor of near 1.0 to 2.5. [p. 3.6-14 of submittal] \

The submittal does not provide an overall estimate of the CDF related to internal flooding. In addition to the dominant flooding scenario described above, the submittal lists 67 other sequences that have estimated frequencies less than 1E-06/yr. An additional 10 sequences have frequencies listed as zero. [pp. 3.6-34 to 3.6-37 of submittal)

The CDF values from the flooding screening analysis were not added to the CDF contributions from the other internal event scenarios in the IPE. This decision was '

made for the several reasons, including the following: [p. 3.614 of submittal]

No new sequence types were identified as a result of the internal flooding study !

+ !

= The internal flooding results were judged to be much more " conservative" than results for the remainder of the IPE analysis

. The level of detail used in the flooding analysis is sufficient to conclude that the flooding-related CDF is !:>w.

2.7 Core Damage Sequence Results This section of the report reviews the dominant core damage sequences reported in the submittal. The reporting of core damage sequences- whether systemic or functional- is reviewed for consistency with the screening criteria of NUREG-1335.

The definition of vulnerability provided in the submittal is reviewed. Vulnerabilities, 28

enhancements, and plant hardware and procedural modifications, as reported in the submittal, are reviewed. ,

2.7.1 Dominant Core Damaae Secuences.

The IPE utilized functional event trees, and reported results using the screening criteria from Generic Letter 88 20 for functional sequences. The total point estimate CDF for ANO-2 is 3.4E-05/yr, excluding internal flooding. As previously explained in Subsection 2.6.2 of this report, internal flooding was screened from the analysis. [pp.

3.5-11, 3.7-1, 3.7-22 of submittal]

Accident types and initiating events that contributed the most to the CDF, and their percent contribution, are listed in Tables 2-6 and 2-7. The data in Table 2 6 were derived from results presented in Figure 1.4-1 of the submittal. The data in Table 2-7 were extracted from submittal Tables 3.3-6,3.5.4-7A, and B.31 (for ATWS initiating event data). [p.' 4 of RAI Responses, pp. 3.3-23, 3.5-59, 3.7-21 B-5, B-24 of submittal}

Table 2-6. Accident Types and Their Contribution to Core Damage Frequa" /

Accident Type CDF (per yr) % Cont. to r 2.9E-05 84 Transient (non-SBO) 2.8E 06 8.1 LOCAs 1.2E-06 3.5 Station Blackout 1.0E-06 3.0 ATWS 3.4 E-07 1.0 ISLOCA 5.1 E-08 0.3 SGTR screened out screened out intemal Flooding >

The contribution of SGTR is estimated to be 9.5E-08/yr, or 0.28% of the CDF. In other PWR IPE/PRA studies, the SGTR CDF contribution typically ranges from 1% to 5%. The licensee states that the comparatively low SGTR CDF may be attributed to credit taken for isolated the affected steam generator by using valves other than the MSIVs." If credit for this method of steam generator isolation is not taken, the ANO-2 SGTR CDF contribution would be about 2.65% of the CDF. [p. 4 of RAI Responses, pp. 3.1-36, 3.4-9, Table 3.1-4 of submittal]

" In the event MSIV isolation of the failed steam generator is not accomplished, downstream secondary system valves (such as the turbine bypass va've) would be used to perform the MSIV isolation function. The good steam generator would be used to perform a reactor cooldown such that the pressure in the failed steam generator falls below the secondary side relief valve set points. O this condition is reached, the failed steam generator will be completely isolated. (NRC Phone Conv.)

29

4 1 l l I

s Table 2-7. Initiating Events and Their Contribution to Core Damage Frequency e

I initiatina Event CDF (per vr) % Cont to CDF j Loss of DC Bus 2001 9.8E-06 29 Reactor Trip 6.0E 06 17 Loss of 4,160 V AC Bus 2A3 3.2E-06 9 j

]

i Turbine Trip .. 2.9E-06 8 l

1 Total Loss of Service' Water Flow 2.1 E-06 6 Loss of Offsite Power 2.0E-06 6

,)

Medium LOCA 1.7E-06 5 3

Small LOCA 1.7E 06 5 1.4 E-06 4 Large LOCA

't 1.1 E-06 3

Loss of DC Bus 2002 Loss cf Power Conversion System 1.0E-06 3 i j' !

~

ISLOCA 3.4E-07 1 Loss of Service Water Pump 2P4A Train 2.1E 07 0.6 f

Loss of Service Water Pump 2P4B Train 2.0E-07 0.6 1.9E 07 0.6 ;

Loss of 480 VAC Load Center 285 f 1.2E 07 0.3 -

1 j

! Loss of 480 VAC Load Center 286

! 9.5E-08 0.3 SGTR Loss of 4,160 VAC Bus 2A4 5.8E-08 0.2 i

1.9E 09 0.005 l Excessive Feedwater I 1.1E-09 0.003 1 Steamline/Feedwater Line Break Loss of a DC bus represents a relatively large contributor to CDF because this f l

! condition (1) can lead to loss of all main feedwater, (2) causes partial loss of EFW, and (3) completely falls feed and bleed, as power from both DC buses is required to j l

open the ECCS vent valves,or LTOP valves. [pp. 3.7-2,3.7-3 of submittal) t Station blackout is a relatively small contributor to CDF because of (1) an RCP seal l' LOCA model that excludes the possibility of RCP seal LOCAs occuring during stauon j blackout conditions, (2) an 8-hour battery life, and (3) diesel generators that are an order of magnitude more reliable in their starting function compared with generic data.

i A list of the functional core damage sequences is provided in Table 3.7-1 of the j submittal, in decreasing order of CDF contribution. These sequences represent the 7

functional groups that were judged by the licensee to meet at least one of the 1

30 t

screening criteria for reporting per Generic Letter 88 20. These 7 functional sequences are summarized below in Table 2-8 of this report. [pp. 3.7-1 to 3.7-7, 3.7-21 of submittal]

Table 2-8. Dominant Functional Sequence Groups initiating Event / Functional Sequence Dominant Subsequent % Contribution to identifier Failures in Sequence Total CDF Transient (TBF) Loss of secondary heat removal, failure of 74 once-through cooling in injection phase Transient (TBX) Loss of secondary heat removal, failure of 6 once-through cooling in recirculation phase Medium LOCA (MX) Loss of heat removalin the recirculation 4 phase Transient (TQX) Induced LOCA, loss of heat removalin the 4 recirculation phase Large LOCA (AU) Failure to obtain adequate coolant injection 3 Loss ot aeat removal'in the recirculation 3 Small LOCA (SX) phase ISLOCA (ISLOCA) Loss of effective inventory makeup from the 1 containment sump As shown in Table 2-8, the dominant functional sequence (TBF) involves a transient initiator with subsequent failuru of core heat removal, including the failure of feed and bleed in the injection phase. The licensee has divided sequence TBF into subgroups as shown below in Table 2-9. [pp. 3.7 2,3.7-23 of submittal]

Table 2-9. Subgroupings for Sequence TBF Initiating Event, Sequence Dominant Subsequent Approx. % of TBF Identifier Failures in Sequence Sequence Independent failure of the unaffected EFW train 48 Loss of a DC Bus (TBF-1)

Depletion of station batteries leading to failure of 20 Loss of AC Bus (TBF 2)

EFW Failure of the offsite power fast transfer and 28 Transient (TBF 3) ,

failure of associated EDG leading to depletion of station batteries which induces failure of EFW Loss of MFW followed by failure of a 480 VAC 1 Transient (TBF-3A) bus with depletion of station batteries leading to failure of EFW ;

Unspecified Transient (TBF-4) Station blackout sequences involving EDG failure, 3 r

EFW failure and once tt. rough cooling failure l

l 31 i i

I

The transient sequence TBF-3 listed in Table 2 9 involves a reactor trip and subsequent loss of offsite power. As previously noted, the unit auxiliary transformer (AT) powers plant loads during normal operation. On a plant trip, power is transferred from the AT to one of two startup transformers (STs). The failure of successful transfer to an ST will result in a LOSP condition. Transfer to an ST can be disabled if circuit breakers do not function properly.

i Finally, the licensee performed a Fussell Vesely importance analysis of non-initiating

events. The dominant events from this importance measure are listed below: [pp.

3.4-8, 3.4-9, 3.5-36, A-29 of submittal]

. Operators fail to align offsite power to 4,160 VAC Bus 2A1 or 2A2 after failure of post trip auto-realign

. Operator fails to trip RCPs in 30 minutes after CCW loss

. Battery 2D11 discharged

. Operator fails to realign 125 VDC Bus 2D02 or 2D01 to swing battery charger

. EFW pump train A (turbine-driven) fails to deliver flow (passive faults) 2.7.2 Vulnerabilities.

The licensee adopted the NUMARC methodology [NUMARC 91-04] for vulnerability screening. Based on this methodology, the licensee selected the following definition of a plant-specific vulnerability:

. Front-end sequence groups with a valid mean CDF greater than 1E-04/yr, or

. Containment event tree (CET) endstate groups involving containment ;

failure / bypass that have a valid mean CDF greater than 1E-05/yr. j 1

No vulnerabilities were identified for either the front-end or backend portions of the j analysis. [pp. 3.7-8 through 3.7-10,4.9-6 of submittal]

2.7.3 Prooosed Imorovements and Modifications.

Plant improvements and enhancements were suggested in conjunction with the IPE.

The licensee provided the current status of each of these improvements, and was also able to provide CDF impact estimates for two of the improvements. The IPE took credit for only one improvement, specifically the installation of the AFW pump. The proposed plant improvements, current status (and CDF impact if available) are summarized below: [pp. 9,18 of RAI Responses, pp. 6-1 to 6-18 of submittal]

Potential Procedural imorovements

. Modifv Loss of Servict ..ar Procedure. The main objective of this enhancement would be to avoid containment f ailure in the event service water l

32 1

f

I is lost by avoiding unnecessary operation of containment spray aad LPSI l pumps to limit room heatup rates. The service water system provides room cooling for these pumps. This enhancement is currently under evaluation. )

)

. Modifv Shutdown Coolina Svstem Procedure. This enhancement would include an additional check (local verification) that the shutdown cooling suction line isolation valves are closed. This action would reduce the potential for an ISLOCA via this path. This enhancement was implemented on March 15,1993.

. Modifv Station Blackout Procedure. This enhancement would assure that a l small unisolated leak path (3/4'line) in the containment atmosphere monitoring system does not remain open in the event a station blackout occurs. This line I has two remotely operated valves in series that fail open on the loss of power.

The proposed procedure modification would be to add a requirement that a manual isolation valve in this line be closed. This enhancement was implemented on March 3,1993.

. Modifv EOPs for EFW Flow Control. The purpose of this modification would be to compensate for the arrangement of power and control to EFW pump discharge valves. In some failure combinations, the EFW isolation valves can be isolated to both steam generators from the only operating EFW pump. This enhancement was implemented on February 15,1993.

. Modifv Dearaded Power Procedure. This modification would assure that a small unisolated leak path (2' line) in the containment vent header line to the waste gas surge tank does not remain open in the event a loss of ' red' train AC power occurs. This line has two remotely-operated valves in series, an MOV and AOV. The MOV will fail open on loss of " red' train power, while the AOV is designed to close on loss of instrument air or DC power to its solenoid. ]

The independent failure of the AOV to close would result in a containment l l

bypass path. The proposed procedure modification would be to add a requirement that the MOV or a manual isolation valve in the line be manually closed. This enhancement was evaluated on March 3,1995 and determined to have already been incorporated into existing procedures. Therefore, no !

additional procedure changes were required.

. Fuel Transfer Tube 5eal Protection (Severe Accident Manaaement Guidelinest ,

The potential for a high temperature induced failure of the fuel transfer tube flange seals was identified as a concern for severe accidents involving high pressure melt ejection events. One option suggested in the submittal would involve flooding the tube in the event of a core damage event. This action would help cool the transfer tube flange and its seals. A follow-up review determined that failure of the fuel transfer tube seals does not lead to containment failure, and this item is no longer considered risk-significant.

33

J Potential Hardware (morovements l l

= Removal of Reactor Vessel Cavity Check Valve Internals. A reactor cavity '

check valve provides a means of ensuring that water inadvertently introduced into the vessel cavity does not pool up below and around the reactor vessel. !

' Water buildup below and around the reactor vesselis a potential pressurized j thermal shock concern. Removal of the check valve internals would improve the potential for cooling communication between molten core debris in the l bottom of the cavity and water on the containment floor. However, this potential modification would have to be weighed against any pressurized thermal shock !

concerns. This potential modification is currently under evaluation.

. Reconfiaure CCW lsolation Valve or Additional CCW Relief Caoacitv. This enhancement would address the potential for an ISLOCA caused by the rupture of a RCP seal cooler CCW tube. In the present configuration, the inboard '

containment isolation valve is oriented such that high RCS pressure will force the valve off its seat preventing the valve from holding RCS pressure. A re-orientation of the inboard isolation valve may be desirable to oppose potential flow from the RCS. The installation of additional relief capacity between the inboard isolation valve and the containment penetration could also reduce the j

potential for an ISLOCA condition. A modification (apparently involving additional relief capacity) was completed in October 19,1992. l

. New Attemate AC (ACC) Power Source. This improvement was implemented ;

in December,1994. This power source is independent of service water (alt ,

~

cooled) and has separate batteries. The licensee estimates that this new power ;

source decreases the CDF by 43% This power source will help decrease the !

frequency of accidents involving LOSP, including the transient induced LOSP events previously described in Table 2-9 of this report. j

. New Auxiliarv Feedwater Pumo. This improvement was implemented in April l i

1991. The licensee estimates that this new pump will decrease the CDF by 25 While the IPE identified the. alternate power source described above as a potential j

improvement, the installation of this power source was actually made in response to the Station Blackout Rule. The licensee states that no other plant changes were j

made in response to the Station Blackout Rule. Finally, while the iPE also identified l

the new AFW pump described above as a potentialimprovement, actual pump installation was made in response to GI-124, " Auxiliary Feedwater System Reliability." l 1

34 i

s l

i

. 3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS l This section of the report provides an overall evaluation of the quality of the IPE based on this review. Strengths and weaknesses cf the IPE are summarized. Important l assumptions of the model are summarized. Major insights from the IPE are presented. j Strengths of the IPE are as follows: The evaluation and identification of plant-specific initiating events is thorough compared to some other IPE/PRA studies.

Weaknesses of the IPE are as follows: The number of equipment types analyzed in the common cause analysis is more limited than in some other IPE/PRA studies. i Based on our review, the following aspect of the IPE modeling process have an impact on the overall CDF ,

a RCP seal LOCAs will not occur during a station blackout.

l This aspect of the analysis tends to reduce the CDF.

l Significant findings on the front-end portion of the IPE are as follows. l 1

. Loss of a DC bus represents a relatively large contrib' utor to CDF because this condition (1) can lead to loss of all main feedwater, (2) causes partial loss of EFW, and (3) completely fails feed and bleed, as power from both DC buses is required to open the ECCS vent valves or LTOP valves.

. Station blackout is a relatively small contributor to CDF because of (1) an RCP seal LOCA model'8 that excludas the possibility of RCP seal seal LOCAs occuring during station blackout conditions, (2) an 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months battery life, and (3) diesel generators that are an order of magnitude more reliable in their starting function compared with generic data.

. Without credit for feed and bleed cooling, the CDF would increase by 536%

(from 3.4E-05/yr to about 2.1E-04/yr).

i

The IPE RCP seal LOCA model is based on several factors, including previous test results, plant experience at CE reactors, and the f act that each of the four seats in a given RCP is designed for fu!!

reactor coolant system (RCS) pressure conditions.

35

N

4. DATA

SUMMARY

SHEETS This section of the report provides a summary of information from our review.

Initiatina_ Event initiating Event Frequency per Year Turbine trip 0.76 Loss of power conversion system 0.25 Loss of off-site power 5.84E-02 Excessive feedwater 9.4E-04 Steamline/feedwater line break 1.10E-03 Reactor trip 2.03 Totalloss of SW flow 5.45E-03 Loss of SW pump 2P4A train 7.38E-02 Loss of SW pump 2P4B train 7.38E-02 Loss of DC bus 2D01 3.94E-04 Loss of DC bus 2D02 3.94E-04 Loss of AC bus 2A3 3.94E-04 Loss of AC bus 2A4 3.94E-04 Loss of 480V Load Center 2B5 1.04E 03 Loss of 480V Load Center 2B6 1.04E-03 Small LOCA 5.00E-03 Medium LOCA 1.00E-03 Large LOCA 1.00E 04 Steam generator tube rupture 9.77E 03

)

l Overall CDP The total point estimate CDF for ANO-2 (exclusive of flooding) is 3.4E 05/yr. The internal flooding CDF contribution was screened from the analysis.

Dominant Initiatina Events Contributina to CDF'8

)

1 Loss ot DC Bus 2D01 29%

Reactor trip 17%

Loss of 4,160 VAC Bus 2A3 9%

Turbira trip 8% i Totalloss of service water flow 6%

" Only the most dorninant initiating event contributors are listed here. A complete set of initiating event CDF contributors is provided in Table 2-7 of this report.

36 l

l Loss of offsite power (LOSP) 6%

Medium LOCA 5%

Small LOCA 5% .

Large LOCA '4%

Loss of DC Bus 2D02 3%

L Loss of power conversion system (PCS) 3*i ,

ISLOCA 1% '

l Dominant Hardware Failures and Ooerator Errors Contributina to CDF ,

Dominant hardware failures contributing to CDF include: ;

Battery 2D11 discharged l EFW turbine-driven pump fails to deliver flow (passive faults) l 4,160 AC breaker 152-122 fault module l Diesel generator 2DG1 fails to run !

Dominant human errors and recovery factors contributing to CDF include: j

, Failure to align offsite power to 4,160 buses after failed post-trip auto-realign l Failure to trip RCPs after CCW loss Failure to realign DC buses to swing battery charger {

Dominant Accident Classes Contributina to CDF j i

! Non SBO Transient 84 % J i

LOCAs 8.1 %

Station Blackout 3.5% ;

ATWS 3.0% !

ISLOCA 1.0% l SGTR O.15% - i internal Flooding screened out Desion Characteristics Imoortant for CDF l

. Ability to perform feed and bleed once-throuah coolina. The plant has a once-through feed and bleed capability even though it has no power-operated relief '

valves (PORVs). Once-through cooling can be accomplished by opening the pressurizer emergency core cooling system (ECCS) vent valves (high point vent line) or Low Temperature Overpressure Protection (LTOP) valves, and injecting coolant via the high pressure safety injection (HPSI) pumps. This design feature lowers the CDF by providing an alternative method of core cooling given unavailability of feedwater.

i i

k 37 i

!- g

f 1

1 . Transfer of non-essential oower sucolv from the unit auxiliarv transformer to a !

} startuo transformer on clant trio. The unit auxiliary transformer (AT) powers ;

j plant loads during . normal operation. On a plant trip, pcwer is transferred from j the AT to one of two startup transformers (STs). This design feature tends to ,

increase the CDF, because the failure of successful transfer to an ST will result ;

in a LOSP condition. ,

( +

I . Lack of a reauirement for HPSI oumo external coolina during iniection mode. i The HPSI pump seals require cooling water only in the recirculation mode. This design feature tends to decrease the CDF.

[

1 1 l

) . Robust desian of reactor coolant oumo (RCP) seals. The RCP seals are of a l~ special design stated to be highly resistant to leakage in the event external seal l 2 . cooling water is lost. This design feature lowers the CDF. l

., ?

! l

. Automatic switchover of ECCS from inlection to recirculation. This design ;

i j feature tends to decrease the CDF cver what it would otherwise be with a j manual system. j

. Elaht hour batterv lifetime. The batteries appear to have 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months lifetimes, even

! without the benefit of manual operator load shedding actions. The 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months j battery lifetime is longer than at some other PWRs. This design feature tends ;

! to lower the CDF. j i i

. . Deoendency of emeraency feedwater (EFW) oumos on heatina. ventilatina. and i air conditionina (HVAC). This design feature tends to increase the CDF. i

!- . Service water backuo to EFW o_ umos suction. The service water system l l

provides an additional means of supplying water to the EFW pumps. This ;

design feature tends to lower the CDF. 1

! 1

. Reactor buildina cooling units (RBCUs). Four RBCUs are available to provide

}

! containment cooling, and indirectly help maintain core cooling. The RBCUs

j. provide a means of pedorming containment cooling that is independent of the )

containment spray system. This design feature tends to decrease the CDF.

l.

~

! . Monitorina of low oressure safetv inlection (LPSI) check valve nerformance.

Pressure monitors are installed in the LPSI injection paths to reduce the potential for an interfacing systems loss of coolant accident (ISLOCA). This l

design feature tends to lower the CDF.

! Modifications j Plant improvements and enhancements were suggested in conjunction with the IPE.

] The licensee provided the current status of each of these improvements, and was also i

! 38 )

l' l l

' \

able to provide CDF impact estimates for two of the improvements. The IPE took l credit for only one improvement, specifically the installation of the AFW pump. The proposed plant improvements, current status (and CDF impact if available) are summarized below: i Potential Procedural Imorovements j i

= Modifv Loss of Service Water Procedure to Avoid Containment Failure From Unnecessarv Ooeration of Containment Sorav and LPSI Pumos. The service l water system provides room cooling for the containment spray and LPSI pumps. This enhancement is currently under evaluation.

l e Modifv Shutdown Coolina Svstem Procedure to include an Additional Check That the Shutdown Cooling Suction Line Isolation Valves Are Closed. This enhancement was implemented on March 15,1993.

. Modifv Station Blackout Procedure to Assure that a 3/4" Line in the l Containment Atmosohere Monitorina System is isolated Durina a Station Blackout This enhancement was implemented on March 3,1993. !

)

. Modifv Emeroency Ooeratina Procedures (EOPs) for EFW Flow Control to ,

Avoid Isolation of EFW Pumo Discharoe From Both Steam Generators. This enhancement was implemented on February 15,1993. j e Modifv Dearaded Power Procedure To Assure That a 2" Containment Vent Header Line is isolated Followina a Loss of " Red' Train AC Power. This >

enhancement was evaluated on March 3,1995 and determined to have already been incorporated into existing procedures. Therefore, no additional procedure ,

changes were required.

. Fuel Transfer Tube Seal Protection to Prevent Potential Containment Failure i

Durina High Pressure Melt Election Events. A follow-up review determined that failure of the fuel transfer tube seals does not lead to containment failure, and this item is no longer considered risk-significant.

. 1 Potential Hardware Imorovements ,

. Removal of Reactor essel Cavity Check Valve Internals to Imorove Coolina ;

i Communication Between Molten Core Debris and Water on Containment Floor. !

This potential modification is currently under evaluation.

l Additional CCW Relief Canacity to Mitiaate RCP Seal Cooler Tube Ruoture. }

This modification was completed in October 19,1992.

l 39 :

. New Alternate AC (ACC) Power Source. This improvement was implemented in December,1994. The licensee estimates that this new power source will decrease the CDF by 43%

. New Auxiliarv Feedwater Pumo. This improvement was implemented in April 1991. The licensee estimates that this new pump will decrease the CDF by 2%

While the IPE identified the alternate power source described above as a potential improvement, the installation of this power source was actually made in response to the Station Blackout Rule. No other plant changes were made in response to the Station Blackout Rule. Finally, while the IPE also identified the new AFW pump described above as a potential improvement, actual pump installation was made in response to GI-124, " Auxiliary Feedwater System Reliability."

Other US!/GSis Addressed The IPE was used to resolve two GSis beyond USl A-45, specifically GSI-23,"

" Reactor Coolant Pump Seal Failures' and GSI 105, " Interfacing Systems LOCA at LWRs.'

Sianificant PRA Findinas Significant findings on the front-end portion of the IPE are as follows:

. Loss of a DC bus represents a relatively large contributor to CDF because this condition (1) can lead to loss of all main feedwater, (2) causes partial loss of EFW, and (3) completely fails feed and bleed, as power from both DC buses is required to open the ECCS vent valves or LTOP valves.

. Station blackout is a relatively small contributor to CDF because of (1) an RCP seal LOCA model" that excludes the possibility of RCP seal seal LOCAs occuring during station blackout conditions, (2) an 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months battery life, and (3) diesel generators that are an order of magnitude more reliable in their starting function compared with generic data.

. Without credit for feed and bleed cooling, the CDF would increase by 536%

(from 3.4E-05/yr to about 2.1E-04/yr).

" The NRC has recently decided to drop any further rulemaldng activities related to RCP seal LOCAs (GI-23 Memo). As a result, this item has been eliminated as a Generic issue.

" The IPE RCP seal LOCA modelis based on several factors, including previous test results plant experience at CE reactors, and the fact that each of the four seals in a given RCP is designed for full reactor coolant system (RCS) pressure conditions.

40

'e

. . _ . - .__ . . . . .. . . ~ _ _ _ _ _ . . . _ . _ _ _ _ . _ _ _ _ _ _ _

l

REFERENCES L r j [ANO Letter) ANO Letter 2CAN108109 from D. C. Trimble (AP&L) to R. A. Clark (NRC), dated October 21,1981. j' l

[ANO 1 Calc) ANO-1 ATWS Scoping Report, Calculation 89-E-0047-26, Rev. O, July 24,1991. ;

l [ANO1 IREP] Interim Reliability Evaluation Program: Analysis of the Arkansas Nuclear '

l One-Unit 1 Nuclear Power Plant, NUREG/CR-2787, June 1982.

[Calvert Cliffs IREP) Interim Reliability Evaluation Program: Analysis of the Calvert .

Cliffs Unit 1 Nuclear Power Plant, NUREG/CR 3511, March 1984.

l

[CE 591) Best Estimate ATWS Scenarios and Success Criteria, CE NPSD-591-P, l October 1990. .

[DAEC IPE) Duane Arnold Energy Center Individual Plant Examination, November 1992.

[EPRI 801] ATWS: A Reappraisal Part 111: Frequency of Anticipated Transients, prepared by SAIC, EPRI NP-801, Interim Report, July 1978. i 1

[EPRI 2230) ATWS: A Reappraisal, Part 3: Frequency of Anticipated Transients, EPRI i l NP 2230, Interim Report, January 1982.

L [EPRI 3967) Classification and Analysis of Reactor Operating Experience involving ,

l Dependent Failures, EPRI NP-3967, June 1985.

[lPE Submittal) ANO-2 IPE Submittal, August 28,1992. 1 j [NRC Phone Conv.) Phone conversation on November 16,1995 between NRC RES l

! staff and Mike Lloyd (ANO 2). )

l

[GI-23 Memo) Issuance of Proposed Rulemaking Package on GI 23 Reactor Coolant Pump Seal Failure, Intemal Memo from John C. Hoyle (Secretary) to James M. Taylor (Executive Director for Operations), SECY-94 225, March 31,1995. j

[

l [NSAC 144] Losses of Off site Power at U. S. Nuclear Power Plants , All Years Through 1988 EPRI (Nuclear Safety Analysis Center), NSAC-144.

[NUMARC 91-04) Severe Accident issue Closure Guidelines, NUMARC Document i- 91-04, January 1992.

1 I

41

, i l.-.. - . -. . - , . - _ _ _ - . _ , -- !

[NUREG-1289 Regulatory and Back fit Analysis: Unresolved Safety issue A-45,

' Shutdown Decay Heat Removal Requirements, NUREG 1289, November 1988.

[NUREG/CR 5526] Analysis of Risk Reduction Measured Applied to Shared Essential Service Water Systems at Multi Unit Sites, NUREG/CR 5526, June 1991.

[NUREG/CR 4550, Methodology] NUREG/CR-4550, Vol.1, Rev.1, Analysis of Core Damage Frequency: Internal Events Methodology

[NUREG/CR 4550, Sequoyah] NUREG/CR-4500, Analysis of Core Damage Frequency: Sequoyah, Unit 1, Internal Events, Vol. 5, Rev.1, Part 2, April 1990.

[NUREG/CR 4780] Procedures for Treating Common Cause Failures in Safety and Reliability Studies, NUREG/CR-4780, Vols.1 and 2, January 1988.

[Oconee PRA] Oconee PRA: A Probabilistic Risk Assessment of Oconee Unit 3, NSAC-60, June 1984.

[RAI Responses] Letter from D. C. Mims, Entergy Operations, Inc., to NRC, 2CAN109502, October 2,1995.

[ SONGS PRA) (San Onofre 2 &3 PRA listed as under development in response to NRC Generic Letter 88-20 -material eventually used for SONGS IPE)

[UFSAR] Updated Final Safety Analysis Report for ANO-2

[Waterford PRA) Watedord Steam Electric Station Unit 3 Probabilistic Risk Assessment, Draft,1990. ,

e 42 t

a B

i APPENDIX B ARKANSAS NUCLEAR ONE, UNIT 2 !

TECHNICAL EVALUATION REPORT (HUMAN RELIABILITY ANALYSIS) l 1

i f

r i

i a

9 l

l

, i

CONCORD ASSOCIATES,INC. cura 94-o19-37 i

Systems Performance Engineers

ARKANSAS NUCLEAR ONE STATION UNIT 2

! TECHNICAL EVALUATION REPORT

. ON THE IPE SUBMITTAL

HUMAN RELIABILITY ANALYSIS i

i

FINAL REPORT !

l

) _ . . . . _ _ .. . ._ _

l J

by ;

j P.M. Haas

! l Prepared for U.S. Nuclear Regulatory Commission

] Office of Nuclear Regulatory Research Division of Systems Research 1

1 Draft Report, December,1994 Final Report, November,1995 e

11915 Cheviot Dr. 725 Pellissippi Parkway 6201 Picketts Lake Dr.

Herndon,VA 22070 Knoxville,TN 37932 Acworth,GA 30101 (703) 318-9262 (615) 675-0930 (404) 917-0690 t 4

ML20138F081

Contents

Text

SUMMARY

SUMMARY

SUMMARY

SUMMARY

Navigation menu

ML20138F081

Text

SUMMARY

SUMMARY

SUMMARY

SUMMARY

Navigation menu

Search