ML20138G346

Technical Evaluation Rept of IPE Submittal & RAI Responses for Three Mile Island,Unit 1
ML20138G346
Person / Time
Site: Three Mile Island
Issue date: 05/10/1996
From: Forester J, Lehner J, Musicki Z
BROOKHAVEN NATIONAL LABORATORY
To:
NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
Shared Package
ML20138G356 List:
References
CON-FIN-W-6449 NUDOCS 9611130065

TECHNICAL REPORT FIN W-6449 05/10/96

TECHNICAL EVALUATION REPORT OF THE IPE SUBMITTAL AND RAI RESPONSES FOR THREE MILE ISLAND, UNIT 1

Zoran Musicki
John Lehner
John Forester

Department of Advanced Technology, Brookhaven National Laboratory, Upton, New York 11973

Prepared for the U.S. Nuclear Regulatory Commission, Office of Nuclear Regulatory Research

Contract No. DE-AC02-76CH00016

CONTENTS

Executive Summary
1. Introduction
1.1 Review Process
1.2 Plant Characterization
2. Technical Review
2.1 Licensee's IPE Process
2.1.1 Completeness and Methodology
2.1.2 Multi-Unit Effects and As-Built, As-Operated Status
2.1.3 Licensee Participation and Peer Review
2.2 Front End Technical Review
2.2.1 Accident Sequence Delineation and System Analysis
2.2.2 Quantitative Process
2.2.3 Interface Issues
2.2.4 Internal Flooding
2.2.5 Core Damage Sequence Results
2.3 Human Reliability Analysis Technical Review
2.3.1 Pre-Initiator Human Actions
2.3.2 Post-Initiator Human Actions
2.4 Back End Technical Review
2.4.1 Containment Analysis/Characterization
2.4.2 Accident Progression and Containment Performance
2.5 Evaluation of Decay Heat Removal and Other Safety Issues and CPI
2.5.1 Evaluation of Decay Heat Removal
2.5.2 Other GSIs/USIs Addressed in the Submittal
2.5.3 Response to CPI Program Recommendations
2.6 Vulnerabilities and Plant Improvements
2.6.1 Vulnerability
2.6.2 Proposed Improvements and Modifications
3. Contractor Observations and Conclusions
4. References

TABLES

Table E-1 Accident Types and Their Contribution to the CDF
Table E-2 Dominant Initiating Events and Their Contribution to the CDF
Table E-3 Containment Failure as a Percentage of Total CDF
Table 1 Plant and Containment Characteristics for Three Mile Island Unit 1
Table 2 Comparison of Failure Data
Table 3 Comparison of Common-Cause Failure Factors
Table 4 Initiating Event Frequencies for TMI-1 IPE
Table 5 Accident Types and Their Contribution to the CDF
Table 6 Dominant Initiating Events and Their Contribution to the CDF
Table 7 Dominant Core Damage Sequences
Table 8 Dominant System Fussel-Vesely Importance Measures
Table 9 Important Operator Actions
Table 10 Containment Failure as a Percentage of Total CDF

EXECUTIVE SUMMARY

This Technical Evaluation Report (TER) documents the findings from a review of the Individual Plant Examination (IPE) for Three Mile Island, Unit 1. The primary intent of the review is to ascertain whether or not, and to what extent, the IPE submittal satisfies the major intent of Generic Letter (GL) 88-20 and achieves the four IPE sub-objectives. The review utilized both the information provided in the IPE submittal and additional information (RAI Responses) provided by the licensee, the GPU Nuclear Corporation, in the response to a request for additional information (RAI) by the NRC.

E.1 Plant Characterization

The TMI-1 Nuclear Power Plant is a 786 MWe, 2568 MWth, Babcock and Wilcox pressurized water reactor (PWR). The reactor coolant system (RCS) consists of the reactor vessel, two vertical once-through steam generators, 4 shaft-sealed reactor coolant pumps, an electrically heated pressurizer and interconnected piping.

The plant is operated by GPU Nuclear (GPUN), and started commercial operation in September 1974. There are no other operating units on site (TMI-2 has been decommissioned).

Design features at TMI-1 that impact the core damage frequency (CDF) relative to other PWRs are as follows:

1) The turbine driven main feedwater pumps will continue to run for most transients, as the pump flow output is automatically matched to the decay heat level.
2) The turbine driven EFW pump has a mechanical linkage for control, thus is not dependent on DC power for long term control in station blackout scenarios. However, the IPE takes no credit for this feature according to a discussion in Appendix B.1 which considers power recovery models.
3) There are two motor driven and one turbine driven EFW pump. The EFW system is automatically started and controlled. Tests done by GPUN show that none of the pumps need the bearing cooling system for a 24 hour operation.
4) The normal EFW suction source is the inventory in the condensate storage tanks (CSTs). Backup sources of EFW water are the river water, the demineralized water storage tanks and the condenser hotwell; however, none of these sources were credited in the analysis.
5) One pressurizer PORV and two safety valves can be utilized for makeup/HPI cooling (i.e., feed and bleed). This gives TMI-1 a diversity of options for makeup/HPI cooling. The PORV block valve is usually open. The PORV only depends on DC power and does not depend on instrument air or compressed nitrogen. The three makeup pumps (which are also the HPI pumps) can be used with either the PORV or safety valves.
6) The normally operating makeup (high pressure injection) pump (1B) is cooled by the Nuclear Services Closed Cooling Water (NSCCW) system, while the other two pumps are normally cooled by the Decay Heat Closed Cooling Water (DHCCW), with backup provided by the NSCCW. The normally operating makeup pump does not have backup cooling. The intermediate closed cooling system consists of two trains which, among other loads, provide thermal barrier RCP seal cooling. The Intermediate Closed Cooling Water (ICCW) coolers are cooled by the NSRW system. Thus there is redundancy in RCP seal cooling/injection systems; however, loss of Nuclear Services River Water (NSRW) will cause at least a temporary loss of all seal cooling/injection, as the NSRW is the ultimate heat sink for the NSCCW system.

7) Fire water can be used as backup cooling of the makeup/HPI pumps, by cooling the DHCCW to support operation of an HPI pump for seal injection.

8) The NSCCW is used to cool the RCP motor bearing; thus the operators are required to trip the RCPs following a loss of the NSCCW in order to prevent a seal LOCA. Note that NSCCW will be lost on steam/feedwater line break in the reactor building due to isolation upon reaching the 30 psig reactor building (RB) pressure setpoint. ICCW (providing thermal barrier cooling) will also be isolated in the same initiator and for the same reason.

9) RCP seal injection valve MUV-20 will close on loss of instrument air, as will the ICCW isolation valves (IC V3 and V4) which are in the path for thermal barrier cooling, i.e., all seal injection and cooling is lost and the RCPs will automatically trip. The operators are instructed to reopen or hold open MUV-20 on loss of instrument air.

10) The RCP seals use new high temperature O-rings which show a significantly reduced leakage potential following a loss of all seal cooling and injection.

11) The closed cycle cooling consists of three trains of the NSCCW (cooled by the three train NSRW system) and two trains of the DHCCW (cooled by the two-train DHRW system). (In addition, the secondary CCW and River Water (RW) systems cool the MFW pumps). Thus there is considerable redundancy in these systems. The NSCCW and the NSRW system provide cooling to the RB fan motors and RB fan cooler units, makeup pump 1B motor (and backup cooling to the makeup pump 1A and 1C motors), control building AC chillers and the intermediate service heat exchangers. The DHCCW and the DHRW systems provide cooling to the DHR coolers and the DHR pumps, the RB spray pumps and makeup pumps 1A and 1C (as well as backup cooling to makeup pump 1B).

12) The emergency power system at TMI-1 consists of three emergency diesel generators, including the EDG from Unit 2, added in response to the station blackout rule and called the SBODG. The SBODG has to be started manually, upon failure of the two regular EDGs, and can supply full power requirements of one train of engineered safety features. Cross ties exist between emergency buses.

13) The emergency diesel generators are air cooled, thus reducing dependency on support systems. The SBODG needs ventilation and also is dependent on firewater for cooling. The SBODG has dedicated 125 V batteries for starting; however, it needs station battery A in order to load onto either emergency bus.

14) The two station batteries have a depletion time of b hours, with proceduralized load shedding (assumed to always occur). Without shedding, a battery life of 2 hours results, for which a sensitivity study was done. Cross ties exist between DC buses. Each battery is connected to two chargers, two of which are normally operating.

15) The emergency and normal AC power trains are normally aligned to the 230 kV switchyard via the two auxiliary transformers, rather than to the output of the main generator, thus obviating the need for a fast transfer on a generator trip. This reduces the probability of a consequential LOOP, given an initiating event. One auxiliary transformer can supply all normal plant loads; therefore upon failure of one auxiliary transformer, the non-emergency plant loads connected to it will "fast transfer" to the other auxiliary transformer, while the ESF loads will be supplied by the corresponding diesel generator, which will have started automatically.

16) Recirculation switchover is accomplished manually.

17) BWST refill (in cases of SGTR and small LOCA) is a proceduralized action. In addition, it is not clear if the Unit 2 BWST can be used (there are references in the text to this option, but reviewers' comments and resolution thereof indicate that this option may no longer be available).

18) Instrument air is supplied by three compressors at TMI-1. Two of the compressors are on the emergency buses, and key plant loads are backed up by a two-hour air bottle system (including the EFW flow control valves).

19) The six turbine bypass valves have a total capacity of 22% of the full power load. Each steam generator has one atmospheric dump valve.

The TMI-1 reactor is housed in a large dry reinforced concrete (post-tensioned) containment. The submittal states that the TMI-1 containment has many similarities with other containments of this type and, as noted below, the TMI-1 level 2 analysis relies heavily on the similarity of the TMI-1 containment with the Oconee containment. Among the plant-specific features important for accident progression at TMI-1 are the following:

1) The TMI-1 containment contains three large fan cooler units, each capable of removing 80 million BTUs per hour. Two fan coolers are sufficient to remove the full decay heat approximately two to three minutes after scram. The fan coolers contain filters and the IPE assumes that under accident conditions these filters would fail due to debris buildup and pressure differential, but they would still permit the fan cooling operation to continue.
2) The TMI-1 containment spray system itself is only capable of providing post-accident fission product scrubbing, not containment cooling. Containment cooling could be provided by the spray system in conjunction with containment sump recirculation cooling, but no credit is taken for sump recirculation cooling in the Level 2 analysis.

3) The TMI-1 reactor cavity geometry is relatively confining and the analysis assumes that significant corium dispersal out of the cavity is unlikely for most accident scenarios. Relatively deep debris pools (thicker than 20 inches) are likely to be formed in the cavity after vessel failure.

4) The TMI-1 containment is constructed of limestone concrete and this results in significant noncondensible gas production if the concrete is attacked by core debris.

E.2 Licensee's IPE Process

The licensee has provided the type of information requested by Generic Letter 88-20 and NUREG-1335.

The front-end portion of the IPE is a level 1 PRA. The specific technique used for the level 1 PRA was a large event tree/small fault tree approach, and it is clearly described in the submittal.

The IPE level 1 model (initiated in 1989) is an update of an earlier TMI-1 level 1 PRA, which was submitted in December 1987 and reviewed by the NRC. The comments from the NRC review are addressed in the IPE.

Model updates reflect the plant modifications and data since 1987. The freeze date for the analysis was mid 1991.

The submittal does not explicitly indicate whether the licensee intends to maintain a "living" PRA, although reference is made to future use of the TMI-1 IPE models in ongoing risk management activities.

Licensee personnel were involved in all aspects of the analysis. In-plant expertise was already existent due to the previous TMI-1 PRA study. Specialized help for aspects of level 1 analysis and employment of the RISKMAN software package was provided by PLG, Inc. Level 2 assistance was provided by Duke Engineering Services, Inc., and B&W.

The reviews performed for the IPE included both in-house reviews and an external review. The internal review was extensive and consisted of work by managers and senior engineers from key organizations of the utility. External peer review was performed by Karl Fleming of PLG, Inc. The comments and disposition of such from both of these reviews are hW t

The submittal indicates that a GPU Nuclear Corporation employee had primary responsibility for the HRA portion of the IPE. Procedure reviews, discussions with operations and training staff, walkdowns of operator actions, and observations of simulator exercises helped assure that the IPE HRA represented the as-built, as-operated plant. An independent, in-house technical review of the PRA was performed by managers of key organizations. In addition, an external review was performed by the consultant from PLG, Incorporated. Documentation of the external review indicated that the HRA was reviewed. Both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response to an accident) were addressed in the IPE. Important human actions and potential human performance related enhancements/improvements were identified and discussed.

The TMI-1 level 2 PRA was developed using a template approach based on the Oconee analysis. The submittal states that "Since the containment and containment system design of TMI-1 and Oconee are similar, a comparison with the Oconee analysis p...r. was made and a new TMI-1 specific analysis was developed that eliminated significant duplications of generically similar analyses." Duke Engineering Services, Inc., and B&W were instrumental in developing the level 2 template and in assisting with the quantification of the containment event tree.

Two independent reviews of the level 2 study were performed: one by an independent in-house group made up of managers and senior engineers, and one by an external consultant from EPRI, Dr. Edward Fuller. The results of these reviews are provided in Appendix IV of the Level 2 part of the submittal.

From the description provided in the IPE submittal it seems that the intent of Generic Letter 88-20 is satisfied.

E.3 IPE Analysis

E.3.1 Front-End Analysis

The methodology chosen for the front end analysis was a level 1 PRA using the large event tree-small fault tree method. The computer code used for modeling and quantification was RISKMAN.

The IPE quantified the following initiating event categories: 6 LOCAs, 15 transients and 7 flooding initiators. The IPE developed 6 event trees or event sequence diagrams to model the plant response to these initiating events. The flooding analysis was a screening analysis.

Success criteria were based on existing information (e.g., UFSAR, the 1987 PRA) supplemented by calculations, as needed.

Like some other PWR IPEs, the TMI-1 IPE assumes that core flood tanks are not needed in large and medium LOCAs. The containment heat removal systems are needed.

The RCP seal cooling model assumes two possibilities for a seal LOCA: loss of NSCCW (used to cool the motor bearings) in combination with operator failure to trip the RCPs, or loss of all seal injection and cooling. The standard seal leak model for the new high temperature seal material installed at TMI-1 is used.

The data collection process period was from initial commercial operation (September 1974) through mid-1991, with a 6 year break, 1979-1985, for an extended shutdown following the accident at Unit 2. Plant specific component failure data were used to update generic data with the use of Bayesian techniques.

TMI-1 data are generally consistent with the NUREG/CR-4550 data. Some of the initiating event frequencies (LOOP, LOCAs) seem low.

The multiple Greek letter (MGL) approach was used to characterize common cause failures. The CCF parameters used are generally consistent with the NUREG/CR-4550 recommended values. The process used to arrive at these values follows established procedures, specializing the generic occurrences to the plant specific design and configuration.

The internal core damage frequency is 4.2E-5/yr. The 5th, 50th and 95th percentiles of the internal events CDF are, respectively, 1.8E-5/yr, 3.1E-5/yr and 8.0E-5/yr. It should be noted that the distribution is tight (small error factors) for a core damage frequency distribution. The flooding contributes an additional 3.0E-6/yr, or about 7%.

The internal accident types and initiating events that contribute most to the CDF and their percent contributions are listed below in Tables E-1 and E-2:

Table E-1. Accident Types and Their Contribution to the CDF

Initiating Event Group                          Contribution to CDF (/yr)    %
Transients                                      2.5E-5                       59.9
LOCAs                                           1.8E-5                       37.5
Internal Flooding (not included in TOTAL)       (3.0E-6)                     (7.1)
Interfacing System LOCA                         9.2E-7                       2.2
Steam Generator Tube Rupture                    1.7E-7                       0.4
TOTAL INTERNAL CDF                              4.2E-5                       100.0

Table E-2. Dominant Initiating Events and Their Contribution to the CDF

Initiating Event                                Contribution to CDF (/yr)    %
Small LOCA                                      7.8E-6                       18.8
Loss of NSRW                                    6.0E-6                       14.4
Loss of DC bus 1A                               3.3E-6                       7.9
Very small LOCA                                 3.0E-6                       7.1
Large LOCA                                      2.8E-6                       6.7
Loss of instrument air                          2.2E-6                       5.3
Medium LOCA                                     2.1E-6                       4.9
Loss of offsite power                           1.8E-6                       4.4
Turbine trip                                    1.8E-6                       4.3
Loss of River Water (intake screen plugging)    1.5E-6                       3.6
Other                                           9.5E-6                       22.6

E.3.2 Human Reliability Analysis

The HRA process for the TMI-1 IPE addressed both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response to an accident). The analysis of pre-initiator actions included both miscalibrations and restoration faults. With the exception of a qualitative screening implemented during the human action eterhan process, all pre-initiator human actions were eventually quantified in detail. The IPE states that the basic error rates used to quantify the pre-initiator human actions were derived from the NRC Human Reliability Handbook [NUREG/CR-1278]. The discussion in the submittal indicates that an appropriate set of HEPs were adopted from Chapter 20 of the handbook.

Post-initiator human actions modeled included both response-type and recovery-type actions. Although a screening analysis was initially implemented, the early quantification "rounds" were apparently used more as an investigative tool which resulted in some human actions being added to the models. The submittal indicates that all modeled human actions were eventually analyzed in detail with systematic application of existing HRA techniques. It was reported that several different sources of human performance information were used in the analysis of dynamic (response-type) human actions. They included expert opinion summaries of human error estimates from previous PRA studies (the Oconee PRA was cited), the NRC handbook [NUREG/CR-1278], and the human cognitive reliability (HCR) model for control room crew nonresponse probability (as presented in EPRI NP-3838). A generalized operator action event tree, adopted from the Operator Action Trees (OATS) methodology, was used to represent operator behavior in accident scenarios and the different quantification techniques were used to quantify potential outcomes. The TMI-1 HRA was somewhat unique in that it attempted to identify potential operator misdiagnosis events through the use of confusion matrices, and assess their potential impact on other events. Plant-specific performance shaping factors and dependencies (such as those among multiple actions in a sequence) were apparently thoroughly considered for both response and recovery actions.

Human errors were identified as important contributors in accident sequences leading to core damage and several potential human performance related enhancements were identified.

E.3.3 Back-End Analysis

The TMI-1 Level 2 PRA was developed using a template approach based on the Oconee analysis. The methodology for plant damage state development, the Containment Event Tree (CET) development, the CET quantification, and the source term development are all based on the Oconee PRA level 2 analysis. According to the TMI-1 submittal the Oconee and TMI-1 designs were compared to identify significant differences in plant characteristics. Then, the Oconee CET model and its quantification were modified to reflect these differences and formulate a plant specific model for TMI-1. The submittal states that since the Oconee and TMI-1 containment system designs are very similar, little change needed to be made to the Oconee model.

In the TMI-1 IPE the interface between the front end and back end analyses consists of a set of plant damage states (PDSs). The PDSs are defined in terms of three characteristics: the core melt bin, the containment safeguard state, and the containment isolation state. It should be noted that the PDS definition does not explicitly contain the status of electrical power, i.e. whether it is available or not. Simplifying assumptions are made to infer the availability of power from the PDS definition by linking it to the availability of the spray pumps, for instance, which is part of the PDS definition. On the whole, the PDSs defined in the TMI-1 IPE submittal seem reasonable and provide a proper accounting of the front-end and back-end dependencies as well as adequate information for back-end accident progression analysis.

The approach used in the TMI-1 IPE for the development of a containment event tree is the same as that of the Oconee analysis: a small event tree, supported by large decision trees, is used. The only questions included as top events in the containment event tree (CET) are those that have an effect on the release timing, energy, h=% or fission product fractions. Each CET end state represents a separate release category. Some of the CET top events are developed further with decision trees using success logic. These decision trees contain the detail that is needed for the IPE analyst to quantify the CET event.

The TMI-1 isolation system model considers the various pathways which could significantly contribute to containment isolation failure, the signals required to isolate the containment penetrations, the availability of the needed power for signal generation, the applicable operating and maintenance procedures as well as technical specifications, and common cause failures. The likelihood of failing to isolate containment is quite small and represents only 0.2% of the total CDF.

The submittal provides figures of the CET and associated logic as well as tables with the quantification values of the basic events, but very little discussion in terms of accident progression, such as which failure mechanisms were found to be most important. Table E-3 below provides the summary values for the TMI-1 failure modes and compares them with analyses for Oconee and other Babcock and Wilcox plants.

Table E-3. Containment Failure as a Percentage of Total CDF

Containment Failure Mode    TMI-1      Oconee       ANO-1      CR3*       Davis-Besse
Early Failure
  Large                     3.10       .91          5.7        2.95       6.3
  Small                     0.07
Late Failure
  Large                     17.0       74.4         12.2       62.6       7.5
  Leakage                   46.0
Bypass                      3.50       negligible   0.43       4.84       2.6
Isolation Failure           0.002      .22          0.5        0.67       negligible
Intact                      30.3       24.4         81.2       28.9       83.6
CDF (1/ry)                  4.49E-5    2.30E-5      4.88E-5    1.53E-     6.6E-5

* Crystal River 3

As indicated in Table E-3, the TMI-1 containment failure probabilities are in general consistent with those found for other large dry containments. Total late failures are quite high but most of the contribution is from the leakage category (46% of CDF).

The late source term releases, which give ample warning and evacuation time, represent 63% of CDF, while the early source term releases, which according to the submittal still give a warning time of at least two hours, represent approximately 7% of CDF.

The worst release is stated to be from containment bypass scenarios, and these would have a source term with greater than 10% of the CsI inventory.

The TMI-1 IPE submittal does not address uncertainty in the back end results. The only exception is the likelihood of the survival of the reactor building fan coolers in post core melt conditions, for which a sensitivity analysis was reported in response to a question generated during peer review of the submittal.

With regard to the CPI recommendations, the submittal states that for a local hydrogen burn in a large dry containment like TMI-1's it is believed that the pressure rise due to a local burn would not present a threat to containment integrity. As basis the submittal cites the TMI-2 accident. It is acknowledged in the submittal that a local burn may damage equipment which is used in accident mitigation and recovery. However, the submittal further states that the scenarios analyzed in the IPE did not involve recovery post core damage and none of the scenarios involve any operational ECCS system in the reactor building, i.e. containment, except the fan coolers, and these are located in the basement where hydrogen accumulation or burning is not expected. The sensitivity analysis regarding the probability of fan cooler survival post accident, discussed above, is also cited in the submittal response to the CPI issues.

E.4 Generic Issues and Containment Performance Improvements

The IPE addresses decay heat removal (DHR). CDF contributions were estimated for the following DHR awharia: emergency feedwater, main feedwater, feed and bleed ("makeup/HPI cooling"), and DHR (both LPI and closed loop DHR, including operator depressurization). 1%t failures of the HPI were found to make a major contribution to the total CDF. A major contributor to the DHR systems failures was failures in the support systems.

The licensee states that the design of the MFW (rampback post trip), EFW (two motor driven (MD) and one no "support necessary" turbine driven (TD) pump), the HPI system (three pumps which can be used with safety valves) and the use of OTSGs with their smaller inventory contribute to the DHR contributions to the CDF.

The following generic issues are also discussed in the submittal:

1) Pressurized Thermal Shock
2) Failures of Instrument Air
3) Failures of ICS and Non-Nuclear Instrumentation
4) RCP Seal LOCA (GI 23)
5) Loss of CCW leading directly to core damage (GI 65)
6) RCP seal performance during loss of all cooling conditions
7) System Interactions in Nuclear Power Plants (A-17).

E.5 Vulnerabilities and Plant Improvements For the level 1 analysis the becmsee defined a vulnerability as any core damage sequence exceedmg 1.E-4/yr. No vulnerabilities were found.

The IPE took credit for some plant modifications and improvements that have not been implemented.

The improvements considered were accident management guidelines for post LOCA recirculation switchover (throttling LPI in advance of switchover and verifying closure /ching stop check valves MLY-14 which establish the path to BWST) and post SGTR recovery actions (isolation of affected SG and cooling down using the other OTSG after loss of HPI, and refilling the BWST). None of the improvements have been implemented, however their CDF contribution is noted.

In addition, important operator actions will be periodically included in the operator training program.

The licensee did not consider adding a procedure for firewater recovery of HPI cooling in case of loss of NSRW. This may be a worthwhile option to consider, as NSRW loss is the second largest contributor to CDF (14.4% from this initiator) and this procedure already exists in case of loss of all RW. Cooling of HPI pumps is important for maintaining RCP seal integrity. The normally operating makeup/HPI pump does not have backup cooling from the DHCCW/DHRW systems.

The TMI-1 definition of vulnerability applicable to the back end analysis is the identification of "any containment bypass or large early containment failure sequence that exceeds 1.E-6 per reactor year." The level 2 study did not identify any vulnerabilities and no "hardware recommendations are made." The submittal states that the Level 2 PRA will be used as a major input to the development of accident management guidelines.

E.6 Observations

Based on the level 1 review of the TMI-1 IPE the licensee appears to have analyzed the design and operations of TMI-1 to discover instances of particular vulnerability to core damage. It also appears that the licensee has developed an overall appreciation of severe accident behavior; gained an understanding of the most likely severe accidents at TMI-1; gained a quantitative understanding of the overall frequency of core damage; and considered implementing changes to the plant to help prevent and mitigate severe accidents.

Strengths of the level 1 IPE are as follows: Thorough analysis of initiating events and their impact, descriptions of the plant responses, modeling of accident scenarios, reasonable failure data and common cause factors employed and usage of plant specific data where possible to support the quantification of initiating events and component unavailabilities. The effort seems to have been evenly distributed across the various areas of the analysis.

No major weaknesses of the level 1 IPE were identified, other than in the low frequencies of certain initiating events, which should not have a large impact on the results. Also, the CDF uncertainty distribution seems tight.

The IPE determined that failures in the HPI system (caused by hardware failures), the Decay Heat River Water and Closed Cooling Water systems and the recirculation from the reactor building sump (hardware failures) dominate the risk. The CDF is not dominated by any single initiating event or an accident sequence. The most likely ways to experience a severe accident involve loss of river water and closed cooling water systems coupled with losses of HPI. Other likely ways involve LOCAs with failure to establish long term recirculation. The study found that losses of instrument air are an important but not major contributor to core damage frequency. The study also shows that losses of offsite power are an important but not major contributor. All of these conclusions seem reasonable with respect to the design features of the plant.

As was noted previously, several improvements have been contemplated, but none have been implemented as a result of insights from the IPE. The CDF impact of these improvements is small.

The HRA review of the TMI-1 IPE submittal did not identify any significant problems or errors. A viable approach was used in performing the HRA and nothing in the licensee's submittal indicated that it failed to meet the intent of Generic Letter 88-20 in regards to the HRA. Important elements pertinent to this determination include the following:

1) The submittal indicates that utility personnel were involved in the HRA and that the walkdowns, Ameen reviews and simulator observations represented a viable process for confirming that the HRA portions of the IPE represent the as-built, as-operated plant.

2) The analysis of pre-initiator human actions included both miscalibrations and restoration faults. Potential dependencies between two or more pre-initiator operator actions and potential miscalibration common cause failures were considered. While details regarding the basis for assuming the presence, absence, or degree of dependency or common cause effects were only briefly discussed, an examination of the pre-initiator human actions modeled and their HEPs failed to detect any obvious inappropriate treatment of dependencies or common cause effects. The HEPs assigned to the modeled pre-initiator human actions appeared to be reasonable and other aspects of their derivation were reasonably well documented.

3) Post-initiator human actions modeled included both response-type and recovery-type actions. A generalized operator action event tree, adopted from the Operator Action Trees (OATS) methodology, was used to represent operator behavior in accident scenarios. The trees model the diagnosis and action phases of an operator response and provide options for rediagnosis/redirection prior to an unsuccessful end state. The likelihood of an incorrect diagnosis, a failure to diagnose, and a "nonviable" action given a correct diagnosis are all considered (at least in principle) as potential failure modes leading to unsuccessful end states. As described, the HRA modeling approach adopted for the TMI-1 IPE was relatively thorough and more detailed than has been found for many of the other IPEs examined.

4) Plant-specific performance shaping factors (PSFs) and dependencies were appropriately considered.

5) One potential shortcoming of the overall quantification approach used in the TMI-1 IPE is that in spite of the fact that the action execution phase is represented in the generalized operator action tree, there was no evidence that this phase of the action was actually quantified for the different operator actions modeled. While this is an explicit characteristic of the HCR quantification model that has been defended on the grounds that the execution phase is addressed through the use of estimates of median response time, it was not made clear that the approach used for time-!Wt events appropriately considered the response phase. Another limitation was the use of expert judgment in the quantification of some events, in particular the recovery events. While the judgments were said to be based on previous PRAs and the selected values and guidelines for their application were documented, additional detail on the basis for the selected HEPs and evidence of peer review would have strengthened the submittal. Nevertheless, given the thoroughness and thoughtfulness of the HRA conducted for this IPE and the apparent reasonableness of the assigned HEPs, at worst these are minor weaknesses.

6) A list of important human actions based on their contribution to core damage frequency was provided in the submittal.

The level 2 analysis in the TMI-1 IPE was a template approach based on the level 2 Oconee IPE analysis, previously reviewed by the NRC. The important points of the technical evaluation of the TMI-1 IPE back-end analysis are:

1) The back end portion of the IPE supplies a substantial amount of information with regard to the subject areas identified in Generic Letter 88-20.
2) The IPE provides an evaluation of all phenomena of importance to severe accident progression in accordance with Appendix I of the Generic Letter.
3) The IPE has identified some plant specific features for accident progression such as the cavity configuration and concrete composition, and has made an attempt to account for them in the analysis modified from Oconee
5) A sensitivity study as that described in NUREG-1335 was not performed in the IPE. The IPE does not provide any quantitative information on how containment failure probabilities would change if uncertainties on containment phenomena are considered. The lack of a sensitivity study and the insights that may be obtained from the sensitivity study is a significant weakness of the level 2 TMI-1 IPE.
7) Containment isolation failure is thoroughly discussed and the IPE seems to have addressed all five areas identified in the Generic Letter regarding containment isolation.
8) The recommendations of the CPI program are discussed in terms of the Oconee IPE.

The TMI-1 level 2 analysis appears to meet the requests of GL 88-20. However, because the entire level 2 analysis is a reproduction of the Oconee analysis with slight modifications, it is very difficult to ascertain from the submittal how much the licensee actually learned regarding severe accident progression at TMI-1. The total lack of a sensitivity analysis adds to the concern that the TMI-1 level 2 IPE exercise may not have produced as much understanding of containment performance as could have been +=3W from a more independent analysis.


1. INTRODUCTION

1.1 Review Process

This technical evaluation report (TER) documents the results of the BNL review of the Three Mile Island Unit 1 Individual Plant Examination (IPE) submittal [IPE, RAI Responses]. This technical evaluation report adopts the NRC review objectives, which include the following:

• To assess if the IPE submittal meets the intent of Generic Letter 88-20, and

• To determine if the IPE submittal provides the level of detail requested in the "Submittal Guidance Document," NUREG-1335.

A Request for Additional Information (RAI), which resulted from a preliminary review of the IPE submittal, was prepared by BNL and discussed with the NRC on June 6, 1995. Based on this discussion, the NRC staff submitted an RAI to the GPU Nuclear Corporation on August 3, 1995. GPU Nuclear Corporation responded to the RAI in a document dated December 6, 1995. This TER is based on the original submittal and the response to the RAI (RAI Responses).

1.2 Plant Characterization

The TMI-1 Nuclear Power Plant is a 786 MWe, 2568 MWth Babcock and Wilcox pressurized water reactor (PWR). The reactor coolant system (RCS) consists of the reactor vessel, two vertical once-through steam generators, 4 shaft-sealed reactor coolant pumps, an electrically heated pressurizer and interconnected piping. The plant is operated by GPU Nuclear (GPUN), and started commercial operation in September 1974. There are no other operating units on site (TMI-2 has been decommissioned).

The reactor is housed in a large dry reinforced concrete (post-tensioned) containment. The submittal states that the TMI-1 containment has many similarities with other containments of this type and, as noted below, the TMI-1 Level 2 analysis relies heavily on the similarity of the TMI-1 containment with the Oconee containment.

Design features at TMI-1 that impact the core damage frequency (CDF) relative to other PWRs are as follows:

1) The turbine driven main feedwater pumps will continue to run for most transients, as the pump flow output is automatically matched to the decay heat level.
2) The turbine driven EFW pump has a mechanical linkage for control, thus is not dependent on DC power for long term control in station blackout scenarios. However, the IPE takes no credit for this feature according to a discussion in Appendix B.1 which considers power recovery models.
3) There are two motor driven and one turbine driven EFW pump. The EFW system is automatically started and controlled. Tests done by GPUN show that none of the pumps need the bearing cooling system for a 24 hour operation.
4) The normal EFW suction source is the inventory in the condensate storage tanks (CSTs). Backup sources of EFW water are the river water, the demineralized water storage tanks and the condenser hotwell, however none of these sources were credited in the analysis.

5) One pressurizer PORV and two safety valves can be utilized for makeup/HPI cooling (i.e., feed and bleed). This gives TMI-1 a diversity of options for makeup/HPI cooling. The PORV block valve is usually open. The PORV only depends on DC power and does not depend on instrument air or compressed nitrogen. The three makeup pumps (which are also the HPI pumps) can be used with either the PORV or safety valves.
6) The normally operating makeup (high pressure injection) pump (1B) is cooled by the Nuclear Services Closed Cooling Water (NSCCW) system, while the other two pumps are normally cooled by the Decay Heat Closed Cooling Water (DHCCW), with backup provided by the NSCCW. Thus, the normal makeup/HPI pump does not have backup cooling. The intermediate closed cooling system consists of two trains which, among other loads, provide thermal barrier RCP seal cooling. The Intermediate Closed Cooling Water (ICCW) coolers are cooled by the NSRW system. Thus there is redundancy in RCP seal cooling/injection systems, however loss of Nuclear Services River Water (NSRW) will cause at least a temporary loss of all seal cooling/injection, as the NSRW is the ultimate heat sink for the NSCCW system.
7) Fire water can be used as backup cooling of the makeup/HPI pumps, by cooling the DHCCW to support operation of an HPI pump for seal injection.
8) The NSCCW is used to cool the RCP motor bearing; thus the operators are required to trip the RCPs following a loss of the NSCCW in order to prevent a seal LOCA. Note that NSCCW will be lost on steam/feedwater line break in the reactor building due to isolation upon reaching the 30 psig reactor building (RB) pressure setpoint. ICCW (providing thermal barrier cooling) will also be isolated in the same initiator and for the same reason.
9) RCP seal injection valve MUV 20 will close on loss of instrument air, as will the ICCW isolation valves (IC-V3 and V4) which are in the path for thermal barrier cooling, i.e., all seal injection and cooling is lost and the RCPs will automatically trip. The operators are instructed to reopen or hold open MUV-20 on loss of instrument air.
10) The RCP seals use new high temperature O-rings which show a significantly reduced leakage potential following a loss of all seal cooling and injection.
11) The closed cycle cooling consists of three trains of the NSCCW (cooled by the three train NSRW system) and two trains of the DHCCW (cooled by the two-train DHRW system). (In addition, the ma% CCW and River Water (RW) systems cool the MFW pumps). Thus there is considerable redundancy in these systems. The NSCCW and the NSRW system provide cooling to the RB fan motors and RB fan cooler units, makeup pump 1B motor (and backup cooling to the makeup pump 1A and 1C motors), control building AC chillers and the intermediate service heat exchangers. The DHCCW and the DHRW systems provide cooling to the DHR coolers and the DHR pumps, the RB spray pumps and makeup pumps 1A and 1C (as well as backup cooling to makeup pump 1B).
12) The emergency power system at TMI-1 consists of three emergency diesel generators, including the EDG from Unit 2, added in response to the station blackout rule and called the SBODG. The SBODG has to be started manually, upon failure of the two regular EDGs, and can supply full power requirements of one train of engineered safety features. Cross ties exist between emergency buses.

13) The emergency diesel generators are air cooled, thus reducing dependency on support systems. The SBODG needs ventilation and also is dependent on firewater for cooling. The SBODG has dedicated 125 V batteries for starting, however, it needs station battery A in order to load onto either emergency bus.
14) The two station batteries have a depletion time of 6 hours, with proceduralized load shedding (assumed to always occur). Without shedding, a battery life of 2 hours results, for which a sensitivity study was done. Cross ties exist between DC buses. Each battery is connected to two chargers, two of which are normally operating.
15) The emergency and normal AC power trains are normally aligned to the 230 kV switchyard via the two auxiliary transformers, rather than to the output of the main generator, thus obviating the need for a fast transfer on a generator trip. This reduces the probability of a consequential LOOP, given an initiating event. One auxiliary transformer can supply all normal plant loads, therefore upon failure of one auxiliary transformer, the non-emergency plant loads connected to it will "fast transfer" to the other auxiliary transformer, while the ESF loads will be supplied by the corresponding diesel generator, which will have started automatically.
16) Recirculation switchover is accomplished manually.
17) BWST refill (in cases of SGTR and small LOCA) is a proceduralized action. In addition, it is not clear if the Unit 2 BWST can be used (there are references in the text to this option, but reviewers' comments and resolution thereof indicate that this option may no longer be available).
18) Instrument air is supplied by three compressors at TMI-1. Two of the compressors are on the emergency buses, and key plant loads are backed-up by a two-hour air bottle system (including the EFW flow control valves).
19) The six turbine bypass valves have a total capacity of 22% of the full power load. Each steam generator has one atmospheric dump valve.

The TMI-1 reactor is housed in a large dry reinforced concrete (post-tensioned) containment. The submittal states that the TMI-1 containment has many similarities with other containments of this type and, as noted below, the TMI-1 Level 2 analysis relies heavily on the similarity of the TMI-1 containment with the Oconee containment. Among the plant-specific features important for accident progression at TMI-1 are the following:

1) The TMI-1 containment contains three large fan cooler units, each capable of removing 80 million BTUs per hour. Two fan coolers are sufficient to remove the full decay heat approximately two to three minutes after scram. The fan coolers contain filters and the IPE assumes that under accident conditions these filters would fail due to debris buildup and pressure differential, but they would still permit the fan cooling operation to continue.
2) The TMI-1 containment spray system itself is only capable of providing post-accident fission product scrubbing, not containment cooling. Containment cooling could be provided by the spray system in conjunction with containment sump recirculation cooling but no credit is taken for sump recirculation cooling in the level 2 analysis.
3) The TMI-1 reactor cavity geometry is relatively confining and the analysis assumes that significant corium dispersal out of the cavity is unlikely for most accident scenarios. Relatively deep debris pools (thicker than 20 inches) are likely to be formed in the cavity after vessel failure.
4) The TMI-1 containment is constructed of limestone concrete and this results in significant noncondensible gas production if the concrete is attacked by core debris.

Some pertinent containment parameters for TMI-1 compared to some other, often referenced, large dry containments are given in Table 1.

Table 1 Plant and Containment Characteristics for Three Mile Island Unit 1

| Characteristic | TMI-1 | Oconee | Zion | Surry |
|---|---|---|---|---|
| Thermal Power, MW(t) | 2568 | 2568 | 3236 | 2441 |
| Containment Free Volume, ft³ | 2,000,000 | 1,860,000 | 2,860,000 | 1,800,00 |
| Containment Design Pressure, psig | 55 | 59 | 60 | 45 |
| Median Containment Failure Pressure, psig | 144 | 144 | 135 | 12'., |
| Containment Volume/Power | 779 | 724 | 884 | 737 |

2. TECHNICAL REVIEW

2.1 Licensee's IPE Process

The process used by the licensee was reviewed with respect to: completeness and methodology; multi-unit effects and as-built, as-operated status; and licensee participation and peer review.

2.1.1 Completeness and Methodology

The licensee has provided the type of information requested by Generic Letter 88-20 and NUREG-1335.

The front-end portion of the IPE is a level 1 PRA. The specific technique used for the Level 1 PRA was a large event tree/small fault tree method, and it is clearly described in the submittal.

Internal initiating events and internal flooding were considered. The internal flooding analysis was of a screening type. Event trees were developed for all classes of initiating events. An uncertainty analysis was performed that provided a probability distribution for the plant damage state bins. Several sensitivity analyses were performed (with regard to the RCP seal LOCA model, battery depletion time, power recovery curve, EDG recovery, and increased power recovery time). System importance and HEP importance analysis was also performed.

The IPE level 1 model (initiated in 1989) is an update of an earlier TMI-1 Level 1 PRA, which was submitted in December 1987 and reviewed by the NRC. The comments from the NRC review are addressed in the IPE. Model updates reflect the plant modifications and data since 1987. Other PRA studies were also reviewed: NUREG-1150 for Surry, PRAs for Diablo Canyon, South Texas, Oconee, Beaver Valley 2 and Crystal River 3.

The submittal information on the HRA process was generally complete in scope. Some additional information/clarification was obtained from the licensee through an NRC request for additional information. The HRA process for the TMI-1 IPE addressed both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response to an accident). The analysis of pre-initiator actions included both miscalibrations and restoration faults. The basic error rates used to quantify the pre-initiator human actions were derived from the NRC Human Reliability Handbook [NUREG/CR-1278]. The discussion in the submittal indicates that an appropriate set of HEPs was adopted from Chapter 20 of the handbook.

Post-initiator human actions modeled included both response-type and recovery-type actions. Although a screening analysis was initially implemented, the early quantification "rounds" were apparently used more as an investigative tool which resulted in some human actions being added to the models. The submittal indicates that all modeled human actions were eventually analyzed in detail with systematic application of existing HRA techniques. It was reported that several different sources of human performance information were used in the analysis of dynamic (response-type) human actions. They included expert opinion summaries of human error estimates from previous PRA studies (the Oconee PRA was cited), the NRC handbook [NUREG/CR-1278], and the human cognitive reliability (HCR) model for control room crew nonresponse probability (as presented in EPRI NP-3838). A generalized operator action event tree, adopted from the Operator Action Trees (OATS) methodology, was used to represent operator behavior in accident scenarios and the different quantification techniques were used to quantify potential outcomes. The TMI-1 HRA was somewhat unique in that it attempted to identify potential operator misdiagnosis events through the use of confusion matrices, and assess their potential impact on other events. Plant-specific performance shaping factors and dependencies (such as those among multiple actions in a sequence) were apparently thoroughly considered for both response and recovery actions. Human errors were identified as important contributors in accident sequences leading to core damage and several potential human performance related enhancements were identified.

The Three Mile Island Unit 1 Individual Plant Examination (IPE) back-end submittal is essentially consistent with respect to the level of detail requested in NUREG-1335.

The TMI-1 level 2 PRA was developed using a template approach based on the Oconee analysis. The submittal states that "Since the containment and containment system design of TMI-1 and Oconee are similar, a comparison with the Oconee analysis parameters was made and a new TMI-1 specific analysis was developed that eliminated significant duplications of generically similar analyses."

The methodology for plant damage state dW=^. the Containment Event Tree (CET) development, the CET quantification and the source term development are all based on the Oconee PRA level 2 analysis. According to the TMI-1 submittal the Oconee and TMI-1 designs were compared to identify significant differences in plant characteristics. Then, the Oconee CET model and its quantification were modified to reflect these differences and formulate a plant specific model for TMI-1. The submittal states that since the Oconee and TMI-1 containment system designs are very similar, little change needed to be made to the Oconee model. As examples the submittal notes that the number of pumps as well as design flow rates of the containment spray system are the same, as is the number of fans, cooling units and heat removal capability of the reactor building emergency cooling systems.

While the TMI-1 and Oconee containments are of similar design, their dimensions and post-tensioning tendons are quite different. However, based on an analysis in Appendix ! of the submittal, the licensee claims that these differences can be accounted for so that the Oconee ultimate capacity curves and the Oconee assumptions on failure modes can be utilized directly in the TMI-1 analysis.

2.1.2 Multi Unit Effects and As-Built, As-Operated Status

There are no other operating units on site. The only impact of the shutdown Unit 2 is the use of its diesel generator as the station blackout diesel (SBODG) for Unit 1. It seems that the use of the Unit 2 BWST is no longer applicable, according to comments from the internal review, concurred to by the analysts. However, references to this recovery action still exist in the report.

A wide variety of up-to-date information sources were used to develop the IPE. Examples are the Updated Final Safety Analysis Report (UFSAR), operations plant manual, anticipated transient procedures, system surveillance, abnormal and operating procedures, piping and instrument diagrams and electrical diagrams, transient assessment reports, maintenance work orders and switching and tagging requests, *hl data reports and thermal hydraulic calculations, mnMir ahrwilists and 10CFR50.59 reports. The analysis was applied to the plant configuration as it existed in 1991. The data was collected from September 2, 1974 (beginning of commercial operation) through June 30, 1991, but excluding the extended shutdown from February 17, 1979 to October 2, 1985. Since the TMI-1 IPE was based on an update of a previous PRA, the TMI-1 PRA update team performed walkdowns of the plant at various points in the project to assure correct =~i i% of the plant and its systems. A videotape of the reactor vessel cavity area was made and used for reference during the level 2 analysis. Many plant walkdowns were performed: general walkdowns for initial familiarization with the plant, systems walkdowns, human action walkdowns, plant model walkdowns, internal flooding walkdowns and a containment walkdown.

The submittal does not explicitly indicate whether the licensee intends to maintain a "living" PRA, although reference is made to future use of the TMI-1 IPE models in ongoing risk management activities.

Procedure reviews, plant walkdowns, discussions with operations and training staff, and observations of simulator training sessions helped assure that the IPE HRA represented the as-built, as-operated plant. Credit was apparently taken for a loss of instrument air procedure change that directs the operators to manually open RCP seal return valve (MUV-20). This assures continuation of RCP seal injection during loss of air scenarios. It was unclear as to whether credit was taken for any other proposed enhancements.

2.1.3 Licensee Participation and Peer Review

Licensee participation in the IPE process and review activities are discussed briefly in Sections 1.2 and 1.5 of the IPE submittal summary, while the review process, comments and disposition of these comments are described in considerable detail in Appendix D of the Main Report. Licensee personnel were involved in all aspects of the analysis. In-plant expertise was already existent due to the previous TMI-1 PRA study. Specialized help for aspects of Level 1 analysis and employment of the RISKMAN software package was provided by PLG, Inc. Level 2 assistance was provided by Duke Engineering Services, Inc., and B&W.

The reviews performed for the IPE included both independent in-house reviews and an external review. The internal review was extensive and consisted of work by managers and senior engineers from key organizations of the utility. External peer review was performed by Karl Fleming of PLG, Inc. The comments and disposition of such from both of these reviews are documented in Appendix D of the report.

The submittal indicates that a GPU Nuclear Corporation employee had primary responsibility for the HRA portion of the IPE. Procedure reviews, discussions with operations and training staff, walkdowns of operator actions, and observations of simulator exercises helped assure that the IPE HRA represented the as-built, as-operated plant. An independent, in-house technical review of the PRA was performed by managers of key organizations. In addition, an external review was performed by the consultant from PLG, Incorporated. Documentation of the external review indicated that the HRA was reviewed. Both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response to an accident) were addressed in the IPE. Important human actions and potential human performance related enhancements/improvements were identified and discussed.

Duke Engineering Services, Inc., and B&W were instrumental in developing the level 2 template and in assisting with the quantification of the containment event tree.

Two independent reviews of the level 2 study were performed: one by an independent in-house group made up of managers and senior engineers, and one by an external consultant from EPRI, Dr. Edward Fuller. The results of these reviews are provided in Appendix IV of the level 2 part of the submittal.

From the description provided in the IPE submittal it seems that the intent of Generic Letter 88-20 is satisfied.

2.2 Front End Technical Review

2.2.1 Accident Sequence Delineation and System Analysis

2.2.1.1 Initiating Events

The identification of initiating events proceeded in a three-stage approach: 1) review of existing sources, including other PRAs of similar plants (e.g. the Oconee PRA initiator list was reviewed) and the EPRI data base; 2) a thorough review of each system at TMI-1 to identify events that could be of a unique nature or that would not be well characterized by analyses or operating experience of other plants; 3) examination of the operating experience for TMI-1 to determine if it suggested any additional types of events that were not identified elsewhere.

As a result, a total of 21 initiating events were identified. In addition, 7 flooding scenarios survived the screening process, and are described in the flooding section of this report. The internal initiators are:

LOCAs:

Large LOCA
Medium LOCA
Small LOCA
Very small LOCA
Interfacing Systems LOCA (V event via DHR)
Steam Generator Tube Rupture

Transients:

Steam and Feedwater Line Breaks in Turbine Building
Steam and Feedwater Line Breaks in Intermediate Bldg
Steam and Feedwater Line Breaks in Reactor Building
Excessive Feedwater Flow
Total loss of main feedwater
Reactor trip
Turbine trip
Loss of air system
Loss of DC power train A
Loss of offsite power
Loss of Nuclear Services Closed Cooling Water
Loss of Nuclear Services River Water
Loss of River Water
Loss of 4 kV bus 1D ES
Loss of 4 kV bus 1E ES

Internal floods:

Break in NSRW system in aux. bldg zone AB-FZ-1
Break in aux steam in aux bldg zone AB-FZ-5
Break in makeup/letdown in zone AB-FZ-4
NSRW break in intake screen and pump house bldg zone ISPH-FZ-1
NSRW break in intake screen and pump house bldg zone ISPH-FZ-2
ICCW break in zone AB-FZ-7
Main steam line break in RB zone RB-FZ-1D

The initiating event list seems to be complete and comparable to events considered in other PRAs. HVAC failures do not lead to initiating events, because tests of HVAC in various zones have shown the equipment will not reach damaging temperatures on loss of HVAC. Loss of DC bus 1B, or of either 120V ac vital bus, would not cause a plant trip (verified on simulator). Loss of any 4 kV or 480 V emergency bus would not cause a plant trip or a manual shutdown (verified on simulator). However, loss of a single emergency AC bus, coupled with other failures before the bus was restored, could conceivably cause a plant trip; therefore losses of the 4 kV emergency buses were retained as initiators. A spurious HPI actuation would not cause an automatic trip, at least not for many minutes (verified on simulator). The plant would eventually shut itself down when enough borated water had been added. Operator action would be expected to terminate the HPI flow well before any problems developed. Hence, inadvertent HPI actuation was not included as an initiator.

2.2.1.2 Event Trees

The IPE developed 6 event trees or event sequence diagrams (ESD) to model the plant responses to internal initiating events: support systems event tree, general transient early response ESD, general transient long term response ESD, SGTR early response ESD, SGTR long term response ESD, large and medium LOCA ESD. Note that the large and medium LOCAs are treated together, with adjustments made in logic rules for split fractions. The small and the very small LOCAs are treated in the general transient module.

No event trees were developed for interfacing systems LOCAs, since a conservative analysis (no credit for isolation) was done in Appendix B3. Reactor vessel rupture was treated as part of the general transient model, i.e., analysis was performed to develop a split fraction for RV rupture caused by pressurized thermal shock (PTS) concerns. PTS analysis is presented in Appendix B.4. ATWS was treated as part of the existing event tree structure, i.e., failure of the reactor scram system is queried. Flood scenarios do not use event trees, as a screening analysis was done; however, calculation of split fractions from systems modules may have been used.

The event trees are systemic. The mission time used in the core damage analysis was 24 hours, unless a shorter time is indicated (e.g., LOCA injection phase).

The event tree end states are divided into two possible outcomes: success or core damage (which is then put into the appropriate plant damage bin).

It appears the analysts used core uncovery as the definition of core damage for most initiators.

Success criteria seem to be based on the 1987 level 1 PRA, the UFSAR, thermal hydraulic calculations, and possibly, actual data on plant response to transients. The success criteria appear reasonable and in line with most other PWR success criteria.

The core flood tanks are apparently not mentioned anywhere in the submittal, therefore they are not modeled for large and medium LOCAs. This would not have an appreciable impact on the results.

Large and medium LOCAs require low pressure recirculation from the sump while all other LOCAs require "piggyback" or HP recirculation. For very small LOCAs and SGTR initiators, the break size is small enough that BWST makeup can be used to avoid the need of going to recirculation.

Large, medium and small LOCA break sizes are large enough to remove decay heat through the break alone. For very small LOCAs (RCP seal failures, etc.) and SGTR sequences, additional heat removal is necessary. It could be provided by 8% of main feedwater, or one train of EFW feeding one SG, in conjunction with steam relief provided by 1 safety valve per SG, or one ADV per SG or 2 TBVs. In case of ATWS, one EFW train to one SG in conjunction with two safety valves per steam generator is necessary. Alternatively, for non-SGTR scenarios, HPI cooling can be effected (i.e., feed and bleed with one HPI pump and one pressurizer safety valve or the PORV). In SGTR scenarios, the HPI cooling method must use the PORV, otherwise the RCS pressure will remain high (at the safety valve setpoint) and the RCS inventory will be lost out the break. MFW is not credited in any ATWS sequences, because, given a turbine trip, there is a mismatch between reactor power and the capability of the turbine bypass valves, causing loss of excess steam from the secondary side. Then the main feedwater would eventually be lost due to loss of inventory (CST makeup is modeled only for the EFW system).

The pressure control success criteria for ATWS require both pressurizer safety valves to open and the moderator coefficient to be sufficiently negative. Also, two HPI pumps must be available for inventory control and decay heat removal functions.

For large and medium LOCAs, there is a requirement to prevent excessive boron precipitation (i.e., hot leg recirculation).

It should be noted that medium LOCA requires reactivity control, either by insertion of at least 59 of 61 control rods or by starting one HPI train taking suction from the BWST within 10 minutes (the same success criterion applies to transients). For all other LOCAs, the successful operation of inventory control systems in combination with voiding in the core will ensure timely reactivity control.

Operation of reactor building cooling systems is required for all LOCA sizes. The RB spray is used in the injection phase of an accident. In the recirculation phase, operation of one train of DHR and its associated heat exchanger, or operation of two trains of fan coolers is required.

The RCP seal LOCA model employs data for the new high temperature O-ring material used in TMI-1 seals (a sensitivity study was done to see the impact of using the old seal model). The seal integrity requires that either seal injection or thermal barrier cooling be operable. It appears the model assumes a seal LOCA possibility if both cooling methods are lost. For that reason, a backup cooling method exists for cooling the HPI pumps which provide seal injection. This is accomplished by using firewater to cool DHCCW, which is one of two systems available for cooling the HPI pumps. Another way to jeopardize the RCP seal integrity is to lose cooling for the RCP motor bearings, thus inducing vibrations. The system providing this cooling is the NSCCW. Preservation of seal integrity in this case involves stopping the reactor coolant pumps, which is directed by operating procedures upon loss of NSCCW.

2.2.1.3 Systems Analysis

A total of 20 systems/functions are described in Appendix F of the Submittal. Included are descriptions of the following systems: electric power, engineered safeguards actuation, nuclear services river and closed cooling water, decay heat river and closed services water, control building ventilation (deleted), reactor protection, turbine trip, main steam, main feedwater and ICS, emergency feedwater, pressure control, high pressure injection, low pressure injection/DHR, reactor building isolation, reactor building emergency cooling, reactor building spray, instrument air, secondary services river and closed cooling water, and fire service.

Each system description includes a discussion of the system design and operation and details of modeling and assumptions.

Also included for many systems are simplified schematics that show major equipment items and important flow and configuration information.

Success criteria are described in the event tree description portion of the report. System dependencies are summarized in a matrix form.

See Section 1.2 of this TER for a description of important plant features.

2.2.1.4 System Dependencies

The IPE addressed and considered the following types of dependencies: shared component, instrumentation and control, isolation, motive power, direct equipment cooling, areas requiring HVAC, operator actions and environmental effects. Tests have shown that the HVAC system is not needed for 72 hours to support any important system operation.

Tables 7.3-1 and 7.3-2 of the submittal contain the overall system dependency matrices, including both support-on-support and frontline-on-support dependencies.

2.2.2 Quantitative Process

2.2.2.1 Quantification of Accident Sequence Frequencies

The IPE used a large event tree/small fault tree technique to quantify core damage sequences. The event trees were systemic. The RISKMAN software package was used for development and quantification of top event probabilities and accident frequencies. It appears the cut set truncation limit used was 1.E-10/yr, with estimates provided of the residual for each initiating event category. The estimated residuals are a negligible fraction of the category CDFs.

The IPE took credit for various recovery activities, including the recovery of offsite power and recovery of diesel generators. The IPE power recovery curve is based on regional experience and is consistent with average industry data cited in an Electric Power Research Institute (EPRI)-sponsored study (NSAC-147). No recovery of diesel generators is allowed after battery depletion.

2.2.2.2 Point Estimates and Uncertainty/Sensitivity Analyses

Mean values were used for the point estimate initiator frequencies and all other basic events. A formal mathematical uncertainty analysis was performed on the results, using Monte Carlo simulations and employing the RISKMAN computer code. Uncertainty distributions, as well as point estimates, are given for the total core damage frequency, plant damage states and split fractions. Importance measures (Fussell-Vesely) are given for systems, split fractions, plant damage states, initiating events, sequences and operator actions. For split fractions, in addition to the F-V importance, the following importance measures were also computed: risk achievement and risk reduction worths, and derivative importance.

Five non-HRA sensitivity studies were also performed. All five sensitivity studies explored modeling uncertainties related to station blackout and LOOP scenarios, specifically impacting the power recovery times and the power recovery model. It should be noted that station blackout is only a minor contributor in the base case CDF results (about 3% of the total CDF), while LOOP in totality contributes only about 4.4%. The sensitivity studies dealt with the RCP seal leakage model, the allowable recovery time, the battery depletion time, the offsite power recovery factors and the diesel generator restoration model. In addition, an HRA sensitivity study was performed, not described in this section.

In the RCP seal sensitivity study, the leakage model for the old seal design (i.e., from NUREG/CR-4550, Vol. 2) was used. The CDF increase was only about 1%.

In the allowable recovery time sensitivity study, four different scenarios were explored. In the first two scenarios, the recovery time was increased by one hour and by six hours, to model the range of increase in time available if vessel penetration rather than core uncovery was the criterion for determining available time. In these two cases the CDF decrease was 2% or less. In the third scenario related to power recovery time considerations, steam generator depressurization was included in the model for SBO sequences. This would decrease the RCP seal leakage rates due to RCS cooldown and increase allowable recovery times in sequences where EFW was operating (provided the sequence was limited by the RCP seal leakage rather than by battery depletion time). Currently, the procedures do not instruct the operators to do SG depressurization following a blackout. The result from this sensitivity study was a very small (less than about a 0.1%) decrease in the CDF. In the final sensitivity study related to the allowable recovery time, the old recovery time from the 1987 TMI-1 PRA was used, which was 9.1 hours from the start of station blackout. The result was a negligible change in the CDF.

The third sensitivity study dealt with the battery depletion time. The model assumes that core uncovery occurs 1 hour after battery depletion in station blackout sequences, i.e., no credit is taken for mechanical linkage control of the TDEFW pump (it is not explained in the submittal how loss of level instrumentation impacts control of this pump). Also, no credit is taken for cross-connecting the batteries to extend the depletion time. The battery depletion time sensitivity will impact the blackout sequences with EFW running, and will not impact other sequences. The base case battery depletion time in the model is 6 hours, with proceduralized operator shedding of dc loads, which must occur within one hour of SBO. The model assumes that operators always perform this action (reliability of 1). In the sensitivity study, depletion times of two hours and 24 hours are assumed. The two hour depletion time models the case where no shedding of dc loads occurs (perfect unreliability of operators to shed dc loads), while the 24 hour depletion time models taking perfect credit for the operation of the TDEFW pump past the battery depletion time of 6 hours (or extending this time by other means). In both cases the CDF change was minor, i.e., "less than 5%".

The fourth case changed the offsite power recovery factors from the experiential ones used in the study to the ones in the NUREG-1032 model (which are actually more optimistic, by a factor of about 20%). The resulting reduction in the CDF was minor (less than 1%).

The fifth case dealt with the diesel generator restoration model. Three different assumptions were tried for this sensitivity study. First, the diesel restoration times suggested in the NRC review of the 1987 TMI-1 PRA were used, which are substantially longer than the times used in the base case. The base case times are generated from review of industry experience, taking into consideration that most repairs are not completed under the urgency conditions of a station blackout, and taking into account the varying complexity of recovering from different hardware causes of diesel generator failure. In the base case, no credit was taken for restoration of the SBODG, which would be the diesel started manually after the two regular EDGs had failed. When the reviewer suggested restoration times were used, the resultant increase in non-recovery factors was 120% in sequences with EFW available and 50% in sequences with EFW unavailable. Even so, the impact on the total core damage frequency was small, i.e., a 2.7% increase. The second case explored the possibility that no credit is taken for on-site power recovery, in which case the total CDF rose by 6.3%. In the third case, the assumption was made that all diesel generator failures occur at the same time, when the offsite power was lost. The resulting increase in the total CDF was only 0.8%.

In conclusion, none of the assumptions related to the modeling of LOOP and SBO sequences have a major impact on the total core damage frequency.

2.2.2.3 Use of Plant-Specific Data

The data collection process period was from September 2, 1974 through June 30, 1991 (with interruption from February 17, 1979 to October 2, 1985) for most important components and initiators.

Both demand and time related failures were addressed. The sources of plant specific failure data were work requests and job tickets. Demand data sources were the periodic test procedures and the plant operating procedures, as well as reactor plant turbine unit startups and shutdowns in combination with plant operating procedures. The operating hours were derived from the operations surveillance OPS-094 and periodic tests. For test and maintenance unavailability data, switching and tagging orders and shift foreman log books were consulted.

The plant specific component failure data were used to update generic data with the use of Bayesian techniques. Bayesian updating of generic data was used even for maintenance unavailability data, in which maintenance frequency and maintenance mean duration were separately updated. For NSRW pumps, a log normal distribution could not be used for mean maintenance duration, hence two distributions were developed, one for short duration maintenance activities, the other for long duration maintenance activities.

The submittal shows both the generic data and plant specific data used for a component, along with the plant specific experience (e.g., number of failures and total running time in hours) for that component. The generic data used were those from the 1987 TMI-1 PRA.

Table 2 of this review compares the plant specific failure data for selected components from the IPE to values typically used in PRA and IPE studies, using the NUREG/CR-4550 data for comparison [NUREG/CR-4550, Methodology].

TMI-1 data are generally in agreement with the NUREG/CR-4550 data. The reported failure rates seem to be supported by the exhibited plant data and the generic priors used. Note that in case of air compressor failure to start and the TDEFW pump failure to run, the generic priors used were lower than the ones in NUREG/CR-4550. In case of the TDEFW pump one would expect the failure to run rate to increase by a factor of 5 if NUREG/CR-4550 data were used as the prior. This is not expected to have a major impact on the results.

Note that in Table 2, some failure rate data under the TMI-1 column are generic, i.e., there was insufficient plant specific experience (e.g., circuit breakers, air compressor failure to start).

Table 2 Comparison of Failure Data

Component                           TMI-1               4550

Normally op. MD Pump
    fail to start                   2.2E-3              3.0E-3
    fail to run                     6.1E-6              3.0E-5
Standby MD Pump
    fail to start                   8.9E-4              3.0E-3
    fail to run                     3.8E-5              3.0E-5
TDEFW Pump
    fail to start                   3.3E-2              3.0E-2
    fail to run                     7.9E-4              5.0E-3
TDMFW Pump
    fail to start                   1.9E-2              3.0E-2
    fail to run                     2.9E-5              5.0E-3
River Water Pump (stnby)
    fail to start                   2.4E-3              3.0E-3
    fail to run                     5.1E-5              3.0E-5
IAS Compressor
    fail to start                   3.3E-3              8.0E-2
    fail to run                     8.2E-5              2.0E-4
Battery Charger Failure             1.8E-5              1.0E-6
Battery Failure                     1.1E-5              1.0E-6
Circuit Breaker (>480 V)
    fail to remain closed           8.3E-7              1.0E-6
    fail to close                   1.6E-3              3.0E-3
    fail to open                    6.5E-4              3.0E-3
Circuit Breaker (<480 V)
    fail to remain closed           2.7E-7              1.0E-6
    fail to close                   2.3E-4              3.0E-3
AC Bus Fault during operation       5.0E-7              1.0E-7
Check Valve (River Water)
    fail to open                    1.4E-4 (2.0E-3)     1.0E-4
    fail to close                   1.4E-4 (2.0E-3)     1.0E-3
MOV
    fail to open/close              2.6E-3              3.0E-3
    fail to remain closed           9.3E-8              5.0E-7
    fail to remain open             9.3E-8              1.0E-7
Air Operated Valve
    fail to open/close              2.4E-3              2.0E-3
    spurious closure                2.2E-7              1.0E-7
    spurious open                   2.2E-7              5.0E-7
Solenoid Valve
    fail to operate                 2.4E-3              2.0E-3
Hydraulic valve
    fail to operate                 1.5E-3              2.0E-3
Pressurizer PORV
    fails to open                   3.9E-3              2.0E-3
    fails to reclose, steam         1.7E-2              2.0E-3
    fails to reclose, lqd           1.0E-1              2.0E-3
Ventilation fan
    fails to start                  2.4E-3              3.0E-4
    fails to run                    2.3E-5              1.0E-5
Emergency Diesel Generator
    fails to start                  9.5E-3              3.0E-2
    fails to run 1st hr             1.6E-2              2.0E-3
    fails to run after 1st hr       2.5E-3              2.0E-3

Notes: (1) 4550 are mean values taken from NUREG/CR-4550, i.e., from the NUREG-1150 study of five U.S. nuclear power plants.

(2) Demand failures are probabilities per demand. Failures to run or operate are frequencies expressed in number of failures per hour.

2.2.2.4 Use of Generic Data

As discussed in Section 2.2.2.3 above, generic data from the 1987 PRA were used.

2.2.2.5 Common-Cause Quantification

Redundant components were systematically examined to address potential common-cause failures. The approach used was the multiple Greek letter approach (MGL). The β and (if applicable) the γ factors are reported in the submittal, with discrimination based on failure modes (e.g., in general, different values of MGL parameters are given for failure to start as opposed to failure to run).

The methodology followed that described in PLG-0500 ("Data Base for Probabilistic Risk Assessment of Light Water Nuclear Power Plants"). The events in the data base were reviewed for applicability to TMI-1, and the applicable common cause factors calculated. The same common cause factors were used as in the 1987 PRA.

A number of categories of components were modeled in the common cause analysis, including: all kinds of pumps, most kinds of valves (including pressurizer safety valves, MOVs, stop check valves and relief valves), strainers, heat exchangers, ventilation 11ers, ventilation fans, dampers, relays, bistables, air compressors, emergency diesel generators, and circuit breakers. CCF of batteries is not considered, but miscalibration of chargers is part of the HEP analysis.

The common cause failures between all three EFW pumps were considered, even though they use different drives. In that case common cause failure to run for the pump portion only was calculated. Failure to start (FTS) is mostly associated with the driver, hence no common cause failures were considered for FTS for the three EFW pumps. Also, common cause failures of all three diesel generators were considered (RAI responses), even though the SBODG is of a slightly different design. However, the γ factor is not shown in the common cause table.

A comparison of effective β factors in the submittal vs. those suggested in NUREG/CR-4550 ("reference β factor") is presented in Table 3. NUREG/CR-4550 reports only failure to start β factors.

The "effective" β factor means the β factor, calculated from the MGL parameters, which would be used in a β factor method to arrive at the same conditional probability of common cause failure as that calculated from the MGL factors. In this way, comparison can be made between the two different methodologies, since NUREG/CR-4550 used the β factor method whereas the submittal used the MGL approach. For example, the "effective" β factor for failure of three components would be calculated by multiplying the β and the γ factors in the MGL method.

Table 3. Comparison of Common-Cause Failure Factors

Component                           Failure Mode    Submittal β factor    Reference β factor

Normally operating MD pumps,        FTS             0.056                 0.026
  2 pumps                           FTR             0.014
N.O. MD pumps, 3 pumps              FTS             0.014                 0.014
                                    FTR             0.007
Standby MD pump, 2 pumps            FTS             0.162                 0.15-0.21 (AFW: .056)
                                    FTR             0.034
Standby MD pump, 3 pumps            FTS             0.059                 0.10
                                    FTR             0.008
TD pump, CCF of 2 pumps             FTS             0.024                 NS
                                    FTR             0.032
N.O. RW pump, 2 pumps               FTS             0.056                 0.026
                                    FTR             0.014
N.O. RW pump, 3 pumps               FTS             0.014                 0.014
                                    FTR             0.007
S.B. RW pump, 2 pumps               FTS             0.056                 0.026
                                    FTR             0.014
MOV, CCF of 2 valves                FTC/FTO         0.081                 0.088
MOV, CCF of 3 valves                FTO/FTC         0.016                 0.054
Diesel Generator, CCF of 2 EDGs     FTS             0.049                 0.038
                                    FTR             0.041
Diesel Generator, CCF of 3 EDGs     FTS             NS                    0.018
                                    FTR             NS
Pressurizer Safety Valves           FTO             0.05                  0.07
                                    FTRC            0.05                  NS

The table shows general consistency between the TMI-1 CCF data and that recommended in NUREG/CR-4550.

2.2.2.6 Initiating Event Frequency Quantification

The initiating event frequencies were calculated by Bayesian updating of generic data with plant specific experience and by plant specific analyses. The plant specific analyses were used for the following initiators: loss of river water, loss of NSCCW, loss of NSRW, loss of instrument air, ISLOCA, loss of 4 kV buses 1D and 1E and the floods. For SGTR, loss of DC power and loss of offsite power, generic data bases were reviewed for applicability of events in order to arrive at the priors. The excessive feedwater IE frequency was determined from review of B&W operating experience to obtain the prior.

The initiating event frequencies used in the IPE are presented in Table 4. Note that the frequencies in the Table are per calendar year, i.e., would be further reduced when considering the capacity factor.

The initiating event frequencies generally seem reasonable and are comparable to other PRA studies. The question arises as to how Bayesian updating of rare events with weak plant experience leads to non-negligible reductions in initiating event frequencies. This is observed in LOCAs, SGTR, loss of DC bus and loss of offsite power. It seems that approximately a factor of 2 reduction in these initiators is effected by Bayesian updating with 0 events in 10 years. While the CDF importance across initiators is reasonably flat, this reduction in IE frequency, if unjustified, may lead to a 15-20% reduction in total CDF. In addition, the very small LOCA frequency is small compared to the NUREG/CR-4550 value of 1.3E-2/yr. The licensee states that the very small LOCAs include failures of the RCP seals, for which the frequency used is comparable to the corresponding part of the NUREG/CR-4550 very small LOCA frequency. The licensee states that evidence for inclusion of other parts (pipe breaks and 9- y-at boundary failures) is weak. In any case, it is not expected that there would be an overwhelming effect on the results from these considerations.
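The effect the reviewers question above can be reproduced numerically; the following is an added illustration, not code or data from the IPE submittal or from this review. It applies a Poisson likelihood for 0 events in 10 years to a lognormal prior; the prior mean of 0.1/yr and the error factors are constructed values, since the submittal's actual priors are not given here.

```python
import math

Z95 = 1.645  # standard normal 95th percentile


def lognormal_params(mean, error_factor):
    """Return (mu, sigma) of ln(rate) for a lognormal prior.

    error_factor is the usual PRA definition: 95th percentile / median.
    """
    sigma = math.log(error_factor) / Z95
    mu = math.log(mean) - 0.5 * sigma ** 2
    return mu, sigma


def posterior_mean_lognormal(prior_mean, error_factor, events, years, steps=4000):
    """Posterior mean rate for a lognormal prior and Poisson evidence.

    The prior is not conjugate, so the integrals are evaluated numerically
    on a uniform grid in x = ln(rate) spanning +/- 8 sigma.
    """
    mu, sigma = lognormal_params(prior_mean, error_factor)
    lo, hi = mu - 8.0 * sigma, mu + 8.0 * sigma
    dx = (hi - lo) / steps
    num = den = 0.0
    for i in range(steps + 1):
        x = lo + i * dx
        lam = math.exp(x)
        prior = math.exp(-0.5 * ((x - mu) / sigma) ** 2)      # unnormalized
        likelihood = lam ** events * math.exp(-lam * years)   # Poisson kernel
        weight = prior * likelihood
        num += lam * weight
        den += weight
    return num / den


def posterior_mean_gamma(alpha, beta, events, years):
    """Closed-form conjugate update, shown for comparison with the above."""
    return (alpha + events) / (beta + years)


def reduction_factor(prior_mean, error_factor, events=0, years=10.0):
    """Posterior mean divided by prior mean."""
    post = posterior_mean_lognormal(prior_mean, error_factor, events, years)
    return post / prior_mean


if __name__ == "__main__":
    PRIOR_MEAN = 0.1  # constructed value, per year
    for ef in (3, 5, 10, 15):
        r = reduction_factor(PRIOR_MEAN, ef)
        print(f"error factor {ef:>2}: posterior/prior mean = {r:.2f}")
    # Same prior mean expressed as a diffuse gamma prior (alpha=0.5, beta=5 yr)
    print("gamma(0.5, 5):", posterior_mean_gamma(0.5, 5.0, 0, 10.0))
```

With the mean held fixed, a broader prior places more of that mean in its upper tail, and zero events in 10 years removes most of that tail, so the reduction grows with the error factor.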

Table 4 Initiating Event Frequencies for TMI-1 IPE

Initiating Event                                    Frequency (/yr)

Large LOCA                                          1.4E-4
Medium LOCA                                         3.6E-4
Small LOCA                                          2.3E-3
Very small LOCA                                     3.6E-3
Steam and FW line break in Intermediate Bldg.       4.2E-3
Steam and FW line break in TB                       4.2E-3
Steam and FW line break in RB                       1.5E-3
SGTR                                                6.7E-3
Excessive feedwater                                 7.3E-2
Total loss of MFW                                   0.131
Reactor trip                                        0.927
Turbine trip                                        1.15
Loss of air system                                  3.9E-3
Loss of Nuclear Services River Water                6.3E-3
Loss of DC power train A                            1.9E-2
Loss of Offsite power                               5.7E-2
Loss of Nuclear Services CCW                        5.9E-3
Loss of River Water                                 1.2E-4
ISLOCA                                              1.8E-7
Loss of 4 kV bus 1D                                 1.2E-3
Loss of 4 kV bus 1E                                 1.2E-3
Flood in AB-FZ-1                                    1.0E-6
Flood in AB-FZ-5                                    1.0E-6
Flood in AB-FZ-4                                    3.0E-7
Flood in ISPH-FZ-1                                  1.0E-6
Flood in ISPH-FZ-2                                  1.0E-6
Flood in AB-FZ-7                                    1.0E-6
Flood in RB-FZ-1D                                   8.0E-6

2.2.3 Interface Issues

2.2.3.1 Front-End and Back-End Interfaces

The IPE assumes that containment heat removal is necessary for core heat removal in certain LOCA scenarios. Section 2.4 provides more information on level 2 considerations.

2.2.3.2 Human Factors Interfaces

Section 2.3 provides more information on HRA considerations.

2.2.4 Internal Flooding

2.2.4.1 Internal Flooding Methodology

The methodology used to perform the flooding analysis consisted of three major steps:

1) Identification of potential floods and areas affected (flood zones),

2) Identification and initial screening of flooding scenarios, and

3) Quantification of important flooding scenarios.

The development of flooding scenarios was supported by extensive plant walkdowns.

The flooding analysis was a screening type analysis, so no event tree quantification was employed. Propagation of flooding to other areas (including open doors, and through gaps in closed doors) and isolation of the floods were considered. Component failures considered, which could cause flooding, were pipe and valve ruptures. Spray effects were considered. Flooding and spray from the fire suppression systems were considered. Protection of electrical equipment against spray effects was included in the analysis, while some equipment was assumed resistant to spray without any protection.

As part of the analysis, steam environments were also considered.

Once the failure modes were identified, they were usually quantified very conservatively (e.g., guaranteed core damage). There may have been some rough quantification of fault trees for some scenarios. The results are expected to be conservative (based on the scenarios identified). Generic industry data regarding flooding events and pipe break frequencies were also reviewed and used.

2.2.4.2 Internal Flooding Results

The total CDF from flooding events is estimated to be 2.9E-6/yr. With the flooding scenarios below the 1.E-7/yr cutoff, the total flooding induced CDF rises to 3.0E-6/yr. This frequency is not included in the total internal events CDF of 4.2E-5/yr, because the flooding analysis was a very broad brush, screening type of analysis.

Seven scenarios were identified which survived the screening criteria:

1) AB-FZ-1 (heat exchanger vault in the auxiliary building). This scenario results from a pipe break in the NSRW system, assumed to lead directly to core damage. All makeup, nuclear service and nuclear river systems are assumed lost. The CDF of 1.E-6/yr includes the operator failure probability to isolate the flood of 0.01.

2) AB-FZ-5, pipe rupture in auxiliary steam in the aux. bldg., failing all switchgear 480V-ESV-1A, 1B and 1C due to the steam environment. The CDF of 1.0E-6/yr includes an operator error probability of 0.1 to isolate the source of steam. This, an 8" line with 6 psig steam pressure, is the only steam line in the auxiliary building and an operator is on watch 24 hours a day at elevation 305'.

3) AB-FZ-4, makeup letdown pipe break, results in a steam environment, failing all makeup, train B of NSRW, switchgear 480V-ESV-1A and 1B, PORV and RB spray system. Operator isolation error probability of 0.03 is assumed for this scenario (the leak rate is very small). This results in the CDF of 3.0E-7/yr.

4) ISPH-FZ-1, large break (common discharge header) in NSRW in the intake screen and pump house bldg, with the spray/flood affecting the DHRW components. The flood propagates through open doors to zones ISPH-FZ-2 & ISPH-FZ-3. The CDF of 1.0E-7/yr includes a value of 0.1 for the operator failure to align firewater to cool the HPI pumps.

5) ISPH-FZ-2, same scenario as above, except the pipe rupture is initiated in fire zone ISPH-FZ-3.

6) AB-FZ-7, spray/flood from a break in the intermediate closed cooling system, failing the ICCS and DHCCW. The CDF of 1.0E-7/yr includes an HEP of 0.1 assigned to mitigation failure.

7) RB-FZ-1D, main steam line break inside the secondary shield in the reactor building, with the steam and the pipe whip damaging the following systems: MFW to loop A, EFW (partially disabled), makeup system and RCP seal piping. A similar break on the B-loop is not as important due to availability of two makeup pumps on the A-Loop. The initiator frequency is 8.0E-6, resulting in a CDF of 2.9E-7/yr.

2.2.5 Core Damage Sequence Results

2.2.5.1 Dominant Core Damage Sequences

The results of the IPE analysis are in the form of systemic sequences, therefore NUREG-1335 screening criteria for reporting of such sequences are used. The point estimate for the core damage frequency from internal events is 4.2E-5/yr, with internal flooding contributing an additional 3.0E-6/yr. The 5th, 50th and 95th percentile of the internal events CDF is, respectively, 1.8E-5/yr, 3.1E-5/yr and 8.0E-5/yr. It should be noted that the distribution is unusually tight (small error factors) for a core damage frequency distribution. Accident types and their percent contribution to the CDF are listed in Table 5. The most important initiators are given in Table 6.

Ten dominant sequences and two containment bypass sequences were described in detail (four LOCAs, 6 transients, one ISLOCA, one SGTR). Each of these important sequences has a frequency greater than 1.E-7/yr.

The important sequences are summarized below in Table 7.

Note that in sequences with loss of NSRW, the operator recovery by firewater cooling is not credited (as opposed to sequences with loss of all River Water). This is due to the lack of procedures for this action in case of loss of NSRW. Since loss of NSRW is a significant initiator (14.4% of CDF or second largest) it may be worthwhile for the licensee to consider implementing this procedure for loss of NSRW, in addition to loss of all RW. The normally operating makeup/HPI pump does not have backup cooling via DHCCW/DHRW.

Table 5 Accident Types and Their Contribution to the CDF

| Initiating Event Group | Contribution to CDF (/yr) | % |
|---|---|---|
| Transients | 2.5E-5 | 59.9 |
| LOCAs | 1.8E-5 | 37. |
| Internal Flooding (not included in TOTAL) | (3.0E-6) | (7.1) |
| Interfacing System LOCA | 9.2E-7 | 2.2 |
| Steam Generator Tube Rupture | 1.7E-7 | 0.4 |
| TOTAL INTERNAL CDF | 4.2E-5 | 100.0 |

Table 6. Dominant Initiating Events and Their Contribution to the CDF

| Initiating Event | Contribution to CDF (/yr) | % |
|---|---|---|
| Small LOCA | 7.8E-6 | 18.8 |
| Loss of NSRW | 6.0E-6 | 14.4 |
| Loss of DC bus 1A | 3.3E-6 | 7.9 |
| Very small LOCA | 3.0E-6 | 7.1 |
| Large LOCA | 2.8E-6 | 6.7 |
| Loss of instrument air | 2.2E-6 | 5.3 |
| Medium LOCA | 2.1E-6 | 4.9 |
| Loss of offsite power | 1.8E-6 | 4.4 |
| Turbine trip | 1.8E-6 | 4.3 |
| Loss of River Water (intake screen plugging) | 1.5E-6 | 3.6 |
| Other | 9.5E-6 | 22.6 |

Table 7. Dominant Core Damage Sequences

| Initiating Event | Dominant Subsequent Failures in Sequence | % of CDF |
|---|---|---|
| Loss of NSRW | loss of HPI, due to hardware failure in trains A and C (train B failed by initiator), results in unmitigated RCP seal LOCA, recovery via firewater cooling of HPI pump B not proceduralized. | 5.0 |
| Large LOCA | recirculation failure (hardware, indep. failure of both recirc lines) | 4.8 |
| Small LOCA | failure of decay heat removal, due to failure of both trains of DHRW system | 2.8 |
| Loss of NSRW | loss of DHCCW, results in unmitigated RCP seal LOCA | 2.6 |
| Small LOCA | recirculation failure (hardware, indep fail of both recirc lines) | 2.2 |
| Loss of instrument air | failure of HPI, via independent failure of all 3 HPI trains, subsequent RCP seal LOCA (initiator fails ICCW which supplies thermal barrier cooling) | 1.8 |
| Very small LOCA | HPI failure, due to indep. failure of all 3 trains of HPI | 1.7 |
| Loss of all river water (intake) | failure to trip RCPs prior to seal LOCA, no mitigation possible, not enough time to recover by firewater cooling of HPI pumps. | 1.5 |
| Loss of offsite power | failure of all three diesel generators (station blackout), with failure to restore offsite power and failure to restore EDGs prior to battery depletion resulting in loss of control over the TDEFW pump | 1.4 |
| Loss of DC train A | failure of DHRW train B (independent hardware failure), thus (together with initiator) resulting in failure of both trains of DHR, MFW, while EFW MD pump 2A is failed by loss of DC 1A; the MDEFW pump 2B and the TDEFW pump 1A fail independently, thus failing all feedwater, thus increasing RCS pressure; PORV failed by initiator, safety valves on pressurizer lift and fail to reclose, creating an unmitigated medium LOCA | 1.3 |
| ISLOCA | failure of DHR dropline isolation valves, releases into auxiliary bldg first | 0.43 |
| SGTR | failure of HPI (hardware failure of all 3 trains), failure to isolate the bad steam generator and failure to depressurize to DHR entry conditions | 0.26 |

The SBO contribution is about 3% of the CDF. The RCP seal LOCA contribution is about 45% (not including the 7% contribution from the very small LOCA initiator). Reactor vessel rupture contributes about 1% of the CDF while ATWS sequences contribute less than 0.1%. System importances are calculated and they are presented in Table 8. The relative importance of systems seems reasonable for the design of the plant.

Table 8 Dominant System Fussell-Vesely Importance Measures

| System Description | Percent CDF |
|---|---|
| HPI Pump Trains | 40 |
| Decay Heat River Water | 32 |
| Reactor Building Sump Recirculation | 24 |
| DHCCW system | 20 |
| DC power | 17 |
| AC power | 15 |
| Decay Heat Removal system | 12 |
| Emergency feedwater | 12 |

2.3 Human Reliability Analysis Technical Review

2.3.1 Pre-Initiator Human Actions

Errors in the performance of pre-initiator human actions (such as failure to restore or properly align equipment after testing or maintenance, or miscalibration of system logic instrumentation), may cause components, trains, or entire systems to be unavailable on demand during an initiating event. The review of the human reliability analysis (HRA) portion of the IPE examines the licensee's HRA process to determine the extent to which pre-initiator human events were considered, how potential events were identified, the effectiveness of any quantitative and/or qualitative screening processes used, and the processes used to account for plant-specific performance shaping factors (PSFs), recovery factors, and dependencies among multiple actions.

2.3.1.1 Types of Pre-Initiator Human Actions Considered

The Three Mile Island 1 IPE considered both of the traditional types of pre-initiator human actions: failures to restore systems after test, maintenance, or surveillance activities and instrument miscalibrations.


2.3.1.2 Process for Identification and Selection of Pre-Initiator Human Actions

The IPE stated that the "systems analysis activity included the identification of system miscalibration or misalignment errors." It was also stated that "the identification of operator actions to be modeled is made on the basis of a review of the operating procedures, the systems analyses, and the development of the plant models." Descriptions of the systems analysis process noted that plant procedures (maintenance, testing, operational, abnormal) were reviewed and that the TMI-1 team member responsible for the update of the human action analysis task performed walkdowns of the operator actions modeled in the study. Instrumentation calibration/testing procedures were reviewed to determine the administrative controls that were in place to prevent or minimize the chances of human error. Numerous meetings and telephone conversations were held with both licensed and non-licensed operators to determine the appropriate human action assumptions. Finally, comparisons with other "industry data" were made to ensure that important pre-initiator human actions were included.

Identified pre-initiator actions were not modeled if the error would not "materially alter the system alignment in a way that degrades the ability of the system to perform its intended function." In addition, misalignment errors were "neglected... if the impact of the misalignment is the same as some other equipment failure mode clearly more frequent by an order of magnitude or more." The process used in the IPE for identifying and selecting pre-initiator human actions seemed thorough and reasonable. Relevant information sources were examined and factors which could influence the probability of human error in pre-initiator actions were considered.

2.3.1.3 Screening Process for Pre-Initiator Human Actions

With the exception of the qualitative screening implemented during the selection process (discussed above), it does not appear that a systematic screening process was used for pre-initiator events in the TMI-1 IPE. In Section 6.2.1 of the submittal it is stated that the basic error rates used were derived from NUREG/CR-1278. It is also stated that "since the general approach used to evaluate these actions was later refined and applied again to the final list of routine actions considered, details of the preliminary assessment are not provided here." In response to an NRC RAI regarding the "preliminary assessment" it was indicated that the generic HEPs from NUREG/CR-1278 were initially applied and that "some modifications dictated by circumstances specific to each system or event" were made later. However, the values originally used from NUREG/CR-1278 were nominal as opposed to screening values and the modifications appeared to reflect changes for dependencies and credit for verifications etc. Regardless, since all the actions originally modeled were apparently considered during the refinement, all pre-initiator actions were analyzed in detail and none were "screened."

2.3.1.4 Quantification of Pre-Initiator Human Actions

The IPE states that the basic error rates used to quantify the pre-initiator human actions were derived from the NRC Human Reliability Handbook [NUREG/CR-1278]. The discussion in the submittal indicates that an appropriate set of HEPs were adopted from Chapter 20 of the handbook. Both errors of commission and errors of omission were addressed. The existence of checkoff provisions in the procedures and the number of items in a procedure list were factors considered (per NUREG/CR-1278) in determining the HEPs. Potential dependencies between two or more pre-initiator operator actions were considered and the NUREG/CR-1278 dependency approach was applied to obtain the relevant HEPs for situations identified as having dependencies. In addition, potential miscalibration common cause failures were considered. Details regarding the basis for assuming the presence, absence, or degree of dependency or common cause effects were discussed briefly in Appendix E.

An examination of the pre-initiator human actions modeled and their HEPs failed to detect any obvious inappropriate treatment of dependencies or common cause effects. The HEPs assigned to the modeled pre-initiator human actions appeared to be reasonable.

Finally, the quantification of the pre-initiator events apparently involved the use of time-dependent unavailability equations (as suggested in NUREG/CR-1278) to take credit for recovering a component over time. For misalignment and miscalibration related events, the frequency of being in each "misalignment" was "determined by researching the operation, maintenance, and test procedures for operator interaction with the system." Plant data were reviewed for incidents of misalignment (the results were well documented in the submittal) and "the duration of being in each misalignment was determined by analyzing the checks, tests, and operator interactions that would detect the misalignment and the intervals between them." Thus, the fraction of time that the system would be expected to be misaligned was considered in determining its unavailability.

2.3.2 Post-Initiator Human Actions

Post-initiator human actions are those required in response to initiating events or related system failures. Although different labels are often applied, there are two important types of post-initiator human actions that are usually addressed in PRAs: response actions and recovery actions. Response actions are generally distinguished from recovery actions in that response actions are usually explicitly directed by emergency operating procedures (EOPs). Alternatively, recovery actions are usually performed in order to recover a specific system in time to prevent undesired consequences. Recovery actions may entail going beyond EOP directives and using systems in relatively unusual ways. Credit for recovery actions is normally not taken unless at least some procedural guidance is available.

The review of the human reliability analysis (HRA) portion of the IPE determines the types of post-initiator human actions considered by the licensee and evaluates the processes used to identify and select, screen, and quantify the post-initiator actions. The licensee's treatment of operator action timing, dependencies among human actions, consideration of accident context, and consideration of plant-specific PSFs is also examined.


2.3.2.1 Types of Post-Initiator Human Actions Considered

The Three Mile Island 1 IPE addressed both response and recovery type post-initiator human actions. The submittal's definition of response type human actions (referred to as dynamic actions) was, in general, consistent with that described above. The submittal states that dynamic human actions are those the operator performs to supplement automatic responses of plant systems for event mitigation, actions that he may take that change or detract from the automatic response of plant systems, and specific actions to restore previously failed systems by realigning the system to bypass the failed equipment, e.g., isolate a leaking heat exchanger. The actions of interest are generally "those involving key steps in the anticipated transient procedures or procedurally directed recoveries involving the use of back-up systems or cross-ties." Recovery actions were exclusively defined as actions required to restore previously failed systems. The relevance of procedures to taking credit for recovery of failed systems was (apparently) not discussed in detail in the submittal, but procedural guidance, training, and experience were considered in evaluating recovery actions. In the TMI-1 IPE, the time available for restoration was the most determining factor in deciding whether or not a system could potentially be recovered. When the potential for restoring a system was identified, detailed analyses were conducted to determine the likelihood of recovery. The treatment of recovery actions is discussed in more detail below in section 2.3.2.4.4.

The submittal states that human actions were evaluated for both frontline and support system top events. For some top events, no human actions were evaluated, for others, multiple actions could be considered.


2.3.2.2 Process for Identification and Selection of Post-Initiator Human Actions

The submittal states that "the identification of operator actions to be modeled is made on the basis of a review of the operating procedures, the systems analyses, and the development of the plant models." Event sequence diagrams (ESDs) were drawn which defined the possible sequences involving operator actions and allowed "one to focus on the types of plant information required and the factors that affect operators in their performance." System and human interaction information was also developed by review of plant-specific simulator training and operating experience and this information was compared with the sequences identified in the ESDs. Operator-plant status confusion matrices were also developed to help identify possible operator mistakes. The confusion matrix documents "judgments about whether the operators could misdiagnose one event as another and the effect of misdiagnosis on the operators subsequent actions experience." The above approach was apparently primarily used to identify the dynamic human actions. The submittal indicates that identification of recovery actions was accomplished by reviewing the highest frequency core damage sequences for additional success paths not considered in the baseline event tree models. Thus, identification of recovery actions occurred after initial accident sequence quantification.

The submittal also states that the human action analysis task included performance of walkdowns of the operator actions to be modeled, which would lend further justification for whether or not certain actions should be modeled. It appears that a systematic and thorough approach was used in the TMI-1 IPE for identifying the human actions to be modeled.

2.3.2.3 Screening Process for Post-Initiator Response Actions

During the initial accident sequence quantification "rounds," the dynamic human actions were "judgmentally assigned preliminary mean failure rates" by a five member team. The team had a diverse background, but [...] some "hands-on operational experience." The submittal states that the team's judgments were "based on experience in the development of human action error rates for previous studies and by comparisons with assessments made by others," e.g., the Oconee PRA. While the goal of this initial analysis was to identify the most important human actions for detailed documentation, the submittal indicates that important new human actions were identified in this process and that the complete list of human actions was later reevaluated using the methods presented in the submittal and described below. Thus, it would appear that the screening analysis was used more as an investigative or discovery tool and that all modeled human actions were eventually analyzed in detail with systematic application of existing HRA techniques. A list of the initial human actions modeled and their "screening" HEPs were not presented, but this is not important as long as all actions were eventually modeled in detail.


2.3.2.4 Quantification of Post-Initiator Human Actions

The TMI-1 submittal reported that several different sources of human performance information were used in the analysis of dynamic human actions. They included expert opinion, summaries of human error estimates from previous PRA studies (the Oconee PRA was cited), the NRC handbook [NUREG/CR-1278], the human cognitive reliability (HCR) model for control room crew nonresponse probability (as presented in EPRI NP-3838), and in one case "a Bayesian treatment of one scenario (operators fail to stabilize high pressure injection) using historical evidence." A generalized operator action event tree, adopted from the Operator Action Trees (OATS) methodology, was used to represent operator behavior in accident scenarios and the different quantification techniques were used to quantify potential outcomes. The trees model the diagnosis and action phases of an operator response and provide opportunity for rediagnosis/redirection prior to an unsuccessful end state. The likelihood of an incorrect diagnosis, a failure to diagnose, and a "nonviable" action given a correct diagnosis are all considered (at least in principle) as potential failure modes leading to unsuccessful end states. A nonviable action is essentially an incorrect action in the context of a correct diagnosis. Once the probabilities of arriving at particular end states for an operator action is determined, end states with "appreciable frequency" are mapped back into the plant model event trees to complete the overall plant sequence frequency. As described, the HRA quantification approach adopted for the TMI-1 IPE was relatively thorough and more detailed than has been found for many of the other IPEs examined.

In the implementation of the approach, the probabilities of nonviable actions (including slips) were assumed to be small enough to be adequately represented in the values for nonresponse and incorrect diagnosis. The probability of not responding (failure to diagnose) under time dependent conditions was quantified using the HCR time-reliability correlation (TRC). As applied in the submittal, this approach considers the allowable response time and the median or best estimate of actual response time to determine the likelihood of failure. As allowable time increases relative to the estimate of actual response time, failure probability goes down. In addition, the type of cognitive processing (skill, rule, or knowledge based) and the impact of several other performance shaping factors (PSFs) are considered in determining the HEP for a particular operator action (see section 2.3.2.4.2 for more detail).


The probability of failing to diagnose under time independent conditions was apparently based on expert judgment. The analysts were concerned that extrapolating the HCR model to conditions where substantial time was available could be overly optimistic and thought that a lower limit on long time-frame human actions was necessary. Five classes of dynamic actions were identified and the associated HEPs were assigned with an "attempt to be consistent with judgments made by analysts in other PRA studies". An event would be assigned an HEP on the basis of which class it most appropriately fit. The classes identified and the assigned HEPs (ranging from 1.0E-2 to 1.0E-3) were presented in the IPE and they appeared to be reasonable. In addition, for the time independent events, credit was given for rediagnosis (recovery of failed diagnosis) after the arrival of additional staff (e.g., emergency response team) and/or for the occurrence of new plant status indications. Negative influence factors were added for poor plant interfaces with the operating crew. In determining the final HEP for the time independent events, the HEP given by the time-dependent HCR model would be added to the HEP obtained using the expert judgment approach. While the approach described apparently did not have the benefits of a peer review, the selected values were reasonable and the analysts' point regarding the need to set a lower limit was well taken. A more detailed discussion for the basis of the selected values would have strengthened the HRA section.
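The following added example (not part of the report, the submittal, or the licensee's calculation) sketches the HCR time-reliability correlation described above and shows why a time-independent lower limit matters once substantial time is available. The Weibull coefficients are the generic values commonly quoted for the HCR model and are assumptions here, not the TMI-1 values from Tables 6.2-6 and 6.2-7 of the submittal; the PSF coefficients, timings and function names are constructed for illustration.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class HcrCoefficients:
    """Weibull parameters of the HCR time-reliability correlation."""
    c_gamma: float  # normalized delay: no crew response is credited before this
    c_eta: float    # scale parameter
    beta: float     # shape parameter


# ASSUMPTION: generic coefficients commonly quoted for the HCR model.
# They are NOT the plant-specific values selected in the TMI-1 submittal.
GENERIC_COEFFS = {
    "skill": HcrCoefficients(c_gamma=0.7, c_eta=0.407, beta=1.2),
    "rule": HcrCoefficients(c_gamma=0.6, c_eta=0.601, beta=0.9),
    "knowledge": HcrCoefficients(c_gamma=0.5, c_eta=0.791, beta=0.8),
}


def adjusted_median_time(nominal_median_s, psf_k=()):
    """Scale the nominal median response time by the PSF factors (1 + K_i).

    A positive K (stress, poor operator/plant interface) lengthens the median
    response time; a negative K (experienced crew) shortens it.
    """
    if nominal_median_s <= 0:
        raise ValueError("median response time must be positive")
    median = nominal_median_s
    for k in psf_k:
        if k <= -1:
            raise ValueError("PSF coefficient must be greater than -1")
        median *= 1.0 + k
    return median


def hcr_nonresponse(t_available_s, t_median_s, coeffs):
    """Probability that the crew has not responded within t_available_s."""
    if t_available_s < 0 or t_median_s <= 0:
        raise ValueError("times must be non-negative (median strictly positive)")
    x = t_available_s / t_median_s          # normalized time
    if x <= coeffs.c_gamma:                 # inside the delay: certain nonresponse
        return 1.0
    return math.exp(-(((x - coeffs.c_gamma) / coeffs.c_eta) ** coeffs.beta))


def final_hep(t_available_s, nominal_median_s, processing,
              psf_k=(), time_independent_hep=0.0):
    """HCR (time-dependent) value plus the expert-judgment (time-independent) HEP."""
    if not 0.0 <= time_independent_hep <= 1.0:
        raise ValueError("time-independent HEP must be a probability")
    median = adjusted_median_time(nominal_median_s, psf_k)
    p_td = hcr_nonresponse(t_available_s, median, GENERIC_COEFFS[processing])
    return min(1.0, p_td + time_independent_hep)


def demo():
    """Constructed cases: a rule-based action with a 60 s nominal median time."""
    return {
        # 5 minutes available, nominal conditions, no lower limit applied
        "short_nominal": final_hep(300, 60, "rule"),
        # same action with two adverse PSFs (constructed K values)
        "short_adverse_psf": final_hep(300, 60, "rule", psf_k=(0.28, 0.44)),
        # 1 hour available: the HCR term alone becomes vanishingly small
        "long_hcr_only": final_hep(3600, 60, "rule"),
        # 1 hour available with a 1.0E-3 time-independent lower limit added
        "long_with_floor": final_hep(3600, 60, "rule",
                                     time_independent_hep=1.0e-3),
    }


if __name__ == "__main__":
    for label, hep in demo().items():
        print(f"{label:18s} {hep:.3e}")
```

With an hour available, the correlation alone returns a probability many orders of magnitude below any credible human error rate, which is the extrapolation concern the analysts addressed by adding the time-independent HEP.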

The potential for misdiagnosis was quantified with values from tables in the handbook [NUREG/CR-1278]. The TMI-1 IPE is unique in the effort spent to account for potential misdiagnosis errors. Confusion matrices (Potash et al., 1981) were developed to help identify potential errors in misdiagnosis which might create additional plant problems or prevent operators from responding correctly. Depending on analysts' judgments regarding the potential for confusion (high, medium, or low), HEPs ranging from 2.6E-2 to 3.6E-3 would be assigned, thereby increasing the probability of failing a particular event. On page 6.2-19 of the submittal, it is indicated that all initial misdiagnoses were assumed to eventually be correctly rediagnosed. Thus, a misdiagnosis might affect the success likelihood of a particular action or actions, but not in itself lead to core damage. The likelihood of a misdiagnosis was quantified and analyst judgment was used to determine which of the top events would be adversely affected by the misdiagnosis. The failure probability of a potentially affected top event was adjusted by creating another failure mode for that event with an HEP of either 0, 0.001, 0.01, or 0.05, depending on the estimated potential for the initial misdiagnosis, i.e., negligible, low, medium, or high. The HEP values assigned were apparently based on expert judgment and were "in the same range as those chosen in the Oconee PRA for similar events." However, if a misdiagnosis event was judged to affect multiple top events, a new top event could be added to the appropriate event tree to account for the new dependency. "In this way, a misdiagnosis leading to an entirely different sequence may be quantified." In Appendix E of the submittal, a brief summary of the errors of misdiagnosis is presented. Apparently, only a few potential misdiagnoses were assumed to have a significant adverse impact, and they were assumed to have only very small impacts. A tube rupture mistaken for a small LOCA was one.

One potential shortcoming of the overall quantification approach used in the TMI-1 IPE is that in spite of the fact that the action execution phase is represented in the generalized operator action tree, there was no evidence that this phase of the action was actually quantified for the different operator actions modeled. While this is an explicit characteristic of the HCR model that has been defended on the grounds that the execution phase is addressed through the use of estimates of median response time, it was not made clear that the time independent approach had appropriately considered the response phase. Nevertheless, given the level of analysis conducted for this IPE and the apparent reasonableness of the assigned HEPs, at worst this would only be considered a minor weakness of the IPE.

2.3.2.4.1 Estimates and Consideration of Operator Response Time

In spite of the reliance of the HCR model on reliable estimates of allowable time and response time, detailed discussion of the derivation of the timing for the various events was not provided in the submittal. In response to an NRC RAI regarding the determination of event timing, a table was provided which presented (as requested) the time required to accomplish an action (recognize, diagnose, and perform), the time available for the action to be completed in order to prevent an unwanted change in plant status (available time), and the basis for the time estimates. Engineering judgment was always cited as the basis for the time estimates, but in most cases the "engineering judgments" were verified by either "PCTRAN" computer runs, calculational estimates, walkdown observations, industry data, operating experience, or some combination of the listed options. A review of the estimates for time required suggested that in a few cases the estimates might be considered optimistic and in some cases the time available was short enough that an overly optimistic estimate could have had an impact on the derived HEP. However, in most cases the time estimates were supported by calculations or computer runs and the obtained HEPs did not appear to be unreasonable. It should be noted, however, that there appears to be an inconsistency between the descriptions of the different times in the response to the NRC and those in Appendix E of the submittal. The times listed are identical in the submittal and the RAI, but the time referred to as the "time required" in the RAI is described as being the "median estimate of the time to diagnose" in Appendix E. The times are most likely estimates of the median response times, because that is what is needed for the HCR model and the estimates are consistent with this assumption.

2.3.2.4.2 Other Performance Shaping Factors Considered

In addition to the type of cognitive processing (skill, rule, or knowledge based) and the time requirements for a particular post-initiator action, the impact of several other performance shaping factors (PSFs) were considered in applying the HCR model. They included operator experience, stress level, and the quality of the operator/plant interface. Extensive questionnaires were filled out describing each event and ratings for all of the relevant PSFs were obtained. Coefficients were selected for the HCR TRC on the basis of the ratings and the associated HEPs were calculated. The coefficients were presented in Tables 6.2-6 and 6.2-7 of the submittal.

As noted above, several PSFs were also considered in determining time independent HEPs (see table 6.2-10 of the submittal). Credit was given for rediagnosis (recovery of failed diagnosis) after the arrival of additional staff. If skill or rule based processes were involved, credit for the arrival of the STA was given. For knowledge based processes, credit was taken for the arrival of an offsite emergency response team. The occurrence of new plant status indications over time was also credited. Negative influence factors were added for poor plant interfaces with the operating crew.

2.3.2.4.3 Consideration of Dependencies

As discussed above, dependencies related to the impact of time on the crew's ability to complete important actions and to recover failures were addressed in the IPE.

Another type of dependence concerns the extent to which the failure probabilities of multiple human actions within a sequence are related. There are clearly cases where the context of the accident and the pattern of successes and failure can influence the probability of human error. Thus, in many cases it would clearly be inappropriate to assume that multiple human actions in a sequence or cut set would be independent. Furthermore, context effects should be examined even for single actions in a sequence or cut set. While the same basic action can be asked in a number of different sequences, different contexts can obviously lead to different likelihoods of success.

Dependencies among multiple human actions were addressed in the IPE. The submittal indicates that each of the human actions in the system models were reviewed in the context of the accident scenarios to which they would contribute, in order to determine if any of those actions were dependent. Analyst judgment (apparently with guidance from the handbook [NUREG/CR-1278]) was used to assess the degree of dependence and the associated equations from the handbook were used to calculate the HEPs. Detailed discussions of the basis for assuming dependence or independence of events in various scenarios are provided in Appendix E of the submittal. Multiple HEPs were calculated for several events as a function of scenario context. The assessment of potential misdiagnosis and the construction of confusion matrices facilitated the consideration of dependencies.


2.3.2.4.4 Quantification of Recovery Type Actions

As noted above, when the potential for restoring a system was identified, detailed analyses were conducted to determine the likelihood of recovery. The recovery analysis was accomplished by creating "recovery modules" that could include hardware failures, dynamic human actions, and recovery actions. The modules apparently modeled multiple ways in which systems could fail and the associated recoveries. The recovery actions to restore or repair systems were quantified "by reviewing historical data from a variety of plants". One example is provided in Appendix E of the submittal to illustrate the process. The recovery of DHR cooling included the use of five dynamic human actions which was used in conjunction with two recovery actions to account for recovery of all the many ways in which the DHR pumps can fail. The dynamic human actions appeared to address the diagnosis processes (e.g., HRE11 which models the decision to attempt to repair the DHR or DHCCW pumps) with the recovery actions addressing the actual repair or restoration (e.g., HRE13A which is to repair a pump train within six hours). If the example provided in Appendix E is representative, the overall analysis of recovery was thorough. While the actual derivation of the HEPs for the repair actions was (apparently) not well documented in the submittal, the HEP values for these actions did not appear unreasonable. For example, the HEP for HRE13A (repair DHR pump train within six hours) was 0.4. The mean HEP for failing to decide to repair the pumps (HRE11) was 1.27E-3. One limitation of the discussion of recovery actions was the extent to which procedures played a role in diagnosis. A review of the documentation of the quantification of these actions in Appendix E indicated that "full support" would be available to help with the diagnosis.

2.3.2.4.5 Human Actions in the Flooding Analysis

Human action modeling for the flooding analysis was not discussed in the HRA sections of the submittal. A review of the section on flooding in the submittal (section 10) found minimal discussion of operator actions related to flooding scenarios. Apparently, operator actions to isolate the flood sources were modeled, with the HEPs based on judgment. For example, operator action to isolate a pipe break in the nuclear river system was assigned an HEP of 0.02. In another case the value was 0.03. While the basis for these values was not provided, they are not inconsistent with the values used for similar actions in other IPEs.

2.3.2.4.6 Human Actions in the Level 2 Analysis

Four human actions are discussed in the TMI-1 CET basic events descriptions. These human actions were identified and selected based on the Oconee Nuclear Station Unit 3 PRA. In response to an NRC RAI, it was stated that the description and quantification of these human actions were modified to reflect TMI-1 specific design, emergency procedures, and plant damage states. The response to the RAI also states that the method used to assign the probabilities is explained in Section B.5.1 and Table B-5-1 of the TMI-1 IPE Level 2. Section B.5.1 from the Summary Report volume of the submittal states that the probabilities used in the level 2 analysis were "based on information gathered from containment % codes such as MAAP, hand calculations, previous studies, and other literature." No specific information regarding the derivation of the HEPs is provided.

All four of the human actions modeled in the level 2 analysis were assigned an HEP of 0.01. The four actions were:

  • Operators open the PORV prior to SGT failure.
  • Operators start the RCPs
  • Operators manually open pressurizer

2.3.2.5 Important Human Actions

The top six human actions in terms of their contribution to CDF were listed in Table 3.2-3 of the submittal. These were the only human actions with a greater than 1% contribution to CDF. The six operator actions are briefly described below in Table 9, along with their percentage contribution to CDF and their HEP values.

Table 9 Important Operator Actions

| Event Description (percent contribution to CDF) | Human Error Probability (HEP) |
|---|---|
| Failure to switch over to reactor building sump recirculation following a large LOCA. The timing involved is limited (from BWST level of 6'4" to pump cavitation and assumed damage) and tends to drive this contribution to CDF. (5.3%) | 1.5E-2 |
| Failure to refill the BWST given a steam generator tube rupture or very small LOCA. This was the only recovery action with a contribution to CDF greater than 1%. (3.7%) | 1.2E-1 |
| Failure to throttle HPI flow after engineered safeguards actuation. Events causing low RCS pressure, such as steamline break or excessive cooling event due to overfeed, would require throttle of HPI flow before PORV or pressurizer safeties are challenged. These valves could open and fail to reseat, as they may be required to pass water instead of steam, which would negatively affect their ability to reclose. (3.5%) | 3.86E-2 |
| Failure to hold open or reopen RCP seal injection valve MU-V 20 when a loss of instrument air initiating event occurs. A loss of RCP seal injection cooling occurs, which is assumed to result in an RCP seal LOCA if accompanied by loss of RCP seal thermal barrier cooling. (2.6%) | 7.27E-2 |
| Failure to trip RCPs before seal damage after a loss of NSCCW. NSCCW provides RCP cooling and loss of this cooling supply does not cause an automatic RCP trip; if the RCPs are not manually tripped during the first several minutes after NSCCW loss, an RCP seal LOCA is assumed to result. (2.3%) | 5.59E-3 |
| Failure to take actions to prevent boron concentration when in recirculation following a LOCA. A failure to open the DHR dropline valves can lead to boron precipitation buildup. (1.1%) | 8.87E-4 |

2.4 Back End Technical Review

2.4.1 Containment Analysis / Characterization

2.4.1.1 Front-end Back-end Dependencies

In the TMI-1 IPE the interface between the front-end and back-end analyses consists of a set of plant damage states (PDS). The development of the PDS is provided in Section A of the Submittal's level 2 assessment. The PDS are defined in terms of three characteristics: the core melt bin, the containment safeguard state, and the containment isolation state.

The first characteristic, the core melt bin, describes the status of the reactor coolant system and its associated systems at the onset of core damage. The pertinent considerations involve the reactor coolant system (RCS) leakage rate, the loss of primary system makeup capability, and the condition of the secondary side heat removal.

Sequences fall into one of six categories according to RCS leakage:

1) small LOCA
2) medium LOCA
3) large LOCA
4) cycling relief valve
5) steam generator tube rupture (SGTR), and
6) interfacing systems LOCA.

Grouping of sequences according to loss of primary system makeup capability is done on the basis of three categories:

1) injection failure
2) recirculation switchover failure, and
3) recirculation run failure.

Finally, there are two categories for secondary side heat removal (SSHR) status:

1) SSHR is available, and
2) SSHR is unavailable.

As a result of these categories 19 core melt bins are established and listed in Table A.3-1 of the submittal.

The second characteristic, the containment safeguard state, describes, at the onset of core damage, the status of systems that provide a containment protective function. These are the containment sprays and the containment air cooling units (CACU). For any core damage sequence the CACUs are either available or unavailable while the containment sprays can be available in injection and recirculation, or only in injection, or completely unavailable.

For the third PDS characteristic the containment isolation state can be one of three:

1) Isolated
2) Small isolation failure - hole size less than or equal to six inches (this hole size is taken to preclude late but not early overpressurization of the containment), or
3) Large isolation failure - hole size greater than six inches (such a hole would preclude both early and late overpressurization of the containment).

The IPE uses a two letter designation for the PDS: where the first letter designates the core melt bin (one of 19 possible) and the second letter designates the containment safeguards and isolation state (one of 18 possible). This scheme produces 342 possible PDSs. Of these 37 are propagated through the level 2 analysis.

The RCS pressure of the PDS is determined by the leakage rate included in the core melt bin grouping. For PDSs associated with a small LOCA or cycling relief valve leak rate the primary system pressure will remain high, i.e., "in the 1000 psia range." In these PDSs vessel failure may lead to high pressure melt ejection (HPME) and the associated phenomena. Included here are sequences with breaks between 0.007 ft2 to 0.1 ft2, stuck open PORVs, seal LOCAs, and SGTR where the secondary system is intact. This leakage is taken as small enough so that SSHR is effective in delaying core melt.

The medium LOCA leakage rate is such that the primary pressure is taken to be in the 300 to 400 psia range and thus the risk of HPME is significantly reduced. Included here are sequences with breaks between 0.1 and 0.5 ft2 and with stuck open SRVs.

The large LOCA leakage rate, for breaks greater than 0.5 ft2, is large enough so that the primary system pressure is less than 200 psia and there is little risk for HPME.

In addition the SGTR leakage category represents those tube ruptures where there is also a failure of the secondary system and a bypass condition exists with little possibility of any retention. If the steam generators remain intact the analysis assumes that retention is sufficient to group these sequences with the appropriate intact containment core melt bins. Interfacing system LOCA (ISLOCA) sequences are also bypass sequences but the analysis may still credit some retention in the buildings outside containment.

It should be noted that the PDS definition does not explicitly contain the status of electrical power, i.e. whether it is available or not. Simplifying assumptions are made to infer the availability of power from the PDS definition by linking it to the availability of the spray pumps, for instance, which is part of the PDS definition.

On the whole, the PDSs defined in the TMI-1 IPE submittal seem reasonable and provide a proper accounting of the front-end and back-end dependencies as well as adequate information for back-end accident progression analysis.

2.4.1.2 Containment Event Tree Development

The approach used in the TMI-1 IPE for the development of a containment event tree is the same as that of the Oconee analysis: a small event tree, supported by large decision trees, is used.

The only questions included as top events in the containment event tree (CET) are those that have an effect on the release timing, energy, location, or fission product fractions. Each CET end state represents a separate release category. Some of the CET top events are developed further with decision trees using success logic. These decision trees contain the detail that is needed for the IPE analyst to quantify the CET event.

The TMI-1 CET consists of 11 top events of which 7 are developed further using decision trees. The 11 top events, summarized in Table B.2-1 of the submittal are:

A: Containment Bypass Is Prevented
B: Containment Is Isolated
C: Isolation Failure Size Is Small
D: Release Is Through Auxiliary Building
E: Early Containment Failure Is Prevented
F: Late Containment Failure Is Prevented
G: Containment Failure Is Benign
H: Ex-Vessel Release of Fission Products Is Prevented
I: Containment Failure From Basemat Melt-Through Is Prevented
J: Revaporization Release Is Prevented
K: Fission Product Scrubbing Is Effective

Top events A, E, F, H, I, J, and K are developed by decision trees.

A brief description of the top events is presented below.

Containment bypass is prevented.

This event considers bypassing of the containment by an interfacing systems LOCA or a steam generator tube rupture (SGTR). Induced SGTRs due to creep rupture of the steam generator tubes are also included. This basic event is further developed with a Decision Tree.

Containment is isolated.

Success for this event means that the containment is isolated such that (1) a leakage rate sufficient to cause a substantial increase in radionuclide release to the environment does not occur, and (2) containment pressure response is not significantly affected. Containment isolation is determined directly from the PDS.

Isolation failure size is small.

Success for this event means that the isolation failure is less than 6 inches in diameter, so that there is some time available where natural removal mechanisms inside the containment can occur. The size of the isolation failure is determined from the PDS.

Releases through Auxiliary Building.

This top event applies only if the containment is not isolated or is bypassed. Success means that the fission product release will pass through the auxiliary building.

Early containment failure is prevented.

Success for this event means that the containment remains intact long after reactor vessel failure. Early containment failure is defined as occurring within 5 hours of reactor vessel failure. A number of phenomena are considered as early containment failure mechanisms:

1) direct containment heating (DCH),
2) rapid steam generation (RSG),
3) hydrogen burn prior to reactor vessel failure,
4) hydrogen burn at reactor vessel failure,
5) combustible gas burn early after reactor vessel failure,
6) direct contact of corium with the containment wall, and
7) reactor shield plug missile.

The early containment failure decision tree describes each of these events in terms of what are called "basic events" and combines them logically to develop a probability of early containment failure. Missile generation mechanisms which are considered in mechanism (7) above include alpha-mode failure, reactor vessel becoming a rocket, and pressure generated missiles.

Late containment failure is prevented.

Success for this event means that the containment remains intact throughout the entire core-melt sequence. Any releases are due to normal containment leakage or basemat melt-through. This event is developed using a decision tree. The decision tree considers the following phenomena as potential causes of late containment failure:

1) late steam overpressurization,
2) late combustible gas burn, and
3) late non-condensible gas overpressurization.

Containment failure is benign.

A benign failure is described as a series of small cracks that develop in the containment structure such that further pressurization does not occur.

Ex-Vessel release of fission products is prevented.

This event determines whether a coolable debris bed is established outside the reactor vessel. The event is further developed using a decision tree.

Containment failure from basemat melt-through is prevented.

In order to fail the containment through the basemat more than 6 feet of concrete must be eroded. A decision tree is used to determine if a coolable debris bed is established so that basemat melt-through is prevented.

Revaporization release is prevented.

This event determines whether large amounts of volatile fission products are revaporized and available for release when the containment overpressurizes. Revaporization is only considered for late catastrophic containment failures. It is not considered for benign failures of the containment since such benign failures would result in a slow depressurization with containment pressure remaining high.

Fission product scrubbing is effective.

This event determines whether fission product removal mechanisms are available to reduce the release to the environment. The mechanisms considered are containment sprays, plateout in the auxiliary building, and scrubbing via the steam generator.

There are a total of 102 basic events considered in the seven decision trees and these basic events are quantified separately for each of the 37 PDSs for which a Level 2 analysis is carried out. The decision trees are linked so that basic events and their quantification in any one tree are taken into consideration in the quantification and logic of each of the other trees.

2.4.1.3 Containment Failure Modes and Timing

The analysis of the TMI-1 containment capability is based on the Oconee analysis and on the similarity of these two containments. Appendix 1 of the submittal compares TMI-1's containment structure with Oconee's containment structure and evaluates the ultimate capacity of the TMI-1 containment relative to Oconee's. While TMI-1's containment structure is of similar design as Oconee's, the dimensions of the containment as well as the arrangement and size of the post tensioning tendons are different in the two containments. The comparison indicated that the pressure capacity of the TMI-1 containment is between 137 and 147 psig. Apparently, the mean containment strength is assumed to be the same as Oconee's at 144 psig. Oconee containment capacity curves are used directly in the TMI-1 analysis to evaluate containment failure probability. Since the TMI-1 containment has a larger diameter than Oconee, the larger area of the post-tensioning tendons in TMI-1 is crucial for validating the conclusion that the TMI-1 pressure capability is the same as Oconee's. While the submittal is somewhat ambiguous on the adequacy of the number of strands used in the post-tensioning tendons in TMI-1, a response to an RAI confirmed that the appropriate number of strands existed in each tendon to bring the TMI-1 capacity up to the level claimed in the analysis.

Another difference between the Oconee and TMI-1 containment is the concrete composition. The TMI-1 containment is constructed with limestone concrete. It has an increased potential for producing non-condensible and combustible gases should molten core materials interact with the concrete. Thus late over-pressurization is more likely to occur at TMI-1 prior to basemat melt-through. However, the TMI-1 submittal notes that a number of TMI-1 specific MAAP runs were performed to verify the applicability of the release category definitions from Oconee to TMI-1. The submittal claims that based on these MAAP runs, the difference in concrete composition does not produce significant differences in release fractions. According to the submittal the MAAP runs clearly show reasonable agreement between the release category definitions and the dominant TMI-1 sequences contributing to the release categories.

2.4.1.4 Containment Isolation Failure

As noted above, the containment isolation state is determined from the level 1 analysis and used as part of the PDS definition. The distinction is made between small and large isolation failures. A small failure is defined as one with an area equal or less than that of a six inch diameter hole. The analysis assumes that small isolation failures preclude late overpressurization of the containment, but still allow for early overpressure failures. Large isolation failures, i.e. those with an area greater than a six inch diameter hole, preclude both early and late overpressure failures of the containment. Section 15 of Appendix F in Volume 6 of the submittal contains the analysis of the Reactor Building isolation system. The analysis outlined in this section is quite detailed and seems to satisfy the criteria for isolation analyses stated in Appendix 1 of GL 88-20. Unlike other systems of the IPE analysis, which are modeled based on a 24 hour time requirement, the isolation model uses a one week mission time following the initiating event.

The TMI-1 isolation system model considers the various pathways which could significantly contribute to containment isolation failure, the signals required to isolate the containment penetrations, the availability of the needed power for signal generation, the applicable operating and maintenance procedures as well as technical specifications, and common cause failures.

The likelihood of failing to isolate containment is quite small and represents only 0.2% of the total CDF. No large isolation failures were found credible.

2.4.1.5 System/Human Responses

In the Decision Trees used to develop the top events of the CET four operator actions appear as basic events. These are:

  • Confidence that operators open the PORV prior to steam generator tube failure,
  • Confidence that operators start the reactor coolant pumps,
  • Confidence that the operators will depressurize the steam generators, and
  • Confidence that operators will manually open pressurizer PORVs.

The Decision Trees contain a number of other basic events, such as the recovery of fan coolers or sprays, which may imply some human action, but these events are either quantified as impossible or recovery is only credited if power failure was the cause of the loss. If the loss was due to any other cause recovery is not credited.

The HEPs associated with the four actions listed above are discussed further in Section 2.3.2.4.6 of this TER.

2.4.1.6 Radionuclide Release Characterization

The TMI-1 containment event tree (CET) is developed in such a way that each endpoint describes a unique set of release characteristics, i.e., each endpoint represents a separate release category. As a result, 41 release categories were identified although only 31 of these have non-zero PDS contributions. These in turn are grouped into nine separate major categories:

1) containment bypass with auxiliary building bypass,
2) interfacing systems LOCA,
3) large isolation failures,
4) small isolation failures,
5) early containment failure,
6) late containment failure (catastrophic),
7) late containment failure (benign),
8) basemat melt-through, and
9) no containment failure.

The submittal divides discussion of each release category into three separate parts. The first is a generic description of the release category defined by its path through the CET. The second is a discussion of a representative sequence which serves as a benchmark from which the TMI-1 parameters are derived. The third part is a discussion of the applicability of the reference sequence to TMI-1. This scheme reflects the fact that for most cases MAAP sequences from the Oconee PRA or other PRAs were actually used to determine source terms. In a few cases TMI-1 specific MAAP runs were performed to obtain TMI-1 specific release fractions. Besides providing release fractions for the important group of fission products, each release category specifies a time of release, duration of release, warning time, energy of release, and elevation of release. Table D.1-2 of the submittal presents the C-matrix which shows how the PDSs are binned into the release categories.

2.4.2 Accident Progression and Containment Performance Analysis

2.4.2.1 Severe Accident Progression

The submittal provides the CET in Figure B.2-1 and the Decision Trees with which the top CET events are developed are shown in Figures B.4-1 through B.4-7. The basic events of the Decision Trees are described in Section B.4 of the submittal where some of the quantification of these basic events is provided. The quantification is expressed in terms of verbal descriptors which are then assigned numerical values. Table B.5-1 of the submittal provides the relationship between the verbal descriptors and the numerical values. The table indicates the following relationships: certain=1.0, almost certain=0.99 or 0.999, likely=0.9, indeterminate=0.5, unlikely=0.1 or 0.01, remotely possible=0.001, and impossible=0.0. In practice some other values are also used in a few isolated cases. The basic events are listed alphabetically, not as they appear in the Decision Trees, which makes tracing the logic of the trees somewhat inconvenient. Complete quantification is provided in Table B.5-3 which has values for all 102 basic events for each of the 37 Plant Damage States.

Little discussion of the actual accident progression is provided in the submittal. In theory one could trace the quantification of various severe accident phenomena, and the failure mechanisms they produce with the information from the tables and figures, but in practice such an effort is beyond the scope of this review. The submittal states that the CET was solved using the GTPROB code, a proprietary SAIC code, which works in conjunction with the EPRI CAFTA software. As indicated elsewhere, MAAP runs taken from the Oconee (or apparently also the McGuire) IPE analysis were primarily used to develop the TMI-1 analysis through to the source terms.

There is a brief discussion in Section B.5.2 of the submittal, entitled "Analysis Performed," which is related to accident progression. The items discussed are containment capacity, combustible gas burns, the reactor cavity geometry and its relation to corium dispersal and coolability, the MAAP model, and the containment base pressure.

The containment capacity has been discussed in Section 2.4.1.3 of this TER.

Regarding combustible gas burns the submittal states that, to limit the amount of analysis, bounding assumptions were made. Apparently adiabatic burns of all combustible gas in the atmosphere was assumed. By using the adiabatic burn curve, a multiplier, which is the ratio of the maximum pressure after combustible gas burn and the initial pressure in containment, can be determined. A bounding pressure rise for a given hydrogen concentration was calculated by multiplying the multiplier by the base pressure.

The reactor cavity geometry is described as relatively confining, with a heavy access door and otherwise tortuous pathways out of the cavity. Unless the access door fails, corium is assumed to be likely to remain in the reactor cavity even during high pressure melt ejection (HPME). Failure of this door is considered in the CET quantification but failure is taken as prevented in most cases. Corium dispersed out of the cavity is assumed to freeze in the lower compartment even without an overlying pool of water. However corium remaining in the cavity is assumed to be more than 20 inches thick due to the height of curbs and the effectiveness of an overlying pool of water to cool this debris is taken as indeterminate in the analysis. A continuous source of water is required to have a possibility of quenching the corium and terminating concrete attack. A static water pool will result in boiloff of the coolant and a containment pressure increase.

Regarding the MAAP model the submittal only states that Oconee parameters were used "when the system and containment features at Oconee and TMI-1 are similar, or the issue was strictly phenomenological.....For containment characteristics that were plant specific, MAAP runs were made with a TMI-1 model to investigate the sensitivity of that parameter." The only TMI-1 plant specific feature cited in this connection is the concrete composition.

For the containment base pressure the submittal states that high and low pressure are defined as above or below 40 psia respectively. Steam inerting is assumed for high base pressures prior to concrete attack.

2.4.2.2 Dominant Contributors: Consistency with IPE Insights

As noted above, the submittal provides figures of CET and associated logic as well as tables with the quantification values of the basic events, but very little discussion in terms of accident progression, such as which failure mechanisms were found to be most important. Table 10 below provides the summary values for the TMI-1 failure modes and compares them with values obtained for other Babcock and Wilcox plants, including Oconee.

Table 10 Containment Failure as a Percentage of Total CDF

| Containment Failure Mode | TMI-1 | Oconee | ANO-1 | CR3* | Davis-Besse |
|---|---|---|---|---|---|
| Early Failure | 3.10 (large), 0.07 (small) | .91 | 5.7 | 2.95 | 6.3 |
| Late Failure | 17.0 (large), 46.0 (leakage) | 74.4 | 12.2 | 62.6 | 7.5 |
| Bypass | 3.50 | negligible | 0.43 | 4.84 | 2.6 |
| Isolation Failure | 0.002 | .22 | 0.5 | 0.67 | negligible |
| Intact | 30.3 | 24.4 | 81.2 | 28.9 | 83.6 |
| CDF (1/ry) | 4.49E-5 | 2.30E-5 | 4.88E-5 | 1.53E- | 6.6E-5 |

* Crystal River 1

As the table shows, approximately 93% of the CDF results in either an intact containment (30%), late containment leakage (46%), or large late failures (17%). Bypasses and early failures make up the remaining 7%.

Since the total bypass contribution is reported as 3.5% of CDF and the submittal states that at the time of core damage the containment bypass status was 2.4% of CDF, it can be inferred that induced SGTR contributes about 1.1% of CDF.

Additional information can be inferred from the representative sequences chosen for the MAAP runs used for accident progression. As noted earlier, for the most part these were taken directly from the Oconee analysis. For early containment failure the representative sequences both involve hydrogen burns, one with a high pressure vessel failure the other with a vessel failure at low pressure, which lead to early containment failure. The representative sequences for the late failures all involve overpressurization due to steam and non-condensible gases, except for one sequence which involves basemat melt-through. Based on the source term summary of Table D.1-2 of the submittal, basemat melt-through accounts for more than half of the late catastrophic failure category.

2.4.2.3 Characterization of Containment Performance

As indicated in Table 10, the TMI-1 containment failure probabilities are in general consistent with those found for other large dry containments. Total late failures are quite high but most of the contribution is from the leakage category (46% of CDF).

The late source term releases, which give ample warning and evacuation time, represent 63% of CDF, while the early source term releases, which according to the submittal still give a warning time of at least two hours, represent approximately 7% of CDF.

The worst release is stated to be from containment bypass scenarios, and these would have a source term with greater than 10% of the CsI inventory.

2.4.2.4 Impact on Equipment Behavior

The original TMI-1 IPE analysis quantified probabilities associated with basic events in the decision trees which deal with the operability of the fan coolers in a post core damage environment as always equal to 1.0. In response to a question raised during the peer review of the IPE as to why such an optimistic assumption was used, a sensitivity analysis was carried out in which all parameters related to fan cooler survival under harsh environmental conditions were quantified as 0.5. According to Table 1.0 of Appendix IV of the submittal, the result showed a marked shift only in the "containment intact" and "late leakage" containment failure categories. The containment intact category was reduced from 30 to 10 per cent of CDF analyzed, while the late leakage category increased from 46 to 68 per cent of CDF analyzed.

Equipment survival other than that of the fan coolers is not discussed in the submittal. However, on page 4-1 of the submittal a statement is made that "the scenarios analyzed in this project did not involve accident recovery post core damage and all of these scenarios do not involve any operational ECCS system in the reactor building except the fan coolers."

2.4.2.5 Uncertainties and Sensitivity Analysis

The TMI-1 IPE submittal does not address uncertainty in the back end results. The only exception is the likelihood of the survival of the reactor building fan coolers in post core melt conditions for which a sensitivity analysis was reported in response to a question generated during peer review of the submittal.

The lack of sensitivity analysis information was pointed out to the licensee in the RAI used to gather additional information for this TER. The question in the RAI to GPU explicitly cited the need stated in NUREG-1335 and GL 88-20 to consider uncertainties in the level 2 analysis. The GPU response consisted of attaching a copy of a Duke Power response to a previous question in an NRC RAI for the Oconee PRA which dealt, in part, with the use of recommended sensitivity parameters in MAAP. Since the Oconee Level 2 analysis was used as the template for the TMI-1 analysis, GPU apparently felt that an Oconee response related to sensitivity was applicable. The Duke Power response basically stated that, since the Oconee analysis was conducted prior to the establishment of the MAAP sensitivity parameters, no further analysis was carried out. More importantly, however, the point of the RAI to GPU was the much broader question of sensitivity as discussed in NUREG-1335 and the Generic Letter and this was not addressed in the response.

The lack of sensitivity analysis in the TMI-1 level 2 analysis is a serious weakness. This is exacerbated by the fact that the TMI-1 level 2 analysis is in most respects a reproduction of the Oconee level 2 analysis and the understanding obtained by the licensee, i.e. TMI-1, of accident progression in the TMI-1 plant may be limited. Certainly a sensitivity analysis would have been desirable.

l 2.5 Evaluation of Decay Heat Removal and Other Safety Issues and Cl I j 2.5.1 Evaluation of Decay Heat Removal i'

LLI.1 Examinneon ofDHR i

Several systems performing the DHR function are mentioned, including main feedwater, emergency feedwater, HPI cooling and the decay heat removal system (i.e. low pressure injection and shutdown cooling). CDF fractions were estimated in which these systems had failed, as follows: main feedwater (failure 43.7%, too much feedwater 8.7%), emergency feedwater (failure 13.1%, too much feedwater 0.006%), HPI cooling (failure of HPI train B 71.4%, failure of HPI train A [illegible], failure of HPI injection valves 51%, BWST failure 1.6%, operator failure to initiate HPI cooling 1.5%), DHR (decay heat removal pumps failure 65.5%, train A sump valve failures 24.6%, train B sump valves 26.4%, piggy back valves 85.7%, failure to depressurize RCS during SGTR 1.5% and failure to depressurize the secondary during SGTR 0.1%). Note that these numbers are dominated by support system failures; for example, 43.2% of the CDF contains main feedwater failures caused by the initiator or loss of support. Similarly, 12.2% of the CDF contains failures which cause loss of EFW via support system losses or environmental effects. For failures of HPI train B, loss of support shows up in sequences contributing 54.6% of the CDF, whereas for train A, the figure is 30.1%. Likewise, loss of the DHR system is mainly caused by loss of support in CDF sequences. It should be noted that, unlike main feedwater, excessive feedwater does not cause a loss of the EFW system.

Core damage sequences involving both emergency and main feedwater amount to 13.2% of the total CDF. The frequency of core damage sequences involving MFW, EFW and HPI cooling amounts to only 6.0% of the total CDF.

Closed loop DHR is only modeled as required for SGTR sequences. The percentage of core damage sequences resulting from SGTR with failure of DHR is only 1.8%.

The licensee states that no particular vulnerabilities of the TMI-1 systems used to perform the DHR function have been identified. The majority of the core damage frequency at TMI-1 comes from RCP seal LOCAs without adequate injection or recirculation, rather than from failures of decay heat removal. Therefore, the licensee considers USI A-45 closed.

2.5.1.2 Diverse Means of DHR

The IPE evaluated the diverse means for DHR, including: use of the power conversion system, feed and bleed, emergency feedwater, and ECCS. Depressurization using the secondary system was considered for the SGTR, small LOCA and transient event trees. Cooling for the RCP seals was taken into account. In addition, containment cooling was addressed.

2.5.1.3 Unique Features of DHR

The unique features of TMI-1 that pertain to the DHR function are as follows:

Use of once through steam generators (OTSGs), which is a feature of all B&W plants, means that less inventory is available in the steam generators and hence, less time is available to establish secondary cooling in accident [illegible].

The turbine driven main feedwater pumps will continue to run for most transients, as the pump flow output is [illegible] matched to the decay heat level.

The turbine driven EFW pump has a mechanical linkage for control, thus is not dependent on DC power for long term control in station blackout scenarios. However, the IPE takes no credit for this feature according to the discussion in Appendix B.1, which considers power recovery models.

There are two motor driven and one turbine driven EFW pump. The EFW system is automatically started and controlled. Tests done by GPUN show that none of the pumps need the bearing cooling system for a 24 hour operation.

The normal EFW suction source is the inventory in the condensate storage tanks (CSTs). Backup sources of EFW water are the river water, the demineralized water storage tanks and the condenser hotwell; however, none of these sources were credited in the analysis.

One pressurizer PORV and two safety valves can be utilized for makeup/HPI cooling (i.e., feed and bleed). This gives TMI-1 a diversity of options for makeup/HPI cooling. The PORV block valve is usually open. The PORV only depends on DC power and does not depend on instrument air or compressed nitrogen. The three makeup pumps (which are also the HPI pumps) can be used with either the PORV or safety valves.

The normally operating makeup pump (1B) is normally cooled by the NSCCW system, with backup cooling from the DHCCW, while the other two pumps are normally cooled by the DHCCW, with backup provided by the NSCCW. The intermediate closed cooling system consists of two trains which, among other loads, provide thermal barrier RCP seal cooling. The ICCW coolers are cooled by the NSRW system. Thus there is redundancy in RCP seal cooling/injection systems; however, loss of NSRW will cause at least a [illegible] loss of all seal cooling/injection, as the NSRW is the ultimate heat sink for the NSCCW system.

Fire water can be used as backup cooling of the makeup/HPI pumps, by cooling the DHCCW to support operation of an HPI pump for seal injection.

The closed cycle cooling consists of three trains of the NSCCW (cooled by the three train NSRW system) and two trains of the DHCCW (cooled by the two train DHRW system). (In addition, the secondary CCW and RW systems cool the MFW pumps.) Thus there is considerable redundancy in these systems. The NSCCW and the NSRW system provide cooling to the RB fan motors and RB fan cooler units, makeup pump 1B motor (and backup cooling to the makeup pump 1A and 1C motors), control building AC chillers and the intermediate service heat exchangers. The DHCCW and the DHRW systems provide cooling to the DHR coolers and the DHR pumps, the RB spray pumps and makeup pumps 1A and 1C (as well as backup cooling to makeup pump 1B).

The emergency power system at TMI-1 consists of three emergency diesel generators, including the EDG from Unit 2, added in response to the station blackout rule and called the SBODG. The SBODG has to be started manually, upon failure of the two regular EDGs, and can supply full power requirements of one train of engineered safety features. Cross ties exist between emergency buses.

The emergency diesel generators are air cooled, thus reducing dependency on support systems. The SBODG needs ventilation and also is dependent on firewater for cooling. The SBODG has [illegible] 125 V batteries for starting; however, it needs station battery A in order to load onto either emergency bus.

The two station batteries have a depletion time of 6 hours, with proceduralized load shedding (assumed to always occur). Without shedding, a battery life of 2 hours results, for which a sensitivity study was done. Cross ties exist between DC buses. Each battery is connected to two chargers, two of which are normally operating.

Instrument air is supplied by three compressors at TMI-1. Two of the compressors are on the emergency buses, and key plant loads are backed up by a two-hour air bottle system (including the EFW flow control valves).

2.5.2 Other GSIs/USIs Addressed in the Submittal

In addition to USI A-45 (DHR Evaluation) the following USIs and GIs are discussed in the submittal:

1) Pressurized Thermal Shock
2) Failures of Instrument Air
3) Failures of ICS and Non Nuclear Instrumentation
4) RCP Seal LOCA (GI 23)
5) Loss of CCW leading directly to core damage (GI 65)
6) RCP seal performance during loss of all cooling conditions
7) System Interactions in Nuclear Power Plants (A-17).

2.5.3 Response to CPI Program Recommendations

The CPI recommendation for PWRs with a large dry containment is that licensees evaluate containment and equipment vulnerabilities to localized hydrogen combustion and the need for improvements.

The submittal states that for a local hydrogen burn in a large dry containment like TMI-1's it is believed that the pressure rise due to a local burn would not present a threat to containment integrity. As basis the submittal cites the TMI-2 [illegible]. It is acknowledged in the submittal that a local burn may damage equipment which is used in accident mitigation and recovery. However, the submittal further states that the scenarios analyzed in the IPE did not involve recovery post core damage and none of the scenarios involve any operational ECCS system in the reactor building, i.e. containment, except the fan coolers, and these are located in the basement where hydrogen accumulation or burning is not [illegible]. The sensitivity analysis regarding the probability of fan cooler survival post [illegible], discussed above in Section 2.4.2.4 of this TER, is also cited in the submittal response to the CPI issues.

An RAI question was forwarded to the licensee which asked if hydrogen detonations were considered, and if so what the conclusions were regarding their impact on the TMI-1 containment and equipment. In the response the licensee stated that local hydrogen detonations are unlikely and were not considered because the TMI-1 containment is similar to Oconee's as far as its openness. The GPU response further referred to a response supplied by the Oconee licensee to a similar NRC RAI regarding the Oconee IPE. The Oconee response included copies of several simplified figures of the Oconee containment contained in the Oconee PRA. The Oconee response also referred to NUREG/CR-4803, which investigated the potential for local hydrogen detonations in the Bellefonte Nuclear Plant, another B&W plant with a large dry containment. That analysis concluded that only one volume, a tunnel between the steam generators, presented conditions in which deflagration to detonation transitions (DDT) may occur. This volume does not exist in the Oconee containment, which is more open than Bellefonte. The TMI-1 response did not address whether such a volume existed at TMI-1.

2.6 Vulnerabilities and Plant Improvements

2.6.1 Vulnerability

A vulnerability is defined in the submittal as any core damage sequence that exceeds 1.E-4/yr or any containment bypass sequence or large early containment sequence that exceeds 1.E-6/yr.

No vulnerabilities were found.

2.6.2 Proposed Improvements and Modifications

Some opportunities for low cost improvements beyond those identified in the 1987 PRA were identified that could enhance overall reactor safety. These were identified by a review of:

1) The detailed results contained in the IPE PRA (both Level 1 and Level 2).
2) The contributors to system unavailability contained in Appendix F of the Level 1 PRA report.
3) The contributors to operator action error rates in Section 6 of the Level 1 PRA report.

The IPE took credit for some plant modifications and improvements that were considered here, even though none of them have been implemented. However, the CDF impact is small. The improvements considered were:

1) Throttling LPI in advance of switchover to recirculation would minimize the hydraulic transient and improve the chances of success without pump damage. An accident management guideline was considered.

Resolution: has not been implemented and was not credited in the IPE. This human action would have increased the NPSH upon switchover. However, the same effect was accomplished by providing additional sump water in a LOCA, by locking open SF-V-31 during plant operation and directing water from the deep end of the fuel transfer canal to the reactor building sump. No CDF impact of the proposed action was provided.

Note that the operators are instructed to throttle the HPI upon actuation, to prevent pressurizer PORV/safety valve challenge, and also to minimize the risk from the pressurized thermal shock.

2) SGTR accident management [illegible] were considered: a) isolation of the affected OTSG and cooling down the RCS via the intact OTSG in cases when the HPI is lost and b) refilling the BWST.

Resolution: the action in a) has not been implemented as an accident management guideline, but was credited in the IPE, with the total contribution to the CDF of 0.67%. The action will be considered in future updates to the present isolation criteria in the EOPs. The HEP assumed for this recovery action was 8.33E-2. The action in b) has not been implemented as an accident management procedure as yet, but was credited in the reported CDF as recovery action REV. REV is also modeled as a recovery action for very small LOCAs and the total contribution to the CDF is 3.66%. For small break LOCAs, procedural guidance is provided for refilling the BWST in ATOG procedure 1210-6, small break LOCA cooldown. "It is believed that also including this action in other procedures for a steam generator tube rupture will not substantially change the failure rate assumed in the PRA. The BWST level is trended and monitored by numerous groups in emergency drills. During an actual SGTR event, the level is [illegible] to be trended by the emergency response teams and the BWST will be refilled as needed. The failure probability assumed for event REV was 0.120".

3) An accident management guideline was considered to prompt the operators to verify the closure of MUV-14 valves when aligning for piggyback recirculation. MUV-14 are the valves in the flow path from the BWST to the HPI pumps. In the event an MUV-14 valve fails to check flow, a path to the BWST and the environment could be established.

Resolution: this action has not been implemented as an accident management guideline, but was credited in the reported CDF. The HEP for this action was 3.3E-3 and the CDF contribution of reclosing of these valves (including both the HEP and the hardware contributions) was "negligible", but the risk achievement worth was high (60.5). The MU-V-14 valves are stop check valves and normally would close on their own when recirculation from the reactor building sump is initiated. The operator action would be a backup action to verify that the MU-V-14 valves have reclosed. The action of closing or verifying closure of the MU-V-14 valves will be considered in the future updates to the present plant EOPs.

In response to the SBO rule, the SBODG has been added by connection to Unit 2 EDG and the estimated impact on the CDF (from the 1987 PRA results) is about a 2.25% reduction.

Several human action related potential improvements were noted in the IPE submittal; they included:

  • Changing the procedure for loss of instrument air to direct the operator to manually open RCP seal return valve (MUV-20). This assures continuation of RCP seal injection during loss of air scenarios. This procedure change was apparently credited in the IPE.

  • Relocation of the control switches for HPI pump min-recirc valves from the back panel to the control room console. This reduces the likelihood of operator failure to re-establish min-recirc after throttling HPI and thus reduces the likelihood of pump damage and consequent loss of RCP seal injection.

  • Changes to procedures for loss of river water events that direct the operators to alternate make-up pumps to utilize the heat capacity of the DHCC system as a heat sink for pump cooling, and if necessary to cross-connect firewater to the DHCC heat exchangers. This reduces the likelihood that a loss of river water intake event would lead to loss of RCP seal injection.

In addition, the following operator actions will be "periodically reviewed for inclusion into the existing licensed operator requalification training program", as they were identified in the IPE as particularly important to core damage risk:

1) switchover to reactor building sump following a LOCA;
2) refilling the BWST given a steam generator tube rupture;
3) properly throttling HPI flow after ES actuation;
4) holding open or reopening RCP seal injection valve MUV-20 on loss of instrument air;
5) tripping RCPs before seal damage after loss of NSCCW;
6) taking actions to prevent boron concentration when in recirculation following a LOCA.

It is peculiar that the licensee did not consider putting into place a procedure for firewater recovery of HPI pump cooling in case of loss of Nuclear Services River Water (NSRW), since a procedure for this action already exists in case of loss of all River Water (RW), and loss of NSRW is the second largest CDF contributor (14.4% of CDF).

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS

Strengths of the level 1 IPE are as follows: thorough analysis of initiating events and their impact, descriptions of the plant responses, modeling of accident scenarios, reasonable failure data and common cause factors employed, and usage of plant specific data where possible to support the quantification of initiating events and component unavailabilities. The effort seems to have been evenly distributed across the various areas of the analysis.

No major weaknesses of the level 1 IPE were identified, other than in the frequencies of certain initiating events, which should not have a large impact on the results. In addition, the uncertainty distribution of CDF seems tight.

The IPE determined that failures in the HPI system (caused by hardware failures), the Decay Heat River Water and Closed Cooling Water systems and the recirculation from the reactor building sump (hardware failures) dominate the risk. The CDF is not dominated by any single initiating event or accident sequence. The most likely ways to experience a severe accident involve loss of river water and closed cooling water systems coupled with losses of HPI. Other likely ways involve LOCAs with failure to establish long term recirculation. The study found that losses of instrument air are an important but not major contributor to core damage frequency. The study also shows that losses of offsite power are an important but not major contributor. All of these conclusions seem reasonable with respect to the design features of the plant.

As was noted previously, several improvements have been contemplated, but none have been implemented as a result of insights from the IPE. The CDF impact of these improvements is small.

The HRA review of the TMI-1 IPE submittal did not identify any significant problems or errors. A viable approach was used in performing the HRA and nothing in the licensee's submittal indicated that it failed to meet the intent of Generic Letter 88-20 in regards to the HRA. Important elements pertinent to this determination include the following:

1) The submittal indicates that utility personnel were involved in the HRA and that the walkdowns, documentation reviews and simulator observations represented a viable process for confirming that the HRA portions of the IPE represent the as-built as operated plant.

2) The analysis of pre-initiator human actions included both miscalibrations and restoration faults. Potential dependencies between two or more pre-initiator operator actions and potential miscalibration common cause failures were considered. While details regarding the basis for assuming the presence, absence, or degree of dependence or common cause effects were only briefly discussed, an examination of the pre-initiator human actions modeled and their HEPs failed to detect any obvious inappropriate treatment of dependencies or common cause effects. The HEPs assigned to the modeled pre-initiator human actions appeared to be reasonable and other aspects of their derivation were reasonably well documented.

3) Post-initiator human actions modeled included both response-type and recovery-type actions. A generalized operator action event tree, adopted from the Operator Action Trees (OATS) methodology, was used to represent operator behavior in accident scenarios. The trees model the diagnosis and action phases of an operator response and provide opportunity for rediagnosis/redirection prior to an unsuccessful end state. The likelihood of an incorrect diagnosis, a failure to [illegible], and a "nonviable" action given a correct diagnosis are all considered (at least in principle) as potential failure modes leading to unsuccessful end states. As described, the HRA modeling approach adopted for the TMI-1 IPE was relatively thorough and more detailed than has been found for many of the other IPEs examined.

4) Plant-specific performance shaping factors (PSFs) and dependencies were appropriately considered.

5) One potential shortcoming of the overall quantification approach used in the TMI-1 IPE is that in spite of the fact that the action execution phase is represented in the generalized operator action tree, there was no evidence that this phase of the action was actually quantified for the different operator actions modeled. While this is an explicit characteristic of the HCR quantification model that has been defended on the grounds that the execution phase is addressed through the use of estimates of median response time, it was not made clear that the approach used for time [illegible] events appropriately considered the response phase. Another limitation was the use of expert judgment in the quantification of some events, in particular the recovery events. While the judgments were said to be based on previous PRAs and the selected values and guidelines for their application were documented, additional detail on the basis for the selected HEPs and evidence of peer review would have [illegible] the submittal. Nevertheless, given the thoroughness and thoughtfulness of the HRA [illegible] for this IPE and the apparent reasonableness of the assigned HEPs, at worst these are minor weaknesses.

6) A list of important human actions based on their contribution to core damage frequency was provided in the submittal.

The TMI-l Level 2 PRA was developed using a template approach based on the Oconee analysis.

The Oconee IPE has previously been reviewed by NRC (Oconee Review). The methodology for plant damage state development, the Containment Event Tree (CET) development, the CET quantification, and the source term development are all based on the Oconee PRA Level 2 analysis. According to the TMI-1 submittal, the Oconee and TMI-1 designs were compared to identify significant differences in plant characteristics. Then, the Oconee CET model and its quantification were modified to reflect these differences and formulate a plant specific model for TMI-1.

The important points of the technical evaluation of the TMI-1 IPE back-end analysis are:

1) The back-end portion of the IPE supplies a substantial amount of information with regards to the subject areas identified in Generic Letter 88-20.
2) The IPE provides an evaluation of all [illegible] of importance to severe accident progression in accordance with Appendix I of the Generic Letter.
3) The IPE has identified some plant specific features for accident progression, such as the cavity configuration and concrete composition, and has made an attempt to account for them in the analysis modified from Oconee.
5) A sensitivity study such as that described in NUREG-1335 was not performed in the IPE. The IPE does not provide any quantitative information on how containment failure probabilities would change if uncertainties on containment phenomena are considered. The lack of a sensitivity study and the insights that may be obtained from the sensitivity study is a significant weakness of the level 2 TMI-1 IPE.

7) Containment isolation failure is thoroughly discussed and the IPE seems to have addressed all five areas identified in the Generic Letter regarding containment isolation.

8) The recommendations of the CPI program are discussed in terms of the Oconee IPE.

The TMI-1 level 2 analysis appears to meet the requests of GL 88-20. However, because the entire level 2 analysis is a reproduction of the Oconee analysis with slight modifications, it is very difficult to ascertain from the submittal how much the licensee actually learned regarding severe accident progression at TMI-1. The total lack of a sensitivity analysis adds to the concern that the TMI-1 level 2 IPE exercise may not have produced as much understanding of containment performance as could have been obtained from a more [illegible] analysis.

4. REFERENCES

[IPE] TMI Unit 1 Individual Plant Examination Submittal Report, March 1993; TMI Unit 1 Probabilistic Risk Assessment (Level 1) Update, December 1992; TMI Unit 1 Probabilistic Risk Assessment (Level 2), January 1993, GPU Nuclear Corporation, Middletown, Pennsylvania.

[RAI] Response to Request for Additional Information Regarding Generic Letter 88-20 Regarding the Individual Plant Examination (TMI-1), December 1995, GPU Nuclear Corporation, Middletown, Pennsylvania.

[NUREG/CR-1278] A.D. Swain and H.E. Guttmann, Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Applications: Technique for Human Error Rate Prediction, NUREG/CR-1278, U.S. Nuclear Regulatory Commission, Washington D.C., 1983.

[NSAC 60-SY] Nuclear Safety Analysis Center (NSAC), Oconee PRA: A Probabilistic Risk Assessment of Oconee Unit 3, June 1984.

[EPRI NP-3838] NUS Corporation, Review of Selected Topics from PRA Studies: System Dependencies, Human Interactions, and Containment Event Trees, Electric Power Research Institute, EPRI NP-3838, May 1985.

[OATS] Wreathall, J., Operator Action Trees (OATS) Method, Presented at the 1981 IEEE Standards Workshop of Human Factors and Nuclear Safety, pp. 102-105, Myrtle Beach, S.C., August 30-September 4, 1981.

[Confusion Matrices] Potash, L.M. et al., Experience in Integrating the Operator Contribution in the PRA of Actual Operating Plants, Proceedings of the ANS/ENS Topical Meeting on PRA, Port Chester, NY, American Nuclear Society, La Grange Park, Illinois, 1981.

[BNL] Estimation of Containment Pressure Loading due to Direct Containment Heating for the Zion Plant, Brookhaven National Laboratory, NUREG/CR-5282, March 1991.

[Oconee IPE] Oconee Nuclear Station Unit 3 Probabilistic Risk Assessment, Duke Power Company, Seneca, South Carolina, November 1990.

[Oconee Review] Review of Oconee Units 1, 2, & 3 Individual Plant Examination (IPE) Submittal - Internal Events, Memorandum from W. Minners, Office of Nuclear Regulatory Research, NRC to A. C. Thadani, Office of Nuclear Reactor Regulation, NRC, December 1992.