ML20138G522
| ML20138G522 | |
| Person / Time | |
|---|---|
| Site: | Arkansas Nuclear  |
| Issue date: | 10/25/1996 |
| From: | Bozoki G, Lehner J, Musicki Z BROOKHAVEN NATIONAL LABORATORY |
| To: | NRC |
| Shared Package | |
| ML20138F088 | List: |
| References | |
| CON-FIN-W-6449 NUDOCS 9612160391 | |
| Download: ML20138G522 (69) | |
Text
-. - - .. . - -. .- -- .
Mnal Report 10/25/96 FIN W-6449 TECHNICAL EVALUATION REPORT OF THE IPE SUBMITTAL AND RAI RESPONSES FOR THE ARKANSAS NUCLEAR ONE, UNIT 1 NUCLEAR POWER PLANT George Bozoki ,
Zoran Musicki t John Lehner John Forester' Brookhaven National Laboratory Department of Advanced Technology Upton, New York
?
i l
8Sandia National Laboratories l l
w 901z / 603 9 / XV+ .
+
l t
f CONTENTS i L
Page Executive Summary ..................................................y Nomenclature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix :
t
- 1. Introduction '
.................................................1 1.1 Review Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I !
1.2 Plant Characterization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 '
- 2. Technical Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 o 2.1 Licensee's IPE Process .....................................5 ;
2.1.1 Completeness and Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2.1.2 Multi-Unit Effects and As-Built, As-Operated Status . . . . . . . . . . . . . . . 7 !
2.1.3 Licensee Participation and Peer Review . . . . . . . . . . . . . . . . . . . . . . 8 ;
2.2 Front End Technical Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 2.2.1 Accident Sequence Delineation and System Analysis . . . . . . . . . . . . . . 9 2.2.2 Quantitativ Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 2.2.3 Interface lssues ....................................19 2.2.4 Internal Flooding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 2.2.5 Core Damage Sequence Results . . . . . . . . . . . . . . . . . . . . . . . . . . 21 2.3 Human Reliability Analysis Technical Review . . . . . . . . . . . . . . . . . . . . , . 23 2.3.1 Pre-Initiator Human Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . l 23 2.3.2 Post Initiator Human Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 i 2.4 Back End Technical Review ................................. 31 :
2.4.1 Containment Analysis / Characterization . . . . . . . . . . . . . . . . . . . . . . 31 !
2.4.2 Accident Progression and Containment Performance Analysis . . . . . . . 36 !
2.5 Evaluation of Decay Heat Removal and Other Safety Issues ............. 40 2.5.1 Evaluation of Decay Heat Removal . . . . . . . . . . . . . . . . . . . . . . . . 40 2.5.2 Other GSIs/USIs Addressed in the Submittal . . . . . . . . . . . . . . . . . . 42 2.5.3 Response to CPI Program Recommendations . . . . . . . . . . . . . . . . . . 42 2.6 Vulnerabilities and Plant Improvements . . . . . . . . . . . . . . . . . . . . . . . . . . 42 2.6.1 Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 2.6.2 Proposed Improvements and Modifications . . . . . . . . . . . . . . . . . . . 43 4
- 3. Contractor Observations and Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 4.
, R eferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 f
4
) .
n 1
4 4
y m
1 4
1 i
s t
_ m. . _ . _ ,
1 TABLES i 8'
l Th i 4
E-1 Accident Types and heir Contribution to the CDF . . . . . . . . . . . . . . . . . . . . . . . . . ix E-2 Dominant Initiating Events and Deir Contribution to the CDP . . . . . .. . . . . . . . . . . . ix
. E-3 Containment Failure as a Percentage of Total CDF . . . . . . . . . . . . . . . . . . . . . . . . xiii 1
Plant and Containment Characteristics for Arkansas Nuclear One Unit 1 ........... 4 2 IPE vs. NSAC-147, Nonrecovery of Offsite Power . . . . . . . . . . . . . . . . . . . . . . . 13 '
3 ANO-1 Comparison of Plant Specific Failure Data . . . . . . . . . . . . . . . . . . . . . . . . 15 4 l Some Generic CCF Used in ANO-1 IPE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 l 5 ANO-1 Initiating Events and Core Damage Frequencies . . . . . . . . . . . . . . . . . . . . . 18 -
- 6 Accident Types and Their Contribution to the CDF . . . . . . . . . . . . . . . . . . . . . . . . 21 7 Dominant Initiating Events and heir Contribution to the CDF . . . . . . . . . . . . . . . 22 8 Dominant Core Damage Sequences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 j 9 System Importance Measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 10 Important Human Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
-l 11 Containment Failure as a Percentage of Toal CDF . . . . . . . . . . . . . . . . . . . . . . . . 37 !
l i i
T f,
I 1
1 i
i I 4
s ,
)
4
- 1 4
l 1
l 1
IV i 1
I m
f
EXECUTIVE
SUMMARY
' This Technical Evaluation Repon (TER) documents the findings from a review of the Individual Plant Examination (IPE) for the Arkansas Nuclear One Unit 1 (ANO-1) nuclear plant. The primary purpose of the review is to ascenain whether or not, and to what extent, the IPE submittal satisfies the major intent of Generic Letter (GL) 88-20 and achieves the four IPE sub-objectives. De review utilized both the information provided in the IPE submittal and additional information provided by the licensee, Entergy Operations Incorporated, in the response (RAI Responses) to an NRC request for additional information (RAI).
E.1 Plant Characterization i
ne Arkansas NuJear One, Unit I (ANO-1) Nuclear Power Plant is located on a peninsula in Dardanelle Reservoir on the Arkansas River in Pope County, Arkansas. It shares the site with Arkansas Nuclear One, Unit 2 (ANO-2). He plant is operated by Entergy Operations, Inc., and started commercial operation in December 1974. The plant is a 883 MWe Babcock and Wilcox pressurized water reactor (PWR). The reactor coolant system (RCS) consists of the reactor vessel, two vertical once-through steam generators,4 shaft-sealed reactor coolant pumps, an electrically heated pressurizer and interconnected piping.
Design features at ANO-1 that impact the core damage frequency (CDF) relative to other PWRs are as follows:
Shared facilities with ANO-2: Startup Transformer 2, Control Room (s), and the Emergency Cooling Pond.
The Main Feedwater system contains two variable speed turbine driven pumps, and an Auxiliary Feedwater (AFW) pump , which is motor driven. De AFW pump is used to supply feedwater to the steam generators (SGs) during plant statup and shutdown conditions.
The Emergency Feedwater (EFW) system consists of just two trains each capable of supplying emergency feedwater (780 gpm) to either or both SGs. One train contains a motor driven pump, and the other train contains a turbine driven pump.
The ANO-1 safety batteries have a two-hour life upon loss of battery charging. This has been ameliorated (post-IPE) by addition of an alternate AC power source and a black battery which takes up nonsafety loads (the battery life is now 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />).
The HPI system consists of three pump trains with four injection legs to the RCS. One pump (P36B) can be aligned to either HPJ train and serves as a readily available installed spare pump in the event that one of the initially aligned pumps becomes unavailable. Lube oil cooling for each pump is provided by the service water (SW) system.
The unit has " feed and bleed" capability. De HPI shutoff head is grvder than the Safety Relief Valve (SRV) setpoint pressure. As a result, the HPI pumps can provide adequate core coolant injection without requiring RCS depressurization. A successful bleeding path can be provided t
I~
by either the opening of the Electromatic Relief Valve ERV (i.e., PORV) or the opening of one
- De RCP seals at ANO-1 re Byron 4ackson N 9000 pump seals. Each of these seals consists
- of a series of three mechanic;l seals. De seals are specifically designed and tested to minimim
j flow and by heat ex&ange (via the RCP Seal Return Coolers) to the Intermediate Cooling Water l
- (ICW) system. RCP seal failure is ==_W only if both cooling mechanisms fail and a pump is operated for more than about 40 minutes.
5 .
i
{ Service Air system via a crossover valve. In addition, the IA system can receive air from, or l supply air to, the ANO-2 IA system.
i
- Manual transfer is req. Ired to switet. from the injection to the recirculation mode of ANO-1 l
emergency core cooling.-
}
u
! He ANO-1 containment is a large dry post tensioned concrete reactor building of prestressed concrete l l construction and lined with steel. The containment volume is approximately 1.81 million cubic feet, while
! the nominal reactor power of ANO-1 is 2568 Mwth. Both of these values are close to those of the Surry I
plant, which is referred to in the ANO-1 IPE back end analysis. ,
The plant characteristics impostant to the back-end analysis are: i 3
- 1. The reactor building floor and cavity region are at the same elevation, and a path to the outer l i j reactor building wall is provided through the in-core instrument tunnel. Although a pressure :
- plate exists, which could absorb some of the energy from the various phenomena at vessel !'
! breach, a potential for containment failure exists if the plate fails.
i 3
- 2. He ANO-1 containment features a relatively large cavity and instrumentation tunnel floor area i (643 ft') and a relatively thick basemat (9 ft.) which is composed of basaltic concrete. A manway access hatch, currently propped open to allow water and gas flow, is located in the instrument tunnel.
- 3. The ANO containment has a relatively large volume, high pressure capability, and ,
compartments of an open nature which facilitate good atmospheric mixing.
- 4. De containment safeguards systems at ANO-1 include the reactor building spray system and the -
fan coolers. De reactor building spray flow is not directed to heat exchangers and therefore the :
sprays system by itself cannot perform a heat removal function in the recirculation mode. De i fan coolers or the decay beat removal heat exchanger in the low pressure injection (LPI) flow mode are used to remove decay beat. l
= t l
t VI I
e s
f '
__ _ _ _ _ _ _ _ _ _ _ _ _ _ __ _ _ _ _ _ _ _ - _ _ _- __, __ ~ _ _.. _ ______ __ ._. - - - . . - . . , _ . .-
f 4 ;
- E.2 Licensee's IPE Process l
, De licensee has provided the type of information requested by Generic Letter 88-20 and NUREG 1335.
The IPE was initiated in late 1988. De model reflects the plant as of 1988. Select plant changes made after that cutoff date that could have a significant impact on the model have been incorporated.
i To support the IPE process, the licensee reviewed a number of references (Section 2.4.2 of the Submittal '
lists 21 references) including a previous probabilistic study of ANO-1; the 1982 "IREP: Analysis of the :'
Arkansas Nuclear One-Unit 1 Nuclear Power Plant" level 1 Probabilistic Risk Assessment (NUREGICR 2787). De list includes other PRA studies for similar plants, for instance the ones for '
Oconee and Crystal River, the "ANO-2 Probabilistic Risk Assesment" (Entergy Operations,1992), as well as the NUREG-IISO studies.
4 l Licensee personnel were involved in all aspects of the analysis and contributed more than 50% of the total
- effon. De licemee was performing almost all the analysis in the latter half of the project (except internal !
l flooding analysis). The contractor was SAIC with ERIN Engineering performing the flooding analysis,
, with assistsace from Entergy.
I i De analysts was reviewed at three levels. ERIN Engmeermg provided outside review. Plant personnel {
were also involved in a formal review, as well as an ongoing review as pan of the QA procedures. ;
The licensee states that the HRA effort was performed by 'ANO-1 personnel with participation by i individuals from operations, training , and engineering. De submittal notes that the modeling techniques developed by SAIC and applied in the ANO-2 PRA were used. The recovery identification, recovery I characterization, and recovery quantification were all developed and reviewed in-house. ERIN Engineering provided an external review of all aspects of the IPE, but it was not stated as to whether the review team included an HRA expen. Regarding the IPE HRA representing the as-built, as-operated plant, the submittal states that the HRA was involved in the initial sequence and system modeling effons j and that during this period the "HRA task had the opportunity to review plant and system design information and become familiar with the control room and related operating procedures." While simulator exercises were not conducted, the statements discussed above suggest that the HRA analyst was significantly involved throughout the modeling effort. Rus, it appears that steps were taken to assure that the HRA represented the as-built, as-operated plant. However, it did not appear from the submittal that the HRA gave detailed consideration to plant-specific factors in determining the HEPs. Dere was no mention of any walkdowns of important or time consuming operator actions. Response times for actions outside the control room were based on interviews with operators. Both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response to an accident) were addressed in the IPE. A list of important human actions (as determined with a Fussell-Vesely analysis) was provided, as was a list of several recommended improvements to plant procedures. - - -
Regarding containment performance, the ANO 1 IPE submittal states that a limited scope level 2 analysis was done using a reference plant approach. No detailed plant specific phenomena or structural analysis was carried out, Information obtained from a walkdown of the ANO-2 containment was used for the ANO-1 containment analysis. ANO staff with the help of SAIC and ERIN carried out the analysis. De vii i l
- . . - -- . . - . _ - . .. +-- _- - . - . - -. --
~
. r peer review of the level 2 results was performed at one 2 day meeting and conducted by ANO Operations t and ERIN.
4 t .
j De licensee intends to maintain a living PRA. I E.3 IPE Analysis i
E.3.1 Front-End Analysis j
. De methodology chosen for the front-end analysis was a Iavel 1 PRA; the small event tree-large fault I
! tree with fault tree linking approach was used. De computer code used for modeling and quantification !
was CAFTA. i
? l The IPE quantified the following initiating event categories: 2 LOCAs,16 transients, one SGTR, and l several ISLOCA, flooding and ATWS initiators. De IPE developed 7 event trees to model the plant t
} response to these initiating events. De flooding analysis utilized the existing transient' event tree.
Success criteria were based on other PRAs, licensing basis analyses and more realistic calculations. l According to the submittal containment heat removal is not needed, unless the LPI heat exchangers are l inoperative, in which case condensation by the reactor building cooling units can ensure adequate NPSH :
for the core injection pumps.
De RCP seal LOCA model assumes LOCA occurs only if the operators fail to trip the RCPs within 30 minutes of a loss of all cooling and injection.
l The data collection process period was 1980 to 1989. Plant specific data were used where possible. l i
While ANO-1 data are generally consistent with the NUREG/CR-4550 data, the TDEFW run failure data is substantially lower and the LOOP and small LOCA initiating event frequencies appear low. De power recovery curve is significantly lower than that used in NSAC-147.
De beta factor approach was used for common cause failures, using established procedures. For some components the multiple Greek letter (MGL) approach was used.
The internal core damage frequency is 4.7E-5/yr. Flooding contributes an additional 1.E-6/yr. The internal accident types and initiating events that contribute most to the CDF and their percent contributions are listed below in Tables E-1 and E-2:
viii t
d i
Table E-1 Accident Types and 'Iheir Contribution to the CDF i
Initiating Event Group Contribution to CDF (/yr) %
Transients 3.09E-5 66.2 LOCAs 1.57E-5 33.6 ATWS (not included in TOTAL) (9.93E-7) (2.1)
Internal Flooding (not included in (8.1-7) (1.7)
TOTAL)
Steam Generator Tube Rupture 2.08E-7 0.4 Interfacing Systems LOCA 6.92E-8 0.1 TOTAL INTERNAL CDF 4.67E-5 100.0 Table E-2. Dominant Initiating Events and Their Contribution to the CDF Initiating Event Contribution to CDF (/yr) %
Loss of Offsite Power 1.66E-5 35.5 Small LOCA 1.49E-5 31.9 Reactor / turbine trip 5.42E-6 11.6 Total loss of service water flow 3.61E4 7.7 Loss of ae bus A3 2.15E-6 4.6 Loss of power conversion system 1.42E-6 3.0 ATWS (scoping analysis, not included (9.93E-7) (2.1) in total)
Loss of service water pump P4A train 8.93E-7 1.9 Large LOCA 7.52E-7 1.6 Loss of service water pump P4B train 4.19E-7 0.9 Steam generator tube rupture 2.08E-7 0.4 1.oss of 480V load center B5 1.38E-7 0.3 ix )
f
i j E.3.2 Human Reliability Analysis
! ne HRA process for the ANO-1 IPE addressed both pre-initiator actions (performed during
=mintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response to an l- accident). De analysis of pre-initiator actions included both miscalibrations and restoration faults. A
- screening analysis was performed and one pre-initiator human action which survived screening was j quantified in more detail using the "SAIC method" described in the book Human Reliability Analysis by j Dougherty and Fragola. Post-initiator human actions modeled essentially included both response-type 4 (rule-based) and recovery-type actions, but the terminology and categorization used in the submittal was somewhat different. For the post-initiator screening analysis, the modeled events were quantified using a screening value of 0.4 and potential dependencies were considered. After initial quantification, i surviving cutsets were examined and appropriate post-initiator operator actions were added. Dese
- actions, including in-.and ex-control room actions were quantified using a time reliability correlation
- approach developed by SAIC and documented in the book by Dougherty and Fragola. Brief discussions i of the input parameters for the quantification approach were provided in the submittal. De critical j elements for the in-control room model include
- the available response time and an estimate of the median j response time for the event examined, along with adjustments for type of behavior (verification, rule-l based, and response type, see section 2.3.2.1 for descriptions), degree of " crew burden", success l likelihood (an index that can be used to reflect the impact of PSFs), and model uncertainty. For the ex-l control room model, similar parameters are modeled, along with adjustments to response time for i potential " delaying hazards" outside the control room. He model uncertainty factor can also be adjusted
- for uncertainty due to other influences or hazards. Details regarding adjustments for hazard factors were j not provided.
l
- One potential limitation of the post-initiator analysis concerns the extent to which plant-specific factors t were considered. While the model itself provides reasonable mechanisms for addressing relevant plant-j- specific factors, on the basis of examples provided, it would appear that many of the parameters were left at their default values. Without access to the calculations for all events, it is difficult to determine j the extent to which plant-specific PSFs were actually considered, ne licensee's response to the NRCs
- ~ RAI notes that the burden factor does consider the difficulty 'of the task and the " perceived j consequences" (of acting or failing to act), which are potential PSFs.
l Another potential limitation concerns the licensee's calculation of very low HEP values (" epsilon") for j two events found in steam generator tube rupture (SGTR) sequences. Dey included the operator action
- to maintain RCS pressure belcw a specified MSSV set point and the action "to cooldown the RCS and i isolate the break with the DHR system." De former action was classified as a slip and apparently the
- probability of making an unrecoverable error in conducting the action was determined to be exceptionally .
- low. ' An illustration of the derivation of the HEP for this event was not provided, but the response to
! the RAI states that the action is stressed in training and that the operators have several hours to respond.
i Given that the BHEP for a slip is, assumed to be 0.003, substantial credit for recovery must have been i given. Details of the derivation of the action "to cooldown the RCS and isolate the break with the DHR
!. system" were not provided, but it was assumed to be a response type action with 517 minutes available !
j time. Without additional information, it is difficult to assess the reasonableness of the assigned HEPs. 1 i However, such exceptionally low HEPs are rarely justified in HRA modeling and it should be noted that the estimates of CDF for SGTR sequences in the ANO-1 submittal were four to five times lower than l those found for other similar plants. If these events were important to the sequences and their HEPs were I underestimated, the CDF estimates for the sequences could also be underestimated. Dus, the derivation ,
i of the HEPs for these two events may be a weakness of the HRA. While Fussel-Vesely importance l j X l t
! )
i' l l $
_ , _ _ . _.__._.__._._s 5
4 i
- results did not indicate that these events were high contributors to CDF, they may have had a high risk l achievement worth and may have been important if their HEPs had not been so low.
Dependence among multiple human actions was handled in the ANO 1 submittal essentially by examining auch combinations of modeled human events and determining that the combinations involved events that were either separated in time, involved completely different systems, or were performed by different individuals. De result was that "any dependence was considered negligible." De licensee further indicates that accident progression was accounted for on an accident sequence basis by using sequence-specific basic events. A list of important human actions was provided and it was noted that several l
t improvements to plant procedures were recommended. A list of the improvements are provided in section '
- 2.6 of this report.
l j E.3.3 Back-End Analysis I l
1he Approach usedfor Back-End Analysis As stated in the submittal's introductory section of the containment performance analysis, the ANO-1 l l level 2 analysis is a limited scope analysis since existing reference plant analyses and scoping calculations j
- were used to assess the ANO-1 containment response to severe accident conditions. ;
?
In the ANO-1 IPE Bridge Trees were used to bin the level 1 avident sequences into plant damage states j (PDS). De Bridge Trees provided the means to combine the level I sequences with the relevant RCS i l and containment system parameters and assigning the combinations to PDS bins. I 1
1 De submittal notes that of the 77 possible PDS there are 53 non-zero ones. Of these PDSs those with '
a frequency greater than 104 are retained and the rest are collapsed into the reained ones in a
" conservative" manner.
An event tree / fault tree approach, similar to that used in the level 1 effort, was selected for the ANO-1 CET analysis. A " Generic" and a " Bypass" CET were developed and these were used to assess every accident scenario. Fault trees (called logic trees in the IPE submittal) are used in the IPE to quantify the top events of the CETs. De logic trees used for CET quantification are very detailed and address all phenomena and systems important for Level 2 accident progression. Basic event probabilities are not provided in the submittal.
No credit is taken in the analysis for the possibility that external cooling by water flooding in the cavity can avert vessel failure. If RCS inventory cannot be recovered in-vessel during a sequence it is assumed that the bottom head will fail.
Containment failure modes are divided into small failures where the leakage is assumed to prevent a further increase of pressure but a slow release to the environment occurs in which natural removal l mechanisms in containment compete with leakage from the reactor building. De conta'mment analysis concluded that a catastrophic containment failure was not considered likely. The most likely containment failure mode was considered to be reactor building over pressurization resulting in liner tearing and subsequent leakage. However, in response to an RAI the Licensee notes that for some very energetic ;
failure modes such as alpha mode or rocket mode failures the type of failure is indeterminate between j rupture or leak (i.e., probability of 0.5) and only for the early pressurization failure events is the leakage mode considered more likely.
Xi I
l f
-. ._- . . - . . . . _ ~ - _ _ _ _ _. .
In the quantification of the CET the ANO-1 analysis used the failure distribution curve from the Surry NUREG-1150 analysis adjusted to ANO-1 mean failure pressure (taken to be 154.3 psig) and without any distortion of the Surry curve, as indicated in Figure 4.64 of the submittal.
he submittal states that "De reactor building (containment) response analysis considers the plant-specific features of ANO-1 by comparing the response of the reactor building under similar accident conditions to the reference plant. A Comparative Core /Containmant Response Scoping (CCRS) Model was developed to support this analytical comparative process. De CCRS model automates a set of ;
conservation equations for reactor building response using information from existing analyses of severe ;
accident progression and plant features that have a first order effect on the reactor building response.
De CCRS model simplifies the conservation equations of mass and energy using the reactor building as a control volume to estimate the reactor building response under severe accident conditions."
Scoping calculations were carried out to account for ANO-1 specific reactor building features and for response to mass and energy addition to the reactor building during the periods of core damage, debris dryout, and concrete attack. " Conservative" adiabatic calculations of pressure loads due to hydrogen ;
burning were used. No detailed plant specific phenomena or structural analysis was carried out. '
Most quantification of the CETs is based on point estimates taken from the Surry NUREG-1150 analysis.
Containment isolation failure was evaluated via a plant specific isolation system fault tree model which ,
is summarized in Appendix A of the submittal.
Similar to many PWR IPE analyses the ANO-1 analysis apparently took no credit for operator actions beyond core damage aside from ac power recovery.
i in the ANO 1 analysis each accident progression path through the CET leads to a containment end state i which has a set of radionuclide release characteristics associated with it. Therefore each PDS is easily mapped into its corresponding release categories. The largest fission product releases involving cesium )
and iodine are associated with containment bypass or with early containment failure involving a rupture l with no mitigating sprays available. De submittal states that for ANO-1 a large release may occur in J about 2.8% of all severe accidents.
Source term results are based on simple calculations using insights from reference plants. According to the submittal, the approach used to calculate radionuclide release fractions for each end state is similar to that used in the NUREG-1150, NUREG/CR-4551, and NUREG/CR-4881 studies. The submittal notes that while the NUREG-1150 SURSOR methodology samples each input term based on a distribution defined as a histogram, in the simplified ANO-1 analysis the input values used for the approximate source term analysis are point estimates which are not sampled.
Back-End Analysis Results Table E-3, below, shows a comparison of the conditional probabilities for the various containment failure l
, modes obtained from the ANO-1 IPE with those obtained from the Surry 1&2 and Oconee 1,2&3 analyses.
xii i
l
\
Table E-3 Containment Failure as a Percentage of Total CDF j Containment Failure ANO-1 Oconee 1,2,3 Surry 1,2 Early Failure 5.7 0.9 0.6 Late Failure 12.2 74.5 29.2 Bypass 0.4 negligible 16.7 Isolation Failure 0.5 0.2 0.03 Intact 81.2 24.4 53.5 CDF (1/ry) 4.9E-5 2.3E-5 7.5E-5 As shown in the above table, the conditional probability of containment bypass for ANO-1 is 0.4% of
, >tal CDF. De dominant contributors to bypass are steam generator tube niptures as an initiating event.
induced SGTR is not considered likely in the IPE analysis which claims the hot leg will fail first. The interfacing system LOCA frequency was found to be below the screening criteria in the level 1 analysis.
He probability of early failure, including isolation failurr:s, is about 0.063 where early failure is defined as failure prior to or approximately coincident with reactor vessel failure. Besides over pressure events, failure modes involving (1) thermal failure of the liner at the reactor building wall /basemat floor junction
^
for dry cavity conditions following vessel breach, and (2) impulse load failure at the same junction given ;
ex-vessel steam explosions were also identified as possible early failure mechanisms. He submittal also l
- notes that a large release, i.e, early containment failure without source term mitigation, is expected to
- occur in about 2.8% of all severe accidents. Isolation failures were found to involve 0.5% of CDF in i the analysis.
The ANO-1 IPE analysis determined that the ANO-1 cavity and instrumentation tunnel design is unlike i
that of the reference plants. He ANO-1 design allows the flow of material from the reactor cavity to the outer containment wall. After reactor vessel failure, under dry cavity conditions, molten core material could flow and contact the containment liner at the junction of the containment wall and the basemat floor and this could lead to a potential failure by liner melt-through from the contact with the molten material.
Under wet cavity conditions the impulse load due to an ex-vessel steam explosion or a missile generated as a result of the explosion could fall the containment due to the exposure of the liner. His failure mode was a dominant early containment failure mode.
A number of sensitivity studies were carried out for the CET quantification in the ANO-1 IPE analysis.
De simple CCRS model used for the ANO-1 containment performance examination made the variation i of parameters a relatively easy task for the analysts. l De sensitivity of an issue was measured in terms of the calculated range about the mean value for the figure of merit selected which typically was early or late containment failure. A discussion of each issue is provided in Section 4.8 of the submittal. Of the thirteen issues examined nine showed an increase or decrease in the figure of merit by a factor of 2 or more, and four showed an increase of a factor of 3 or more. De most sensitive issue was the one concerning the effect on early containment failure of increasing the probability of impingement of the containment liner at vessel failure. If this probability xiii
, _ _ _. . __ __ . ~...__..._. _ _ - . _ , _ . _ _ _ _ _ _ _ . _ . _ _ _
d 1
4 was set equal to one the early failure probability increased by a factor of 14 over the base case. All other
- issues had an effect on the results which was less than order of magnitude.
De results of the source term calculations are provided in Table 4.7-4 of the submittal. De largest '
] source terms come from either of two scenarios: (1) an early conteinment failure involving rupture and with containment sprays unavailable, and (2) a containment bypass without scrubbing in the release path.
4 No sensitivity calculations were made for source terms.
E.4 Generic Issues and Containment Performance Improvements -
i ne IPE addresses the decay heat removal (DHR) issue. CDF contributions were estimated for the [
] following DHR methods: secondary cooling (main feedwater, auxiliary feedwater, emergency feedwater) ,
1 and primary inventory control (HPI, LPI and HPI cooling). Failures of the LPI and the EFW were l found to make a major contribution to the total CDF.
l According to the submittal, DHR failure contributes 4.7E-5/yr to the CDF. This falls in the i " intermediate" DHR contribution criterion of NUREG-1289. With model and plant improvements the
! contribution will fall below the 3.0E-5/yr " acceptably low" criterion. Derefore, this issue is considered l j closed by the licensee. !
l De following generic issues are also discussed in the submittal and considered resolved by the licensee:
GI-23 (RCP seal failures) and GI-105 (interfacing system LOCAs). In addition, the submittal is
- considered " favorably relevant" by the licensee to USI A 47 (systems interactions due to internal j flooding) and GI-121 (hydrogen control for large dry PWR containments).
The CPI issues were not treated explicitly in the submittal. In response to an RAI on this subject the :
licensee stated that while global hydrogen burns were accounted for in the containment response atudysis, ,
j localized hydrogen combustion inside the ANO-1 containment was not considered a safety significant
- issue.
f j E.5 Vulnerabilities and Plant Improvements :
1 l De licensee defined a vulnerability in conformance with NUMARC 91-04 criteria (basically a CDF >
i 1.E-4/yr or a CET endstate frequency > 1.E-5/yr). No vulnerabilities were found. The licensee states that the results are within the range of other PRAs and furthermore no individual cutset contributes more ,
! than 10% of the total CDF.
I
- No credit for plant improvements was given in the IPE.
In the plant improvement section of the IPE, several potential improvements to plant procedures were recommended. Hey included the following:
- 1) Include anticipatory warnings in the loss of SW abnormal operating procedure regarding the
- . sensitivity of tripping the RCPs following a sustained loss of SW. De action to trip the RCPs I was not "directly" proceduralized. A related improvement suggested was to trip all but one of the operating HPI pumps (if conditions allow) given a loss of SW. The objective is to avoid i
b xiv i
1 4
\
r w
. _ . _ __ ._ ._ _ _ _ _ _ . _ . . _ . _ __ . _ _ _ . _ _ _ . . . _ _ . _ _ ~ _ . . . _
4 I
unnecessary HPI and reactor building spray pump overheating. Disposition: not implemented.
ACDF: not available.
- 2) Proceduralize the process to recover the LPI failure combination of one LPI suction line and one :
LPI pump unavailable by allowing flow from the available suction line to the oparable LPI pump. 5 Disposition: implemented. ACDF: -3.0E-7/yr.
- 3) Improving severe accident management guidelines to allow refilling the BWST at a specified low ;
level in order to prolong core cooling. Disposition: not implemented. ACDF: not available. -
- 4) Altering the dirty liquid waste and drain processing procedure to direct closure of normally open '
LPI/DHR and RB spray pump room daain isolation valves. His action ensures that the LPI pumps would not be affected by ISLOCA discharges into the auxiliary building and additional !
potential for ISLOCA leak determination. Disposition: implemented. ACDF: -1.68E-7/yr.
- 5) Add verification for closure of SV-7454 to station blackout procedure. Disposition: implemented. l ACDF: negligible. '
In addition the following proposed improvements were noted in the submittal for consideration: '
!) Change valve lineup to keep CV-3806 and 3807 normally open (provide cooling to EDG jackets).
Disposition: not implemented. ACDF: -5.0E-7/yr (this is qtler the new alternate AC power source is modeled); ;
- 2) Manual valve FW-1016 internals removal (provide EFW pumps P7A&B bearing cooling common !
discharge). Disposition: scheduled next outage (10/96). ACDF: -5.0E-7/yr.
- 3) New non-safety battery to reduce safety battery loads and increase battery duty cycle to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. i Disposition: implemented. ACDF: -6.7E 6/yr.
- 4) Anticipated new alternate AC power source. Disposition: implemented. ACDF: -1.1E-5/yr. l l
De following changes were made in response to the SBO rule: addition of the additional diesel generator i or the alternate ac source, not credited in the IPE, see improvement #4 above.
Although no back-end vulnerabilities were found for ANO-1, a number of back-end issues were identified l for further investigation. Dese include:
- the design of the in-core instrument tunnel which makes containment failure via liner melt-through and /or ex-vessel,s, team explosions a credible scenario.
- the status of the cavity personnel hatch door, which when opened will ensure water can enter the cavity area and when closed would increase the likelihood of a dry cavity.
- containment isolation failures following an SBO event via valves in the radiation air monitoring leak detection system.
" l i
t
I
- containment isolation failures via the (no longer used) hydro 7en purge containment isolation valves.
in response to an RAI requesting further information regarding the status of these investigations the licensee indicated that the latter two issues had been dealt with by implementing a procedure to manually isolate the containment radiation air monitoring leak detection system during an SBO event and by <
. removal and flanging off of the hydrogen purger valves. The rammining areas are related to liner impingement and ex-vessel steam explosion phenomena, issues which are considered as having a high i degree of uncedainty for which the licensee has not initiated funber study but will monitor industry progress in investigating and understanding the phenomena involved.
E.6 Observations Based on the level I review of the ANO-l IPE tf9 licensee appears to have analyzed the design and operations of ANO 1 to discover instances of panicular vulnerability to core damage. It also appears that '
the licen.ee has: developed an overall appreciation of severe accident behavior; gained an understanding of the most likely severe accidents at ANO-1; and implemented changes to the plant to help prevent and ,
mitigate severe accidents. Because of the data problems listed below, it is not clear that a quantitative understanding was gained by the licensee.
Strengths of the IPE are as follows: Dorough analysis of initiating events and their impact, descriptions j of the plant responses, modeling of accident scenarios, generally reasonable failure data and common I cause factors employed and usage of plant specific data where possible. The flooding analysis seems to have been reasonable and thorough. De effort seems to have been evenly distributed across the various areas of the analysis. The documentation was usually good, and effort was made to provide RAI i responses.
i Re weaknesses were the use of seemingly low values for some important data: LOOP and small LOCA l initiating event frequencies, power nonrecovery curve, and omission of some CCFs. De TDEFW run {
failure number is low compared to the NUREG/CR-4550 recommended value. There is uneven modeling of common caase failures and some common cause failures are omitted from the analysis, it is not clear if CCF of all three HPI pumps or all three CCW pumps was considered. Dese omissions may have a l moderate impact on the results. However, they may be offset to a degree by a somewhat pessimistic modeling of the LOOP convolution integral, where no credit is given for increased core uncovery times later on in the accident, and no credit is given for diesel generator recovery.
De IPE determined that failures in the AC power, SW, LPI, EFW, ventilation system, MFW and HPI systems dominate the risk profile. Loss of offsite power and small LOCA account fcr about 67% of the total CDF. SBO accounts for about 33% of the CDF. De CDP is dominated by 5 accident sequences.
The HRA review of the ANO-1 iPE submittal and a review of the licensees responses to HRA related questions asked in the NRC RAI, revealed several weaknesses in the HRA as documented. In general, a viable approach (the Dougherty and Fragola method) was used in performing the HRA, but several weaknesses were identified in how the analysis was conducted. While the weaknesses are not severe enough to conclude that the licensee'; submittal failed to meet the intent of Generic Letter 88-20 in i regards to the HRA, they do suggest the licensee may not have learned as much about the role of humans xvi t
i T
L l- during accidents at their plant as would have been possible. Important elements (both strengths and j weaknesses) pertinent to this determination include the following:
- 1) De submittal indicates that utility personnel were significantly involved in the HRA. Regarding the IPE HRA representing the as-built, as operated plant, the submittal states that the HRA was
] involved in the initial sequence and system madaling efforts and that during this period the "HRA i' task had the opponunity to review plant and system design information and become familiar with i
the control room and related operating procedures." While simulator exercises were not conducted, the statements discussed above suggest that the HRA analyst was significantly l involved throughout the modeling effon. Dus, k appears that steps were taken to assure that j the HRA represented the as-built, as operated plant. However, it did not appear that the HRA
~
gave detailed consideration t; plant-specific factors in determining the HEPs (which is discussed
{ below as a weakness).
1 i 2) De submittal indicted that the analysis of pre-initiator actions included both miscalibrations and
- restoration faults. While an acceptable analysis was conducted, a weakness of the submittal was
! that it did not provide a list of the modeled restoration faults. Apparently only a single pre-
- initiator event was found important enough to receive detailed quantification. All other pre-j initiators were apparently screened out.
j 3) A strength of the analysis of post-initiator events was the screening analysis. Modeled events were 1
- quantified using a screening value of 0.4 and potential dependencies were consd
- lered. After initial quantification, surviving cutsets werc examined and appropriate post-initiator " recovery" l operator actions were added. His approach helped ensure that imponant post-initiator actions t were not inappropriately truncated.
(
i 4) De post-initiator analysis included appropriate types of operator actions and had a viable process for identifying, selecting, and quantifying operator actions.
l 5) One apparent weakness of the post initiator analysis concerns the extent to which plant-specific
! factors were considered. While the model itself provides reasonable mechanisms for addressing l relevant plant -specific factors, on the basis of examples provided, it would appear that many of i the parameters were left at their defauli values. In particular, all saccess likelihood indices (SLIs) were left at their default values. Hat is, PSFs were assumed to have no effect. He licensee stated that the relevant factors were unknown for all situations in which a recovery could be applied. By leaving the SLis for the modeled events at their default values, the analysts are basically assuming ANO-1 is an " average" plant in terms of its PSFs. De resulting analysis is therefore " generic" rather than plant-sm:ific and may or may not adequately represent the plant.
- 6) Another potential wakamme concerns the licensee's calculation of very low HEP values
(" epsilon") for two events found in stram generator tube rupture (SGTR) sequences. They included the operator action to maintair RCS pressure below a specified MSSV set point and the action "to cooldown the RCS and Lolate the break with the DHR system." He former action was classified as a slip and apparently the probability of making an unrecoverable error in conducting the action was determined to be exceptionally low. An illustration of the derivation of the HEP for this event was not provided, but the response to the RAI states that the action is
. stressed in training and that the operators have several hours to respond. Given that the BHEP for a slip is assumed to be 0.003, substantial credit for recovery (apparently allowed by the HRA xvii S
l i'
I model) must have been given.' Details of the derivation of the action "to cooldown the RCS and isolate the break with the DHR system" were not provided, but it was assumed to be a " response ,
] type" action with 517 minutes available time. Without additional information, it is difficult to assess the reasonableness of the assigned HEPs. However, such eaceptionally low HEPs are t rarely justified in HRA modeling and it should be noted that the estimates of CDF for SGTR '
sequences in the ANO 1 submittal were four to five times lower than those found for other similar plants. If these events were important to the sequences and their HEPs were [
j underestimated, the CDF estimates for the sequences could also be underaatimatad. Dus, the derivation of the HEPs for these two events may be a weakness of the HRA. While Fussel- !
Vasely importance results did not indicate that these events were high contributors to CDF, d.ey ,
i may have had a high risk achievement worth and may have been important if their HEPs had not been so low. l
- 7) A list of important human actions based on their contribution to core damage frequency was !
4 provided in the submittal. !
l
- 8} The HRA portion of the flooding analysis appeared reasonable and thorough. !
l 4
he important points of the technical evaluation of the ANO-1 IPE back-end analysis are summarized i
- below
- '
De back-end portion of the IPE supplies a substantial amount of information with regards to the subject areas identified in Generic Letter 88-20. f 1
L
- De IPE identified several plant unique failure modes arising from the distinctive construction of the ANO-1 cavity and in-core instrument tunnel design: containment liner melt-through and l containment failure due to ex-vessel steam explosions are credible (although low probability) )
[ modes of early containment failure.
\
Th.e results calculated for the various containment failure modes are well within the range of typical large dry PWR containment response.
The simplified analysis and rather limited plant specific calculations restrict the range of applicability of the ANO-1 containment performance evaluation.
Bacause of the simplified scoping type of analysis used and the lack of detailed plant specific calculations using more sophisticated tools, the level 2 analysis described in the ANO-1 submittal is likely to be of limited use for applications beyond the fulfillment of the intent of GL 88-20.
e
. )
n )
' i
NOMENCLATURE AAC Alternate AC ACW Auxiliary Cooling Water A-W Achievement Worth AFW Auxiliary Feed Water ANO-I Arkansas Nuclear One Unit 1 ANO-2 Arkansas Nuclear One Unit 2 ASEP Accident Sequence Evaluation Progum ATWS Anticipated Transient Without Scram BHEP Basic Human Error Probability BOP Balance of Plant BWST Borated Water Storage Tank CCF Common Cause Failure ,
CCI Core-Concrete Interaction CCRS Comparative Core / Containment Response Scoping CCW Component Cooling Water CDF Core Damage Frequency CET Containment Event Tree CPI Containment Performance Improvement CST Condensate Storage Tank DHR Decay Heat Removal ECCS Emergency Core Cooling System EDG Emergency Diesel Generator EFIC Emergency Feedwater Initiation and Control EFW Emergency Feedwater EOP Emergency Operating Procedures EPRI Electric Power Research Institute ERV Electromatic Relief Valve ES Engineered Safeguards ESAS Engineered Safeguards Actuation System F-V Fussel-Vesely FTC Failure to Close FTO Failure to Open FTR Failure to Run FTS Failure to Start GI Generic Issue i GSI Generic Safety Issue HEP Human Error Probability HPI High Pressure Injection <
HPME High Pressure Melt Ejection j HPR High Pressure Recirculation '
HRA Human Reliability Analysis )
IA Instnament Air '
ICW Intermediate Cooling Water ISLOCA Interfacing System LOCA )
IPE Individual Plant Examination xix f
. .. _~ . . - . _ _- _- . _ _ _ - . - . _ .
l l
! LER Licensee Event Repon . i
- LOCA Loss of Coolant Accident l LOOP Loss of Off-site Power LPI Low Pressure Injection LPR Low Pressure Recirculation MGL Multiple Greek Letter NPSH Net Positive Suction Head PDS Plant Damage State PORV Power Operated Relief Valve PRA Probabilistic Risk Assessment PSF Performance Shaping Factor PWR Pressurized Water Reactor QA Quality Assurance RAI Request for AdditionalInformation '
RCP Reactor Coolant Pump RCS Reactor Coolant System SAIC Science Applications International Corporation SBO Station Blackout SG Steam Generator SGTR Steam Generator Tube Rupture SIMS Station Information Management System SLI Success Likelihood Index l SRV Safety Relief Valve SW Service Water TDEFW Turbine Driven EFW TER Technical Evaluation Report >
USI Unresolved Safety issue l .
I f
J l
I XX 4
i 4
- 1. INTRODUCTION 1.1 Review Process his technical evaluation report (TER) documents the results of the BNL review of the Arkansas Nuclear One Unit 1 Individual Plant Examination (IPE) submittal [IPE submittal and RAI Responses). The TER ,
adopts the NRC review objectives, which include the following: (1) to assess if the IPE submittal meets :
the interd of Generic Letter 88-20, and (2) to determine if the IPE submittal provides the level of detail l requested in the " Submittal Guidance Document," NUREG-1335. ,
l A Request of Additional Information (RAI), which resulted from a preliminary review of the IPE submittal, was prepared by BNL and discussed with the NRC's " Senior Review Board". Based on this -
discussion, the NRC staff submitted an RAI to the licensee on December 1,1995. Entergy Operations, Inc. responded to the RAI (RAI Responses) in a document dated May 9,1996. This TER is based on the original submittal and the response to the RAI.
j
- 1.2 Plant Characterization l Re Arkansas Nuclear One, Unit 1 (ANO-1) Nuclear Power Plant is located on a peninsula in Dardanelle l Reservoir on the Arkansas River in Pope County, Arkansas. It shares the site with Arkansas Nuclear One, Unit 2 (ANO-2). The plant is operated by Entergy Operations, Inc., and started commercial j operation in December 1974. The plant is a 883 MWe Babcock and Wilcox pressurized water reactor (PWR). The reactor coolant system (RCS) consists of the reactor vessel, two vertical once-through steam generators,4 shaft-sealed reactor coolant pumps, an electrically heated pressurizer and interconnected pipmg. ]
1 Design features at ANO-1 that impact the core damage frequency (CDF) relative to other PWRs are as '
follows:
Shared facilities with ANO-2: Startup Transformer 2, Control Room (s), and the Emergency Cooling Pond. (See Section 2.1.2 " Multi- Unit Effects.")
The Service Water (SW) system consists of two independent loops capable of supplying water to the required cooling components under normal and " engineered safeguard" (ES) modes. Here is a third SV.' pump, which can be aligned to either SW train and serves as a readily-available installed spare pump in the event that one of the normally-operating pumps fail. Normal water is supplied from Lake Dardanelle, however an emergency pond is also available in case of the loss of this water source (e.g., by plugging of traveling screens). During ncrmal operation , the SW pumps supply cooling water to the Auxiliary Cooling Water (ACW) loop serving Balance of Plant (BOP) loads. In the event of an Engineered Safeguards Actuation Signal (ESAS) auxiliary cooling is isolated (or manually should be isolated) from the SW system.
He Main Feedwater system contains two variable speed turbine driven pumps, and an Auxiliary Feedwater (AFW) pump , which is motor driven. The AFW pump is used to supply feedwater to the steam generators (SGs) during plant startup and shutdown conditions.
1 i
The Emergency Feedwater (EFW) system consists of just two trains each capable of supplying emergency feedwater (780 gpm) to either or both SGs. One train contains a motor driven pump, and the other train contains a turbine driven pump. Dere are three water sources for the EFW; the Condensate Storage Tank (CST), a backup (non-Q) condensate storage tank, which is interconnected with the Unit 2 CST and has a ecpacity of 202000 gallons, and the SW system.
A unique feature of the system is a common manual isolation valve on the discharge to the circulating water fiume from both EFW pump bearing casings. Although normally locked-open this valve introduces a passive single failure to the EFW system.
For the automatic initiation and control the EFW flow rate the unit has a dedicated Emergency Feedwater Initiation and Control (EFIC) system. In addition to these functions, the system provides regulation of the secondary side pressure during EFW operation and isolates automatically the main steam and feedwater lines associated with an affected SG in the case of a main steam line or feed line rupture.
The ANO-1 safety batteries have a two-hour life upon loss of battery charging.
The safety impact of this short battery life might be reduced by the installation of an Alternate AC, "AAC" system, and a new non-safety, so called " black" battery. This new battery will allow the removal of several important but non-safety DC loads from the safety batteries.
(Targeted installation of the black battery was: Fall of 1993.)
The submittal indicates that the Alternate AC power source will be capable of supplying power individually to any of the ANO-1 or ANO-2 4.16 kV AC safety buses. This AAC power source will be completely independent of SW (air cooled) and DC power (separate batteries) with the capability to be started and aligned readily from either control room. (Targeted insta:lation of the AAC was: Prior to the end of 1994.)
The HPI system consists of three pump trains with four injection legs to the RCS. One pump (P36B) can be aligned to either HPI train and serves as a readily available installed spare pump in the event that one of the initially aligned pumps becomes unavailable. Lube oil cooling for each pump is provided by the SW system.
During reactor operation the HPI is used to supply RCS makeup and RCP seal injection. For {
high pressure recirculation (HPR) the HPI pump suction is aligned to the reactor building sumps via a Low Pressure Recirculation (LPR) pump (" piggy-back operation") and decay heat is removed from the RCS through the LPR heat exchangers. ,
i He unit has " feed and bleed" capability. De HPI shutoff head is greater than the Safety Relief Valve (SRV) setpoint pressure. As a result, the HPI pumps can provide adequate core coolant ;
injection without requiring RCS depressurization. A successful bleeding path can be provided '
by either the opening of the Electromatic Relief Valve ERV (i.e., PORV) or the opening of one of the two SRVs. The ERV block valve is usually open.
The RCP seals at ANO-1 are Byrondackson N-9000 pump seals. Each of these seals consists of a series of three mechanical seals. The seals are specifically designed and tested to minimize leakage following the loss of RCP seal cooling. They are cooled by both by HPI seal injection flow and by heat exchange ( via the RCP Seal Return Coolers) to the Intermediate Cooling Water 2
(ICW) system. RCP seal failure is expected only if both cooling mechanisms fail and a pump is operated for more than about 40 minutes. Since SW cools the tube side of the ICW heat exchangers a loss of SW event has the potential, to develop into a small LOCA because of the loss of both HPI and ICW. Therefore, operators are instructed to secure the operating RCPs if loss of seal cooling occurs for greater than 10 minutes. He assumed high seal resistivity against rupture eliminates the probability of a RCP seal LOCA in a LOOP event (because the RCPs are tripped due to loss of power). It is believed by the licensee, that an RCP seal LOCA will not occur during SBO conditions at ANO-1.
The Instrument Air (IA) system (containing three IA compressors) can be supported by the Service Air system via a crossover valve. In addition, the IA system can receive air from, or supply ali to, the ANO-2 IA system.
Manual transfer is required to switch from the injection to the recirculation mode of ANO-1 emergency core cooling.
He ANO-1 containment is a large dry post tensioned concrete reactor building of prestressed concrete construction and lined with steel. He containment consists of a cylindrical wall with an internal diameter of 116 ft. and a thickness of 3,75 ft., a hemispherical dome with a thickness varying from 3.25 ft. at the top to 3.75 at the spring line, and a flat concrete basemat foundation 9 ft. thick. The containment volume is approximately 1.81 cubic feet, while the nominal reactor power of ANO-1 is 2568 MWth. Both of these values are similar to those of the Surry containment, which is referred to in the ANO-1 IPE analysis.
Some plant features important to the back-end analysis are:
- 1. The reactor building floor and cavity region are at the same elevation, and a path to the outer reactor building wall is provide <l through the incore instrument tunnel. Although a pressure plate exists, which could absorb some of the energy from the various phenomena at vessel breach, a potential for containment failure remains if the plate fails.
- 2. He ANO-1 containment features a relatively large cavity and instrumentation tunnel floor area (643 ft) and a aclatively thidc basemat (9 ft.) which is composed of basaltic concrete. A manway access hatch, currently propt ed open to allow water and gas flow, is located in the instrument tunnel.
- 3. The large containment volume, high containment pressure capability, and the open nature of compartments which facilitates good atmospheric mixing.
- 4. The containment safeguards systems at ANO-1 include the reactor building spray system and the fan coolers, ne reactor building spray flow is not directed to heat exchangers and therefore the sprays system by itself cannot perform a heat removal function in the recirculation mode. The fan coolers or the decay heat removal heat exchanger in the low pressure injection (LPI) flow are used to remove decay heat.
Some of the plant parameters relevant to the back-end analysis are summarized in Table 1.
3
n -a > -. _ a - - . _ . _ . . -_ . , .
i Table I Plant and Containment Characteristics for Arkansas Nuclear One Unit 1 Characteristic ANO-1 Oconee 1,2,3 Surry 1,2 Thermal Power, MW(t) 2568 2568 2441 Containment Free Volume, ft' 1,810,000 1,860,000 1,800,000 ,
Mass of Fuel, Ibm 205,250 NP* 175,000 Mass of Zircalloy, Ibm 42,200 50,772 36,200 Containment Design Pressure, psig 59 59 45 l
Median Containment Failure Pressure, psig 154 144 126 I 1
RCS Water Volume / Power, ft'/MW(t) NP* NP* 3.8 l Containment Volume / Power, ft'/MW(t) 705 724 737 !
Zr Mass / Containment Volume, Ibm /ft' O.023 0.027 0.020 I Fuel Mass / Containment Volume, Ibm / ft' 0.113 NP* 0.097
- Not provided in the IPE submittal, i
1 l
l l !
l l
f 4
I
a d h I
- 2. TECIINICAL REVIEW 2.1 Licensee's IPE Process .
2.1.1 Completeness and Methodology 1
He licensee has provided the type of information requested by Generic Letter 88-20 and NUREG 1335.
l He front-end ponion of the IPE is a Level 1 PRA. This is followed by a limited scope Level-2 PRA 3 to analyse containment performance and severe accident phenomena. The specific approach used for the Level 1 PRA was the "small event tree /large fault tree" approach which relies on the well-established PRA technique called fault tree linking. This approach is clearly described in the submittal.
Internal initiating event and internal flooding were considered. Event trees were developed for all classes 4
of initiating events. Model quantification was performed twice: using plant specific data and using i generic data. Uncenainty analysis v as also performed; basic event distributions were propagated to the ,
accident sequence level through the Monte Carlo technique that provided a probability distribution for j the total core damage frequency. Sensitivity analyses were carried out to obtain information about the <
CDF impact of various plant risk model variables, such as: test and maintenance data (CDF values were !
estimated by increasing and decreasing the inputs by a factor of 10), human reliability values, off-site
, l power recovery factors, some plant modifications and improvements, procedure changes, etc. In !
addition, importance analyses were performed for plant systems and other risk model elements, such n initiating events, system components, human failures, top events in the functional event t:ees.
j Importances have been ranked by the Fussel-Vesely (F-V) imponance measure and the Achievement-l Wonh (A-W) importance measure.
To support the IPE process, the licensee reviewed a number of references (Section 2.4.2 of the Submittal l 1 lists 21 references) including a previous probabilistic study of ANO-1; the 1982 "IREP: Analysis cf the l Arkansas Nuclear One-Unit 1 Nuclear Power Plant" Level 1 Probabilistic Risk Assessment
- (NUREG/CR-2787). The list includes other PRA studies for similar plants, for instance the ones for
- Oconee and Crystal River, the "ANO-2 Probabilistic Risk Assesment" (Entergy Operations,1992), as -
) well as the NUREG 1150 studies. I 1
, The submittal information on the HRA process was generally inadequate in scope. Additional !
information/ clarification was obtained from the licensee through an NRC request for additional information. The HRA process for the ANO-1 IPE addressed both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed as pan of the response to an -
accident). The analysis of pre-initiator actions included both miscalibrations and restoration faults. A ;
screening analysis was performed and one pre-initiator human action which survived screening was '
quantified in more detsil using the "SAIC method" described in the book Human Reliability inalysis by Dougherty and Fragola. The post-initiator human actions modeled essentially included both response-type (rule-based) and recovery-type actions, but the terminology and categorization used in the submittal was somewhat different. For the post-initiator screening analysis, the modeled events were quantified using a screening value of 0.4 and potential dependencies were considered.. After initial quantification, surviving cutsets were examined and appropriate post initiator operator actions were added. These actions, including in- and ex-control room actions were quantified usinF Dougheny and Fragola's time reliability correlation approach. Brief discussions of the input parameters for the quantification approach 5
were provided in the submittal. He critical elements for the in-control raam model include: the available response time and an estimate of the median response time for the event examined, along with adjustments for type of behavior (verification, rule based, and response type, see section 2.3.2.1 for descriptions), degree of " crew burden", success likelihood (an index that can be used to reflect the impact of PSFs), and model uncenainty. For the ex-control room model, similar parameters are modeled, along with adjustments to response time for potential " delaying hazardr~ >utside the control room. He model uncertainty factor can also be adjusted for uncertr,inty due other influences or hazards. Details regarding adjustments for hazard factors were not provided One potential limitation of the post-initiator analysis concerns the extent to which plant-specific factors were considered. While the model itself provides reasonable mechanisms for addressing relevant phnt
-specific factors, on the basis of examples provided, it would appear that many of the parameters were left at their default values. Without access to the calculations for all events, its difficult to determine the extent to which plant-specific PSFs were actually considered. He lictnsee's response to the NRCs RAI notes that the burden factor does consider the difficulty of the task and the " perceived consequences" (of acting or failing to act), which are potential PSFs.
Dependence among multiple human actions was handled in the ANO-1 submittal essentially by examining such combinations of modeled human events and determining that the combinations involved events that were either separated in time, involved completely different systems, or were performed by different individuals. The result was that "any dependence was considered negligible." The licensee further indicates that accident progression was accounted for on an accident sequence basis by using sequence-specific basic events. A list of important human actions was provided and it was noted that several improvements to plant procedures were recommended. A list of the improvements are provided in section 2.6 of this report.
Regarding the containment performance the ANO-1 IPE submittal states that the ANO-1 level 2 analysis is oflimited scope since very few plant-specific accident simulation code calculations were performed in support of the effort. According to the submittal, existing reference plant analyses were used to evaluate the containment response to severe accident phenomena. Scoping calculations were done to account for ANO-1 specific reactor building features and for response to mass and energy addition to the reactor building during the periods of core damage, debris dryout, and concrete attack. " Conservative" adiabatic calculations of pressure loads due to hydrogen burning were used. No detailed plant specific phenomena or structural analysis was carried out.
Essentially the containment response analysis for ANO-1 is carried out by comparing the partimle SNO-1 reactor building features to those found in previously published analyses of typical large sy PWR containments. A Comparative Core / Containment Response Scoping (SSCR) model was developed to suppon this comparative process. The CCRS model uses a simplified set of conservation equations for mass and energy to estimate reactor building response from first order effects under severe accident conditions. For instance, pressure calculations were carried out at selected time points with this model, thus deleting the sequential nature of the accident progression from the simplified analysis. Scoping calculations were carried out with the CCRS model for:
(1) the timing of core uncovery, debris dryout, reactor building failure, and pressure rise for hydrogen burning, (2) reactor building conditions at core uncovery, debris dryout, and reactor building failure, 6
i !
4 3
( f
. (3) borated water storage tank (BWST) inventory depletion due to core injection and containment l spray actuation. :
j
- In addition to these scoping calculations sensitivity calculations were performed with the CCRS to i i determine first order effects of the various assumptions used in the analysis. -
l ;
j A few plant specific MAAP runs were also carried out aAer the level 2 analysis was completed to confirm
{
- i. some of the assumptions made for the scoping calculations. *
! i l Information obtained from a walkdown of the ANO-2 containment was used for the ANO-1 containment i j analysis. !
j 2.1.2 Multi-Unit Effects and As-Built, As-Operated Status {
l As mentioned above, the plant's site is shared with ANO-2. Shared facilities and equipment are few I however, nese include: the Startup Transformer 2, the Control Room (s), the Emergency Cooling Pond j and a variety of non-safety related structures and facilities. ;
Startup Transformer 2: his is a standby transformer for the respective unit auxiliary or )
startup transformers. It represents an additional, independent :
source of power allowing operational flexibility without loss of i redundancy required for the Engineered Safeguards power j supply. ;
ne Control Room (s): The Control Rooms for the ANO Units are located in adjacent !
areas of the respective auxiliary buildings. De control panels l and equipment are physically separated by glass doors that are l open at the top to allow " ventilation systems" to be shared.
The Emergency Cooling Pond: It can be used by either Unit as a source of emergency cooling water (or as a heat sink if desired during normal operations). It was not modeled in the SW system analysis, but considered for operator recovery action.
Non safety related shared systems: Waste disposal, fire water supply, bromination, communication, etc.
Dere are a number of crossties and crosstie possibilities: The backup water source for the EF system, the (non-Q) CST T41, is interconnected with the Unit 2 CST. The instrument Air interconnection was not modeled in the basic risk model. However, it is considered as part of a potential recovery action.
Apparently, the EDG fuel transfer system to the EDG day tank can be cross-tied as well. The operator action to recover the EDG fuel transfer pump by cross tieing to the ANO-2 transfer pump was one of the top ten important human actions.
A wide variety of up-to-date information sources were used to develop the IPE: FSAR system description, piping and instrumentation drawings, electrical one line drawings, system design basis documents, licensee event reports, monthly operating reports, technical specifications, emergency operating procedures and special studies and analyses, he analysis was applied to the plant configuration as it existed in 1988 (select important changes after that date were incorporated into the model if the CDF 1
7
hupact was thought to be signiGeant). The data was collected from January 1980 through March,1989, except for generic power recovery data which was collected over the 30+ year period of the applicable data base. For loss of offsite power, generic data was reviewed in the period January 1980 through December 31 1991 (a 12 year period). Walkdowns were perfcrmed if there were questions with a specific aspect of modeling (also there were frequent interactions with persons familiar with various aspects of the plant). la addition, a flooding analysis walkdown was performed. There was also some reliance on ANO-2 walkdowns.
He submittal states that the HRA was involved in the initial sequence and system modeling efforts and that during this period the "HRA task had the opportunity to review plant and system design information and become familiar with the contro! room and related operating procedures." While simulator exercises were not conducted, the statements discussed above suggest that the HRA analyst was significantly involved throughout the modeling effort. Thus, it appears that steps were taken to assure that the HRA represented the as-built, as-operated plant. However, it did not appear that the HRA gave detailed consideration of plant-specific factors in determining the HEPs In addition, there was no mention of any walkdowns of important or time consuming operator actions and response times for actions outside the control room were based on interviews with operators.
Insofar as the back-end analysis is concerned, the ANO-1 submittal cites a number of sources used, including the BMI-21(M and NUREG/CR-4624 studies of Zion and Surry, the NUREG-4551 assessment of containment loads due to HPME at vessel failure, the NUREG-il50 consideration of uncertainty issues, the parametric analyses in EPRI NP 611 and NP-7192, the NSAC/60 probabilistic risk assessment of Oconee, and some selected MAAP plant specific calculations to confirm assumptions made in the analysis.
It seems the licensee intends to maintain a "living PRA".
2.1.3 Licensee Participation and Peer Review The licensee contributed "well over 50% of the total engineering effort (about nine man-years) applied to the project". Tha licensee contracted with SAIC to develop the PRA and transfer the technology to Entergy personnel. ERIN Engineering was the contractor for the flooding PRA. The relationship with )
SAIC was such that there was a gradual increase in the fractiori of responsibility exercised by the utility I personnel (SAIC led the project and transferred technology in the beginning, with about a 50-50 1 arrangement at the midpoint and almcst total responsibility by ANO-1 personnel at the end). Initially the !
relationship consisted mostly oflearning and assistance by utility engineers. ANO-1 personnel and SAIC shared the initial development of system fault trees, quantification and evaluation. As the project l progressed, utility involvement and expertise in all aspects of the PRA increased. The internal flood j analysis is the single exception since the bulk of the technical work there was performed by ERIN Engineering personnel with ANO-1 personnel input and assistance. Entergy staff participated, particularly during the data collection and plant walkdown, and result review phases of the project. Utility engineers were involved in assuring that all the components in affected flood areas were accounted for and that the Level I basic events representing those components were appropriately tagged. He Entergy staff were involved in directing the contractor on key assumptions and operator recovery actions that could be credited. Finally, the same staff reviewed and approved the final results of the analysis to ensure a clear understanding of the analysis details and results by the utility.
8 j
1 l
i Re reviews performed for the IPE included both independent in-house reviews and an external review. ;
Dere were three levels of review: normal engineering quality assurance carried out by the organization !
performing the analysit, which consisted of a qualified individual with knowledge of PRA methods and ,
plant systems performing an independent review of all assumptions, calculations and results for each task j and system model in the Level 1 analysis (except the internal flood analysis). De second level of review l was performed by plant personnel not directly involved with the development of the PRA model and i consisted ofindividuals from Operations, Engineering, Training and Licensing groups who reviewed the l system models and accident sequence description. De third level of review was performed by PRA :
experts from ERIN Engineering. His review was conducted in two phases. During the first phase, the i review team concentrated on the rsverall PRA methodology, accident sequence analysis and system fault 1 trees. De intent was to provide early feedback to the ANO-1 sta'f concerning the adequacy and accuracy ;
of the reviewed products. De second phase included Level I results, human failure and recovery )
analysis, preliminary plant damage state cutsets and a preliminary containment event tree (CET) (Level 2). De intent of this phase was to identify any modeling inaccuracies, inappropriate failure data, inconsistencies between cut sets, reasonableness of recoveries and results, and make sure the cut sets were ;
properly binned into the PDSs. A summary of the major areas of review comments is provided in the submittal. }
An area of concern is that there was apparently no outside independent review of the flooding analysis, as ERIN Engineering both performed the flooding analysis and was involved in the Level I review work.
l De containment perfonnance analysis was carried out by SAIC and ANO personnel. According to the submittal, the peer review of the level 2 results was performed at one 2 day meeting and conducted by ANO Operations and ERIN.
From the description pro idad in the IPE submittal it seems that the intent of Generic Letter 88-20 regarding licensee participation and peer review is satisfied.
2.2 Front End Technical Review 2.2.1 Accident Sequence Delineation and System Analysis 2.2.1.1 Initiating Events ne identification of initiating events proceeded in a three stage approach: 1) review of existing sources, including other PRAs of similar plants (Crystal River 3 IREP, Crystal River 3 PRA, Oconee PRA, ANO-2 PRA, ANO-1 IREP), EPRI documents (EPRI NP-2230 and NP-801), 2) review of actual plant )
occurrences in the LER system, and,3) a thorough review of each frontline and support system at ANO-1 i to identify failures that could lead to an initiating event.
As a result, a total of 19 initiating events were identified. In addition, three ATWS initiators are discussed in the ATWS appendix (a scoping study). Dese were a turbine trip ATWS, a loss of MFW ATWS and a loss of offsite power ATWS. Also,6 types of ISLOCA initiators were discussed in another appendix (a screening study). Rese were: ISLOCA through LPI injection line A, LPI injection line B, DHR suction line, RCS piping drains, letdown heat exchanger tube rupture and RCP seal cooler tube !
rupture. 'Ihe possibility of reactor vessel rupture is considered insignificant. Rupture of an instrument j i
9 l
tube was judged insignificant based on a Crystal River study. None of the flooding scenarios survived screening. The following are the 19 initiators in the main report:
LOCAs: ,
Reactor / turbine trip less of PCS (power conversion system)
Loss of offsite power Excessive feedwater Steamline/feedline break Spurious low pressurizer pressure signal actuation Spurious engineered safeguards actuation system (ESAS) actuation Total loss of service water Loss of service water pump P4A train Loss of service water pump P4B train Loss of DC bus D01 Loss of DC bus D02 Loss of AC bus A3 Loss of AC bus A4 Loss of 480 V load center B5 Loss of 480 V load center B6 Other:
Steam Generator Tube Rupture Failure of a 120 V AC bus would not cause a plant trip. Only one RPS channel would trip, whereas at least two RPS channels must be in a trip state in order to initiate a reactor trip (RAI responses).
1 HVAC failures are included in the frequency of loss of AC and DC systems. Other equipment would l not be susceptible to HVAC failures for a long time (72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />). In case of the control room, credit is l taken for the operator action to open the doors and place fans in the doorways. These determinations are l based on heatup calculations (RAI responses). '
Spurious failure of RCP seals is included in the small LOCA frequency (RAI responses).
'Ihe initiating event list seems to be mostly complete and comparable to events considered in other PRAs.
2.2.1.2 Event Trees The IPE developed 7 event trees: small LOCA event tree, large LOCA event taee, SGTR event tree, transient event tree and three ATWS evem trees in the appendix (one each for turbine trip ATWS, loss !
of MFW ATWS and loss of offsite power ATWS). No event tree was developed for the interfacing LOCA, however consideration is given to the fraction of ;ow pressure piping outside vs. Inside 10 i
containment, and operator actions to close isolation valves or depressurize the RCS. The flooding analysis did not use any event tree, as no scenarios survived screening.
'Ihe event trees are functional. The mission time used in the core damage analysis was 24 hears, unless a shorter t;me is indicated (e.g., LOCA injection phase).
The event tree end states are divided into two possible outcomes: success or core damage.
It appears the analysts used core uncovery as the definition of core damage for most initiators, along with l the limit on clad temperature for larger LOCAs.
Success criteria are based on review of the ANO-1 Safety Analysis Report, the Oconee PRA, the CR-3 PRA and the ANO-1 and CR-3 IREP studies.
1 Containment cooling is apparently not needed for the Level 1 analysis. Recirculation cooling can be accomplished by either the LPI heat exchanger or operation of the reactor building fan coolers.
In case oflarge LOCAs, core flood tanks (CFT) are assumed to be needed (% CFTs and % LPI pumps needed for core inventory).
In this plant, piggyback recirculation is used in case of small LOCAs (LPI pumps providing suction to the HPI pumps).
If both seal injection via HPl pumps and thermal barrier cooling via the ICW (intermediate cooling water) system fail, then RCP seal LOCA will result if the operators fail to trip the RCPs within 30 minutes, and will not result otherwise.
In the ATWS analysis, the RCS pressure limit is 4,000 psig, based on B&W studies. There will be some small areas of overstress at the RCP pressure boundary at this pressure, but not in the reactor vessel or other RCS components. Also, the injection valves will remain in the elastic deformation regime up to 4,300 psig, although with an increased probability of nonoperability (the Oconee value of 0.1 is used, but only above 4,000 psia).
2.2.1.3 Systems Analysis A total of 15 systems / functions are described in Appendix B of the Submittal. Included are descriptions of the following systems: AC power, ICW or intermediate cooling water (also known as the component cooling water at most other plants), reactor building spray, DC power, emergency feedwater, engineered safeguards actuation, high pressure injection / recirculation, instrument air, low pressure injection / recirculation, power conversion, reactor coolant system pressure control, core flooding tanks, service water, reactor building cooling and reactor building isolation system. In addition, the RAI responses provided more information on the HVAC system and its modeling.
Each system description includes a discussion of the system design and operation, details of modeling and assumptions, and system interfaces (suppon systems).
Also included for many systems are simplified schematics that show major pieces of equipment and important flow and configuration information.
11 l
System dependencies are summarized in a matrix form.
Many systems have dependencies on service water: HPI pumps, LPI pumps, reactor building spray l pumps, reactor building spray coolers, emergency diesel generators, circulating water pumps, condensate pumps and of course ICW heat exchangers. In addition to the two safety loops of the SW system, there is also the auxiliary cooling water (ACW) system, used to cool balance of plant loads during normal operation. He SW system takes suction from Lake Dardanelle, or the emergency cooling pond, which is also shared with the other unit on site, ANO-2.
The ICW system , in addition to cooling the RCP thermal barriers, is also used to cool the main feedwater pump lube oil coolers, and the instrument air compressors and aftercoolers.
1 The instrument air dependency at this plant is not great, and only needed for operation of the power conversion system. There is also a high redundancy in the PCS/lA interface for important components 1 (e.g., the turbine bypass valves have redundant air headers and also independent air bottles). The emergency diesel generators have a dedicated starting air system, including dedicated compressors and accumulators.
The EDGs also require DC power for control, and operation of the ventilation system. Each EDG room is equipped with two exhaust fans and two electro-hydraulic operated outside air intake louvers.
l The alternate AC EDG, installed in response to the station blackout rule, has not been credited in the analysis. '
HVAC failures are not prominent in this plant due to slow heatup. The most vulnerable rooms are the ones containing AC and DC equipment, the control room and the safety pump rooms. Calculations show equipment operability for 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> in the electrical switchgear and emergency safety features pump rooms, and a maximum temperature in the control room of Il5'F. This is assuming the operators open the switchgear room door at 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> into the accident (however subsequent calculations show this may not be necessary) and, in case of the control room, the operators open the door and place fans in the doorways to provide forced air circulation with outside air (RAI responses). i As stated in Section 1.2, this plant has only two trains of EFW, a turbine driven and a motor driven one.
The turbine driven train can be supplied by the DC control power from either of the two emergency DC buses. Here are three primary sources of EFW water: the condensate storage tank (CST) T41B, which has a capacity of 321,000 gal. and a minimum inventory of 107,000 gal (good for a minimum of 4.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />), the non-Q CST T41, which is a backup with a capacity of 202,000 gal and is interconnected with the Unit 2 CST, and, the service water loop supply.
2.2.1.4 System Dependencies The IPE addressed and considered the following types of dependencies: shared component, instrumentation and control, isolation, motive power, direct equipment cooling, areas requiring HVAC, operator actions. There is not much discussion of environmental effects, apart from HVAC and flooding / spray considerations.
Table 3.2-4 of the submittal contains the overall system dependency matrix, including both support-on-support and frontline-on-support dependencies.
12
~
4 2.2.2 Quantitative Process 2.2.2.1 Quantification of Accident Sequence Frequencies he IPE used a small event tree /large fault tree technique to quantify core damage sequences. The event i trees were functional. The CAFTA workstation software package was used for development and l quantification of top event probabilities and accident frequencies.
De cut set truncation limit used was 1.E-8/yr, and 1.E-9/yr for containment bypass sequences. The RAI responses state that the truncated residuals would not add significantly to the CDF. This is based on running the updated PRA model with a truncation limit of 1.E-9/yr.
The IPE took credit for various recovery activities, including the recovery of offsite power. The quantification of loss of offsite power and station blackout sequences was accomplished using the convolution approach. This method involves evaluating an integral, which takes into account the fact that !
equipment failures may not occur all at the beginning of the accident (e.g., a diesel generator may start, I and run for some time, before failing), and thus, the time for offsite power recovery is extended. In the submittal, no credit is given for the fact that the core uncovery time will also be extended later on in the accident, due to the decaying nature of the core thermal power post trip. Instead, the standard 60 minute ,
core uncovery time, after a loss of all methods of core cooling, is kept throughout. This has apparently I been corrected in the latest update of the PRA, according to the RAI responses. Also, no credit is given to any diesel generator repair or recovery. However, the power recovery factors seem to be optimistic, i when compared to the NSAC-147 data. As seen from Table 2, this under-representation of the nonrecovery factors is more pronounced at longer times, where the IPE non-recovery factors are 3-4 times lower than those in NSAC-147.
It is expected that the smaller power nonrecovery factors will have a noticeable effect on LOSP sequences, and therefore on the total CDF.
Table 2 IPE vs. NSAC-147, Nonrecovery of Offsite Power IPE probability of nonrecovery NSAC-147 probability of Time after initiator (hr) of offsite power nonrecovery of offsite power 1 0.44 0.46 3.5 0.11 0.17 6 0.04 0.12 8 0.02 0.08 2.2.2.2 Point Estimates and Uncertainty / Sensitivity Analyses Mean values were used for the point estimate initiator frequencies and all other basic events. De point estimate for the CDF is 4.67E-5/yr. Uncertainty analysis was also performed. The 5th percentile is 1.41E-5/yr and the 95th percentile is 1.36E-4/yr. Importance measures were calculated for basic events (risk achievement worth (A-W) and Fussell-Vesely). He F-V most important failures deal with SBO and LOSP events (failures of EDGs, Batteries, offsite power nonrecovery factors). The A-W most important failures are various electrical failures (EDGs, AC and DC breakers, relays), sump plugging, manual valve 13
l
.I r
i
! failures and motor driven pump failures. Also, A-W and F-V imponance measures for systems were !
calculated.
Several sensitivity studies were done. Increasing all test and maintenance unavailabilities by a factor of f 10 resulted in a 68% increase in the CDF (to 7.85E-5/yr). Decreaf b such unavailabilities by a factor j of 10 resulted in a 6% decrease in the CDF. When all the beta n ars were raised by an order of ;
r magnitude, the CDF rose by 210% (to 1.45E-4/yr). A tenfold decrease in the betas resulted in a 23% l
! decrease in the CDF. When all the HPI cooling operator recovery actions were set to fail at 1.0, the l l
CDF rose by 824% (to 4.32E-4/yr). Excluding the salt spray events from the offsite power recovery l model cut the CDF by 14%. Extending the battery life from 2 to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> by the addition of the new l black battery for nonsafety loads, decreased the CDF by 165. De addition of the new AAC source (per ;
SBO rule, i.e., another diesel generator), assumed to result in a tenfold decrease in the nonrecovery i factors, decreased the CDF by 36%. De combination of the new AAC source and extension of the ;
battery life resulted in a 38% decrease in the CDF. Use of " conservative" nonrecovery factors used in j other PRAs (licensees words) 1.e., failures occur at the beginning of the event, and no convolution l
l Integral is calculated, results in a 164% increase (to 1.23E-4/yr) of the CDF. Addition of the procedural '
guidance to open the LPI pump suction crossover valves from the control room resulted in a 12%
l decrease in the CDF. Procedure change to trip the RCPs due to an anticipated loss of ICW, upon loss i of SW, resulted in a 4.5% cut in the CDF. Removing the internals of FW-1016, the com'non manual isolation valves on EFW pump bearing cooling return to circulating water flume (prevents plugging of ;
' that valve), results in a 1.3% decrease in the CDF. Maintaining the EDG Jacket cooler service water (
supply valves normally open results in a 7.1% decrease in the CDF. He latter in combination with the i new AAC source results in a 37.25% decrease in the CDF. Crediting use of the reactor building sump !
l pump to provide suction to the HPI pump, in the event the LPI pump is not available, decreased the CDF by 5%.
l De results were also displayed, in most categories, by using the generic data only. He generic data l only results were usually not much different from the plant specific data results.
2.2.2.3 Use of Plant Specific Data l
Since the plant is relatively new and there hasn't been enough time to develop plant specific data, mostly generic data was used, except for the maintenance data and the diesel generator failure data.
He data collection period was from January 1980 to March 1989. Prior to July 1985, data had to be collected from hardcopy reports, a time consuming process. Afterwards, the data were available on the l computerized Station Information Management System (SIMS).
For components where good plant specific data did not exists, generic data were used instead. He data sources examined for plant specific data were the SIMS, the NPRDS (nuclear plant reliability data system) and the GADRS (generation availability data reporting system).
Table 3 of this review compares the failure data for selected components from the IPE to values used in the NUREG/CR-4550 study [NUREG/CR 4550, Methodology].
I
- ANO-1 data are generally in agreement with the NUREG/CR-4550 data, except for the following: the
i 14 i
l l l
components use plant specific data). It is expected that data used for these components will have a significant influence on the results.
i Apparently, no Bayesian updating was used in any plant specific calculations.
Table 3 ANO-1 Comparison of Plant Specific Failure Data Component ANO-1 4550m MD Pumps (HPSI, LPSI, EFW, SW, CS) FTS 3.86E-03 3.0E-03 FFR 2.0$E45 3.0E-05 TD Pump (EFW) FTS 5.76E-03 3.0E-02 FTR 9.37E-05 5.0E-03 DGs FTS 7.17E-03 3.0E-02 FTR 3.45E-03 2.0E-03 MOVs Fall to operate 1.07E-02 3.0E-03 AOVs (Air Operated Valve) Fail to operate 2.02E-02 2.0E-03 Battery failure 6.67E-06 1.0E-06 )
. Battery charger failure 1.47E-06 1.0E-06 Circuit breaker (spuriously open) 3.76E-06 1.0E-06 Check valve Fail to operate 5.98E-04 1.0E-04 Fail to open -
1.0E-03 Fail to close -
AC bus fault (480 V to 13.8 kV) -
1.0E-07 kV transformer failure 3.98E-06 Nois (1) 4550 are mean values taken from NUREG/CR-4550, i.e., from the NUREG-1150 study of five U.S. nuclear power plant.
(2) Demand failures, fail to start (FTS), are probabilities per demand. Failures to run (FTR) or operate are frequencies expressed in number of failures per hour.
2.2.2.4 Use of Generic Data '
De generic data mostly comes from the SAIC generic data base. The data were classified with respect to their origin (expert opinion, US nuclear experience), scope (number of components in population, dates of data, relevance, etc.) and quality (failure counts based on plant maintenance records or LERs; exposure time based on actual experience or estimates, etc.). He data was then aggregated and selected by matching the needs of the PRA to the available information.
15
2.2.2.5 Common-Cause Quantification The common cause failure (CCF) probabilities were based on the procedure presented in NUREG/CR-4780 and the data presented in EPRI NP-3967. It seems that the approach used was the beta factor approach, for most components. The licensee states that there is no evidence in the data reviewed for ANO-1 of CCFs for circuit breakers (other than reactor trip breakers), electrical switchgear, air operated valves, air c.ompressors, inverters, relays, switches, transmitters (RAI responses). Other PRAs have included these failures. The addition of common cause failures of check valves, chillers (room cooling is not important) and EDG fans (fans have a lower failure rates than EDGs) will be examined for the updated PRA (RAI responses), however they are not expected to have major impact.
The common cause failure between the TDEFW pump and the MDEFW pump was not modeled. It should be noted that the EFW system has a relatively large risk achievement worth (168) therefore this could have a discernible impact on the results. Common cause failures of pumps with different drivers have been modeled in PRAs and are included in EPRI documents (for example the ALWR requirements data base).
It is not clear if common cause failure of all three HPSI pumps or all three CCW pumps was considered (no CCF factors are provided and this does not appear in dominant sequences). If not, this may have a significant impact on the results.
A comparison of effective # factors in the submittal vs. those suggested in NUREG/CR-4550 (" reference
- factor") is presented in Table 4.
Table 4 Some Generic CCF Used in ANO-1 IPE Component Failure mode "I" C' 0 Submittal * # factor f ,
Diesel generator FTS/FTR 0.05 0.03.8 CCF of 2 DGs HPl/HPSI motor driven pumps, FTS/FTR 0.17 0.21 CCF of 2 pumps LPI/LPSI motor driven pumps, FTS/FTR 0.11 0.15 CCF of 2 pumps SW motor driven pump, FTR 0.03 0.026 CCF of 2 pumps ICW/CCW motor driven pump, FTR 0.03 0.026 CCF of 2 pumps CSS motor driven pumps, FTS/FTR 0.05 0.05 CCF of 2 pumps 1
O 16 l
i
Table 4 Some Generic CCF Used in ANO-1 IPE (Cont'd) l Component Failure mode Ref #
Submittal' # factor g HPI/HPSI MOV FTC/FFO 0.08 0.088 LPl/LPSI MOV FTC/FTO 0.08 EFW MOV FFC/FTO 0.08 SW MOV FTO 0.08 CSS MOV FTO 0.08 MFW MOV FTC 0.08 RCS safety / relief valve FTO 0.07 0.07 i
- EPRI, NP-3967 data. l The table shows general consistency between the ANO-1 CCF data and that recommended in NUREG/CR-4550.
In conclusion, the CCF analysis is mostly reasonable, however exclusion of certain component types / failure modes may be significant.
2.2.2.6 Initiating Event Frequency Quantification ne initiating event frequencies were calculated by two methods: ANO-1 specific experience, and generic industry data. No Bayesian updating was used.
The plant specific experience was used for the reactor trip, and loss of the power conversion system (the spurious low pressurizer pressure signal was apparently calculated from a fault tree analysis).
The initiating event frequencies used in the IPE are presented in Table 5.
He initiating event frequencies generally seem reasonable and are comparable to other PRA studies. The large LOCA, small LOCA and LOOP frequencies seem lower than expected.
It is stated in the submittal that the RCP LOCA frequency is included in the small LOCA frequency. The Byron Jackson design of the RCP seals is apparently less likely to leak than Westinghouse seal design, and there have been improvements in seal design over the years as well as several seal tests. On balance, the small LOCA frequency seems reasonable.
De large LOCA frequency (which also includes medium LOCAs) is low compared to NUREG/CR-4550 data. However, it contributes only about 1% to the total CDF, so even raising this frequency by an order of magnitude will not substantially change the results.
He LOOP frequency seems low compared to expected weather phenomena at the site. Only 15% of the LOOP frequency is due to weather causes, i.e., the site would experience such an event only once every 200 years, according to the IPE. It seems the methodology used for specializing the industry occurrence 17 l
i l :
8 i
t data to the plant specific conditions, tends to underestimate the LOOP frequency. The data appears to !
- include shutdown time in the calculation of the total reactor years, and there may be cases (as in plant l i centered LOOP) where inappropriate reactor years are not adequately screened out. In any case, the
, LOOP frequency should not rise by more than a factor of two, which would translate into a correspondingly higher LOOP caused CDF. Since LOOP is already a primary CDF contributor, the i conclusion as to LOOP significance to the CDF would not change, but the numerical values would. Also, l the observation above on the power nonrecovery factors (they seem low) would bias the LOOP CDF
, contribution in the same direction as the relatively low LOOP frequency, i
l 'Ibe 1978 ANO-1 LOOP event was not included in the LOOP frequency calculation, as it was outside i
the data window. Including this event would raise the LOOP frequency by about a factor of two.
In addition, some of the error factors quoted for the initiating events seem unreasonably low, and sometimes do not make sense when compared on a relative basis (some relatively rare events have a smaller error factors than some relatively frequent events). For instance, the error factor for loss of offsite power is 1.33 (meaning that this number is known with a high degree of certainty), while the error factor for the loss of the power conversion system, derived fmm plant specific occurrences, is 8.79. This l will have an impact on the uncertainty analysis (which, however, is not requested by the generic letter, l or NUREG-1335). I Table 5 ANO-1 Initiating Events and Core Damage Frequencies initiator Description r.- r-yr.) yr.) fDF 1 Tl Reactor \ Turbine trip # 3.90 5.42E-06 11.10 T2 Loss of power conversion system' O.28 1.42E-06 2.91 T3 less of off-site power
- 3.58E-02 1.66E-05 34.00 T4 Excessive feedwater* 6.0E-04 2.23E 09 0.01 T5 Steamline/feedwater line break
- 1.10E-03 3.59E-09 0.01 T6 Spurious low-pressurizer-pressure signal' 3.35E-04 9.24E-09 0.02 T7 Spurious engineered safeguards actuation 3.6E-03 8.14E-10 -0 system (ESAS) actuation
- T8 Total loss of SW flow
- 1.0E-03 3.61E-06 7.39
'I9 Loss of SW pump P4A train
- 3.16E 02 8.93E-07 1.83 T10 loss of SW pump P4B train
- 3.16E-02 4.19E-07 0.86 Til Loss of de bus D0l* 3.94E-04 8.43E 08 0.17 T12 less of de bus D02* 3.94E 04 3.16E-08 0.07 T13 less of ac bus A3* 3.94E-04 2.15E-06 4.40 T14 Loss of ac bus A4* 3.94E-04 3.38E-08 0.07 18
Table 5 ANO-1 Initiating Events and Core Damage Frequencies (Cont'd)
IEF CDF+
Initiator Description (per r.- (per r.- '" '
,g DF yr.) yr.)
TIS Loss of 480 V load center B5* 1.04E-03 1.38E-07 0.28 -
T16 Loss of 480 V load center B6* 1.04E-03 9.07E-08 0.19 t l S Small LOCA* 5.00E-03 1.49E-05 30.52 ,
A large LOCA* 1.00E-04 7.52E-07 1.54 R Steam generator tube rupture
6.92E-08 0.14 Internal flooding < 1.0E-06 < 2.05 l
ATWS ATWS scoping analysis 9.93E-07 2.03 CDF Total Review 4.89E-05 l + Plant specific data
- Generic initiating event frequencies l ' Plant specific initiating event frequencies 2.2.3 Interface Issues 1
2.2.3.1 Front.End and Back End Interfaces l The IPE assumes that reactor building cooling units (containment fan coolers) could provide sufficient cooling of the sump water, in case of failure of LPI heat exchangers, such that adequate NPSH for recirculation is provided. Otherwise, containment integrity does not seem to be necessary for the Level 1 analysis.
Section 2.4 provides more information on Level 2 considerations.
2.2.3.2 Human Factors Interfaces Section 2.3 presents information on HRA considerations.
2.2.4 Internal Flooding 2.2.4.1 Internal Mooding Methodology The methodology used to perform the flooding analysis consisted of five major steps:
- 1) Preliminary flood scenario development; 19 l
i
- 2) Plant walkdown; j 3) Initial flood scenario frequency screening;
- 4) Refinement of analysis bases and assumptions;
- 5) Detailed quantification of important flood scenarios.
- The final two steps were performed iteratively until each scenario was determined to be below the ,
established screening frequency or until the scenario frequency was as low as reasonably achievable using the screening methods of this study. His process may result in a substantial residual not being reported l in the final results.
l ,
- ne screening criterion was 1.E-6/yr.
ne development of flooding scenarios was supported by a plant walkdown. He effect of the flood on equipment cable terminal points (e.g. junction boxes) was deduced from automated plant cable data bases .
i and Appendix R equipment cable tables obtained from the ANO-1 design engineering electrical group. t Pipe whip and steam impingement were judged beyond the scope. Liquid jets and sprays were not considered as to the exact patterns of impingement, but were assumed to fail all the equipment in the 4 initiation flood area.
Propagation of flooding to other areas (including open doors, stairwells, elevator shafts, drains, and through gaps in closed doors) and isolation of the floods were considered. Fire doors are not water tight. :
l Sumps are asumed to overflow with sump pumps unable to keep up with the deluge flood flow. Drain plugging was apparently not considered. However, a deluge flood would seek large openings such as j stairways and elevator shafts to propagate to lower levels. Isolation oflarge floods in 20 minutes with a probability of 0.01 is assumed. Inadvertent actuation of the fire suppression equipment and maintenance ,
induced floods are " implicitly part of the data base", i.e., were not separately developed to uncover any l plant specific vulnerabilities. Component failures considered which could cause flooding were pipe and valve ruptures, pipejoints, flanges, tanks, etc. Internal flooding data from PLG-0624 of May 1988 were used, and calculation of flood source density in different areas was performed.
In the detailed analysis, minimum water levels to induce equipment damage were considered in the flood propagation zones.
Surviving flood scenarios were quantified using internal events event trees with flood induced failure tagged in the fault trees. Flood revised HEPs were used for recovery actions.
No flood scenarios survived the screening (after the procedural improvements).
2.2.4.2 Internal Hooding Results Two flooding scenarios initially exceeded the screening criteria. Rese were floods in the EFW pump area or the lower south piping penetration area that would propagate into the ECCS pump room via the normally open ECCS pump room sump drain valves. De procedure has been changed to keep these valves closed. As a result the flooding CDF decreased from 7.5E-6/yr to P.lE-7/yr.
l 20
2.2.5 Core Darnage Sequence Results 2.2.5.1 Dominant Core Damage Sequences De results of the IPE analysis are in the form of functional sequences, therefore NUREG-1335 screening criteria for rgoning of such sequences are used. De point estimate for the core damage frequency from internal events is 4.67E-5/yr. He internal flooding contributed an additional 8.lE-7/yr. Accident types and their percent contribution to the CDF, are listed in Table 6 (A'IWS and internal flooding are not included in the total, as they were the results of scoping analyses). The most important initiators are given in Table 7. Note that the reactor vessel rupture was not considered as pan of the study, however, a generic B&W value of 5.0E-7/yr is mentioned, based on pressurized thermal shock considerations.
Seven dominant sequences and one internal flooding sequence were described in detail (three transients, two small LOCAs, one SGTR, one ISLOCA). Each of the five non-bypass important sequences has a frequency greater than 1.E4/yr. The SGTR and the ISLOCA frequencies are greater than 1.E-8/yr and approaching 1.E-7/yr. For each of the important sequences, the submittal gives a discussion about the dominant failures and initiators. The impcrtant sequences are sununarized below in Table 8. System importances are presented.in Table 9.
De RCP seal LOCA contributions are as follows: as an initiator 8.9E-6/yr (19%), SBO induced 5.6E-8/yr (0.1%) and loss of ICW induced 4.6E4/yr (9.9%). He SBO contribution is 33%. The LOOP events and the small LOCA are the most important events.
Table 6 Accident Type and Their Contribution to the CDF Initiating Event Group Contribution to CDF (/yr) %
Transients 3.09E-5 66.2 LOCAs 1.57E-5 33.6 ATWS (not included in TOTAL) (9.93E-7) (2.1)
Internal Flooding (not included in (8.1-7) (1.7)
TOTAL)
Steam Generator Tube Rupture 2.08E-7 0.4 Interfacing Systems LOCA 6.92E-8 0.1 TOTAL INTERNAL CDF 4.67E-5 100.0 21
(
4 Table 7. Dominant initiating Events and Their Contribution to the CDF Initiating Event Contribution to CDF (/yr) %
l Loss of Offsite Power 1.66E-5 35.5 Small LOCA 1.49E-5 31.9 l l
Reactor / turbine trip 5.42E-6 11.6 Total loss of service water flow 3.61E-6 7.7 Loss of ac bus A3 2.15E-6 4.6 Loss of power conversion system 1.42E-6 3.0 ATWS (scoping analysis, not included (9.93E-7) (2.1) in total) l Loss of service water pump P4A train - 8.93E-7 1.9 '
Large LOCA 7.52E-7 1.6 Loss of service water pump P4B train 4.19E-7 0.9 Steam generator tube rupture 2.08E-7 0.4 ,
i Loss of 480V load center B5 1.38E-7 0.3 Table 8. Dominant Core Damage Sequences
% of Initiating Event Dominant Subsequent Failures in Sequence CDF transient loss of primary to secondary cooling and failure of HPI 48 cooling in the injection phase small LOCA loss of high pressure recirculation 26 transient induced SLOCA (e.g., RCP seal LOCA) with loss of 9 primary inventory makeup in the injection phase transient loss of primary to secondary heat removal and failure of 8 HPI cooling in the recirculation phase ;
small LOCA loss of high pressure injection in the injection phase 6 l steam generator tube rupture loss of long term steam generator isolation and heat 0.2 removal interfacing system LOCA -
0.1 internal floods loss of primary to secondary heat removal and failure of (1.7)
HPI cooling in the recirculation phase 4
22
Table 9 System Importance Measures s
j System Fussell-Vesely importance Risk achievement importance !
- ac power (non-initiator) 5.51E-1 2,042.18 !
j service water 4.38E-1 398.3 >
! LPI 4.31E-1 607.64 l EFW l.75E-1 167.8
! ventillation systems 7.24E-2 12.0 i l main feedwater 6.00E-2 19.3 HPI 5.75E-2 77.6 I de power 4.08E-2 423.6 l
l RCS pressure control 1.05E-2 11.0- l ACW & ICW l.54E-3 27.2
. main steam 9.61E-4 9.2 l ESAS 9.26E-4 26.2 j reactor bldg tan coolers . 4.49E-4 6.0 i instrument air 9.26E-5 18.1 l service air 2.34E-6 3 1
4
- - 2.3 Human Reliability Analysis Technical Review t
i 2.3.1 Pre-Initiator Human Actions Errors in the performance of pre-initiator human actions (such as failure to restore or properly align equipment after testing or maintenance, or miscalibration of system logic instrumentation), may cause
.' components, trains, or entire systems to be unavailable on demand during an initiating event. The review of the human reliability analysis (HRA) portion of the IPE examines the licensee's HRA process to j determine the extent to which pre-initiator human events were considered, how potential events were j identified, the effectiveness of any quantitative and/or qualitative screening processes used, and the 1
! processes used to account for plant-specific performance shaping factors (PSFs), recovery factors, and j j dependencies among multiple actions, j j 2.3.1.1 Types of Pre-Initiator Human Actions Considered i
j De ANO 1 IPE indiented that it considered both of the traditional types of pre-initiator human actions:
{ failures to restore systems after test, maintenance, or surveillance activities and instrument l J miscalibrations. However, neither the submittal nor the licensee's response to the NRC's RAI provided )
j a list of the failure to restore events that were modeled. De response to the RAI lists nine miscalibration
- errors as potential contributors to ESAS failures and one of these events is listed in the submittal along
, with its HEP. De submittal states that unimportant human failure events (HFEs) were not routinely '
j included in the HFE database. Rus, the remaining miscalibration events and all restoration faults
! apparently failed to survive screening. Consistent with other HRA methods, " slips" were the only pre- ,
j initiator error mode modeled. l l 1 1
! 23 I 4
4
.c - _. , . -
- n. - - - . - , .
2.3.1.2 Process for Identification a.1d Selection of Pre-Initiator lluman Actions The submittal indicates that the "quantification as well as the identification and qualitative assessment of human failure events (HFEs) follows an SAIC technique (Dougherty and Fragola,1988) that is nearly identical to what has recently been described as SHARP 1." In the licensees response to the NRC's request for additional information (RAI), it was stated that the pre-initiator events were included "during the development of the system fault trees by reviewing the various failure modes of the systems and accounting for human induced failures " Human interactions with the equipment were examined, discussions with plant personnel were held, and operating, calibration, and surveillance procedures were reviewed. While it appears that relevant information sources were examined, a complete listing of all pre-initiator restorations and miscalibration errors modeled would have helped in determining whether the process was adequate.
2.3.1.3 Screening Process for Pre-Initiator lluman Actions A screening value of 0.003 was assigned as the basic probability of a slip involving a single train of equipment, e.g., failing to restore equipment in HPSI train A. De screening probability of a slip affecting multiple trains was set at 0.0003 (e.g., miscalibratinn of both RB pressure sensors), which is a train or " beta factor" of 0.1. THERP was cited as the source from which these values were derived.
All HFEs (pre- and post-initiators) in "cutsets above an HRA cutoff frequency of 1.0E-8 were given detailed analysis " While the submittal states that no post-initiator HFEs were screened out ("every one that appeared in the model was included in the final cutsets"), all but one pre-initiator was apparently screened out.
2.3.1.4 Quantification of Pre-Initiator iluman Actions l
A " time-independent" technique was used to quantify all " slips", which is assumed to be the only failure i mode for pre-initiator events. He submittal states that the technique is a variant on THERP and is similar )
to the ASEP HRA procedure. De technique assumes a basic human failure probability (BHEP) of 0.003 i and a "mt.!tiple component beta factor" to (essentially) account for common cause slips across trains.
For two train systems, a multiplier (or beta factor) of 0.1 is used and for three or more trains, a beta factor of 0.01 is assigned. Thus, the median common cause failure probability for three or more pressure sensors could be 3.0E-5, but would usually be less due to credit for recovery by a checker (personnel factor) etc. Credit for redundant crew members (e.g., an independent post-maintenance check) was taken for only one checker and moderate dependency was assumed in the example provided in the submittal.
Apparently, credit for the personnel factor could range from 1.0 to 0.05. On the basis of recovery credit allowed in methods such as ASEP (NUREG/CR-4772), the amount of credit is not unreasonable, but the lower values such as 0.05 may be optimistic without justification based on . morocgh analysis.
He response to the RAI states that a PSF value of 1.0 was assumed for all pre-initiators modeled in the IPE. If this implies that PSFs were not really evaluated, a lack of consideration of any plant-specific PSFs, coupled with the more or less " generic" approach used to quantify the pre-initiator events, results in an HRA that may not provide a good representation of the actual plant. However, since both restoration and miscalibration events were apparently modeled, the licensee's pre-initiator analysis ,
provides at least some opportunity to identify potentially important events.
24
i i 2.3.2 Post-Initiator Human Actions I
i Post-initiator human actions are those required in response to initiating events or related system failures.
, Although different labels are often applied, there are two important types of post-initiator human actions j that are usually addressed in PRAs: response actions and recovery actions. Response actions are generally j distinguished from recovery actions in that response actions are usually explicitly directed by emergency j operating procedures (EOPs). Alternatively, recovery actions are usually performed in order to recover i a specific system in time to prevent undesired consequences. Recovery actions may entail going beyond l EOP directives and using systems in relatively unusual ways. Credit for recovery actions is normally not
- taken unless at least some procedural guidance is available.
a j The review of the human reliability analysis (HRA) portion of the IPE determines the types of post-initiator human actions considered by the licensee and evaluates the processes used to identify and select, screen, and quantify the post-initiator actions. He licensees treatment of operator action timing,
- dependencies among human actions, consideration of accident context, and consideration of plant-specific i PSFs is also examined.
l j 2.3.2.1 Types of Post-Initiator Hu nan Mions Considered The ANO 1 IPE categorizes human actions as either human failure events (HFEs) or recovery actions.
l The distinction is " functional" in the sense that HFEs are ialuded in the fault or event trees, while j recovery actions are applied at the cutset level. HFEs included both pre- and post-initiator events.
l Twenty-two post-initiator HFEs were modeled in the fault trees. The rest of the post-initiator human j actions were labeled recovery actions because they were applied to the cutsets after initial quantification.
1 The licensee indicated that all HFEs were highly proceduralized and that most of the recovery actions 1 were also proceduralized. Thus, while the licensee's categorization scheme is not completely consistent i with the traditional distinction between response and recovery type actions, it appears that both types of actions were modeled.
l Three criteria were identified for recovery actions: 1) the equipment to accomplish the recovery must exist and be available,2) time to accomplish the action must be available, and 3) the action must be in procedures, taught in training, or otherwise be obvious to the operators. Given these criteria, the recovery actions could include both response and recovery actions as described in the traditional sense. However, a distinction was made between potential rule-based mistakes (procedure-based) and " response mistakes" which have been described elsewhere (e.g., the Waterford 3 IPE submittal which used the same HRA method as that used in the ANO-1 IPE) as mistakes "in on-the-spot, general diagnosis and response in the absence of rules." These two categories appear to roughly fit the traditional distinction between response and recovery actions, but in this case the " response" actions are the ones that may not be proceduralized. A third type, verification mistakes, was also discussed. Verification mistakes were described as mistakes in immediate actions found in the emergency procedures. These three different types of actions were treated in the analysis by assignment of different " type" factors (discussed further below). -When considered independently from other factors, verification actions were more likely to succeed than rule-based, which were in turn were shore likely to be successful than response actions.
Interestingly, several actions listed in the licensee's response to the RAI as HFEs and included in the fault trees, were denoted as " response" actions in the submittal. Assuming tne ANO-1 licensee adopted the same definitions as used with the same HRA method applied in other IPEs (and diey may not have), it could be that some non-proceduralized actions were included as HFEs in the fault trees. Alternatively, 25 I
)
4 4
the response" designator could have been assigned to a proceduralized action only to ensure a degree of conservatism (for some reason) in the derived HEP. The discrepancy could not be explained on the
, basis of the information in the submittal or the licensee's response to the RAl. In any case, a review of s the " response" actions listed in the submittal did not suggest that extraordinary behavior was being asked
_ of the operators and the HEPs did not appear to be unreasonable based on the descriptions of the actions.
2.3.2.2 Process for Identification and Selection of Pust-Initiator Human Actions Aside from the general statement in the submittal that "quantification as well as the identification and qualitative assessment of human failure events (HFEs) follows an SAIC technique (Dougherty and Fragola,1988) that is nearly identical to what has recently been described as SHARPI," a specific discussion regarding the identification of post-initiator HFEs (as opposed to " recovery" events) was not provided. The submittal does state that HFEs " involve human actions that are of a manual actuation nature rather than a corrective or recovery nature" and "that these actions were modeled in the fault trees i in the same manner as equipment failures." It is also stated in the submittal that the HRA was involved in the initial sequence and system modeling efforts and that during this period the "HRA task had the opportunity to review plant and system design information and become familiar with the control room
, and related operating procedures."
However, the submittal explicitly states that simulator exercises were not conducted.
The submittal and the response to the RAI indicate that post-initiator recovery human actions were selected by manually reviewing cutsets and determining if operator actions could mitigate the sequence.
1 The response to the RAI aiso states that "all potential recovery actions were characterized and identified during interviews with operations personnel" and "that the basic failures for each sequence were
~
characterized for the operators based on general knowledge of the plant procedures , design, and response failures." The operators then indicated what their response would be, what procedures would be used, what types of dependency existed, and how much time the operators would take to complete the action.
Obstacles or adverse conditions the operators might encounter were also identified. The licensee notes that the information from the interviews with the operators was used in calculating the recovery and post-initiator HFEs.
While simulator exercises were not conducted, the statements discussed above suggest that the HRA
- analyst was significantly involved in the modeling effort, that appropriate procedures were reviewed, and that relevant interviews were conducted with plant personnel. Rus, it appears that steps were taken to assure that appropriate post-initiator human action identification and selection occurred.
2.3.2.3 Screening Process for Post-Initiator Response Actions
- The licensee indicated that all post-initiator HFEs included in the models (fault trees) were set to HEPs of 0.4 in order to assure that they would not be inadvertently truncated from the cutset results. It was further indicated that no HFEs were actually screened out. Even if detailed quantification was not performed, all modeled events were included in the final cutsets. As noted above, all pre- and post-initiator HFEs that appeared in cutsets above an HRA cutoff frequency of 1.0E-8 were assigned a mean failure probability based on detailed human reliability analysis.
4
- De screening approach and the associated HEP of 0.4 was reasonable. The only time such a screening value would not be reasonable would be in cases where multiple, dependent events occurred in single 26 G
1 I
I cutsets. In the response to the RAI, the licensee indicated that during screening, the individual cutsets were examined and occurring combinations of modeled human events were evaluated. It was determined that the identified combinations involved events that were either separated in time, involved completely different systems, or were performed by different individuals. For these reasons, the licensee concluded that "any dependence was considered negligible."
2.3.2.4 Quantification of Post-Initiator Human Actions !
i De quantification of all but one post-initiator human action was based on the time-dependent system of l time reliabiFty correlations (TRCs) developed by SAIC and documented in the book by Dougherty and l Fragola. Tne submittal states that the TRCs are similar to the HCR and RMIEP TRC methods. One l actiori, which involved maintaining pressure below a specified MSSV set point during a steam generator I tube rupture (SGTR), was modeled as a slip and quantified with the time-independent model that was also l used to quantify pre-initiator events. De assigned HEP for this event was " epsilon" (this event is I discussed further below). The basic form of the time-dependent TRC was not provided in either the submittal or the response to the RAI (a version is presented in Dougherty and Fragola's book). However, brief discussions regarding the relevant input parameters for both an in-control room model and an ex-control model (i.e., for actions to be performed outside the control room) were provided in the submittal. j In additiora, the submittal provided examples of " data sheets" for both in- and ex-control room actions, I which showed the parameters selected. The critical elements for the in-control room model include: the available response time and an estimate of the median response time for the event examined (assumed to be 4 minutes in most cases), along with adjustments for type of behavior (verification, rule-based, and response type), degree of " crew burden", success likelihood (an index that can be used to reflect the impact of PSFs), and model uncertainty. The model uncertainty factor is fixed at 1.68, apparently to reflect that the model uncertainty is distributed lognormally about the mean.
For the ex-control room model, similar parameters are modeled, but apparently there are provisions to allow adjustments to response time for potential " delaying hazards" outside the control room. The model uncertainty factor can also be adjusted for uncertainty due to other influences or hazards. Details relating to the adjustments for hazard factors were not provided in the submittal or the response to the RAI, but they have been provided elsewhere (e.g., the Waterford IPE).
While it is impossible at this point to determine the overall basic validity of the method briefly described above and used in the ANO 1 IPE (the "SAIC method"), the basic TRCs are apparently consistent with those used by other methods and the approach does attempt to provide mechanisms for addressing various factors that should influence operator performance. However, as with all HRA methods, the validity of the results can be no better than the quality of the analysis on which the analysts base their judgments.
For example, to what extent were plant-specific PSFs considered and how accurate were the estimates of the timing parameters? Rese and other aspects related to the quality of the ANO-1 HRA are discussed below.
The response to the RAI indicated that all success likelihood indices (SLis) were left at their default values. That is, PSFs were assumed to have no effect. The licensee stated that the relevant factors were unknown for all situations in which a recovery could be applied. By leaving the SLIs for the modeled events at their default values, the analysts are basically assuming ANO-1 is an " average" plant in terms of its PSFs. He resulting analysis is therefore " generic" rather than plant-specific and may or may not l adequately represent the plant. No additional information was provided regarding the extent to which 27 l l
\
i
plant-specific PSFs were actually examined to support the validity of the assumption that ANO-1 is
" average" in terms of PSFs for all the events modeled.
He licensee's response to the NRCs RAI notes that the burden factor does consider the difficulty of the task and the " perceived consequences" (of acting or failing to act), which are potential PSFs.
In general, the way in which the SAIC HRA method was applied in the ANO-1 IPE did not appear to violate its basic tenets and the resulting HEPs would not in most cases (but see discussion of two exceptions below) be considered unusual. The main concern in regard to the general application of the methcx! is the extent to which plant-specific and scenario-specific PSFs were considered. As noted above, the information provided suggests that in many cases " default" values were assumed. Whether or not these judgments were based on thorough analyses is difficult to determine. Most of the HEP values themselves would not suggest that identifcation of human action vulnerabilities was precluded. (Although it should be noted that the human acticn HEPs listed in the submittal apparently include hardware failure probability.) However, another important factor that relates to the adequacy of the application of the method is the determination of timing parameters. This aspect is discussed below in section 2.3.2.4.
Before proceeding however, it should be noted that two human actions in SGTR sequences were assigned failure probabilities of " epsilon." They included the operator action to maintain RCS pressure below a specified MSSV set point and the action "to cooldown the RCS and isolate the break with the DHR system." As noted above, the former action was classified as a slip and apparently the probability of making an unrecoverable error in conducting the action was determined to be exceptionally low. An illustration of the derivation of the HEP for this event was not provided, but the response to the RAI l states that the action is stressed in training and that the operators have several hours to respond. Given '
that the BHEP for a slip is assumed to be 0.003, substantial credit for recovery must have been given. I Details of the derivation of the action "to cooldown the RCS and isolate the break with the DHR system" were not provided, but it was assumed to be a response type action with 517 minutes available time.
Without additional information, it is difficult to assess the reasonableness of the assigned HEPs.
However, such exceptionally low HEPs are rarely justified in HRA modeling and it should be noted that the estimates of CDF for SGTR sequences in the ANO-1 submittal were four to five times lower than those found for other similar plants. If these events were important to the sequences and their HEPs were ,
underestimated, the CDF estimates for the sequences could also be underestimated. Rus, the derivation I of the HEPs for these two events may be a weakness of the HRA. While Fussel-Vesely importance l results did not indicate that these events were high contributors to CDF, they may have had a high risk achievement worth and may have been important if their HEPs had not been so low.
2.3.2.4.1 Esthnates and Considemtion of Opemtor Response Time ne determination of the time available for operators to diagnose and perform event related actions is a critical aspect of HRA methods which rely on TRCs to assess the probability of operator failure. In order to appropriately uv the SAIC TRCs, the net available time for an operator to respond must be determined by considering the appearance of cues, such as control room alarms or other indications, that signal the operators that a particular response is required. In many cases the time at which operators receive the relevant cues is Qnificantly later than when the event to be responded to actually occurred. Rus, if the point at which the relevant cues occur is not considered in determining available time, the resulting estimates could be significantly greater than the actual time available. Moreover, if significant, the time needed to perform a certain action must be subtracted from the total available time before the TRCs are used. For example, if the actions necessary to accomplish a particular task, such as the switchover to 28
recirculation, require 15 minutes and only 30 minutes total time is available, then the operators have only 15 minutes available. Thus,15 minutes rather than 30 minutes should be used with the TRC equation and the result is non-trivial (e.g., an order of magnitude in difference).
The submittal itself did not discuss the approach used to determine or estimate the time available for operator actions. However, the licensee's response to the NRC RAI did provide some insight and it appears that the available time was determined from applicable system response analyses, including MAAP code analyses etc. The submittal indicates that the temporal occurrence of relevant cues was considered in determining available time for each event. A default median response time of four minutes was assumex! for all but a few of the in-control room actions modeled. That is, adjustments according to the type of behavior involved in the task were made for only a few events. He median response time (default or not) for in-control room actions apparently includes diagnosis time and response execution time. He response to the RAI states that the default value was caived from the nominal diagnosis curve from THERP.
Regarding ex-control room actions, actual estimates were obtained for the time required to diagnose and complete the required actions These times were based on interviews with operators. Apparently no time measurements or walkdowns occurred. Exactly how many operators were interviewed and the approach for soliciting the estimates were not discussed. Other methods, such as THERP have argued that time estimates obtaintxi from operators should be doubled, but this is not mentioned by the licensee.
Without additional detail, it is difficult to determine whether or not the response times used are reasonable. In general, they seem to be relatively short. On the other hand, the total time assumed available tends to be substantially longer than the estimated response time and the HEPs do not in general appear to be excessively low (exceptions are discussed above in section 2.3.2.4).
2.3.2.4.2 Other Perfonnance Shaping Factors Considered Other than those discussed above, there was no evidence of any other PSFs being considered.
2.3.2.4.3 Consideration of Dependencies Two basic types of dependencies are normally considered in quantifying post-initiator human actions:
- 1) time dependence and 2) dependencies between multiple actions in a sequence or cut set. One type of time dependence is concerned with the fact that the time needed to perform an action influences the time available to recognize that a problem has occurred and to diagnose the need for an action. This type of time dependence is handled by the Dougherty and Fragola method by using TRCs which reflect the likelihood of operators diagnosing and performing the related actions in a particular time window. I l
Another aspect of time dependence is that when sequential actions are considered, the time to complete l one action will impact the time available to complete another. Similarly, the sooner one action is .
performed, the slower or quicker the condition of the plant changes. His type of time dependence is !
normally addressed by making conservative assumptions with respect to accident sequence definitions. J One aspect of this approach is to let the timing of the first action in a sequence initially minimize the time window for subsequent actions. The occurrence of cues for later actions are then used as new time origins. This type of dependence was apparently handled in the same way as other context effects and is i discussed below.
29 1
i
ne second type of dependence considers the extent to which the failure probabilities of multiple human j actions within a sequence or cutset are related. There are clearly cases where the context of the accident '
and the pattern of successes and failure can influence the probability of human error. Rus, in many cases !
it would clearly be inappropriate to assume that multiple human actions in a sequence or cut set would !
be independent. Funhermore, context effects should be examined even for single actions in a cut set.
While the same basic action can be asked in a number of different sequences, different contexts can obviously lead to different likelihoods of success. Dependence among multiple human actions was handled in the ANO-1 submittal essentially by examining such combinations of modeled human events and determining that the combinations involved events that were either separated in time, involved completely {
different systems, or were performed by different individuals. The result was that "any dependence was considered negligible." The licensee further indicates that accident progression was accounted for on an accident sequence basis by using sequence-specific basic events.
l 2.3.2.4.4 Quantification of Recovery 1)pe Actions i ne submittal indicated that all post-initiator human actions were quantified with the approach described above in section 2.3.2.4. Different TRC parameters were used to quantify non-rule-based as opposed to rule-based actions. .
1 2.3.2.4.5 Human Actions in the flooding Analysis in the ANO 1 IPE, human actions and human recovery of several flooding scenarios were modeled.
During initial quantification (screening) all ex-control actions were set to fail. In addition, in-control room actions for those flood scenarios that started or propagated through the control room were also assumed to be failed as considered. All the actions modeled initially were identical to those modeled in the level I analysis. After the initial screening, consideration was given as to wilether any human !
recovery actions which were set to 1.0 could be assumed to be performed under conditions of the flood. I Apparently during the early rounds of quantification, flood recovery values of 0.01 and 0.1 were I assigned to large and small floods, respectively. Later, three recoveries were created for the flooding i analysis. The actions included: 1) isolating the flood before in-control room actions or equipment are disabled, 2) a local action to manually initiate EFW or AFW, and 3) a local action to recover an in-control failure (or inability) to stop the RCPs within 30 minutes of the loss of seal cooling. Versions of the latter two events were analyzed in the level 1 analysis and the submittal notes that the HEP for the RCP trip action was increased by an order of magnitude to account for the difficulty of the action "at the 6.9kV buses H1 and H2." The basis for the quantification of the other two events was not provided except to note that the actions related to the in-control floods (#1 above) for small floods was reduced to 0.01 because the control room is continuously manned. He treatment of human actions in the flooding analysis was consistent with that done in other IPEs, (e.g., Waterford 3).
2.3.2.4.6 Human Actions in the Level 2 Analysis The licensee states that " generally, no credit was taken for operator recovery beyond core damage." The only recovery event quantified in the logic was the recovery of offsite power subsequent to core damage.
He licensee does state that "if required, operator recovery events could have been quantified with level-1 HRA methods."
30
i l
l 1
l 2.3.2.5 Important fluman Actions I i
The ANO 1 submittal presents a list of basic event importance as determined by Fussel-Vesely (F-V) 1 measures. 'Ihe top ten operator actions in terms of their contribution to CDF are presented in Table 10 below, along with their F-V values and their HEPs.
)
Table 10 Important Human Actions l Event Description F-V HEP Failure to manually open CV-1405\06 upon failure to deliver flow 12.7E-02 3.lE-01 l from the sump (failure of MOVs apparently). (MANSUMP)
Failure to trip RCPs within 30 min. of loss ofICW (intermediate 9.20E-02 1.2E-02 cooling water) seal cooling or HPI seal injection. (QHFIRCPTRP) j Failure to prevent SG overfill due to excessive MFW flow 8.53E-02 4.2E-02 l (SGOFREC)
Failure to start and align operating SW pump including available 7.47E-02 2.8E-01 power source given total loss of SW. (T8 RECOVER)
Fail to locally manually open SW cool 9 Jacket. valves CV- 6.26E-02 5.7E-01 3806/07 upon a MOV failure signal. (SWEOCMOV) J Failure to attempt HPI cooling (feed and bleed cooling' 4.97E-02 6.0E-03 l Failure to locally open breaker to disconnect A1. (MANOSPREC2) 4.68E-02 1.0E-01 I Failure to open HPI crossover valves MU-14,15 to suction to 4.4E-02 2.9E-01 operating HPI pump. (HPICROSS)
Failure to recover EDG fuel transfer pump by cross tieing to ANO-2 3.84E-02 3. lE-01 transfer pump (EDGFXTIE2)
Failure to start and align operating SW pump including available 2.58E-02 9.9E-02 power source. (SWSWINGREC) 2.4 Eack End Technical Review 2.4.1 Containment Analysis / Characterization i
2.4.1.1 Front-end Back-end Dependencies ,
in the ANO-1 IPE Bridge Trees were used to bin the level 1 accident sequences into plant damage states (PDS). The Bridge Trees provided the means to combine the level I sequences with the relevant RCS l and containment system parameters and assigning the combinaions to PDS bins. The IPE notes that fault tree models of containment systems were developed to assure that the proper interface between the level l
+
31 i
I
\
l 1 and level 2 analyses was obtained. The PDSs are the starting point for the containment event trees (CErs) which were used to assess the accident progression and determine the radionuclide release to the '
environment. The PDS attributes, and their possible states, found in the ANO-1 analysis are: 3
- I Core melt timing: [1] very early (0 to 30 min.), [2] early (30 min. to 2 hrs.), and [3] late (> 2 hrs.). >
t RCS pressure at vessel breach: [1] high (>2500 psig), [2] moderate (200-2500 psig), [3] low .
(<200 psig).
i Containment integrity status at vessel breach: [1] isolated and intact (within design leakage), [2]
unisolated,13] failed due to over pressure before core damage, and [4] bypassed.
Containment pressure at vessel breach (not explicitly modeled in bridge trees but implied by other i attributes): [1] low or [2] elevated.
Fan cooler operation: [1] available or 12] not available.
(
Containment spray operation: [1] available in bc1 injection and recirculation and actuated pnor !
to vessel breach, [2] available in both injection and recirculation and not actuated,13] available ,
in injection but fails in recirculation and actuated prior to vessel breach, [4] available in injection !
but fails in recirculation and not actuated prior to vessel breach, and [5] not available.
Reactor cavity water inventory: [1] wet cavity or [2] dry cavity.
RCS retention capability: [1] steam generators in RCS exit path or 12] no SG in exit rath.
SBO or SBO like accidents: [1] AC power is recover or [2] is not recovered.
He submittal notes that of the 77 possible PDS there are 53 non-zero ones. Of these PDSs those with
[
a frequency greater than 104 are retained and the rest are collapsed into the retained ones in a
" conservative" manner. The PDS binning and collapsing process is clearly described in the. IPE ;
submittal's Section 4.3 and the associated tables. The submittal also notes that due to double counting l and truncation errors in the level 2 Boolean calculations, i.e. in the Boolean combination of the level 1 ;
cou,ets, the level 2 CDF is slightly higher than the actual level 1 CDF and that this higher CDF was !
" conservatively" applied in the balance of the level 2 calculations. !
2.4.1.2 Containment Event Tree Development An event tree / fault tree approach, similar to that used in the level 1 effort, was selected for the ANO-1 CET analysis. A " Generic" and a " Bypass" CET were developed and these were used to assess every accident scenario. The submittal states that the ANO-1 ISLOCA level I frequency was significantly below the IPE screening criteria and therefore was not further considered in the level 2 analysis.
Therefore the only scenarios developed via the Bypass CET are steam generator tube rupture (SGTR) events.
De IPE defines early containment failure as occurring prior to or about the same time (or shortly after) vessel failure. Late failure is defimed as occurring significantly after vessel failure.
32
The CET includes the following top events:
- 1. Plant damage state - the entry state to the core melt progression defining boundary conditions of core damage.
- 2. P.CS depressurized before vessel breach - generally defined by the entry state, operator actions, or phenomena subsequent to core vulnerability.
- 3. Coolant recovered in-vessel before breach - may be initiated by operator recovery action or via a passive actuation if the conditions that preclude initial operation are removed.
- 4. No vessel failure - implies arrest of core melt progression, terminating within the vessel with a coolable debris bed configuration being formed.
- 5. No early containment failure - implies challenges to containment integrity prior to or shortly after vessel failure are insufficient to fail the containment.
- 6. Coolable debris formed ex-vessel - implies formation of a coolable configuration outside the vessel, precluding significant core-concrete interaction.
- 7. No late containment failure - implies long-term containment challenges are mitigated or do not occur.
- 8. Fission product removal occurs - used to characterize potential fission product release magnitudes; considers the mitigation of releases from the fuel in or outside the vessel and removal processes in containment.
- 9. Containment Failure Modes - used to characterize implication of containment failure on the magnitudes and duration of fission product release to the environment.
Fault trees (called logic trees in the IPE submittal) are used in the IPE to quantify the top events of the CETs. The logic trees used for CET quantification are very detailed and address all phenomena and systems important for Level 2 accident progression. Basic event probabilities are not provided in the submittal.
No credit is taken in the analysis for the possibility that external cooling by water flooding in the cavity can avert vessel failure. If RCS inventory cannot be recovered in-vessel during a sequence it is assumed that the bottom head will fail.
Challenges which could lead to early containment failure considered in the analysis include:
Pressure spikes due to blowdown of the RCS and/or hydrogen burns during core damage or at vessel failure.
Energetic fuel coolant interactions within the vessel at core slump or in the reactor cavity.
Loads from HPME at vessel breach.
- Rocket" mode of the vessel which generates a missile that fails containment.
- Impingement of the molten core debris on the containment liner.
33
The submittal lists the following challenges considered for late containment failure:
Steam generation from long term debris-coolant interactions in the cavity without decay heat removM.
- Noncondensible gas generation from core-concrete interaction from a non-coolable debris bed.
Burning of hydrogen and other combustible gases.
- Basemat melt-through.
- Over-temperature failure from high temperature degradation of seal materials.
Containment failure modes are divided into small failures where the leakage is assumed to prevent a -
further increase of pressure but a slow release to the environment occurs in which natural removal mechanisms in containment compete with leakage from the reactor building.
Most quantification of the CETs is based on point estimates taken from the Surry NUREG-ll50 analysis.
i j 2.4.1.3 Containment Failure Modes and Timing 2 i
} The containment failure characterization described in the submittal involves several failure modes:
Containment structural failure by tearing or breaking, leakage of electrical and mechanical penetrations -
(especially due to high temperatures), and containment bypass.
i j To evaluate containment failure or leakage under internal pressure two failure. criteria were considered: ;
~
Ultimate strength criterion (yield > 1% strain) leading to large failure, and leakage criterion ( ductile !
! failure or tearing ofliner). To calculate the containment capability corresponding to the ultimate strength ,
criterion the ANO-1 analysis referred to NUREG/CP-0033, 7he Proceedings of the Workshop on Containment Integrity. Using the strength-of materials type of equation from this reference an ultimate ,
containment failure pressure of 162 psig was calculated. To calculate the capability corresponding to liner failure the analysis was based on EPRI NP-6260 Criteria and Guidelinesfor Predicting Concrete i Containment Irakage. Based on this formulation a failure pressure for liner tearing of 154.3 psig was
! calculated. In response to an RAI the licensee stated that the 154.3 psig value was the mean failure pressure used in the analysis to determine if failure had occurred for a particular scenario.
j Handbook type of calculations were conducted during the course of the analysis to estimate the strength !
of the important electrical and mechanical penetrations. i
~
The containment analysis concluded that a catastrophic containment failure was not considered likely. ;
. The most likely containment failure mode was considered to be reactor building over pressurization (
! resulting in liner tearing and subsequent leakage. However, in response to an RAI the Licensee notes j that for some very energetic failure modes such as alpha mode or rocket mode failures the type of failure
. is indeterminate between rupture or leak (i.e., probability of 0.5) and only for the early pressurization l failure events is the leakage mode considered more likely. (Of course, early pressurization failures are found to be a more likely mechanism in the ANO-1 analysis than alpha or rocket mode failures).
In the quantification of the CET the ANO-! analysis used the failure distribution curve from the Surry )
} NUREG-Il50 analysis adjusted to ANO-1 mean failure pressure (taken to be 154.3 psig based on the analyses described above) and without any distortion of the Surry curve, as indicated in Figure 4.6-4 of the submittal. (It should be noted that the Licensee confirmed, in response to an RAI, that Figure 4.64 i
4 34 I
i
contains 2 typographical errors: the abscissa of the bottom plot should be in psia not psig, and this bottom pkw should be labeled " Probability of Failing Pressure (P)" not " Probability of Surviving Pressure (P)").
2.4.1.4 Containment isolation Failure Containment isolation failure was evaluated via a plant specific isolation system fault tree model which is summarized in Appendix A of the submittal. The PDSs uses in the analysis are given the suffixes "I" and "u" to indicate successfully isolated or unisolated containment states, respectively.
The analysis indicated that, without considering the level I cutsets, the most likely containment isolation failure is due to a failure of the hydrogen purge isolation valves. Since the hydrogen purge system is no longer used in ANO-1, the isolation valve outside containment is locked closed with the breakers removed. He inboard valves are opened after an accident to allow for hydrogen sampling. Therefore a single failure of the outboard hydrogen purge valves can result in a containment isolation failure.
However, since these valves are locked closed with the breakers removed, this failure mode is given a low probability. If the level I cutsets are accounted for, the most frequent containment isolation failu e PDS is SBOu where the isolation failures are dominated by the failure to isolate the radiation air monitoring leak detection system. This is.because if one of the isolation valves in this system is already failed based on the level I cutsets, then the failure rate of the remaining solenoid valve to close is higher than the failure rate of the hydrogen purge system. Isolation failures were found to involve 0.5% of CDF in the analysis.
2.4.1.5 ' System /Iluman Responses Similar to many PWR IPE analyses the ANO-1 analysis apparently took no credit for operator actions beyond core damage aside from ac power recovery. The licensee states that " generally, no credit was i taken for operator recovery beyond core damage. The licensee further noted that "if required, operator recovery events could have been quantified with level I HRA Methods." The description of the accident progression analysis provided in the submittal is consistent with the assertion made that no credit for level 2 operator actions were taken: While at least one level 2 operator action appears to be implicitly considered in the containment event tree, i.e., in the discussion of the top event DP "RCS Depressurized ;
Before Vessel Failure" the possibility of operator initiated depressurization of the RCS is mentioned as j a possibility, in the quantification of top event DP no credit is taken for this possibility.
2.4.1.6 Radionuclide Release Characterization l
in the ANO-1 analysis each accident progression path through the CET leads to a containment end state l which has a set of radionuclide release characteristics associated with it. Therefore each PDS is easily mapped into its corresponding release categories. He source terms associated with each end state depend on the type of fission product releases from the fuel, the fission product path to the environment, the operation of containment spray, the presence of passive removal mechanisms, and the relative timing of reactor vessel and containment failure. The largest fission product releases involving cesium and iodine are associated with containment bypass or with early containment failure involving a rupture with no mitigating sprays available. He submittal states that for ANO-1 a large release may occur in about 2.8% i of all severe accidents. '
Source term results are based on simple calculations using insights from reference plants. According to the submittal, the approach used to calculate radionuclide release fractions for each end state is similar l I
35
1 to that used in the NUREG-1150, NUREG/CR-4551, and NUREG/CR-4881 studies. The mput !
parameters for release into the containment are derived from the NUREG/CR-4551 CORSOR ,
methodology. Surry and the SURSOR inputs were used as the reference plant. The approximate fission !
product release model used in the analysis uses a table look-up method which applies appropriate release ;
terms for the specified sequence. He submittal notes that the calculation of radiological source terms and uncenainty ranges for_ each containment end state using extensive deterministic calculations (such as i with MAAP for instance) would be potentially time consuming and expensive. Therefore the simplified "
methodology was chosen which adjusts values calculated for a few specific scenarios (either reference plant or ANO-1 specific) to values which apply to other scenarios that have similar characteristics. No i
sensitivity analyses of source term calculations were performed in the ANO-1 IPE.
De submittal notes that while the NUREG-ll50 SURSOR methodology samples each input term based on a distribution defined as a histogram, in the simplified ANO-1 analysis the input values used for the !
approximate source term analysis are point estimates which are not sampled. These non-sampled calculations with SURSOR provide point estimates which are not necessarily mean values. As a matter of fact the submittal notes that when these point estimate source terms were reviewed by the IPE analysts, !'
the release terms obtained were in some cases not consistent with the insights obtained with MAAP or STCP calculations. The submittal then states that " median values were used in this study for a more ;
consistent iepresentation of each release and removal term along a CET sequence." :
The source terms are summarized in Tables 4.7-3 (by PDS) and 4.7-4 (by ranking) of the submittal. !
Radionuclide releases in terms of fractions of initial core inventory of noble gases, cesium, iodine, ,
tellurium and strontium are provided in these tables for tne 55 different release categories resulting from !
the CET end states. t i
2.4.2 Accident Progression and Containment Performance Analysis j 2.4.2.1 Severe Accident Progression l 1
As stated in the submittal's introductory section of the containment performance analysis, the ANO-1 level 2 analysis is a limited scope analysis since existing reference plant analyses and scoping calculations
]
were used to assess the ANO-1 containment response to severe accident conditions. The submittal states <
that "He reactor building (containment) response analysis considers the plant-specific features of ANO-1 l by comparing the response of the reactor building under similar accident conditions to the reference plant. ]
A Comparative Core / Containment Response Scoping (CCRS) Model was developed to suppon this l analytical comparative process. The CCRS model automates a set of conservation equations for reactor j building response using information from existing analyses of severe accident progression and plant l features that have a first order effect on the reactor building response. De CCRS model simplifies the j conservation equations of mass and energy using the reactor building as a control volume to estimate the reactor building response under severe accident conditions."
Scoping calculations were carried out to account for ANO-1 specific reactor building features and for response to mass and energy addition to the reactor building during the periods of core damage, debris dryout, and concrete attack. " Conservative" adiabatic calculations of pressure loads due to hydrogen burning were used. No detailed plant specific phenomena or structural analysis was carried out.
36 1
- \
- - - -- - . _- . _ - _ - .. ~ ~
l An example of the use of the CCRS model use are the pressure calculations which were carried out at selected time points with this model, thus deleting the sequential nature of the accident progression from the simplified analysis. Scoping calculations were carried out with the CCRS model for:
i (1) the timing of core uncovery, debris dryout, reactor building failure, and pressure rise for hydrogen burning, j (2) reactor building conditions at core uncovery, debris dryout, and reactor building failure, (3) borated water storage tank (BWST) inventory depletion due to core injection and containment
. spray actuation.
In addition to these scoping calculations sensitivity calculations were performed with the CCRS to determine first order effects of the various assumptions used in the analysis.
The submittal indicates that a few plant specific MAAP runs were also carried out after the level 2 analysis was completed to confirm some of the assumptions made for the scoping calculations. In response to the RAI the licensee provided some comparison of the MAAP calculations with the results l
from the CCRS model. The comparison shown involved times to core uncovery, to vessel failure, and '
to containment failure for various sequences as calculated by MAAP and the CCRS model. Agreement appeared to be reasonable for most cases but the time to containment failure was predicted to occur much earlier by MAAP for the SBOTTBF sequence (44 hrs vs. 74 hrs for CCRS), and for a large break LOCA sequence MAAP predicted containment failure while CCRS did not. The RAI states that some of this discrepancy is due to the fact that MAAP assumes containment failure at 154.3 psia while CCRS uses i 169 psia. Here is no explanation offered however why the 154.3 psia value is used in MAAP when the ;
RAI clearly stated in response to another question that the assumed failure pressure for ANO-1 was 154.3 l
psig, i.e.,169 psia.
2.4.2.2 Dominant Contributors: Consistency with IPE Insights Table 11 below, shows a comparison of the conditional probabilities for the various containment failure modes obtained from the ANO-1 IPE with those obtained from the Surry 1&2 and Oconee 1,2&3 analyses.
Table 11 Containment Failure as a Percentage of Total CDF Containment Failure ANO-1 Oconee 1,2,3 Surry 1,2 Early Fahre 5.7 0.9 0.6 Late Failure 12.2 74.5 29.2 Bypass 0.4 negligible 16.7 Isolation Failure 0.5 0.2 0.03 Intact 81.2 24.4 53.5 CDF (1/ry) 4.9E-5 2.3E-5 7.5E-5 37 1
l
l 1
l As indicated above the ANO-1 early failure probability is larger than that obtained in either the Surry or ;
Oconee IPEs. He late failure probability is smaller than in either of these other analyses and bypass j probability is toward the lower end of the range PWRs. '
As shown in the above table, the conditional probability of containment bypass for ANO-1 is 0.4% of total CDF. He dominant contributors to bypass are steam generator tube rupures as an initiating event.
Induced SGTR is not considered likely in the IPE analysis which claims the hot leg will fail first. De interfacing system LOCA frequency was found to be below the screening criteria in the level 1 analysis, ne probability of early failure, including isolation failures, is about 0.063 where early 'ailure is defined as failure prior to or approximately coincident with reactor vessel failure. Besides over pressure events, failure modes involving (1) thermal failure of the liner at the reactor building wall /basemat floor junction for dry cavity conditions following vessel breach, and (2) impulse load failure at the same junction given ex-vessel steam explosions were also identified as possible early failure mechanisms. The submittal also notes that a large release, i.e, early containment failure without source term mitigation, is expected to 0:: cur in about 2.8% of all severe accidents.
Late containment failure has a probability of 0.122 according to the submittal, while the containment is expected to remain intact with a conditional probability of 0.811.
2.4.2.3 Characterization of Containment Perfonnance ;
All relevant failure mechanisms for early and late failure appear to be considered in the analysis. Two CET s were developed for the containment performance analysis, a " generic" and a " bypass" CET as indicated in Figures 4.5-2 and 4.5-3 of the submittal.
He ANO-1 IPE analysis determined that the ANO-1 cavity and instrumentation tunnel design is unlike that of the reference plants. The ANO-1 design allows the flow of material from the reactor cavity to the outer containment wall. After reactor vessel failure, under dry cavity conditions, molten core material could flow and contact the containment liner at thejunction of the containment wall and the basemat floor and this could lead to a potential failure by liner melt-through from the contact with the molten material.
Under wet cavity conditions the impulse load due to an ex-vessel steam explosion or a missile generated as a result of the explosion could fail the containment due to the exposure of the liner. This failure mode was a dominant early containment failure mode.
The results of the source term calculations are provided in Table 4.7-4 of the submittal. The largest source terms come from either of two scenarios: (1) an early containment failure involving rupture and with containment sprays unavailable, and (2) a containment bypass without scrubbing in the release path.
In response to an RAI the licensee noted that while the bypass CET used in the ANO-1 analysis does not consider induced SGTR, the intact or generic CET does consider induced SGTR along with hot leg or surge line failure. Based on the reference plant analysis (Surry analysis in NUREG/CR-4551) a value of 0.005 is used for the probability of induced SGTR in ANO-1 and a value of 0.825 is used for the probability of hot leg or surge line failure. He response also notes that while the effect of RCP restarts on induced SGTR are not explicitly accounted for in the ANO-1 analysis, the 0.005 value compares reasonably with induced SGTR probability value used in Davis Besse for an RCP restart of
" intermediate" (~ 1/2 hr) duration.
38 1
I
The C-matrix is given in Table 4.6-2 of the submittal. Table 4.6-3 (repeated in Table 4.9-1) indicates the various PDS contributors for each CET end state, i.e. release category.
2.4.2.4 Impact on Equipment Behavior The ANO-1 submittal briefly discusses the survivability of containment systems under severe accident conditions on page 4.1-4. His discussion only considers the impact of containment failure on sprays and fan coolers but does not discuss the effect of adverse conditions in an intact containment on these systems.
In response to an RAI the licensee stated that the probability of containment sprays and fan coolers failing if the containment remains intact after vessel failure was palculated by using failure rate data to determine a failure rate for a 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission time and then increasing that probability by an order of magnitude.
In addition only one pump or fan is considered to be running and a single failure of that pump or fan is assumed to fail the system. These assumptions are characterized as conservative relative to other work in this a.ea.
2.4.2.5 Uncertainties and Sensitivity Analysis A number of sensitivity studies were carried out for the CET quantincation in the ANO-1 IPE analysis.
He simple CCRS model used for the ANO-1 containment performance examination made the variation of parameters a relatively easy task for the analysts. The following issues were selected for study:
in-vessel coolability induced rupture of the primary system DCH, HPME and early hydrogen burn loads hydrogen ignition and resulting pressure loads
=
containment failure pressure high temperature effects on reducing the containment failure pressure ex-vessel debris coolability in-core instrument tunnel closure effects AC power recovery
- impingement of the containment liner at vessel failure ex-vessel steam explosion a impulse load on the containment wall at vessel failure
- non-condensible gas generation The sensitivity of an issue was measured in terms of the calculated range about the mean value for the figure of merit selected which typically was early or late containment failure. A discussion of each issue is provided in Section 4.8 of the submittal. Of the thirteen issues examined nine showed an increase or decrease in the Ogure of merit by a factor of 2 or more, and four showed an increase of a factor of 3 or more. The most sensitive issue was the one concerning the effect on early containment failure of increasing the probability of impingement of the containment liner at vessel failure. If this probability was set equal to one the early failure probability increased by a factor of 14 over the base case. All other issues had an effect on the results which was less than order of magnitude.
39
j 2.5- Evaluation of Decay Heat Reinoval and Other Safety Issues i 1
i
! 2.5.1 Evaluation of Decay IIeat Removal :
l j 2.5.1.1 Examination of DilR I
De IPE addresses the decay heat removal (DHR) issue. In the submittal DHR involves those systems I i required for primary and secondary inventory control and heat transfer from the RCS to an ultimate heat
- sink following shutdown of the reactor for transients and small LOCAs. Several methods of DHR are j mentioned, including the main feedwater system, the auxiliary feedwater system, the EFW system, and j feed and bleed cooling.
l DHR function loss contributes 4.7E-5/yr to the CDF and is thus within the 3.0E-5/yr to 3.0E-4/yr l criterion used to define " average" DHR performance in NUREG-1289. With the already implemented i improvements, this value will drop to the " low" range of the NRC DHR performance criteria (3.0E-5/yr).
t
)
Contributions to DHR-loss CDF from the DHR frontline systems and their support systems is calculated and presented in RAI responses. Contribution of components and support systems to each DHR system's I
- unavailability is not calculated or readily available.
1
} 2.5.1.2 Diverse Means of DHR f
l
j Cooling for the RCP seals was taken into account. In addition, containment cooling was addressed.
3 1 2.5.1.3 Unique Features of DHR l The unique features of ANO-1 that pertain to the DHR function are as follows:
l Shared facilities with ANO-2: Startup Transformer 2, Control Room (s), and the Emergency j Cooling Pond. (See Section 2.1.2 " Multi- Unit Effects.")
i j
- The Service Water (SW) system consists of two independent loops captble of supplying water j to the required cooling components under normal and " engineered safeguard" (ES) modes. There j is a third SW pump, which can be aligned to either SW train and serves as a readily-available
- ' installed spare pump in the event that one of the normally-operating pumps fail. Normal water l- is supplied from Lake Dardanelle, however an emergency pond is also available in case of the j' loss of this water source (e.g., by plugging of traveling screens). During normal operation , the
! SW pumps supply cooling water to the Auxiliary Cooling Water (ACW) loop serving Balance of Plant (BOP) loads. In the event of an Engineered Safeguards Actuation Signal (ESAS) auxiliary cooling is isolated (or manually should be isolated) from the SW system.
He Main Feedwater sy.~ tem contains two variable speed turbine driven pumps, and an Auxiliary Feedwater (AFW) pump , which is motor driven. De AF pump is used to supply feedwater to the SGs during plant startup and shutdown conditions.
The Emergency Feedwater (EFW) system consists of two trains each capable of supplying emergency feedwater (780 gpm) to either or both SGs. One train contains a motor driven pump, 40
and the other train contains a turbine driven pump. Here are three water souices for the EFW; the Condensate Storage Tank (CST), a backup non-Q condensate storage tank, which is interconnected with the Unit 2 CST and has a capacity of 202,000 gallons, and the SW system.
A unique feature of the system is a common manual isolation valve on the discharge to the circulating water fiume from both EFW pump bearing casings. Although normally it is locked-open this valve introduces a passive single failure to the EFW system.
For the automatic initiation and control the EFW flow rate the unit has a dedicated Emergency Feedwater Initiation and Control (EFIC) system.. In addition to these functions, the system provides regulation of the secondary side pressure during EFW operation and isolates automatically the main steam and feedwater lines associated with an affected SG in the case of a main steam line or feed line rupture.
The ANO-1 safety batteries have a two-hour life upon loss of battery charging.
The safety impact of this short battery life might be reduced by the installation of an Alternate AC, "AAC" system, and a new non-safety, so called " black" battery. This r.ew battery will allow the removal of several important but non-safety DC loads from the safety batteries.
(Targeted installation of the black battery was fall of 1993.)
He submittal indicates that the Alternate AC power source will be capable of supplying power individually to any of the ANO-1 or ANO-2 4.16 kV AC safety buses. This AAC power source will be completely independent of SW (air cooled) and DC power (separate batteries) with the capability to be started and aligned readily from either control room. (Targeted installation of the AAC was prior to the end of 1994.)
Jae HPI system consists of three pump trains with four injection legs to the RCS. One pump (P368) can be aligned to either HPI train and serves as a readily available installed spare pump in the event that one of the initially aligned pumps becomes unavailable. Lube oil cooling for each pump is provided by the SW system.
During reactor operation the HPI is used to supply RCS makeup and RCP seal injection. For high pressure recirculation (HPR) the HPI pump suction is aligned to the reactor building sumps !
i via a Low Pressure Recirculation (LPR) pump (" piggy-back operation") and decay heat is removed from the RCS through the LPR heat exchangers.
Re unit has " feed and bloxl" capability. The HPI shutoff head is greater than the Safety Relief Valve (SRV) setpoint pressure. As a result, the HPI pumps can provide adequate core coolant injection without requiring RCS depressurization. A successful bleeding path can be provided ,
by either the opening of the Electromatic Relief Valve ERV (i.e., PORV) or the opening of one of the two SRVs. The ERV block valve is usually open.
The RCP seals at ANO-1 are Byrondackson N-9000 pump seals. Each of these seals consists l of a series of three mechanical seals. The seals are specifically designed and tested to minimize I
leakage following the loss of RCP seal cooling. Hey are cooled both by HPI seal injection flow l and by heat exchange ( via the RCP Seal Return Coolers) to the Intermediate Cooling Water j (ICW) system. RCP seal failure is expected only if both cooling mechanisms fail and a pump is i' operated for more than about 40 minutes. Since SW cools the tube side of the ICW heat 41
J i
1 exchangers a loss of SW event has the potential to develop into a small LOCA because of the loss of both HPI and ICW. Herefore, operators are instructed to secure the operating RCPs ifloss of seal cooling occurs for greater than 10 minutes. He assumed high seal resistivity against
. rupture eliminates the probability of a RCP seal LOCA in a LOOP event (because the RCPs are l tripped due to loss of power). The licensee believes that RCP seal LOCA will not occur during SBO conditions at ANO-1.
j
- The Instrument Air (IA) system (containing.three IA compressors) can be supported by the Service Air system via a crossover valve. In addition, the IA system can receive air from, or supply air to, the ANO-2 IA system.
Manual transfer is required to switch from the injection to the recirculation mode of ANO-1 j emergency core cooling.
4 2.5.2 Other GSis/USIs Addressed in the Submittal In addition to USI A-45 (DHR Evaluation) the following USIs and Gls are considered addressed in the j submittal: GI-23 (RCP seal failures) and GI-105 (interfacing system LOCAs in LWRs). In addition, the submittal's information is considered " favorably relevant" by the licensee to USI A-47 (systems interactions due to internal Gooding) and GI-121 (hydrogen control for large dry containments).
a
- 2.5.3 Response to CPI Program Recommendations
, The CPI recommendation for PWRs with a dry containment is the evaluation of containment and equipment vulnerabilities to localized hydrogen combustion and the need for improvements. The CPI issues were not treated explicitly in the submittal. In response to an RAI on this subject the licensee i
stated that while global hydrogen burns were accounted for in the containment response analysis, localized hydrogen combustion inside the ANO-1 containment was not considered a safety significant issue. The response stated that the ANO-1 containment was relatively open and all parts of the containment i
atmosphere are expected to be well mixed during an accident scenario with or without containment sprays ,
1 or fan coolers operating. A possible exception was the reactor cavity area which is a relatively enclosed l l volume. However, since the volume is surrounded by thick reinforced concrete walls and since no
, equipment is located in this area, hydrogen combustion in the cavity is not expected to affect any safety significant equipment. While no walk down of the ANO-1 containment was performed, the licensee again stated that the ANO-2 containment, for which a walk down was performed, is similar enough to the
- ANO-1 containment that the conclusions regarding the openness of the containment relative to hydrogen accumulation can be inferred for ANO-1 from the ANO-2 walkdown. '
2.6 Vulnerabilities and Plant Improvements 2.6.1 Vulnerabilities i
A vulnerability search was conducted ib the IPE using NUMARC 91-04 criteria. Specifically, CDF greater than 1.E-4/yr or a large release frequency greater than 1.E-5/yr would represent a vulnerability.
42 t
l Based on these criteria no vulnerabilities were found. Also, the submittal states that no individual cutset i
contributes more than 10% of the CDF and the ANO-1 CDF is within range of other PRAs. The ANO-1 CDF of 4.7E-5/yr is below the staff's proposed subsidiary safety goal of 1.0E-4/yr.
I
! Under containment performance the submittal notes (Section 4.9.7) that a plant specific vulnerability has been defined for the ANO-1 IPE as any condition satisfying the top evaluation category of the tables adopted from NUMARC 91-04 that is not artificially increased by conservative assumptions regarding uncertain plant response or phenomena. Based on this definition no back-end vulnerabilities were identified for ANO-1. In response to an RAI the licensee stated that this was the case even if no consideration was mada for the " conservative" assumptions of the level 2 analysis. Although no back-end vulnerabilities were identified for ANO-1 several issues relating to the ANO-1 containment performance during a severe accident were noted as appropriate for additional investigation, nese are discussed in j the next section of this TER.
2.6.2 Proposed Improvements and Modifications
- The IPE did not take credit for any potential plant improvements.
In the plant improvement section of the IPE several potential improvements to plant procedures were j recommended. They included the following:
l I) Include anticipatory warnings in the loss of SW abnormal operating procedure regarding the sensitivity of tripping the RCPs following a sustained loss of SW. The action to trip the RCPs was not "directly" proceduralized. A related improvement suggested was to trip all but one of the operating HPI pumps (if conditions allow) given a loss of SW. The objective is to avoid unnecessary HPI and reactor building spray pump overheating. Disposition: not implemented.
ACDF: not available. !
- 2) Proceduralize the process to recover the LPI failure combination of one LPI suction line and one l LPI pump unavailable by allowing flow from the available suction line to the operable LPI pump.
Disposition: implemented. ACDF: -3.0E-7/yr.
- 3) Improving severe accident management guidelines to allow refilling the BWST at a specified low level in order to prolong core cooling. Disposition: not implemented. ACDF: not available.
- 4) Altering the dirty liquid waste and drain processing procedure to direct closure of normally open LPI/DHR and RB spray pump room drain isolation valves. His action ensures that the LPI pumps would not be affected by ISLOCA discharges into the auxiliary building and additional potential for ISLOCA leak determination. Disposition: implemented. ACDF: -1.68E-7/yr.
- 5) Adding verification for closure of SV-7454 to station blackout procedure. Disposition:
implemented. ACDF: negligible.
In addition the following proposed improvements were noted in the submittal for consideration: I
- 1) Change valve lineup to keep CV-3806 and 3807 normally open (provide cooling to EDG jackets).
Disposition: not implemented. ACDF: -5.0E-7/yr (this is q/ter the new alternate AC power source is modeled);
43
l
- 2) Manual valve FW-1016 internals removal (provide EFW pumps P7A&B bearing cooling common ;
discharge). Disposition: . scheduled next outage (10/96). ACDF: -5.0E-7/yr. )
1
- 3) New non-safety battery to reduce safety battery loads and increase battery duty cycle to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.
l Disposition: implemented. ACDF: -6.7E-6/yr. 1
- 4) Anticipated new alternate AC power source. Disposition: implemented. ACDF: -1.lE-5/yr.
He following changes were made in response to the SBO rule: addition of the additional diesel generator or the alternate ac source, not credited in the IPE, see improvement #4 above.
Although no back-end vulnerabilities were found for ANO-1, a number of back-end issues were identified for further investigation. These include:
the design of the in-core instrument tunnel which makes containment failure via liner melt-through and /or ex-vessel steam explosions a credible scenario.
the status of the cavity personnel hatch door, which when opened will ensure water can enter the cavity area and when closed would increase the likelihood of a dry cavity.
1 containment isolation failures following an SBO event via valves in the radiation air monitoring !
leak detection system. l containment isolation failures via the (no longer used) hydrogen purge containment isolation valves. ,
In response to an RAI requesting further information regarding the status of these investigations the licensee indicated that the latter two issues had been dealt with by implementing a procedure to manually I isolate the containment radiation air monitoring leak detection system during an SBO event and by i removal and Danging off of the hydrogen purger valves. He remaining areas are related to liner !
impingement and ex-vessel steam explosion phenomena, issues which are considered as having a high l degree of uncertainty for which the licensee has not initiated further study but will monitor industry progress in investigating and understanding the phenomena involved. ,
44
i l
1
- 3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS Based on the level I review of the ANO-1 IPE th.e licensee appears to have analyzed the design and
)
operations of ANO-1 to discover instances of particular vulnerability to core damage. It also appears that the licensee has: developed an overall appreciation of severe accident behavior; gained an understanding of the most likely severe accidents at ANO-1; and implemented changes to the plant to help prevent and mitigate severe accidents. Because of the data problems listed below, it is not clear that a quantitative understanding was gained by the licensee.
Strengths of the IPE are as follows: norough analysis of initiating events and their impact, descriptions of the plant responses, modeling of accident scenarios, generally reasonable failure data and common cause factors employed and usage of plant specific data where possible. He flooding analysis seems to have been reasonable and thorough. The effort seems to have been evenly distributed across the various areas of the analysis. The documentation was usually good, and effort was made to provide RAI responses.
He weaknesses were the use of seemingly low values for some important data: LOOP and small LOCA initiating event frequencies, power nonrecovery curve, and omission of some CCFs. The TDEFW run failure number is low compared to NUREG/CR-4550 recommended value. There is uneven modeling of common cause failures and some common cause failures are omitted from the analysis. It is not clear if CCF of all three HPI pumps or all three CCW pumps was considered. These weaknesses may have a moderate impact on the iesults. However, they may be offset to a degree by a somewhat pessimistic modeling of the LOOP convolution integral, where no credit is given for increased core uncovery times later on in the accident, and no credit is given for diesel generator recovery.
The IPE determined that failures in the AC power, SW, LPI, EFW, ventilation system, MFW and HPI systems dominate the risk profile. Loss of offsite power and small LOCA account for about 67% of the total CDF. SBO accounts for about 33% of the CDF. The CDF is dominated by 5 accident sequences.
The HRA review of the ANO-1 IPE submittal and a review of the licensees responses to HRA related questions asked in the NRC RAI, revealed several weaknesses in the HRA as documented. In geaeral, a viable approach (the Dougherty and Fragola method) was used in performing the HRA, but several weaknesses were identified in how the analysis was conducted. While the weaknesses are not severe enough to conclude that the licensee's submittal failed to meet the intent of Generic Letter 88-20 in regards to the HRA, they do suggest the licensee may not have learned as much about the role of humans during accidents at their plant as would have been possible. Important elements (both strengths and weaknesses) pertinent to this determination include the following:
- 1) ne submittal indicates that utility personnel were significantly involved in the HRA. Regarding the IPE HRA representing the as-built, as-operated plant, the submittal states that the HRA was involved in the initial sequence and system modeling efforts and that during this period the "HRA task had the opportunity to review plant and system design information and become familiar with the control room and related operating procedures." While simulator exercises were not conducted, the statements discussed above suggest that the HRA analyst was significantly involved throughout the modeling effort. Thus, it appears that steps were taken to assure that the HRA represented the as-built, as-operated plant. However, it did not appear that the HRA 45
l l
i gave detailed consideration to plant-specific factors in determining the HEPs (which is discussed below as a weakness). 1
- 2) De submittal indicted that the analysis of pre-initiator actions included both miscalibrations and restoration faults. While an acceptable analysis was conducted, a weakness of the submittal was that it did not provide a list of the modeled restoration faults. Apparently only a single pre-initiator event was found important enough to receive detailed quantification. All other pre-initiators were apparently screened out.
- 3) A strength of the analysis of post-init!ator events was the screening analysis. Modeled events were quantified using a screening value of 0.4 and potential dependencies were considered. After initial quantification, surviving cutsets were examined and appropriate post-initiator " recovery" operator actions were added. This approach helped ensure that important post-initiator actions were not inappropriately truncated.
- 4) he post-initiator analysis included appropriate types of operator actions and had a viable process for identifying, selecting, and quantifying operator actions.
- 5) One apparent weakness of the post-initiator analysis concerns the extent to which plant-specific factors were considered. While the model itself provides reasonable mechanisms for addressing relevant plant -specific factors, on the basis of examples provided, it would appear that many of the parameters were left at their default values. In particular, all success likelihood indices (SLIs) were left at their default values. That is, PSFs were assumed to have no effect. He licensee stated that the relevant factors were unknown for all situations in which a recovery could be applied. By leaving the SLis for the modeled events at their default values, the analysts are basically assuming ANO-1 is an " average" plant in terms ofits PSFs. The resulting analysis is therefore " generic" rather than plant-specific and may or may not adequately represent the plant.
- 6) Another potential weakness concerns the licensee's calculation of very low HEP values
(" epsilon") for two events found in steam generator tube rupture (SGTR) sequences. They included the operator action to maintain RCS pressure below a specified MSSV set point and the action "to cooldown the RCS and isolate the break with the DHR system." The former action was classified as a slip and apparently the probability of making an unrecoverable error in conducting the action was determined to be exceptionally low. An illustration of the derivation of the HEP for this event was not provided, but the response to the RAI states that the action is stressed in training and that the operators have several hours to respond. Given that the BHEP for a slip is assumed to be 0.003, substantial credit for recovery (apparently allowed by the HRA model) must have been given. Details of the derivation of the action "to cooldown the RCS and isolate the break with the DHR system" were not provided, but it was assumed to be a " response type" action with 517 minutes available time. Without additional information, it is difficult to assess the reasonableness of the assigned HEPs. However, such exceptionally low HEPs are rarely justified in HRA modeling and it should be noted that the estimates of CDF for SGTR sequences in the ANO-1 submittal were four to five times lower than those found for other similar plants. If these events were important to the sequences and their HEPs were underestimated, the CDF estimates for the sequences could also be underestimated. Thus, the derivaticn of the HEPs for these two events may be a weakness of the HRA. While Fussel-Vesely importance results did not indicate that these events were high contributors to CDF, they 46
may have had a high risk achievement wonh and may have been important if their HEPs had not been so low.
- 7) A list of imponant human actions based on their contribution to core damage frequency was provided in the submittal.
- 8) The HRA portion of the flooding analysis appeared reasonable and thorough.
As acknowledged by the licensee, the ANO-1 level 2 analysis is oflimited scope since very few plant-specific accidert simulation code calculations were performed in support of the effort. Essentially the containment response analysis for ANO-1 is carried out by comparing the particular ANO-1 reactor building features to those found in previously published analyses of typical large dry PWR containments.
A Comparative Core / Containment Response Scoping (CCRS) model was developed to support this comparative process. The CCRS model uses a simplified set of conservation equations for mass and energy to estimate reactor building response from first order effects under severe accident conditions.
In addition to the scoping calculations sensitivity calculations were performed with the CCRS to determine first order effects of the various assumptions used in the analysis.
A few plant specific MAAl runs were also carried out after the level 2 analysis was completed to confirm some of the assumptions made for the scoping calculations.
Information obtained from a walkdown of the ANO-2 containment was used for the ANO-1 containment analysis.
The important points of the technical evaluation of the ANO-1 IPE back-end analysis are summarized below:
- He back-end ponion of the IPE supplies a substantial amount of information with regards to the subject areas identified in Generic Letter 88-20.
- He IPE identified several plant unique failure modes arising from the distinctive construction of the ANO-1 cavity and in-core instrument tunnel design: containment liner melt-through and containment failure due to ex-vessel steam explosions are credible (although low probability) modes of early containment failure.
- The results calculated for the various containment failure modes are well within the range of typical large dry PWR containment response.
- The simplified analysis and rather limited plant specific calculations restrict the range of applicability of the ANO-1 containment performance evaluation.
The overall assessment of the ANO-1 level 2 analysis based on the IPE submittal and the licensee's response to the RAI is that it is adequate to meet the intent of GL 88-20. Strong points of the analysis are the containment event trees which, along with the accompanying fault trees, are quite detailed yet scrutable; the containment isolation failure analysis; and the fairly extensive sensitivity analysis of the various CET parameters which provides insights as to the major effects of some assumptions made in the analysis. Weak points are the very simplified combustion calculations, simplified containment failure analysis, and the simplified radionuclide calculations which contain no sensitivity analysis.
47
Because of the simplified scoping type of analysis used and the lack of detailed plant specific calculations using more sophisticated tools, the level 2 analysis described in the ANO-1 submittal is likely to be of limited use for applications beyond the fulfillment of the intent of GL 88-20.
f a
I
' I 48 <
l
l l
i l 4. atreassces (GL 88-20) Crutchlield, D.M., Individual Plant Ezanination for Sewre Accident ;
Fulnerabilities, U.S. Nuclear Regulatory Commission Generic later 88-20, November 23,1988.
(NUREG-1335) individual Plant n+elon: Submittal Guidance, U.S. Nuclear Regulatory Commission Report NUREG-1335, August 1989.
l
[1PE Submittal) Individual Plant Examination Submittal for Arkants Nuclear One Unit 1, i submitted by Entergy Operations, Inc., Russe!ville, Arkantac, April 1993.
l
[RAI Responses) Imter from D. C. Mims, Director Nuclear Safety, Entergy Operations, Inc. To .
U.S. NRC Document Control Desk, dated May 9,1996. l l
fBook) E.M. Dougherty and 3.R. Fragola, Human Reliability Analysis: A Systems Engineering Approach with Nuclear Powr Plant App!! cations, NY: John Wiley l
& Sons,1988.
INUREGICR-1278) A.D. Swain and H.E. Guttman, Handbook ofHuman Reliability Analysis with Emphasis on Nuclear Pour Applications : Technique for Human Error Rate i Prediction, NUREG/CR-1278, U.S. Nuclear Regulatory Commission, Washington D.C.,1983.
fNUREGICR-4772) A.D. Swain, Accident Sequence Enluation Program Human Reliability Analysis l Procedure, NUREGICR-4772, U.S. Nuclear Regulatory Commission, Washington, D.C., February,1987.
(NUREGICR-4834) D.W. Whitehead, Recowry Aalons in PRAfor the Risk Methods Integration and Emluation Program (RMIEP), Volume 2:&lcation of the Data-Based Method, NUREGICR 4834, U.S. Nuclear Regulatory Commission, Washington D.C., ;
December 1987 !
l 49
.