ML20138H994

Technical Evaluation Rept of IPE Submittal & RAI Responses for Comanche Peak Steam Electric Station,Unit 1
Person / Time
Site: Comanche Peak
Issue date: 01/02/1997
From: Musicki Z
BROOKHAVEN NATIONAL LABORATORY
To:
NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
Shared Package
ML20136E894 List:
References
CON-FIN-W-6449 NUDOCS 9701310074


Text

TECHNICAL REPORT

TECHNICAL EVALUATION REPORT OF THE IPE SUBMITTAL AND RAI RESPONSES FOR THE COMANCHE PEAK STEAM ELECTRIC STATION (UNIT 1)

Zoran Musicki, George Bozoki, John Forester, C. C. Lin

Department of [illegible], Brookhaven National Laboratory, Upton, New York 11973

CONTENTS

EXECUTIVE SUMMARY
NOMENCLATURE

1. INTRODUCTION
   1.1 Review Process
   1.2 Plant Characterization

2. TECHNICAL REVIEW
   2.1 Licensee's IPE Process
       2.1.1 Completeness and Methodology
       2.1.2 Multi-Unit Effects and As-Built, As-Operated Status
       2.1.3 Licensee Participation and Peer Review
   2.2 Front End Technical Review
       2.2.1 Accident Sequence Delineation and System Analysis
       2.2.2 Quantitative Process
       2.2.3 Interface Issues
       2.2.4 Internal Flooding
       2.2.5 Core Damage Sequence Results
   2.3 Human Reliability Analysis Technical Review
       2.3.1 Pre-Initiator Human Actions
       2.3.2 Post-Initiator Human Actions
   2.4 Back End Technical Review
       2.4.1 Containment Analysis/Characterization
       2.4.2 Accident Progression and Containment Performance Analysis
   2.5 Evaluation of Decay Heat Removal and Other Safety Issues and CPI
       2.5.1 Evaluation of Decay Heat Removal
       2.5.2 Other GSIs/USIs Addressed in the Submittal
       2.5.3 Response to CPI Program Recommendations
   2.6 Vulnerabilities and Plant Improvements
       2.6.1 Vulnerability
       2.6.2 Proposed Improvements and Modifications

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS

4. REFERENCES

TABLES

Table E-1. Accident Types and Their Contribution to the CDF
Table E-2. Initiating Events and Their Contribution to the CDF
Table E-3. Containment Failure as a Percentage of Total CDF
Table 1    Plant and Containment Characteristics for Comanche Peak Steam Electric Station
Table 2    Comparison of Failure Data
Table 3    Comparison of Common-Cause Failure Factors
Table 4    Initiating Event Frequencies for Comanche Peak IPE
Table 5    Accident Types and Their Contribution to the CDF
Table 6    Initiating Events and Their Contribution to the CDF
Table 7    Dominant Core Damage Sequences
Table 8    Important Human Actions
Table 9    Containment Failure as a Percentage of Total CDF

EXECUTIVE SUMMARY

This Technical Evaluation Report (TER) documents the findings from a review of the Individual Plant Examination (IPE) for the Comanche Peak Steam Electric Station (CPSES). The primary intent of the review is to ascertain whether or not, and to what extent, the IPE submittal satisfies the major intent of Generic Letter (GL) 88-20 and achieves the four IPE sub-objectives. The review utilized both the information provided in the IPE submittal and additional information (RAI Responses) provided by the licensee, the Texas Utilities Electric Company, in the response to a request for additional information (RAI) by the NRC.

E.1 Plant Characterization

The Comanche Peak Steam Electric Station is a two unit nuclear power plant. Each unit is a Westinghouse 4 loop pressurized water reactor (PWR) with an electrical power rating of 1150 MWe. CPSES is operated by Texas Utilities. Unit 1 started commercial operation in August 1990, while the Unit 2 start date was August 1993. The IPE is a PRA analysis of Unit 1, as Unit 2 was still under construction at the time of the analysis.

A number of design features at Comanche Peak impact the core damage frequency. These are:

  • The plant has a feed and bleed capability. The PORV block valves are normally open and one PORV is enough for success of the feed and bleed operation.
  • MFW (turbine driven) is automatically isolated on a reactor trip, but can be restarted if needed.
  • The RCPs employ Westinghouse seals with charging pump injection and component cooling water cooling of the thermal barriers. New high temperature seals have been installed since the completion of the IPE.
  • The high head injection can be provided by either of the two SI pumps, or by either of the two centrifugal charging pumps (CCPs), thus providing a high level of redundancy. The CCPs and the SI pumps are physically separated.
  • Cross connection capability exists between the units for the SW and CCW systems. The following systems are shared: the intake structures for SW and circulating water, the switchyard, and the instrument air common compressors.
  • The batteries have a 4 hour capacity (without load shedding). The ECCS equipment cannot be started without DC power. The TDAFW pump can be manually operated locally upon loss of a support system (instrument air or dc power, including SBO conditions). This is a proceduralized action.
  • There is a relatively heavy dependence on HVAC (or chilled water), instrument air, CCW and SW.
  • Recirculation switchover is automatic with some additional operator actions. Manual switchover may be required under certain conditions.
  • CPSES has the AMSAC system, which automatically trips the turbine and starts the MDAFW pumps upon ATWS.
  • The CPSES pressurizer level is programmed such that the RCS maintains a constant mass. This means that all cooldown events do not require RCS makeup.

The CPSES containment is a large, dry, steel-lined reinforced concrete structure with approximately a 3 million cu. ft. volume and a 50 psig design pressure. Both the power level and the containment free volume of Comanche Peak are similar to that of Zion.

The plant characteristics important to the back-end analysis are:

  • The large containment volume, high containment pressure capability, and the open nature of compartments which facilitates good atmospheric mixing. Calculations performed in the IPE show that the containment would not reach the failure pressure even if a hydrogen burn from a 100% Zirconium oxidation were postulated. The IPE also shows that the containment is unlikely to fail as a result of HPME (i.e., DCH etc.) even with the use of NUREG-1150 data for Zion, which is believed to be pessimistic for CPSES because, although similar, the flow path for the CPSES cavity and instrument tunnel configuration is more restrained than the sloped configuration of Zion.
  • A large reactor cavity floor area (800 ft²) and a cavity design which facilitates flooding of the reactor cavity. The debris depth on the floor would be about 25 cm with a conservative estimate of the amount of debris in the cavity. Additionally, all the water collected on the containment floor is likely to flow to the reactor cavity because there is no curb at the containment floor elevation surrounding the reactor cavity exit for the instrument guide tubes that would prevent the return of water from the main containment to the reactor cavity.

E.2 Licensee's IPE Process

The licensee initiated work on a probabilistic risk assessment (PRA) for Comanche Peak in response to Generic Letter 88-20. The freeze date for the analysis was January 1992.

The IPE was performed by Texas Utilities (TU) staff with support from consultants in some specialized areas: HRA, flooding analysis (ERIN Engineering) and Level 2 analysis. TU staff managed the IPE and did over 90% of the work.

To support the IPE process, the licensee reviewed several NRC PRA studies: NUREG/CR-2300, NUREG/CR-2815, NUREG/CR-4550, NUREG/CR-5313, NUREG/CR-4920, as well as guidance in NUREG-1335. Other plant PRAs were also reviewed to gain additional insights: the Seabrook PSA and the Crystal River Unit 3 PRA.

The submittal indicates that most of the work was performed by the Comanche Peak IPE team with direction and [illegible] from the Accident Prevention Group (APG), a consulting firm. It was noted that even specialized areas such as the human reliability analysis (HRA) were performed by in-house staff, but under the direction and guidance of the consultant. Procedure reviews, discussions with operations and training staff, reviews of results from previous simulator exercises, and walkdowns of important recovery actions helped assure that the IPE HRA represented the as-built, as-operated plant. In addition to reviews of the HRA by in-house staff and consultants from APG, several other firms were noted as participating in a final independent review of the overall IPE. Exactly which firm or firms performed the review of the HRA was not mentioned. Two HRA related comments from the initial review led the HRA analysts to use more conservative screening values and to address common cause contributions to human disabling of multiple redundant trains of various systems. Both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response to an accident) were addressed in the IPE. Important human actions were identified and several procedure related enhancements were discussed by the licensee.

The analysis was reviewed at several levels. An independent review (by plant personnel not involved in the PRA) was also performed, as well as by PRA experts from outside. The IPE team responded to and resolved comments from this formal review.

The submittal does not explicitly indicate whether the licensee intends to maintain a "living" PRA, although it is implied that the IPE will be periodically updated.

E.3 IPE Analysis

E.3.1 Front-End Analysis

The methodology chosen for the front-end analysis was a level 1 PRA; the small event tree-large fault tree with fault tree linking was used. The computer code used for modeling and quantification was CAFTA.

The IPE quantified the following initiating event categories: 6 LOCAs (including one ISLOCA category broken down into several subcategories, and one excessive LOCA), 13 transients (including 3 support system losses), one SGTR and one flooding category (with two dominant scenarios shown in the IE section). The IPE developed 19 event trees and 5 special event trees to model the plant response to these initiating events. Flooding analysis was also performed.

Success criteria were based on best estimate plant response verified by MAAP runs and thermal hydraulic analyses.

No credit is given to rapid depressurization in small LOCAs in order to use low head pumps.

Employment of the condensate pumps (with secondary depressurization) upon failure of AFW and MFW is also apparently not credited.

Containment heat removal systems are not needed in level 1 analysis.

The RCP seal cooling model assumes that both CCW and seal injection must fail in order for the seals to fail. This element of the success criteria is consistent with other PWR PRA studies.

Mostly generic data is used, except for some test and maintenance unavailabilities.

CPSES data are generally in agreement with the NUREG/CR-4550 data, except for the air compressors.

The TDAFW pump failure to run rate is somewhat lower than that reported in NUREG/CR-4550.

The multiple Greek letter (MGL) approach was used to characterize common cause failures. A very sophisticated analysis with Bayesian updating was performed, which is at odds with generic data used elsewhere and lack of CCF data. Most MGL parameters seem low, and some are exceptionally low (when compared to data used in NUREG/CR-4550), i.e., operating motor driven pumps, air operated valves, etc. Some important CCF categories seem to have been omitted from the analysis, notably the air compressors and the batteries.

The internal core damage frequency is 5.72E-5/yr. The internal accident types and initiating events that contribute most to the CDF and their percent contributions are listed below in Tables E-1 and E-2:

Table E-1. Accident Types and Their Contribution to the CDF¹

Initiating Event Group                     Contribution to CDF (/yr)    %
Loss of offsite power                      1.59E-5                      28
Internal flood                             1.29E-5                      23
Transient                                  1.26E-5                      22
LOCA²                                      9.70E-6                      17
Steam generator tube rupture               3.54E-6                      6
Loss of support system³                    2.31E-6                      4
(Station blackout)                         (1.59E-5)                    (28)
(Anticipated transient without scram)      (5.03E-6)                    (9)
(Interfacing system LOCA)                  (1.56E-7)                    (0.3)
TOTAL CDF                                  5.72E-5                      100.0

¹ Categories in parentheses (e.g., station blackout) are not separate initiator types but are included in other categories (e.g., SBO is included under LOOP and transient).

² LOCA category includes the 4 common LOCA sizes, plus excessive LOCA (i.e., reactor vessel rupture) plus interfacing system LOCAs.

³ Loss of support system includes losses of CCW, SW or chilled water (HVAC). All others are included in the "transient" category, except for losses of offsite power, which are under their own category.

Table E-2. Initiating Events and Their Contribution to the CDF

Initiating Event                           Contribution to CDF (/yr)    %
Loss of offsite power                      1.59E-5                      27.9
Internal flooding                          1.29E-5                      22.7
Loss of main feedwater                     5.03E-6                      8.8
General transient¹                         4.56E-6                      8.0
Very small LOCA                            3.76E-6                      6.6
Steam generator tube rupture               3.54E-6                      6.2
Large LOCA                                 2.85E-6                      5.0
Loss of dc bus 1ED1                        2.17E-6                      3.9
Small LOCA                                 1.65E-6                      3.0
Medium LOCA                                1.02E-6                      1.8
Loss of component cooling water            9.03E-7                      1.6
Loss of chilled water (HVAC)               7.55E-7                      1.3
Loss of service water                      6.04E-7                      1.1
Loss of condenser vacuum                   5.84E-7                      1.0
Excessive LOCA                             2.66E-7                      0.6
Interfacing systems LOCA                   1.56E-7                      0.3
Loss of 6.9 kV ac bus 1A1                  7.60E-8                      0.13
Inadvertent safety injection signal        5.%E-8                       0.09
Main steam line break                      5.48E-8                      0.09
Loss of a protection channel               4.86E-8                      0.08

¹ General transient includes reactor trip, turbine trip, excessive feedwater flow, inadvertent closure of one or all MSIVs, core power excursion and loss of primary flow.

Only the most dominant initiating event contributors to the CDF are listed here.

E.3.2 Human Reliability Analysis

The HRA process for the Comanche Peak IPE addressed both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response to an accident). The analysis of pre-initiator actions considered both miscalibrations and restoration faults. The licensee stated that the screening methodology used "... is a melding of several previously published methodologies." In response to the NRC's RAI, it was stated that the method used was the "HRA Calculator" method [EPRI RP-3082-03 Draft Report] [Moleni, P., et al.] [Moleni, P., Spurgin, A. J., and Singh, A.], which is a PC based software program based on earlier Electric Power Research Institute (EPRI) methods, including HCR [EPRI RP-2170-3], ORE [EPRI NP-6937] [EPRI 6560] and SHARP [EPRI NP-3583]. Application of the method involved the use of a series of structured questions represented in a decision tree. Use of the decision tree led the evaluator to a human error probability (HEP) screening value which was determined as a function of the relative impact of various performance shaping factors (PSFs). Different decision trees were used for restoration and miscalibration events. Common cause factors were accounted for. The overall screening approach used was relatively detailed and was not unreasonable or inconsistent with those used in other IPEs. Only one pre-initiator action was analyzed in more detail after screening, leaving all the other pre-initiator HEPs at screening values.

The Comanche Peak IPE modeled both response (Type C,) and recovery (Type C.) post-initiator human actions. The response to the NRC's RAI stated that all actions credited were proceduralized, but in some cases procedures had to be written to cover the action. The screening process for type C, or response type human actions was based on use of the "dynamic action screening value decision tree" from the HRA Calculator methodology. The values used in the decision trees ranged from 1.0 to 5E-2 and the values were assumed to account for both the diagnosis and execution portions of the action (the probability of execution failures was assumed negligible). The PSFs considered in the tree were stated to be heavily influenced by results from EPRI's ORE project. They included consideration of procedures and training, task complexity, operator reluctance and time available (short or long). The trees were designed to account for "the key influencing factors, their interactions, dependencies, and relative importance to human error likelihood." The licensee's response to the RAI suggests that potential dependencies between events were appropriately considered during screening.

The licensee states that for events found to be important to either the probability of a dominant cut set or to overall core damage frequency, a second evaluation was performed using an expert interview method (two nuclear training department instructors were interviewed). The expert interview method was referred to as the direct estimation method [Comer et al.] and was applied to ten events. In applying the method, the analysts generated detailed descriptions of each human interaction event (including boundary conditions, dependencies, and time windows etc.). They then discussed the events in the context of previous experience with simulator runs and provided probabilistic scales to the experts. The experts provided an upper and lower bound and an average HEP value. The resulting HEPs for the ten events were not unreasonable and if anything, appear somewhat pessimistic. Human errors were identified as important contributors in accident sequences leading to core damage and several procedure related enhancements were implemented.

E.3.3 Back-End Analysis

The Approach used for Back-End Analysis

The methodology employed in the Comanche Peak IPE for the back-end evaluation is clearly described in the submittal. Containment event trees (CETs) were developed to determine the containment response and ultimately the type of release mode given that a core damage accident has occurred. The front-to-back end interface is provided in the IPE by the definition of 17 Plant Damage States (PDSs). These PDSs are identified by core damage state, determined by the core melt timing and the RCS pressure, and containment state, determined by the containment pressure boundary status and the containment safeguards system status.

The top events of the CET are quantified by the use of fault trees (called logic trees in the IPE submittal), which address the phenomenological, systems, and operator human response issues important to accident progression. The CET and the logic trees used in the Comanche Peak IPE provide a structure for the evaluation of all of the containment failure modes discussed in NUREG-1335. The quantification of the CET in the Comanche Peak IPE is based on NUREG-1150 data and plant-specific evaluation. The evaluations include modeling and bounding calculations, consideration of phenomenological uncertainties, and MAAP calculations. The results of the Level 2 analysis are grouped into thirteen release categories. Release fractions for these release categories are determined by the analyses of representative sequences using MAAP computer codes.

For the Comanche Peak Steam Electric Station IPE, the definition of the interface between Level 1 and Level 2 analyses is reasonable. The CET is well structured and easy to understand. CET quantification and source term grouping and quantification also seem adequate. The IPE process is in general logical and consistent with GL 88-20.

Back-End Analysis Results

For CPSES, the leading PDS, which contributes 29% to total CDF, is a PDS with early core melt, with the RCS at medium pressure (200 to 2000 psia), and with containment spray failure. The accident sequences that contribute to this PDS include those initiated by a small LOCA or those initiated by a loss of offsite power (LOOP) with induced LOCA. This PDS is followed by two PDSs with early core melt but with the RCS at high pressure (greater than 2000 psia). Of these two PDSs, the former does not have containment sprays (16%) and the latter has the containment spray available in both the injection and the recirculation phases (11%), and both are primarily initiated by transient events.

Table E-3 shows the probabilities of containment failure modes for Comanche Peak Steam Electric Station as percentages of the total CDF. Results from the NUREG-1150 analyses for Surry and Zion are also presented for comparison.

Table E-3. Containment Failure as a Percentage of Total CDF

Containment Failure Mode    Comanche Peak IPE*    Surry NUREG-1150    Zion NUREG-1150
Early Failure               1.2                   0.7                 1.4
Late Failure                51.1                  5.9                 24.0
Bypass                      8.2                   12.2                0.7
Isolation Failure           0.02                  **                  ***
Intact                      39.5                  81.2                73.0
CDF (1/ry)                  5.7E-5                4.0E-5              3.4E-4

* The data presented for Comanche Peak are based on Table 4.6-14 of the IPE submittal.
** Included in Early Failure, approximately 0.02%
*** Included in Early Failure, approximately 0.5%

As shown in the above table, the conditional probability of containment bypass for Comanche Peak is 8.2% of total CDF. Most of it is from steam generator tube rupture (SGTR) as an initiating event (95% of total bypass). Excluding SGTR, containment bypass from ISLOCA and ISGTR is small (3.3% from ISLOCA and 1.7% from ISGTR).

The conditional probability of early containment failure for Comanche Peak is about 1.2% of total CDF, of which 56% comes from alpha mode failure and 44% comes from failure associated with HPME (e.g., DCH). For accident sequence classes, early containment failure comes primarily from transient sequences with the RCS at high pressure. This is partly due to the high frequency of such sequences (40% of total CDF) and partly due to HPME associated with these sequences.

The conditional probability of late containment failure for Comanche Peak is 51.1% of total CDF. More than half of this is from small LOCA sequences or transient sequences with induced LOCA with the RCS at intermediate pressure (57%), with most of the remaining coming from transient sequences with the RCS at high pressure (35%). On a conditional basis, 74% of intermediate pressure sequences (represented by small LOCA sequences) result in late containment failure and 45% of high pressure sequences (represented by transient sequences) result in late containment failure.

For Comanche Peak, late containment failure is primarily due to overpressure failure associated with CCI (49% of CDF). The contribution from steam pressurization is only about 2% of total CDF. Steam-induced failures for CPSES are low because they can only occur if RWST water is successfully injected and recirculation subsequently fails. If ECCS fails to inject, boil-off of the RCS plus accumulator inventory cannot take the pressure to containment failure. Additional pressurization from CCI non-condensible gas generation is required. The high failure probability associated with CCI may be partly due to the use of an infinite mission time for such event.

Source terms are provided in the IPE for 13 release categories. Two of the 13 source terms are for containment bypass, one for isolation failure, four for early failure and six for late failure. Source term definitions are based on MAAP calculations for selected sequences. Sequence selection is based on the consideration of the dominant sequence in each release category and other factors that influence the source term results. The source term with the highest frequency is one with late and small containment failure with CCI and no fission product scrubbing (46% of total CDF, or 76% of total containment failure probability). This is followed by a release category with the highest release fraction, a bypass category from SGTR and ISGTR (8% of CDF). The sequence selection and the assignment of release fractions for source term determination seem adequate.

Sensitivity studies were performed in the CPSES IPE to determine the effects of key assumptions on the final results. Results of the sensitivity studies do not reveal any potential vulnerabilities due to assumptions used in the IPE. The sensitivity studies provided in the Comanche Peak IPE seem to have addressed the issues of significant uncertainties in the IPE analysis.

E.4 Generic Issues and Containment Performance Improvements

The IPE addresses decay heat removal (DHR). CDF contributions were estimated for various initiators considered part of the DHR issue (e.g., large LOCAs, ATWS and SGTR were excluded), and dominant sequences and failures presented. RCP seal LOCAs were also excluded from consideration of the DHR issue. Contribution of frontline DHR systems and their support systems to the total core damage frequency were presented in the RAI responses. The following DHR frontline systems were discussed: AFW, power conversion, RCS, CVCS, SI and RHR. Failures of the AFW and feed and bleed were found to make a major contribution to the total CDF. The AFW failures in the most important sequences are dominated by TDAFW pump failure to start or to run, and support system failures, e.g., HVAC room cooling for the MDAFW pumps. The feed and bleed failures are dominated by support system failures (e.g., dc power).

The DHR function contributes 1.58E-5/yr to the CDF. No DHR vulnerabilities were found.

No other generic issues are discussed in the submittal.

E.5 Vulnerabilities and Plant Improvements

The licensee's definition of vulnerability seems to be any initiating event or accident sequence which contributes disproportionately to the CDF. No vulnerabilities were found.

The following seven modifications were made in response to conclusions drawn in the IPE and they have been completed (all have been credited in the analysis except for the last one, the new RCP seals):

1) Procedural: Upgrade procedure for manual control of TDAFW post loss of support system (air or dc power), to a higher level procedure.
2) Procedural: Verification of CCW availability before recirculation, raised to a higher level procedure.
3) Procedural: Procedure for loss of seal injection was improved to more clearly direct the operator to manually control a flow control valve on loss of instrument air or power (previously proceduralized just for loss of CCW).
4) Procedural: Direct operators to start the standby chiller on startup of a MDAFW pump (the standby chiller train starts automatically only when its associated CCW train starts). Previously, the operators would start the standby chiller based on continuously monitored AFW room temperature reading.
5) Procedural: Modify procedure for MFW restart following AFW failure; previously the preferred method was to send operators to locally accomplish this. Now, the operators preferentially do this from the control room.
6) Hardware: Keep the cross-connect of CCW to Unit 2 (originally flanged off and planned for permanent blocking off when Unit 2 was finished).
7) Hardware: Install new RCP seals (temperature resistant).

Several SBO rule changes are mentioned in the RAI responses, mostly dealing with UPS room ventilation (addition of a DC powered fan, operator procedure to open doors, additional capacity from Unit 2) and the control room ventilation (additional capacity from Unit 2).

No quantitative impact of these changes on the CDF is available at this time, but a limited sensitivity analysis was provided.

The back end analysis did not reveal any vulnerabilities nor the need for any plant improvements.

However, vulnerability is not defined in the IPE submittal for the accident progression.


!' E.6 Observathns

! De licanee appears to have analyzed the det and operations of Comanche Peak to discover instances i _ of particular vulnerability to core damage. It sie appears that the licensee has: developed an overall i appreciadon of severe accident behavior; gais wi an understanding of the most likely severe accidents at l . Comanche Peak; gained a quantitative understanding of the overall frequency of core damage; and i implemented changes to the plant to help prevent and mitigate severe accidents.

The strengths of the Level 1 analysis in the IPE are: comprehensive treatment of plant specific initiating events; generally comprehensive treatment and discussion of plant responses; and comprehensive common cause failure methodology (which perhaps was too sophisticated compared to the state of knowledge and usage of generic data elsewhere in the IPE). Results are described with top cutsets. Insights have been derived and results generally seem reasonable. The flooding analysis seems reasonable. There was heavy utility involvement but with outside review.

The weaknesses of the Level 1 analysis in the IPE are: usage of generic data (by necessity because of the newness of the plant); common cause factors are low, or even very low, for some important components (by up to 2 orders of magnitude when compared to NUREG/CR-4550); some important components were not considered in the common cause failure analysis (e.g., air compressors, batteries); the offsite power non-recovery factors are low by a factor of 2-5; the dual unit initiators were not considered, as Unit 2 was under construction; no sensitivity or importance analysis was shown. Operator recovery and repair of failed systems (SW pumps, AFW pumps, emergency diesel generators, etc.) is credited in the IPE. A sensitivity analysis was provided in the RAI responses, showing a 70% increase in the CDF without this credit.

The numerical results may have been affected somewhat by the weaknesses listed above, but the effect is probably not overwhelming.

The IPE determined that RCP seal failures and failures in the auxiliary feedwater system (dominated by hardware pump failures, and support system failures such as HVAC) and in the primary feed and bleed operation (dominated by support system failures, such as dc power) are the principal contributors to core damage. Important support systems are emergency power, EDGs, SW and CCW.

LOCAs are a relatively low contributor to the CDF (17%) due to a highly redundant high pressure injection (the charging pumps can also be used in that role), and relatively reliable CCW and SW systems due to cross-connect capability to the other Unit.

The contribution of station blackout (28%) is due to seal failures and inability to use feed and bleed upon battery depletion. The switchyard is relatively reliable.

The flooding contribution is relatively large (23%). The most dominant scenario involves flooding in the auxiliary building (dominant cause is flooding from the RWST) which propagates and causes a loss of the chilled water system thus leading to a loss of ECCS and AFW pump rooms cooling. Another scenario postulates a break in the SW system inside the shared intake structure, thus resulting in a total loss of SW in both Units (but only Unit 1 was analyzed).

Several improvements have been completed as a result of insights from the IPE. The CDF impact of these improvements is not known, however a limited sensitivity analysis is shown.


The HRA review of the Comanche Peak IPE submittal did not identify any significant problems or errors. A viable approach was used in performing the HRA and nothing in the licensee's submittal (in conjunction with their responses to the RAIs) indicated that they failed to meet the intent of Generic Letter 88-20 in regards to the HRA. Important elements pertinent to this determination include the following:

1) The submittal indicated that utility personnel were involved in the HRA. Procedure reviews, discussions with operations and training staff, reviews of results from previous simulator exercises, and walkdowns of important recovery actions, helped assure that the IPE HRA represented the as-built, as-operated plant.

2) The HRA process for the Comanche Peak IPE addressed both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response to an accident). The analysis of pre-initiator actions considered both miscalibrations and restoration faults (162 events modeled). The quantification approach involved a relatively detailed screening analysis, with only one event being analyzed in more detail. Nevertheless, appropriate dependencies were considered and the results from the analysis of pre-initiator events were not unreasonable.

3) The Comanche Peak IPE modeled both response (Type C,) and recovery (Type C.) post-initiator human actions. The response to the NRC's RAI stated that all actions credited were proceduralized, but in some cases procedures had to be written to cover the action. While the screening and final quantification approaches were acceptable, potential dependencies between events were appropriately considered, and plant-specific PSFs were evaluated, a minor weakness of the post-initiator analysis was that all but ten HEPs were left at their screening values. The problem with such an approach is that human actions left at screening values in dominant sequences may have led to an incorrect ordering of sequences. That is, with realistic HEPs, some of the dominant sequences may no longer have been dominant and others may have shown to be more dominant. Thus, there existed a potential for distortion in the results. In response to an additional RAI on this issue, the licensee noted that after initial re-quantification was completed, if some non-dominant sequences became dominant, the human actions were evaluated again. With this approach, the licensee maintains that a high percentage of the operator actions in important sequences were analyzed in detail and therefore the appropriate ordering of sequences was maintained. Given this is the case, there is no apparent reason to believe that the approach used to assess post-initiator human actions would have precluded identification of human action related vulnerabilities.

4) Plant-specific performance shaping factors (PSFs), event timing, and dependencies were adequately considered.

5) A list of important human actions based on their contribution to core damage frequency was provided in the submittal.

The following are the major findings of the back-end analysis described in the submittal:

1) The back end portion of the IPE supplies a substantial amount of information with regards to the subject areas identified in Generic Letter 88-20.

2) The Comanche Peak Steam Electric Station IPE provides an evaluation of all phenomena of importance to severe accident progression in accordance with Appendix 1 of the Generic Letter.

3) The containment analyses indicate that there is a 61% conditional probability of containment failure. The conditional probability of containment bypass is about 8.2%, the conditional probability of early containment failure is 1.2%, the conditional probability of isolation failure is about 0.02%, and the conditional probability of late containment failure is 51.2%.

4) The licensee has addressed the recommendations of the CPI program.


NOMENCLATURE

AFW     Auxiliary Feedwater
AICC    Adiabatic Isochoric Complete Combustion
AMSAC   ATWS Mitigating System Actuation Circuitry
AOV     Air Operated Valve
APG     Accident Prevention Group
ARV     Atmospheric Relief Valve
ATWS    Anticipated Transient Without Scram
CCF     Common Cause Failure
CCI     Core Concrete Interaction
CCP     Centrifugal Charging Pump
CCW     Component Cooling Water
CDF     Core Damage Frequency
CET     Containment Event Tree
CPI     Containment Performance Improvement
CPSES   Comanche Peak Steam Electric Station
CSS     Containment Spray System
CVCS    Chemical and Volume Control System
CW      Circulating Water
DCH     Direct Containment Heating
DHR     Decay Heat Removal
ECCS    Emergency Core Cooling System
EDG     Emergency Diesel Generator
EOP     Emergency Operating Procedure
EPRI    Electric Power Research Institute
ESFAS   Engineered Safety Features Actuation System
FTC     Fail to Close
FTO     Fail to Open
FTR     Fail to Run
FTS     Fail to Start
FW      Feedwater
GL      Generic Letter
GSI     Generic Safety Issue
HCR     Human Cognitive Reliability
HEP     Human Error Probability
HHSI    High Head Safety Injection
HPME    High Pressure Melt Ejection
HRA     Human Reliability Analysis
HVAC    Heating, Ventilating and Air Conditioning
IA      Instrument Air
IE      Initiating Event
IPE     Individual Plant Examination
IPEM    Individual Plant Evaluation Method
ISGTR   Induced Steam Generator Tube Rupture
ISLOCA  Interfacing Systems LOCA
LOCA    Loss of Coolant Accident
LOOP    Loss of Offsite Power
LPI     Low Pressure Injection
MAAP    Modular Accident Analysis Package
MDAFW   Motor Driven AFW
MFW     Main Feedwater
MGL     Multiple Greek Letter
MOV     Motor Operated Valve
MSIV    Main Steam Isolation Valve
NPSH    Net Positive Suction Head
NRC     Nuclear Regulatory Commission
ORE     Operator Reliability Experiments
PDP     Positive Displacement Pump
PDS     Plant Damage State
PLG     Pickard, Lowe & Garrick
PORV    Power Operated Relief Valve
PRA     Probabilistic Risk Analysis
PSF     Performance Shaping Factor
PWR     Pressurized Water Reactor
RAI     Request for Additional Information
RCP     Reactor Coolant Pump
RCS     Reactor Coolant System
RHR     Residual Heat Removal
RV      Relief Valve
RWST    Refueling Water Storage Tank
SBO     Station Blackout
SGTR    Steam Generator Tube Rupture
SHARP   Systematic Human Action Reliability Procedure
SI      Safety Injection
SRV     Safety Relief Valve
SW      Service Water
TDAFW   Turbine Driven AFW
TER     Technical Evaluation Report
THERP   Technique for Human Error Rate Prediction
TPCW    Turbine Plant Cooling Water
TU      Texas Utilities
UPS     Uninterruptible Power Supply
USI     Unresolved Safety Issue

1. INTRODUCTION

1.1 Review Process

This technical evaluation report (TER) documents the results of the BNL review of the Comanche Peak Individual Plant Examination (IPE) submittal [IPE, RAI Responses]. This technical evaluation report adopts the NRC review objectives, which include the following:

  • To determine if the IPE submittal provides the level of detail requested in the "Submittal Guidance Document," NUREG-1335, and
  • To assess if the IPE submittal meets the intent of Generic Letter 88-20.

A Request for Additional Information (RAI), which resulted from a preliminary review of the IPE submittal, was prepared by BNL and discussed with the NRC. Based on this discussion, the NRC staff submitted an RAI to the Texas Utilities (TU) Electric Company, on January 23, 1996. TU Electric responded to the RAI in a document dated June 14, 1996. This TER is based on the original submittal and the response to the RAI (RAI Responses).

1.2 Plant Characterization

The Comanche Peak Steam Electric Station is a two unit nuclear power plant. Each unit is a Westinghouse 4 loop pressurized water reactor (PWR) with an electrical power rating of 1150 MWe. CPSES is operated by Texas Utilities. Unit 1 started commercial operation in August 1990, while the Unit 2 start date was August 1993. The IPE is a PRA analysis of Unit 1, as Unit 2 was still under construction at the time of the analysis. Most cross-tied and shared systems are modeled, and it is stated in the submittal that only minor differences exist between the units, such that the results won't be affected.

A number of design features at Comanche Peak impact the core damage frequency. These are:

  • The plant has a feed and bleed capability. It seems that the PORV block valves are normally open. One PORV is enough for success of the feed and bleed operation (the operators are instructed to open both). Each PORV is equipped with massive nitrogen accumulators allowing 100 cycles. During the feed and bleed operation, the operators are instructed to keep the PORVs open, rather than cycle them. The accumulators can be replenished from the nitrogen gas system. At normal system pressures only the centrifugal charging pumps provide sufficient flowrate for the feed and bleed operation.

  • MFW (turbine driven) is automatically isolated on a reactor trip. It can be restarted by the operator under certain conditions. The two condensate pumps are apparently not used alone when the reactor is depressurized and the MFW is unavailable (at least no credit is given for such operation).
  • There are 2 MDAFW and 1 TDAFW pump. The alternate source of water is the service water system. The operators are credited with operation of the AFW system upon loss of a support system (instrument air or dc power). This action is proceduralized and involves local manual throttling of the flow control valves.

  • The RCPs employ Westinghouse seals with charging pump injection and component cooling water cooling of the thermal barriers. Upon loss of both methods of seal cooling, a seal LOCA will result. The analysis does not credit the improved high temperature O-rings which have been installed at both Units (after completion of the IPE).

  • There are three charging pumps. Two are centrifugal, with SW cooled bearings, and one is a positive displacement type whose bearings are cooled by CCW. Any one of the three pumps can be used for normal charging (which includes RCP seal injection), or emergency boration (taking suction from the boric acid transfer pumps), but only the centrifugal charging pumps (CCPs) are used for injection following a safety signal.

This means that an RCP seal LOCA will result from events which cause a sustained loss of SW, unless the operators align alternate cooling to the CCP sump (either firewater or demineralized water), for which they have about one hour.

  • The high head injection can be provided by either of the two SI pumps, or by either of the two CCPs, thus providing a high level of redundancy. The CCPs and the SI pumps are physically separated.

  • At the time of the IPE, due to Unit 2 construction, the cross connection capability only existed between the Units for the SW pumps (2 pumps per Unit, all four normally operating, one pump sufficient for one train of either Unit), and the CCW (2 pumps per Unit, cross connection normally closed). The following systems are shared: the service water intake structure and traveling screens and screenwash systems, the circulating water intake structure, the switchyard, and the instrument air common compressors.

  • There are four 125V DC buses, each with an associated battery, and two chargers. The batteries have a 4 hour capacity (without load shedding). The ECCS equipment cannot be started without DC power.

  • The following systems need room cooling: HPI (also called SI here), all three charging pumps, RHR (i.e., LPI), containment sprays, MDAFW pumps, component cooling water, the control room, and the electrical power system (diesel generators, electrical switchgear, and batteries). There is a strong dependence on HVAC systems at this plant. There are normal and emergency (2 train) central chilled water systems, with some individual subsystems cooled by dedicated air conditioning units (e.g., UPSs and main control room), which are in turn cooled by CCW, while some other systems employ dedicated ventilation fans only (e.g., diesel generator air supply and exhaust and battery rooms). The normal (or ventilation) chilled water system cools the auxiliary building, safeguards building and the electrical switchgear rooms during normal operation startup and shutdown. The safeguards pumps and the electrical switchgear rooms can operate for some considerable time without the normal or emergency HVAC, and this is credited in the model.

  • There is a strong dependence on instrument air, with the following systems supported by it: pressurizer sprays, CVCS, RHR, AFW, MFW, steam relief pathways, chilled water and circulating water. Valves that may need to be manipulated are provided with 30 minute accumulators. The steam generator atmospheric relief valves are provided with 4-5 hour accumulators, and the pressurizer PORVs have enough nitrogen in accumulators for 100 cycles. There are two spare common compressors, in addition to the two unit compressors.

  • Service water is needed for the following systems: centrifugal charging pumps, HPI pumps, containment spray pumps' bearings, EDG jackets, and the CCW heat exchangers. The safeguards pumps can operate without this support for some time (credited in model).

  • CCW is needed for RCP thermal barrier cooling, positive displacement charging pump, RHR pumps and (recirculation) heat exchangers, containment spray pumps' seals and recirculation heat exchangers, ventilation and emergency chilled water system heat removal, room cooling of the UPSs and the control room, and for cooling of the unit instrument air compressors. The common spare compressors don't depend on CCW, but are cooled by TPCW (turbine plant cooling water), which is cooled by the circulating water system. The safeguards pumps can operate without CCW support for some time.
  • Recirculation switchover is automatic with some additional operator actions. Manual switchover may be required under certain conditions.

  • Both the core injection systems (RHR) and the containment sprays have separate heat exchangers for recirculation cooling. However, containment heat removal is not necessary to prevent containment failure and is not considered in Level 1 analysis.

  • High pressure recirculation uses the piggyback arrangement, whereby the RHR pumps provide suction to the safety injection (SI) pumps or the centrifugal charging pumps.

  • CPSES has the AMSAC system, which, in case of an ATWS, automatically trips the turbine and starts the two MDAFW pumps (the TDAFW pump will be started on low steam generator level). The operators are instructed to ensure that the AMSAC actions are taken.

  • The CPSES pressurizer level is programmed such that the RCS maintains a constant mass. This means that as the temperature drops, the required pressurizer level drops also. Therefore, all cooldown events do not require RCS makeup.

The CPSES containment is a large, dry, steel-lined reinforced concrete structure with approximately 3 million cu. ft. volume and a 50 psig design pressure. Some of the plant characteristics important to the back-end analysis are summarized in Table 1 of this report.

Both the power level and the containment free volume of Comanche Peak are similar to that of Zion. The RCS water volume and the mass of fuel and Zircaloy of Comanche Peak are also similar to those of Zion. The median containment failure pressure obtained in the Comanche Peak IPE is 114 psig, lower than those obtained in NUREG-1150 for Zion and Surry. As shown in the above table, the derived parameters, which provide a rough indication of containment loading under severe accident conditions, are similar between Comanche Peak and Zion. The parameters presented in the above table provide only rough indications of the containment's capability to meet severe accident challenges and both the containment strength and the challenges associated with the severe accident involve significant uncertainties.

Table 1 Plant and Containment Characteristics for Comanche Peak Steam Electric Station

| Characteristic | Comanche Peak | Zion | Surry |
|---|---|---|---|
| Thermal Power, MW(t) | 3425 | 3236 | 2441 |
| RCS Water Volume, ft³ | 12,000 | 12,700 | 9200 |
| Containment Free Volume, ft³ | 2,985,000 | 2,860,000 | 1,800,000 |
| Mass of Fuel, lbm | 223,000 | 216,000 | 175,000 |
| Mass of Zircaloy, lbm | 47,000 | 44,500 | 36,200 |
| Containment Design Pressure, psig | 50 | 47 | 45 |
| Median Containment Failure Pressure, psig | 114 | 135 | 126 |
| RCS Water Volume/Power, ft³/MW(t) | 3.5 | 3.9 | 3.8 |
| Containment Volume/Power, ft³/MW(t) | 872 | 884 | 737 |
| Zr Mass/Containment Volume, lbm/ft³ | 0.016 | 0.016 | 0.020 |
| Fuel Mass/Containment Volume, lbm/ft³ | 0.075 | 0.076 | 0.097 |

The plant characteristics important to the back end analysis are:

1) The large containment volume, high containment pressure capability, and the open nature of compartments which facilitate good atmospheric mixing. Calculations performed in the IPE show that the containment would not reach the failure pressure even if a hydrogen burn from a 100% Zirconium oxidation were postulated. The IPE also shows that the containment is unlikely to fail as a result of HPME (i.e., DCH etc.) even with the use of NUREG-1150 data for Zion, which is believed to be pessimistic for the CPSES because, although similar, the flow path for CPSES cavity and instrument tunnel configuration is more restrained than the sloped configuration of Zion.

2) A large reactor cavity floor area (800 ft²) and a cavity design which facilitates flooding of the reactor cavity. The debris depth on the floor would be about 25 cm with a conservative estimate of the amount of debris in the cavity. Additionally, all the water collected on the containment floor is likely to flow to the reactor cavity because there is no curb at the containment floor elevation surrounding the reactor cavity exit for the instrument guide tubes that would prevent the return of water from the main containment to the reactor cavity.

2. TECHNICAL REVIEW

2.1 Licensee's IPE Process

2.1.1 Completeness and Methodology

The licensee has provided the type of information requested by Generic Letter 88-20 and NUREG-1335.

The front-end portion of the IPE is a Level 1 PRA. The specific technique used for the Level 1 PRA was a small event tree/large fault tree technique, and it was clearly described in the submittal. Details of event tree modeling are missing, however.

Event trees were developed for all classes of initiating events considered. A limited system importance analysis has been performed (for DHR evaluation) and is described in the RAI responses. A limited sensitivity analysis is shown in the RAI responses for certain aspects of the analysis. No uncertainty analysis was performed.

To support the IPE process, the licensee reviewed several NRC PRA studies: NUREG/CR-2300, NUREG/CR-2815, NUREG/CR-4550, NUREG/CR-5313, NUREG/CR-4920, as well as guidance in NUREG-1335. Other plant PRAs were also reviewed to gain additional insights: the Seabrook PSA and the Crystal River Unit 3 PRA.

The submittal information on the HRA, in conjunction with the licensee's responses to NRC RAIs, indicates the HRA process was appropriate and generally complete in scope. The HRA process for the Comanche Peak IPE addressed both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response to an accident). The analysis of pre-initiator actions considered both miscalibrations and restoration faults. The licensee stated that the screening methodology used "... is a melding of several previously published methodologies." In response to the NRC's RAI, it was stated that the method used was the "HRA Calculator" method, which is a PC based software program based on earlier Electric Power Research Institute (EPRI) methods, including HCR, ORE and SHARP. Application of the method involved the use of a series of structured questions represented in a decision tree. Use of the decision tree led the evaluator to a human error probability (HEP) screening value which was determined as a function of the relative impact of various performance shaping factors (PSFs). Different decision trees were used for restoration and miscalibration events. Common cause factors were accounted for. The overall screening approach used was relatively detailed and was not unreasonable or inconsistent with those used in other IPEs. Only one pre-initiator action was analyzed in more detail after screening, leaving all other pre-initiator HEPs at screening values.

The Comanche Peak IPE modeled both response (Type C,) and recovery (Type C.) post-initiator human actions. The response to the NRC's RAI stated that all actions credited were proceduralized, but in some cases procedures had to be written to cover the action. The screening process for type C, or response type human actions was based on use of the "dynamic action screening value decision tree" from the HRA Calculator methodology. The values used in the decision trees ranged from 1.0 to 5E-2 and the values were assumed to account for both the diagnosis and execution portions of the action (the probability of execution failures was assumed negligible). The PSFs considered in the tree were stated to be heavily influenced by results from EPRI's ORE project. They included consideration of procedures and training, task complexity, operator reluctance and time available (short or long). The trees were designed to account for "the key influencing factors, their interactions, dependencies, and relative importance to human error likelihood." The licensee's response to the RAI suggests that potential dependencies between events were appropriately considered during screening.

The licensee states that for events found to be important to either the probability of a dominant cut set or to overall core damage frequency, a second evaluation was performed using an expert interview method (two nuclear training department instructors were interviewed). The expert interview method was referred to as the direct estimation method (Comer et al.) and was applied to ten events. In applying the method, the analysts generated detailed descriptions of each human interaction event (including boundary conditions, dependencies, and time windows etc.). They then discussed the events in the context of previous experience with simulator runs and provided probabilistic scales to the experts. The experts provided an upper and lower bound and an average HEP value. The resulting HEPs for the ten events were not unreasonable and if anything, appear somewhat pessimistic. Human errors were identified as important contributors in accident sequences leading to core damage and several procedure related enhancements were implemented.

The Comanche Peak Steam Electric Station Individual Plant Examination (IPE) back end submittal is essentially consistent with respect to the level of detail requested in NUREG-1335.

The methodology employed in the Comanche Peak IPE submittal for the back-end evaluation is clearly described. Containment event trees (CETs) were developed to determine the containment response and ultimately the type of release mode given that a core damage accident has occurred. The front-to-back end interface is provided in the IPE by the definition of 17 Plant Damage States (PDSs). These PDSs are identified by core damage state, determined by the core melt timing and the RCS pressure, and containment state, determined by the containment pressure boundary status and the containment safeguards system status.

The top events of the CET are quantified by the use of fault trees (called logic trees in the IPE submittal), which address the phenomenological, systems, and operator human response issues important to accident progression. The CET and the logic trees used in the Comanche Peak IPE provide a structure for the evaluation of all of the containment failure modes discussed in NUREG-1335. The quantification of the CET in the Comanche Peak IPE is based on NUREG-1150 data and plant-specific evaluation. The evaluations include modeling and bounding calculations, consideration of phenomenological uncertainties, and MAAP calculations. The results of the Level 2 analysis are grouped into thirteen release categories. Release fractions for these release categories are determined by the analyses of representative sequences using MAAP computer codes.

2.1.2 Multi Unit Effects and As-Built, As-Operated Status

As of the IPE freeze date, the cross connection capability existed between the Units for the SW pumps (2 pumps per Unit, all four normally operating, one pump sufficient for one train of either Unit), and the CCW (2 pumps per Unit, cross-connection normally closed). The following systems are shared: the service water intake structure, the circulating water intake structure, the switchyard, and the instrument air common compressors. With completion of Unit 2 construction, there was an improvement in the Unit 1 control room and UPS room HVAC, in that now more HVAC units are available, served by a common electrical power supply. (Apparently these two rooms are shared between the Units.)

The IPE analyzes Unit 1 only, as Unit 2 was under construction at the time of the analysis. Unit 2 has begun commercial operation since. A statement is made in the submittal that a review was made of Unit 2 information. Only minor differences between the Units were discovered, with the conclusion that the effect on the PRA results would be insignificant. Therefore, Unit 1 results apply to Unit 2 as well.

At the time of the IPE work, certain Unit 2 cross-connectable systems, such as its service water and component cooling water were turned over to operation. Therefore, such cross ties were modeled including the operator actions to open them. No additional cross ties were modeled (they were undeveloped gates). It is not expected that these additional crossties will have a significant impact on the results. The effect of shutdown of the other unit was not modeled. In the RAI responses it was stated that at least one SW pump would be available on the shutdown unit per technical specification. The effect of a two week maintenance downtime of the CCW system in the opposite unit was calculated in the RAI responses to be an approximately 5% increase in the CDF.

Dual unit initiators were not modeled. In addition, maintenance activities on the other unit could impact the initiating event frequencies and equipment unavailabilities. Such effects should be considered for a multi-unit site.

A wide variety of up-to-date information sources were used to develop the IPE: system operating procedures, design basis documents, surveillance test procedures, plant operating procedures, system flow diagrams, system instrumentation and control diagrams, control wiring diagrams, electrical one-line diagrams, emergency response guidelines, final safety analysis report, technical specifications, alarm procedures manuals. The freeze date of the analysis was January 1992.

Generic data were used throughout, even for most test and maintenance data (except for pumps and valves). Technical specifications were also used for test and maintenance unavailabilities. Use of generic data is due to the recent startup date of the plant.

Two plant walkdowns were performed for the Level 1 model. The first was a two day walkdown during the early phase of the examination, which was performed by the entire IPE team, in order to verify the plant layout and physical location of critical equipment, as well as accessibility. The second walkdown lasted a week and was used to refine and verify the preliminary flood scenarios, significant component locations, flood propagation paths and flood mitigation/isolation features.

Significant participation in the IPE by plant staff, procedure reviews, discussions with operations and training staff, reviews of results from previous simulator exercises, and walkdowns of important recovery actions, helped assure that the IPE HRA represented the as-built, as-operated plant.

The submittal states that the information gathered (e.g., plant drawings) was very good, and representative of the as-built, as-operated plant, due to the newness of the plant.

The submittal does not explicitly indicate whether the licensee intends to maintain a "living" PRA. However, mention is made of the intention to use the IPE in future regulatory applications and to improve future safety and economics of the CPSES Units 1 and 2.

Insofar as the back-end analyses are concerned, it appears that all the Comanche Peak containment specific features are modeled.

2.1.3 Licensee Participation and Peer Review

Licensee personnel were involved in all aspects of the analysis. TU staff performed over 90% of the work. Consultants were used mostly for highly specialized areas such as HRA, internal flooding analysis, and back-end analysis. Even in those areas, the TU staff performed the work, under the direction of the consultants. Six TU people were permanently part of the project, one of whom had the overall project management responsibility.


The IPE was subjected to a dual review process. In the internal review, each task was reviewed by an IPE team member, other than the one who performed that task. In addition, depending on the type of analysis, the analysis was also reviewed by a plant staff member not involved in the IPE. TU Electric management was fully informed of the interim results of the examination, via IPE management review meetings held periodically. Representative managers from the following organizations attended the meetings: operations, design engineering, plant engineering, reactor engineering, licensing and training.

The outside review was performed by experts from SAIC, after each task was completed and reviewed internally. The HRA review was performed by Accident Prevention Group (APG). The flooding analysis was reviewed by ERIN Engineering. ERIN also provided consulting guidance in performing the flooding analysis. The overall project plan was independently reviewed by Westinghouse.

The final independent review was performed after the IPE study was completed and the final quantification results obtained. This review considered the entire IPE study and its supporting analyses. The independent review team was composed of experts from PLG, Inc., ERIN Engineering, FRH, Inc., and Baltimore Gas and Electric. The review team spent a week at the TU Electric offices where documents, procedures and all the required supporting analyses were available for use. Overall, the review team concluded that the IPE study was very comprehensive, well documented and technically sound.

The review seems to have covered most major areas in modeling, with the most commented areas including system models, HRA, accident sequence analysis and quantification, flooding analysis and initiating event analysis. Overview of reviewers' comments and the IPE team's responses are provided in the report.

From the description provided in the IPE submittal it seems that the intent of Generic Letter 88-20 is satisfied.

2.2 Front End Technical Review

2.2.1 Accident Sequence Delineation and System Analysis

2.2.1.1 Initiating Events

The IPE initiating events were developed by including all events that could eventually result in core damage and assuming that a reactor trip would finally result. A fault tree logic diagram was also used for select initiators. Initiators were grouped in categories, based on their effect on plant systems. There were 21 initiating event categories, as follows:

LOCAs:

- excessive LOCA (reactor vessel rupture)
- large LOCA (> 6")
- medium LOCA (> 4" and <= 6")
- small LOCA (> 2" and <= 4")
- very small LOCA (<= 2")

2.2.2.5 Common-Cause Quantification

Most types of redundant equipment generally associated with common cause failures were examined to address potential common-cause failures. The approach used was the multiple Greek letter (MGL) approach. The β and (if applicable) the γ factors are reported in the submittal, with discrimination based on failure modes (e.g., in general, different values of MGL parameters are given for failure to start as opposed to failure to run). The methodology followed that described in NUREG/CR-4780 ("Procedures for Treating Common Cause Failures in Safety and Reliability Studies"). The submittal also utilized a Bayesian updating approach, to account for historical generic failures deemed possible at this plant. The priors for the MGL parameters came from a PLG data base (PLG-0500 from July 1989).

A number of categories of components were modeled in the common cause analysis, including: MOVs, AOVs, electro-hydraulic valves, solenoid valves, check valves, mechanical relief valves, mechanical relays, bistables, switches, circuit breakers, dampers, turbine driven pumps, operating motor driven pumps, standby motor driven pumps, operating fans, standby fans, diesel generators, logic trip modules, motor generator sets, reactor trip breakers, undervoltage coils, shunt trip coils and safety chillers. The list is fairly complete, but with the notable exception of batteries and air compressors, which may have a visible effect on the results. Since there also were no latent human errors causing common cause failure of these two types of components, it seems that no common cause failures of any types were considered in this case. Also potentially significant is the common cause failure of all three AFW pumps (the two motor driven and one turbine driven), which was not considered, either.

A comparison of effective β factors in the submittal vs. those suggested in NUREG/CR-4550 ("reference factor") is presented in Table 3. It should be noted that NUREG/CR-4550 generally reports just the demand type common cause failures of various components (e.g., failure to start of pumps).

The Table shows that the submittal's CCF factors are generally lower, and in some cases much lower, than the ones in NUREG/CR-4550; however, some important ones are not very much lower (standby pumps, MOVs, AOVs, diesel generators).

The reason for some low values among the CCF factors for 2-component systems used seems to be that the PLG priors are generally lower than the CCF factors reported in NUREG/CR-4550 and also the licensee has discarded generic events which do not apply to the CPSES plant. However, future events, which have not yet shown up in the data base, may be undercounted by this procedure. The licensee states that using the 95th percentile instead of the mean for the CCF factors would increase the CDF by only 2%. It is stated that some CCF would rise by as much as almost an order of magnitude, using this procedure; however it is not specified which.

Some potentially important CCFs appear to have not been considered, and the CCF factors shown in the submittal seem to be low. These effects could have a considerable impact on the results of the analysis.


Table 3. Comparison of Common-Cause Failure Factors

Component                              Failure Mode   Submittal β factor   Reference β factor
TD pumps, 2 pumps                      FTS            0.07                 -
                                       FTR            0.01
MD pumps, operating, 2 pumps           FTS            0.00273              0.026
                                       FTR            0.00209
MD pumps, standby, 2 pumps             FTS            0.036                0.056-0.21
                                       FTR            0.0018
MOV, CCF of 2 valves                   FTO/FTC        0.056                0.088
AOV, CCF of 2 valves                   FTO/FTC        0.027                0.10
Diesel Generator, CCF of 2 EDGs        FTS            0.013                0.038
                                       FTR            0.015
Mechanical relief valves, 2 valves     FTO            0.0036               0.07
                                       spur. open     0.0044

2.2.2.6 Initiating Event Frequencies

The PLG data base (PLG-0500) was used for most initiating events. For the three support system initiators (losses of chilled water, CCW and SW), plant specific fault trees were quantified with the generic data.

For losses of offsite power, data from NSAC-166 were used, yielding the generic value of 0.035/yr, used in many IPEs. As part of the RAI responses, the LOOP frequency was requantified by using data from NSAC-203 as a prior (LOOP frequency of 0.11/yr), and doing a two stage Bayesian updating process with no events in 4 years of commercial operation (1991-1994) to arrive at the posterior mean LOOP frequency of 0.058/yr (this is the site LOOP frequency). This was then adjusted by the plant capacity factor of 0.83, yielding the modified LOOP frequency of 0.048/yr, an increase of 37% in the LOOP frequency causing a 10% increase in the total CDF (to 6.3E-5/yr).

While the resulting LOOP frequency seems to be in the right range (at least when compared to many other IPEs), several questions remain: how can 0 failures in 4 years lead to such a substantial reduction in the generic LOOP frequency, and is it right to multiply by the capacity factor, since shutdown events are already screened from the data base? It should be also noted that no adjustment was made for severe weather, which might be more frequent at this site than at many other sites.
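The LOOP requantification figures quoted above can be cross-checked numerically. The following Python sketch is an added example, not part of the submittal or of this report: it assumes a single-stage conjugate gamma prior on a Poisson rate (the licensee's two-stage procedure is not described here) and assumes the LOOP/SBO share of the CDF (1.59E-5/yr, quoted in Section 2.2.5.1) scales linearly with the LOOP frequency; all function names are hypothetical.

```python
"""Cross-check of the LOOP requantification quoted in the TER (added example).

Assumption: a single-stage conjugate gamma prior on a Poisson event rate.
The licensee's actual two-stage Bayesian procedure is not described on the page.
"""

# Values quoted in the TER text
PRIOR_MEAN = 0.11         # /yr, NSAC-203 prior mean
POSTERIOR_MEAN = 0.058    # /yr, reported site LOOP frequency
EVENTS = 0                # LOOP events observed, 1991-1994
EXPOSURE_YR = 4.0         # years of commercial operation
CAPACITY_FACTOR = 0.83
ORIGINAL_LOOP = 0.035     # /yr, NSAC-166 value used in the IPE
BASE_CDF = 5.72e-5        # /yr, unmodified internal CDF
LOOP_SBO_CDF = 1.59e-5    # /yr, LOOP/SBO part of BASE_CDF


def gamma_update(alpha, beta, events, exposure):
    """Conjugate update: gamma(alpha, beta) prior, Poisson likelihood."""
    return alpha + events, beta + exposure


def implied_gamma_prior(prior_mean, post_mean, events, exposure):
    """Find the gamma prior (alpha, beta) that has the given prior mean and
    reproduces the given posterior mean after the observed evidence.

    Solves alpha/beta = prior_mean and
           (alpha + events)/(beta + exposure) = post_mean.
    """
    if prior_mean == post_mean:
        raise ValueError("evidence did not move the mean; prior is undetermined")
    beta = (post_mean * exposure - events) / (prior_mean - post_mean)
    if beta <= 0:
        raise ValueError("no gamma prior reproduces these means")
    return prior_mean * beta, beta


def posterior_mean_for_shape(alpha, prior_mean, events, exposure):
    """Posterior mean for a gamma prior with the given shape and mean."""
    beta = alpha / prior_mean
    a_post, b_post = gamma_update(alpha, beta, events, exposure)
    return a_post / b_post


def requantified_cdf(site_loop=POSTERIOR_MEAN):
    """Apply the capacity factor and rescale the LOOP/SBO part of the CDF.

    Assumption: the LOOP/SBO CDF contribution is linear in LOOP frequency.
    """
    adjusted = site_loop * CAPACITY_FACTOR
    loop_increase = adjusted / ORIGINAL_LOOP - 1.0
    new_cdf = BASE_CDF + LOOP_SBO_CDF * loop_increase
    return {
        "loop_adjusted": adjusted,
        "loop_increase": loop_increase,
        "cdf": new_cdf,
        "cdf_increase": new_cdf / BASE_CDF - 1.0,
    }


if __name__ == "__main__":
    alpha, beta = implied_gamma_prior(PRIOR_MEAN, POSTERIOR_MEAN,
                                      EVENTS, EXPOSURE_YR)
    print(f"implied prior: shape={alpha:.3f}, equivalent exposure={beta:.2f} yr")
    for shape in (0.5, 1.0, 2.0, 5.0):
        mean = posterior_mean_for_shape(shape, PRIOR_MEAN, EVENTS, EXPOSURE_YR)
        print(f"prior shape {shape:>3}: posterior mean {mean:.4f}/yr")
    result = requantified_cdf()
    print(f"adjusted LOOP {result['loop_adjusted']:.4f}/yr "
          f"(+{result['loop_increase']:.0%}), "
          f"CDF {result['cdf']:.2e}/yr (+{result['cdf_increase']:.0%})")
```

Under the gamma assumption, the reported posterior requires a diffuse prior worth roughly 4.5 years of exposure and half an event, which is why four event-free years roughly halve the mean; a prior with shape 5 and the same mean would only move to about 0.10/yr. The capacity-factor step and the linear scaling reproduce the quoted 37% and 10% increases.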

The initiating event frequencies used in the IPE are shown in Table 4.

The initiating event frequencies seem reasonable and are comparable to other PRA studies, with the above caveat about LOOP.

Table 4. Initiating Event Frequencies for Comanche Peak IPE

Initiating Event                              Frequency (/yr)
Excessive LOCA                                2.66E-7
Large LOCA                                    2.03E-4
Medium LOCA                                   4.65E-4
Small LOCA                                    5.83E-3
Very small LOCA                               1.26E-2
Loss of condenser vacuum                      0.118
General plant transient                       2.90
Inadvertent safety injection signal           2.99E-2
Main steam line break                         1.07E-2
Loss of main feedwater                        1.29
Loss of a DC bus                              3.35E-2
Loss of safety chilled water (HVAC)           7.31E-2
Loss of offsite power (corrected)             3.50E-2 (4.8E-2)
Loss of a non-vital ac bus                    8.23E-2
Loss of a protection channel                  8.36E-2
Loss of component cooling water               1.53E-2
Loss of station service water                 4.79E-3
Loss of instrument air                        2.02E-3
SGTR                                          2.84E-2
ISLOCA
 - accumulator (RV, piping)                   9.78E-3, 2.71E-5
 - RH suction line (RV, pipe, pump seal)      9.32E-5, 1.47E-7, 7.08E4
 - excess letdown (RV, pipe)                  1.30E-5, 1.19E-10
 - normal letdown (RV, pipe)                  2.27E-3, 4.77E-10
 - LPI, cold leg (RV, pipe, pump seal)        1.44E-5, 2.22E-8, 1.47E-7
 - LPI, hot leg (RV, pipe, pump seal)         2.22E-7, 6.70E-11, 8.07E-9
 - SI, cold leg (RV, pipe, pump seal)         1.44E-5, 1.23E-9, 1.47E-7
 - SI, hot leg (RV, pipe, pump seal)          4.44E-7, 7.57E-12, 8.07E-9
Internal flooding
 - auxiliary building                         3.02E-2
 - turbine building                           2.19E-2

2.2.3 Interface Issues

2.2.3.1 Front-End and Back-End Interfaces

The IPE analysis indicates that the energy in the RCS coolant and from the decay heat is insufficient to pressurize the containment above its failure pressure; therefore containment heat removal systems are not considered necessary for the Level 1 analysis. Note that in recirculation, the core cooling systems have their own heat exchangers, separate from the containment spray heat exchangers; therefore recirculation cooling is separated between the two types of systems. Realistically, it might be possible to give credit to containment spray heat exchangers providing adequate NPSH for the core cooling pumps, in case of failure of core cooling heat removal; however, that is not done in the submittal, and the effect on the results would probably be small.

Further insights into the Level 2 analysis are provided in Section 2.4.

2.2.3.2 Human Factors Interfaces

Credit is given for local manual operation of the TDAFW pump on loss of supports (instrument air or dc power). According to the submittal, available detection time is long, and it takes a short time for the operator to reach the local manual station to start the manual control. This apparently also includes SBO conditions, as it is part of the procedures. It seems the same HEP value is used for all situations (only the SBO action is proceduralized at this time, see the improvements section). Most of the time, in SBO conditions, a RCP seal LOCA will be induced (according to the model) and core damage will ensue due to inability to provide makeup. Cross connect of CCW from Unit 2 under SBO conditions would not help (to prevent a seal LOCA), as Unit 2 was under construction and its diesel generators were unavailable at the time of the IPE; therefore, Unit 2 CCW pumps would be inoperable following a LOOP.

It is not clear how much time the operators have to recover RCP seal injection or cooling upon loss of both. The SW or CCW cross-connect is not credited in preventing a seal LOCA (the cross-connects are modeled for other purposes). On the other hand, SW recovery via firewater or demineralized water was credited in preventing a RCP seal LOCA.

RWST makeup is credited, and not just in case of an SGTR as in some other plants, but also for a variety of LOCAs. It is stated the operators will follow procedures directing them to verify the availability of the recirculation capability before it is needed, which will alert them to the necessity of RWST makeup "many hours before recirculation is required."

Restoration of main feedwater is credited (MFW pumps trip on reactor trip).

Recovery and repair of failed equipment is credited in the CPSES analysis, which is not usually done in most IPEs and PRAs. Equipment treated in this manner includes all three AFW pumps, emergency diesel generators, service water pumps, CCW, failed DC buses and chilled water (HVAC). Both failure to run and failure to start could be recovered, for most of the mentioned equipment. Recovery when one or both trains have failed is credited.

In the RAI responses, a sensitivity analysis was provided showing the results obtained without credit for these repair actions. The CDF would rise by 70%, with 60% due to EDG recoveries and 10% due to pump recoveries. The SBO contribution would rise from "27% to approximately 50%". The flooding CDF would rise by 55%, while the flooding contribution to the total CDF would fall from 20% to 10%. All the other major contributors stay approximately the same.

There are relatively few common cause latent human errors modeled.

Further insights into the human reliability modeling are provided in Section 2.3.

2.2.4 Internal Flooding

2.2.4.1 Internal Flooding Methodology

The methodology used to perform the flooding analysis consisted of five major steps:

1) Preliminary flood scenario development;
2) Plant walkdown;
3) Initial flood scenario frequency screening;
4) Refinement of analysis bases and assumptions;
5) Detailed quantification of important flood scenarios.

The final two steps were performed iteratively until each scenario was determined to be below the established screening frequency or until the scenario frequency was as low as reasonably achievable using the screening methods of this study. This process may result in a substantial residual not being reported in the final results.

The screening criterion was 1.E-6/yr.

All liquid sources were included in the analysis (i.e., not just water).

The development of flooding scenarios was supported by a plant walkdown. The effect of the flood and spray on equipment cable terminal points (e.g., junction boxes) was deduced from automated plant cable data bases. Pipe whip and steam impingement were judged beyond the scope (as to the exact pattern of affected zone). Liquid jets and sprays were not considered as to the exact patterns of impingement, but were assumed to fail all the equipment in the initiation flood area. The same is true of steam impingement and pipe whip.

Propagation of flooding to other areas (including, but not limited to drains) and isolation of the floods were considered. Effect of flooding on terminal junction boxes was considered. No credit for flood mitigation via drains or sump pumps was given. Potential flooding sources included all installed, fixed liquid systems and temporary (e.g., hose or tubing) liquid systems that are generally used on a repetitive, routine basis at U.S. nuclear power plants. Temporary hose or tubing systems that could potentially be used for one-time maintenance or repair applications were outside the scope of the analysis. Maintenance induced floods were only implicitly treated as part of the generic data base used for developing flood scenario frequencies. Calculation of flood source density in different areas was performed.

In the detailed analysis, minimum water levels to induce equipment damage were considered in the flood propagation zones.

Surviving flood scenarios were quantified using internal events event trees with flood induced failure tagged in the fault trees.

With the cutoff established at 1.0E-6/yr, one flood scenario survived the screening process.

2.2.4.2 Internal Flooding Results

The scenario that survived was a source from the auxiliary building, propagating to other areas of the building and to adjacent buildings (e.g., safeguards). One possible large source is the RWST (see the internal CDF results, section 2.2.5). The profile of this scenario is flat, with no cutset contributing an inordinate amount, states the IPE. The next scenario (apparently falling below the 1.E-6/yr screening cutoff) involved flooding from the SW system in the common intake structure, thus causing a two-unit loss of SW (but only Unit 1 is analyzed). The total CDF from flooding is calculated to be 1.29E-5/yr.

No estimate of the residual from the screened scenario is given, other than a statement that conservative analysis was used in the screening process.

In response to the RAIs, it is stated that only the RWST associated pipe break scenario in the auxiliary building has the potential to affect both units. The dual unit CDF from flooding scenarios is estimated to be less than 5.0E-7/yr, and is not included in the results for Unit 1.

It seems that the flooding analysis was reasonable.

2.2.5 Core Damage Sequence Results

2.2.5.1 Dominant Core Damage Sequences

The results of the IPE analysis are in the form of functional sequences, therefore NUREG-1335 screening criteria for reporting of such sequences are used. The internal core damage frequency has a point estimate of 5.72E-5/yr, revised in the IPE responses to 6.31E-5/yr, due to the updated LOOP frequency. The numbers presented below and in the Tables are based on the unmodified CDF. Accident types and initiating events that contributed most to the CDF, and their percent contribution, are listed in Tables 5 and 6. The LOCAs in this plant are not as dominant as in some other PWRs. This may be due to a relatively large flooding contribution and a relatively large LOOP/SBO contribution, due to the RCP seal LOCA model used.

Fifteen dominant sequences were described in the submittal. Each of these important sequences has a frequency greater than approximately 1.E-6/yr. These sequences are summarized below in Table 7.

The loss of offsite power/station blackout contributes 28% or 1.59E-5/yr to the total CDF. This is mostly due to the induced RCP seal LOCA model. The RCP seal LOCA contribution is 1.66E-5/yr or 29%, from all initiators.

Most of the RCP seal LOCA contribution to the CDF comes from the station blackout sequences. The CPSES RCP seal LOCA CDF contribution is relatively high for a number of reasons. First, no credit is given to the new, temperature resistant seals installed at both units. Second, the RCP seal LOCA model assumes a seal LOCA occurs whenever the RCP seal injection/cooling fails with the reactor at operating conditions, e.g., in an SBO, with a split fraction given for a small vs. a large seal LOCA. Other plants would model this in more detail, such that a relationship between the probability of seal LOCA (including, perhaps, a distribution of possible flow rates) and elapsed time is input into the model. This gives a much more relaxed success criterion for avoidance of seal LOCAs. Third, for other initiators, the RCP seal cooling depends on instrument air, HVAC, SW, CCW and emergency power, and is thus more dependent on support systems than at some other Westinghouse plants. Fourth, the two dominant flooding initiators will cause a loss of HVAC or SW, both of which will also cause a RCP seal LOCA. Flooding is a dominant core damage event. Fifth, a pessimistic HEP is assessed for operator recovery of SW (e.g., by firewater connection). The nonrecovery probability is 0.01, for an action which needs to be accomplished in an hour.

In conclusion, the RCP seal LOCA contribution is governed by plant features (dependence on support systems, and flooding considerations) and pessimistic modeling assumptions.

The ATWS contribution is 9%, or 5.0E-6/yr, mostly due to a loss of MFW initiator. This is somewhat higher than at most PWRs, due to pessimistic success criteria and the moderator temperature coefficient considerations.

The ATWS contribution is relatively high (both in the relative and the absolute sense) compared to a typical PWR PRA, but is still within range. This contribution seems to be governed by the fact that the moderator temperature coefficient has a sufficiently small absolute value for a relatively large fraction of the time (compared to a typical PWR) that relatively stringent success criteria (on AFW flow rate and PORV opening) are required in that time period, or, worse, no success is possible. For example, Table 3.1.2-2, on page 341 of the IPE, shows that without success of the manual rod insertion, even with both PORVs available, the RCS pressure limit of 3200 psia will be exceeded 16% of the time if full AFW pumps are available (meaning all three AFW pumps), and 21.4% of the time if only % pumps are available (meaning either N MDAFW pumps or the one TDAFW pump). With one PORV blocked, these ratios would increase to 17% and 30%, respectively. (Note that some PWR PRAs do not give credit to the TDAFW pump in an ATWS, as it may take too long to start this pump in those plants).

Therefore, the ATWS contribution seems to be governed by the design of the core and the fuel cycle, and the design of the RCS. This is assuming that the ATWS modeling (i.e., the thermal hydraulic and neutron transport codes and underlying assumptions) is realistic and not pessimistic, relative to other PWRs.

The SGTR contribution is reasonable (6%). The ISLOCA contribution is 0.3%. The flooding contributes significantly at CPSES, 1.29E-5/yr or 23% of the CDF.

The SBO, LOOP and RCP seal LOCA contribution should diminish with installation of the new seals, already accomplished. Some sequences should be reduced by including effects of Unit 2 in the model. On the other hand, there could be some downside effects of Unit 2 inclusion.

If no credit were given to repair of failed equipment, the CDF would rise by 70% and the flooding CDF would rise by 55%. Of the 70% increase, 60% is due to EDG recovery and 10% to pump recovery. The SBO contribution would rise to 50% of the CDF, while the flooding contribution would decrease to 10%; all the other major contributors stay about the same in their relative contribution to the CDF.

No basic events or systems importance measures are given in the submittal.

2.2.5.2 Discussion of Support System Initiation

The question arises as to why certain initiators are not more dominant, particularly losses of supporting systems on which there is strong dependence at CPSES (instrument air, HVAC, CCW and SW). The following paragraphs address these concerns.

Instrument Air

As stated in Section 1.2, the following systems depend in some way on instrument air: pressurizer sprays, CVCS, RHR, AFW, MFW, steam relief pathways, chilled water and circulating water.

On a loss of instrument air, the following events happen:

- charging control valves fail fully open,
- letdown isolation valves close,
- pressurizer spray valves close,
- MSIVs close,
- TDAFW pump steam supply valves open,
- steam dump valves close,
- FW regulatory valves close,
- CC surge tank level makeup valves close,
- RH letdown flow control valves close,
- RH heat exchanger CC return valves close, and
- N2 supply header valve closes.

In addition, IA provides motive power to the AFW control valves and the steam generator atmospheric relief valves and also the steam dump valves. The closure of the N2 supply header also results in a loss of nitrogen supply to the pressurizer PORV accumulators. In addition, the operators have to manually throttle flow through the safety chiller condenser, which would otherwise trip on low suction pressure (location unfavorable with respect to indication, so HEP of 0.3 used, even though 1 hour is available to accomplish this).

However, there are some mitigating considerations:

There are two spare compressors on site (shared with the other Unit at this time, but not at the time of the IPE). These must be manually started, with either one being sufficient for success. The initiating event frequency just accounts for the loss of the two compressors dedicated to the Unit (one running and one standby).

All the valves that must be manipulated following the initiating event have at least 30 minute accumulators.

The steam generator ARVs have enough air in their accumulators for 5 hours of operation.

The pressurizer PORVs have enough N2 in the accumulators for 100 cycles, before failing closed. The operators are instructed to do feed and bleed without cycling the PORVs. Manual actions to recharge the accumulators (they have about an hour after the accumulators are exhausted) are credited (HEP of 0.05).

The control room personnel will manually control charging flow to maintain pressurizer pressure and level control. They must also manually align the RH and CC systems for the decay heat removal mode of operation. Credit is given for manual manipulation of the charging system (valve HCV-182) to divert enough flow for RCP seal injection (about 45 minutes available, HEP is 0.05).

The AFW control valves have enough air in the accumulators for 30 minutes of operation before failing open. After that, there is a 90 minute period during which the operators can attempt to gain control of flow in order to prevent SG overfill. They have procedures to control flow of the TDAFW pump following loss of supports (specifically loss of IA and loss of DC). These actions are credited in the IPE (HEP of 0.01 to throttle the TDAFW flow).

Considering all these facts, and taking into account that a lot of the HEPs seem to have been left at their screening value, the result that IA is not a dominant contributor, given the initiating event frequency of 2E-3/yr, is credible. The plant has provisions in place to offset strong IA dependence and maintain core cooling by a variety of methods, in addition to having two spare compressors.

HVAC

Loss of chilled water initiating event has a frequency of 7.32E-2/yr, yet the CDF is 7.55E-7/yr, or a contribution of 1.3%. The conditional core damage probability, given the initiator, is therefore 1E-5.

In Section 1.2, it is stated the following systems depend on room cooling (HVAC), which in some cases encompasses more than just the chilled water system: HPI (SI) pumps, all three charging pumps, RHR (LPI) pumps, CSS pumps, MDAFW pumps, CCW pumps, UPS, main control room, EDGs, electrical switchgear and batteries. Some equipment (e.g., batteries) may need heating at certain times of year. The EDGs and batteries just need ventilation fans operating. The UPSs (and also the battery chargers, which are collocated in the UPSs' rooms) have dedicated air conditioners, cooled by CCW. The same is true of the control room.

There are two HVAC chilled water systems, both ultimately cooled by the CCW: the ventilation chilled water and the emergency, or safety, chilled water (also simply referred to as "chilled water" in the IPE and the TER). The emergency chilled water has two trains, one operating and one standby.

The ventilation chilled water is used to cool the auxiliary building, safeguards building and the electrical switchgear rooms (both emergency and normal) during normal operation, startup and shutdown. This system is cooled by the non-safeguards normal loop of the CCW system. The nonsafeguards CCW loop is isolated on a "P" signal (high containment pressure). Therefore, during most plant transients, the ventilation chilled water will continue to provide adequate HVAC cooling to the operating systems, including the positive displacement charging pump, the electrical switchgear rooms and the CCW pumps. In addition, during intermittent operation of high pressure systems (CCPs or SI pumps) for the feed and bleed operation, safety chilled water is not needed.

The safety chilled water system is actuated on an "S" signal (safety injection), "BOS" signal (loss of offsite power) or startup of a respective component cooling water pump. Also, the system is manually started by operators on startup of a respective MDAFW pump. All the ECCS pumps, the CSS pumps, and the CCW pumps need the safety chilled water HVAC when responding to a LOCA. The emergency electrical switchgear rooms are supplied with both the normal ventilation chilled water HVAC and the safety chilled water HVAC. Upon failure of the normal HVAC, the operators have 12 hours to switch to the safety HVAC in these rooms (proceduralized), based upon the room heatup rates (HEP of 0.01). In addition, the MDAFW pumps need the safety chilled water HVAC; failure of the chilled water system is modeled by assigning a high failure probability to the two MDAFW pumps (about 0.3 failure probability each), and that is the main effect of the safety chilled water HVAC loss as far as the pumps are concerned. Note that the TDAFW pump is not affected by HVAC. On loss of the safety chilled water system, there will be a precautionary manual shutdown. Some credit is given to restoring the safety chilled water system (HEP of 0.77).

Operation without HVAC for a limited but significant time is credited for the safeguards pumps (HPI, CCP, RHR and CSS) and electrical switchgear rooms. This is based upon the comments received during the internal IPE review.

Therefore, at the very minimum, on loss of safety chilled water, there will be the following systems available with high probability: the safety (and nonsafety) electrical switchgear, the UPSs, the EDGs, the DC power system, the control room, the three AFW pumps (albeit the two MDAFW pumps with high failure probabilities), CCW (either Unit's own or via the cross-connect from the other unit), the positive displacement charging pump, and the CCPs and the SI pumps. Therefore the RCP seals will remain intact. The instrument air and the service water would be available. The operators could use the secondary cooling or the feed and bleed operation.

In addition, for the HVAC systems cooled directly by CCW (the UPS rooms and the control room), there are operator procedures to respond to loss of such systems. Opening of doors, while proceduralized, was not credited. In case of UPS room HVAC loss, the operators are instructed to switch the instrument power to unregulated 120 V ac power, instead of going through the inverters. The effect of such loss is a depletion of batteries in 4 hours, after which time the feed and bleed capability is lost. In case of the control room HVAC, the operators can start the standby HVAC unit, or failing that, manually trip the ESFAS upon exceeding the environmental qualification temperature (HEP of 0.05, based on a slow control room heatup rate). This takes several hours.

CCW

As noted in Section 1.2, CCW is needed for RCP thermal barrier cooling, the PDP charging pump cooling, the RHR pumps and heat exchangers, containment spray pumps and recirculation heat exchangers, instrument air compressor cooling and HVAC throughout the plant (except diesel generators and batteries). The RHR and CSS pumps can operate for a limited time without CCW or room cooling.

Mitigating considerations are as follows: The operators can open the crosstie from the other unit CCW system (HEP of 0.01). The two spare instrument air compressors are cooled by the turbine plant cooling water (TPCW), and therefore, independent of CCW. The heatup rates for the electrical switchgear rooms are very slow, and there are operator actions to compensate for loss of UPS and control room cooling. The main effect of CCW-caused loss of HVAC will be battery depletion (and loss of feed and bleed capability) at 4 hours and increased MDAFW pump failure probabilities. (The battery depletion occurs because the chargers are located in the UPS rooms and they will be lost). The CCPs (centrifugal charging pumps) could be used for feed and bleed (dependence on service water) until battery depletion, and also for RCP seal injection. The TDAFW pump is independent of CCW. Restoration of failed CCW equipment is also credited (HEP of 4.5E-3, includes both restoration and crosstying to the other unit).

Therefore, the operators could use the secondary cooling (via TDAFW pump, or via either MDAFW pump, if available), or they can employ the feed and bleed operation (if CCW is restored or crosstied). In cases when CCW is not crosstied or restored, no credit is given for extending the time to core damage by having the feed and bleed operation for 4 hours.

In conclusion, the results for loss of CCW are credible, because of the credit for crosstying or restoring CCW and because of some credit given to continued MDAFW operation under loss of HVAC. (The TDAFW pump would be unaffected by this event). In addition, instrument air, an important support system, can be recovered as the spare compressors are independent of CCW.

Service Water

The service water system at Comanche Peak supports the CCPs, the SI pumps, the CSS pumps, the EDGs and the CCW heat exchangers. The CCPs, SI and CSS pumps can operate for a limited time without SW.

Upon a loss of SW, the operators have several options in order to preserve the RCP seals, regain the room cooling and proceed with the secondary cooling (or feed and bleed). Restoring the CCW cooling, by either cross-tying the CCW systems, or the SW systems of the two units is one option (HEP of 1.E-2 for either action is given). Credit is also given for repair of a failed SW pump. The RCP seals can be preserved by aligning the firewater to the CCP sumps (one hour available, HEP of 1.E-2 given). The operators can compensate for the loss of room cooling in the rooms of the most immediate concern (UPS and the control room) as stated above under loss of CCW and loss of HVAC.

Therefore, the conditional core damage probability of 1.3E-4 calculated in the IPE appears to be reasonable.

Table 5. Accident Types and Their Contribution to the CDF (1)

| Initiating Event Group | Contribution to CDF (/yr) | % |
|---|---|---|
| Loss of offsite power | 1.59E-5 | 28 |
| Internal flood | 1.29E-5 | 23 |
| Transient | 1.26E-5 | 22 |
| LOCA (2) | 9.70E-6 | 17 |
| Steam generator tube rupture | 3.54E-6 | 6 |
| Loss of support system (3) | 2.31E-6 | 4 |
| (Station blackout) | (1.59E-5) | (28) |
| (Anticipated transient without scram) | (5.03E-6) | (9) |
| (Interfacing system LOCA) | (1.56E-7) | (0.3) |
| TOTAL CDF | 5.72E-5 | 100.0 |

(1) Categories in parentheses (e.g., station blackout) are not separate initiator types but are included in other categories (e.g., SBO is included under LOOP and transient).

(2) LOCA category includes the 4 classical LOCA sizes, plus excessive LOCA (i.e., reactor vessel rupture) plus interfacing system LOCAs.

(3) Loss of support system includes losses of CCW, SW or chilled water (HVAC). All others are included in the "transient" category, except for losses of offsite power, which are under their own category.

Table 6. Initiating Events and Their Contribution to the CDF

| Initiating Event | Contribution to CDF (/yr) | % |
|---|---|---|
| Loss of offsite power | 1.59E-5 | 27.9 |
| Internal flooding | 1.29E-5 | 22.7 |
| Loss of main feedwater | 5.03E-6 | 8.8 |
| General transient (1) | 4.56E-6 | 8.0 |
| Very small LOCA | 3.76E-6 | 6.6 |
| Steam generator tube rupture | 3.54E-6 | 6.2 |
| Large LOCA | 2.85E-6 | 5.0 |
| Loss of dc bus 1ED1 | 2.17E-6 | 3.9 |
| Small LOCA | 1.65E-6 | 3.0 |
| Medium LOCA | 1.02E-6 | 1.8 |
| Loss of component cooling water | 9.03E-7 | 1.6 |
| Loss of chilled water (HVAC) | 7.55E-7 | 1.3 |
| Loss of service water | 6.04E-7 | 1.1 |
| Loss of condenser vacuum | 5.84E-7 | 1.0 |
| Excessive LOCA | 2.66E-7 | 0.6 |
| Interfacing systems LOCA | 1.56E-7 | 0.3 |
| Loss of 6.9 kV ac bus 1A1 | 7.60E-8 | 0.13 |
| Inadvertent safety injection signal | 5.%E-8 | 0.09 |
| Main steam line break | 5.48E-8 | 0.09 |
| Loss of a protection channel | 4.86E-8 | 0.08 |

(1) General transient includes reactor trip, turbine trip, excessive feedwater flow, inadvertent closure of one or all MSIVs, core power excursion and loss of primary flow.

Table 7. Dominant Core Damage Sequences (Only the most dominant initiating event contributors to the CDF are listed here)

| Initiating Event | Dominant Subsequent Failures in Sequence | % of CDF |
|---|---|---|
| Loss of offsite power | Failures of both divisions of emergency power (due to CCF or individual latent error of diesel generators, failure of EDG supports, test/maintenance of an EDG, CCF failures of emergency buses), induced seal LOCA is large (0.6"-2") and failure of offsite power recovery before core uncovery. | 20 |
| Internal flood (RWST source) | Failures of both trains of safety chilled water, instrument air compressors (fails main feedwater) and both trains of ECCS pumps located on lower elevations of the Safeguards building (disables feed and bleed). Possible failure of either train of MDAFW pumps due to loss of room cooling (both fail in the cutset). TDAFW pump lost due to latent human error, failure of operator to manually locally control flow or hardware failure during operation. | 8 |
| Small break LOCA | Failure of recirculation due to operator error. | 8 |
| Steam generator tube rupture | Operators fail to isolate break flow on SGTR in a timely manner (leads to RWST depletion). | 6 |
| Very small LOCA | Failure to align for recirculation due to operator error. | 5 |
| Transient or loss of support system | Various system failures due to loss of SW (as an initiator or as a subsequent failure) or loss of a dc bus, lead to a large seal LOCA (0.6"-2"), with failure of ECCS in injection (secondary cooling is successful). | 5 |
| Transient | Mechanical control rod binding (ATWS), failure of main feedwater (either as an initiating event, or loss of support, e.g., dc bus), failure of any AFW pump (hardware failure to start or run, or failure of support, e.g. dc bus); turbine trip is successful. | 5 |
| Loss of offsite power | Failure of both divisions of emergency power (hardware failure of EDGs, CCF failures of the emergency buses), failure of the TDAFW pump (hardware failure to start or to run), failure of offsite power recovery in a timely manner, failure of EDG recovery. | 4 |
| General transient | Room cooling failure (due to various combinations of CCW and SW pump failures, including test/maintenance and hardware failures); possibility of either MDAFW pump failing due to room cooling failure (both fail in the cutsets); feed and bleed cannot be started when the batteries deplete after 4 hours (the batteries are called upon because the chargers are lost due to the HVAC failure). | 3 |
| Large LOCA | Failures in either hot or cold leg recirculation (mostly hot leg recirculation failures due to valve failures or maintenance). | 3 |
| Various initiators (dominant are loss of offsite power, loss of station service water, loss of a dc bus, and a general transient) | Induced small seal LOCA due to various failure combinations induced by the initiators or in combination with additional hardware failures (e.g., CCF of both emergency buses, failure of a SW pump, test/maintenance of a SW train, or an emergency bus); ECCS equipment fails due to same mechanisms; operators fail to recover from the initiator or subsequent failures; AFW is successful. | 3 |
| Various initiators (mostly loss of offsite power) | Various combinations of EDG failures (including SW support), lead to an SBO, with a subsequent loss of seal cooling and a small seal LOCA; operators fail to recover a EDG, or offsite power; TDAFW pump fails due to latent error or hardware failures. | 3 |
| Transient (dominant loss of a dc bus or loss of MFW) | Electrical ATWS with successful turbine trip; main feedwater failed by the initiator; failure of remote manual trip (due to CCF of reactor trip breaker); combination of manual rod insertion, AFW capacity available, PORV availability and time in life is unfavorable, with dominant failures involving hardware failure of TDAFW pump to start or to run, or the core life being unfavorable with one MDAFW pump out, manual rod insertion OK and one PORV available. | 2 |
| Transient (mostly loss of offsite power) | CCF of both emergency buses leads to SBO; this leads to PORV unavailability; the SRVs are challenged and one fails to close, leading to a LOCA (> 2"); offsite power recovery fails prior to core uncovery. | 2 |
| Loss of main feedwater | Failure of MDAFW pumps due to loss of room cooling (caused by various combinations of failure of CCW and SW pumps), failure of TDAFW pump due to latent human error or hardware failures, failure of operators to recover TDAFW, failure of feed and bleed after battery depletion (chargers fail due to UPS HVAC failure) at 4 hours. | 2 |

2.3 Human Reliability Analysis Technical Review

2.3.1 Pre-Initiator Human Actions

Errors in the performance of pre-initiator human actions (such as failure to restore or properly align equipment after testing or maintenance, or miscalibration of system logic instrumentation), may cause components, trains, or entire systems to be unavailable on demand during an initiating event. The review of the human reliability analysis (HRA) portion of the IPE examines the licensee's HRA process to determine the extent to which pre-initiator human events were considered, how potential events were identified, the effectiveness of any quantitative and/or qualitative screening processes used, and the processes used to account for plant-specific performance shaping factors (PSFs), recovery factors, and dependencies among multiple actions.

2.3.1.1 Types of Pre-Initiator Human Actions Considered

The Comanche Peak IPE considered both of the traditional types of pre-initiator human actions: failures to restore systems after test, maintenance, or surveillance activities and instrument miscalibrations. A broad range of both types of events was considered, with over 160 events actually modeled. All pre-initiator or "latent" events were modeled in the fault trees.

2.3.1.2 Process for Identification and Selection of Pre-Initiator Human Actions

All operator actions in the fault trees were identified by Comanche Peak analysts during the development of the system models and accident sequences. It was stated that the process was consistent with that outlined in SHARP1. Identification of the events was based on a review of each system and on plant procedures (operating and test and maintenance). Plant personnel were involved in the identification and selection of pre-initiator actions and interviews with maintenance and instrumentation and control technicians regarding specific plant practices were conducted. Thus, it appears that relevant information sources were examined and that factors which could influence the probability of pre-initiator errors were considered.

2.3.1.3 Screening Process for Pre-Initiator Human Actions

The licensee stated that the screening methodology used "... is a melding of several previously published methodologies." In response to the NRC's RAI, it was stated that the method used was the "HRA Calculator" method, which is a PC based software program based on earlier EPRI methods, including HCR, ORE and SHARP. The response to the RAI referred to several EPRI reports and published articles for documentation on the logic behind the derivation of the method. Application of the method involved the use of a series of structured questions represented in a decision tree. Use of the decision tree led the evaluator to a human error probability (HEP) screening value which was determined as a function of the relative impact of various performance shaping factors (PSFs). Different decision trees were used for restoration and miscalibration events. Common cause factors were accounted for through use of a 0.1 beta factor or two modifying factors. A multiplier of 0.05 was applied if different calibration procedures were used for different channels and 0.01 was used to reflect variations in schedule and frequency of calibration. The overall approach used was relatively detailed and was not unreasonable or inconsistent with those used in other IPEs.

2.3.1.4 Quantification of Pre-Initiator Human Actions

The licensee's response to the RAI indicated that only one pre-initiator screening value was re-evaluated after initial quantification. After screening, it was determined that if RHR valve 1-1787 was misaligned, an alarm would signal in the control room. Thus, the HEP was reduced by multiplying the original screening value by 1E-2 (HEP reduced to 5.0E-5). In addition, the response to the RAI indicated that steps were taken to ensure that the screening values were not overly optimistic. The concern was that if the values were overly optimistic, important sequences might be prevented from appearing in the dominant category. The steps included comparing the values with available INPO data and ensuring that the values were conservative compared to industry sources such as NUCLARR [NUREG/CR-4639].

2.3.2 Post-Initiator Human Actions

Post-initiator human actions are those required in response to initiating events or related system failures. Although different labels are often applied, there are two important types of post-initiator human actions that are usually addressed in PRAs: response actions and recovery actions. Response actions are generally distinguished from recovery actions in that response actions are usually explicitly directed by emergency operating procedures (EOPs). Alternatively, recovery actions are usually performed in order to recover a specific system in time to prevent undesired consequences. Recovery actions may entail going beyond EOP directives and using systems in relatively unusual ways. Credit for recovery actions is normally not taken unless at least some procedural guidance is available.

The review of the human reliability analysis (HRA) portion of the IPE determines the types of post-initiator human actions considered by the licensee and evaluates the processes used to identify and select, screen, and quantify the post-initiator actions. The licensee's treatment of operator action timing, dependencies among human actions, consideration of accident context, and consideration of plant-specific PSFs is also examined.

2.3.2.1 Types of Post-Initiator Human Actions Considered

The Comanche Peak IPE modeled both response (Type CP) and recovery (Type CR) post-initiator human actions. The response to the NRC's RAI stated that all actions credited were proceduralized, but in some cases procedures had to be written to cover the action.

2.3.2.2 Process for Identification and Selection of Post-Initiator Human Actions

The licensee indicated that identification of response type actions was "based on plant procedures and information, interviews with operations staff with on-site experience, and consideration of timing." Inclusion of recovery actions was based on results from the accident sequence analysis. That is, the recovery actions were determined after examining the cutsets. Apparently some limited simulator data from Comanche Peak was examined and simulator data from Diablo Canyon was also considered in determining and assessing relevant human actions. Thus, reasonable steps were taken that would help ensure appropriate actions were identified and modeled.

2.3.2.3 Screening Process for Post-Initiator Response Actions

The screening process for type CP or response type human actions was based on use of the "dynamic action screening value decision tree" from the HRA Calculator methodology. As with the pre-initiator events, the response to the RAI referred to several references for "notable explanation of a logic behind construction of decision trees." The values used in the decision trees ranged from 1.0 to 5E-2 and the values were assumed to account for both the diagnosis and execution portions of the action (the probability of execution failures was assumed negligible). The PSFs considered in the tree were stated to be heavily influenced by results from EPRI's ORE project. They included consideration of procedures and training, task complexity, operator reluctance and time available (short or long). The trees were designed to account for "the key influencing factors, their interactions, dependencies, and relative importance to human error likelihood."

The licensee's response to the RAI suggests that potential dependencies between events were appropriately considered during screening. Cognitive dependency, accident sequence dependency, and the closeness of events in time were evaluated. If events were determined to be linked, the HEPs for the second and subsequent events were set to 1.0. If the events were independent, the decision tree values were used. While this approach appeared reasonable, a review of identified dominant sequences indicated that several sequences contained multiple human actions that were at least potentially dependent, but which were assumed to be independent. In response to an additional RAI on this issue, the licensee addressed sequences containing multiple "dynamic human actions" and provided reasonable rationales for their assumptions of independence. While counter arguments to the rationales are possible, it was clear that the potential dependencies had been considered by the analysts. Given that the rationales presented were reasonable, there is no particular reason to believe that important sequences were inappropriately truncated during screening.

While only a few type CP ex-control room actions were modeled during screening, the licensee did not explicitly distinguish between in and ex-control room screening values. They simply considered whether adequate time and appropriate procedural guidance was available. For screening purposes, such an approach is acceptable.

2.3.2.4 Quantification of Post-Initiator Human Actions

The licensee states that for events found to be important to either the probability of a dominant cut set or to overall core damage frequency, a second evaluation was performed using an expert interview method (two nuclear training department instructors were interviewed). The expert interview method was referred to as the direct estimation method (Comer et al.) and was applied to ten events. In applying the method, the analysts generated detailed descriptions of each human interaction event (including boundary conditions, dependencies, and time windows etc.). They then discussed the events in the context of previous experience with simulator runs and provided probabilistic scales to the experts. The experts provided an upper and lower bound and an average HEP value. The resulting HEPs for the ten events were not unreasonable and if anything, appear somewhat conservative.

While the quantification process for important events was acceptable, a potential problem arises from the fact that only ten human actions were assigned more realistic values, with the remaining human actions left at their probably pessimistic screening values. The problem with such an approach is that human actions left at screening values in dominant sequences may have led to an incorrect ordering of sequences. With realistic HEPs, some of the dominant sequences may no longer have been dominant and others may have shown to be more dominant. Thus, there exists a potential for distortion in the results. In response to an additional RAI, the licensee argued that the guidance from SHARP advocates a "fine" screening analysis to prevent distortions in the relative ordering of sequences from the use of overly conservative HEPs. However, this is not really the issue. The problem, as noted above, arises from only performing detailed analysis on a few human actions. Nevertheless, the licensee also noted that after initial re-quantification was completed, if some non-dominant sequences became dominant, the human actions were evaluated again. The licensee maintains that a high percentage of the operator actions in important sequences were analyzed in detail and therefore the appropriate ordering of sequences was maintained.

2.3.2.4.1 Estimates and Consideration of Operator Response Time

The determination of the time available for operators to diagnose and perform event related actions is a critical aspect of HRA methods. In the Comanche Peak HRA, total time available was determined with MAAP and RETRAN codes and the time available for operators to diagnose and conduct the actions was at least roughly treated in the screening decision trees and in the more detailed analysis. It appeared that expert opinion was used to assess whether the time was adequate and whether it would be considered a long or short time frame scenario. Some simulator data were reviewed to support the timing assumptions and the framework for the method described in the response to the RAI apparently included walkdowns for recovery actions. The walkdowns addressed timing, plant-specific time windows, evaluation of demands of the task, need for extra equipment etc., and other PSFs.

2.3.2.4.2 Other Performance Shaping Factors Considered

As noted above, the decision tree approach and the direct estimation method address at least some relevant PSFs. In addition, the plant walkdowns addressed issues related to performing recovery and these are discussed below in Section 2.3.2.4.4.

2.3.2.4.3 Consideration of Dependencies

Two basic types of dependencies are normally considered in quantifying post-initiator human actions: 1) time dependence and 2) dependencies between multiple actions in a sequence or cut set. One type of time dependence is concerned with the fact that the time needed to perform an action influences the time available to recognize that a problem has occurred and to diagnose the need for an action.

Another aspect of time dependence is that when sequential actions are considered, the time to complete one action will impact the time available to complete another. Similarly, the sooner one action is performed, the slower or quicker the condition of the plant changes. This type of time dependence is normally addressed by making conservative assumptions with respect to accident sequence definitions. One aspect of this approach is to let the timing of the first action in a sequence initially minimize the time window for subsequent actions. The occurrence of cues for later actions are then used as new time origins. The Comanche Peak submittal indicates that evaluation of such timing factors occurred, but details were not provided.

The second type of dependence considers the extent to which the failure probabilities of multiple human actions within a sequence or cutset are related. There are clearly cases where the context of the accident and the pattern of successes and failure can influence the probability of human error. Thus, in many cases it would clearly be inappropriate to assume that multiple human actions in a sequence or cut set would be independent. Furthermore, context effects should be examined even for single actions in a cut set. While the same basic action can be asked in a number of different sequences, different contexts can obviously lead to different likelihoods of success.

Several discussions in the submittal and in the response to the RAIs indicate that potential dependencies among the operator actions were appropriately considered. Details on the aspects of the licensee's treatment of dependencies are discussed above in sections 2.3.1.3, 2.3.2.3, and 2.3.2.4.

2.3.2.4.4 Quantification of Recovery Type Actions

The licensee credited the recovery/repair of failed systems in many cases. They indicated that the evaluation of recovery actions was based on the EPRI recovery methodology [EPRI RP-3206-03] which apparently relies heavily on NSAC-161 [NSAC-161], "Faulted Systems Recovery Experience." It is asserted that the data (including recovery curves) from NSAC-161 were combined with assessed plant-specific time windows. Where data were unavailable, use was made of decision trees with estimates provided by the expert judgement approach. A reasonable set of PSFs related to the recovery action were considered. They included transit time, the man-machine interface (alarms and indicators), access to equipment, complexity involved in getting the equipment to operate and the environmental conditions. Potential dependencies were also evaluated.

Given potential limitations with the NSAC-161 data, an additional RAI submitted to the licensee requested an estimate of how the results would change (i.e., a sensitivity analysis) if recovery credit was not taken in the IPE. The licensee set all recovery values to 1.0, and requantified, and estimated the increase in CDF for the internal events results and for internal floods and interfacing system LOCAs. The increase in CDF for the two cases were found to be approximately 70% and 55%. They also found that the dominant sequences (LOOP and internal flood) still remained dominant, but that the LOOP contribution increased from 27% to about 50%, and the flood contribution dropped from about 20% to 10%. All other initiators remained "more or less in the same range" (i.e., less than 10% for any single contributor).

The licensee also maintained that they believe the values from NSAC-161 are conservative, and they provided a reasonable, but debatable, justification of that belief. These results suggest that the application of the recovery actions credited in the Comanche Peak IPE did not preclude identification of potential vulnerabilities.
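The recovery sensitivity study described in this section (all recovery values set to 1.0 and the results requantified) can be worked through on a small cutset list. The Python example below is added here for illustration and is not the licensee's or the reviewers' model: the cutsets, event names, initiator frequencies and hardware probabilities are constructed, and only the two recovery values reuse the 0.25 and 0.2 recovery HEPs quoted in this report's table of important human actions. It also computes the Fussell-Vesely importance measure used to rank those actions.

```python
from math import prod

# Constructed basic-event data (not plant data). Initiators are per-year
# frequencies; the rest are failure probabilities. The two recovery HEPs
# reuse values the report quotes: 0.25 (EDG recovery) and 0.2 (dc bus recovery).
BASIC_EVENTS = {
    "IE_LOOP": 5.0e-2,
    "IE_FLOOD": 1.0e-3,
    "IE_DC_BUS": 1.0e-3,
    "EDG_A_FTS": 2.0e-2,
    "EDG_B_FTS": 2.0e-2,
    "EDG_CCF": 1.0e-3,
    "AFW_FAIL": 1.0e-2,
    "REC_EDG": 0.25,
    "REC_DC_BUS": 0.20,
}
RECOVERY_EVENTS = {"REC_EDG", "REC_DC_BUS"}

# Constructed minimal cutsets; the first element is always the initiator.
CUTSETS = [
    ("IE_LOOP", "EDG_A_FTS", "EDG_B_FTS", "REC_EDG"),
    ("IE_LOOP", "EDG_CCF", "REC_EDG"),
    ("IE_FLOOD", "AFW_FAIL"),
    ("IE_DC_BUS", "AFW_FAIL", "REC_DC_BUS"),
]


def cutset_frequency(cutset, probs):
    """Frequency of one cutset: product of its basic-event values."""
    return prod(probs[event] for event in cutset)


def cdf(cutsets, probs):
    """Core damage frequency by the rare-event approximation (sum of cutsets)."""
    return sum(cutset_frequency(c, probs) for c in cutsets)


def fussell_vesely(event, cutsets, probs):
    """Fraction of the CDF carried by cutsets that contain the event."""
    containing = sum(cutset_frequency(c, probs) for c in cutsets if event in c)
    return containing / cdf(cutsets, probs)


def initiator_shares(cutsets, probs):
    """Share of the CDF attributed to each initiating event."""
    total = cdf(cutsets, probs)
    shares = {}
    for c in cutsets:
        shares[c[0]] = shares.get(c[0], 0.0) + cutset_frequency(c, probs) / total
    return shares


def recovery_sensitivity(cutsets, probs, recovery_events):
    """Requantify with every recovery event set to 1.0 (no recovery credit)."""
    no_credit = {e: (1.0 if e in recovery_events else p) for e, p in probs.items()}
    base, bounded = cdf(cutsets, probs), cdf(cutsets, no_credit)
    return {
        "base_cdf": base,
        "no_recovery_cdf": bounded,
        "increase_pct": 100.0 * (bounded / base - 1.0),
        "base_shares": initiator_shares(cutsets, probs),
        "no_recovery_shares": initiator_shares(cutsets, no_credit),
    }


if __name__ == "__main__":
    result = recovery_sensitivity(CUTSETS, BASIC_EVENTS, RECOVERY_EVENTS)
    print(f"CDF with recovery credit:    {result['base_cdf']:.2e} /yr")
    print(f"CDF without recovery credit: {result['no_recovery_cdf']:.2e} /yr")
    print(f"Increase: {result['increase_pct']:.0f}%")
    for ie, share in result["base_shares"].items():
        print(f"{ie}: {share:.1%} -> {result['no_recovery_shares'][ie]:.1%}")
    print(f"FV(REC_EDG) = {fussell_vesely('REC_EDG', CUTSETS, BASIC_EVENTS):.3f}")
```

A full requantification would also re-solve the fault tree model rather than rescale a fixed list, because cutsets truncated while recovery was credited can rise above the truncation limit once the credit is removed.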

2.3.2.4.5 Human Actions in the Flooding Analysis

The HRA for the Comanche Peak internal flood analysis consisted of several parts. First, during initial screening analysis, all HEPs were set to 1.0. Next, human actions not affected by the flood (in risk significant flood scenarios) were then assigned the HEPs used in the analysis of internal events. The HEPs for the remaining actions (ex-control room) were multiplied by a factor of two to reflect moderate stress (per THERP), e.g., mitigation of break flow by tripping pumps or closing valves etc. Finally, for several scenarios, a 30 minute mitigation assumption was made and the failure probability to isolate the break was set at 0.1. The licensee provided a list of the human actions found in the cutsets and their HEPs. Of the eight actions listed, four were still at 1.0 with the others ranging (apparently as a function of context) from 0.02 to 1.0. The flooding analysis appeared reasonable and as noted above, internal flooding was the second most important contributor to CDF.

2.3.2.4.6 Human Actions in the Level 2 Analysis

Section 2.4.1.2 discusses the treatment of human actions in the level 2 analysis.

2.3.2.5 Important Human Actions

The Comanche Peak IPE provided a list of important human actions as determined on the basis of Fussell-Vesely measures. The top ten events, their HEPs, and their Fussell-Vesely values are presented below in Table 8.

Table 8 Important Human Actions .

Event Description Humanh Fumel-Vesely Probability Value Operator fails to realign CCPS, SIPS, and RHPS to Recirc. (Hot 2.00E-03 1.11E 01 or Cold) - After a LOCA and completion of the injection phase, the operators must realign the suction of the CCPs and SIPS to the discharge of the RH pumps. His task is initiated when the RWST reaches 40%. He Switchover must be completed prior to all pumps tripping on low suction pressure (&RCXX01).

Operators and Plant Staff Fall to Realign to Recire. On Late 1.00E-01 8.91E-02 Recire Events - On events in which recirculation is entered into very late, due to the small break flows and large RWST volume, the probability of not entering recirc. is overly conservative.

Therefore, this correction factor can be added to the cutsets to adjust the probability of that event (LATERECIRC).

Operator Falls to Recover a Diesel Generator that has Failed to 2.50E 01 8.25E-02 Start -If a single diesel generator has failed to start, it must be recovered by the operators. Based on review of the limited data )

in NSAC - 161, a conservative failure pdability of 0.25 was  !

chosen as the probability that operators cannot recover this )

generator prior to core uncovery, which takes at least 110 minutes to occur (EPDGSTARTI).

33

1 j ""*" I Event Description Probability Value

! Diesel Generator CPI-MEDGEE42 inadvertently disabled 1.00E42 6.64E-02 (EPBDGGEE02NX) .

Operator Fails to Isolate Break Flow on SGTR aAer 2 Hours - 1.00E-04 6.45E 02 l

AAer a steam generator tube mpture with successful l . establishment of ECCS injection and secondary heat removal, the j operators must terminate break flow prior to depletion of the

RWST. His is accomplished by depressurizing the non-i ruptured generators to cool the primary, then depressurizing the j primary. Dey have approx.18 hours2.083333e-4 days <br />0.005 hours <br />2.97619e-5 weeks <br />6.849e-6 months <br /> to perform this task

(&SGTR01).

I TDAFWP Train Unavailable Due to Latent Human Error 2.00E-02 6.34E42 ,

l (AFCP'I7TD01FX).

1 i Diesel Generator cpl-MEDGEE 01 Inadvertently Disabled 1.00E-02 5.00E-02 1 (EPADGGEE0lNX)

Operator Fails to Use ECA-1.1 on Loss of Recirc. Capability    1.00E-02    4.16E-02
Upon loss of recirculation capability, the operators must reduce ECCS injection flows and align a source of makeup water to the Refueling Water Storage Tank. This will ensure that the core remains cooled until equipment can be repaired, and recirculation can be accomplished. They will be aware of the loss of capability many hours before recirculation is required, as the procedure directs them to verify the capability (ECA-1.1).

Operator Fails to Recover a Diesel Generator that has Failed to Run    2.50E-01    3.30E-02
If a single diesel generator has failed during its mission time, it must be recovered by the operators. Based on review of the limited data in NSAC-161, a conservative failure probability of 0.25 was chosen as the probability that operators cannot recover this generator prior to core uncovery, which takes at least 110 minutes to occur (EPDGRUNI).

Operator Fails to Recover 125 VDC Bus 1EDI in 2 Hours    2.00E-01    3.24E-02
If 1E DC bus 1EDI faults, the operators must repair and re-energize it within 2 hours to make the equipment powered by this bus available. Based on the data in NSAC-161, they will be unable to do this 20% of the time (X1 RECOVER).


2.4 Back End Technical Review

2.4.1 Containment Analysis/Characterization

2.4.1.1 Front-end Back-end Dependencies

The interfaces between the front-end and back-end analyses are provided in the IPE by the definition of 23 Plant Damage States (PDSs). A PDS is defined in the IPE as a group of core damage sequences that have similar characteristics with respect to the severe accident progression and containment response. Definition of the accident classes is discussed in Section 4.3 of the IPE submittal.

The PDSs are defined in the Comanche Peak IPE by the core damage state attributes and containment system status. The parameters considered in the PDS definition include:

For Core Damage States (Core Damage Bins):

Core Melt Timing (Early or Late),

RCS Pressure (Low, Medium, or High),

For Containment States (Containment Safeguards Bins):

Containment Pressure Boundary Status (Intact, un-isolated, or bypassed),

Containment Safeguards System Status (Sprays and Fan coolers).

Based on core damage states and containment states, 9 core damage bins and 3 containment safeguards bins are considered in the IPE. Although fan coolers are discussed in the IPE submittal, their effect on accident progression is not credited in the IPE. The three containment safeguards bins therefore do not include the status of the fan coolers (or assumed failed). Results of the binning process indicate 23 possible PDSs, with 17 of them having non-negligible frequencies.

The leading PDS, which contributes 29% to total CDF, is a PDS with early core melt, with the RCS at medium pressure (200 to 2000 psia), and with containment spray failure. The accident sequences that contribute to this PDS include those initiated by a small LOCA or those initiated by a loss of offsite power (LOOP) with induced LOCA. This PDS is followed by two PDSs with early core melt but with the RCS at high pressure (greater than 2000 psia). Of these two PDSs, the former does not have containment sprays (16%) and the latter has the containment spray available in both the injection and the recirculation phases (11%), and both are primarily initiated by transient events.

The PDSs defined in the Comanche Peak IPE to provide front-end back-end dependencies for the Level 2 analysis of the IPE seem M*

2.4.1.2 Containment Event Tree Development

The CPSES IPE treats containment bypass and isolation failure cases separately from cases with intact containment. While containment failure is assured for the former cases, containment failure for the intact containment cases is quantified using containment event trees (CETs). The development of the CETs is discussed in Section 4.5 of the IPE submittal. The CETs include the following top events:

1. Plant Damage State,
2. RCS Not Depressurized Before Vessel Breach,
3. Coolant Not Recovered In-Vessel Before Breach (credited only for SBO),
4. Vessel Failure Occurs,
5. Early Containment Failure Occurs,
6. Debris Bed Not Coolable,
7. Late Containment Failure Occurs,
8. Fission Product Removal Fails,
9. Containment Failure Modes.

Figure 4.5-1 of the submittal shows the structure of the CET. The CET in the Comanche Peak IPE has 44 end states, of which 37 involve containment failure. The top events of the CET are quantified by logic trees (or fault trees), which address the phenomenological, systems, and operator human response issues involved in accident progression. In general, the CETs developed in the Comanche Peak IPE are well structured and easy to understand. The top events of the CET cover the important issues that determine the RCS integrity, containment response, and eventual release from the containment.

The quantification of the CET in the Comanche Peak IPE is based on systems performance for core damage sequences determined from the Level 1 analysis and a number of plant-specific MAAP analyses. In general, the quantification process used in the IPE is systematic and traceable. Although the values assigned in the IPE seem adequate, their adequacy cannot be verified in this technical evaluation report because of the limited scope of this evaluation. Some items that are of interest are discussed in the following.

RCS Depressurization

The RCS depressurization mechanisms considered in the IPE include stuck open SRV, RCP seal failure after core damage, steam generator tube rupture, hot leg/surge line failure and operator action.

At CPSES, Procedure FRC-0.1 A instructs operators to depressurize the RCS when core exit thermocouples reach 1200°F. Since the action is proceduralized, the Level 1 screening value of 5E-2 is used for basic event HOP-DP (Operator Fails to Depressurize RCS) if equipment required for depressurization is available, and a value of 1.0 is used when any of the needed equipment is unavailable. The value used for a PDS is the weighted average of the cutsets in the PDS using the above values. Besides operator action, the probability values used for the other depressurization mechanisms are comparable to those used in NUREG-1150.

The effect of RCS depressurization on the probability of early containment failure is evaluated in the sensitivity study. The key concerns for the sensitivity study are the increase in early containment failure due to increase in DCH and ISGTR probabilities. The sensitivity study shows a small variation in early failure probability (including bypass) with an assumed operator depressurization failure.

In-Vessel Recovery

According to the IPE submittal, recovery in the back-end analysis is credited only for Station Blackout PDSs. Furthermore, the recovery is only considered possible if RCS depressurization is successful.

The recovery of AC power for the SBO PDSs takes into account the non-recovery of AC power before core uncovery and the time between core uncovery and vessel failure. The probability obtained in the IPE for basic event SACPOWER (AC Power not Restored or Available) for the two SBO PDSs is over 0.9. After coolant recovery, the probability of vessel failure depends on whether the debris is in a coolable condition, which in turn depends on the time of recovery (or the core damage condition at the time of recovery). The probability of the core debris being in a coolable condition for the two SBO PDSs obtained from the above consideration is about 0.6. Because of the small frequencies of the two SBO PDSs (1.5% total CDF) and the low recovery fractions, the effect of in-vessel recovery on containment failure is small.

In addition to in-vessel coolant recovery, the fault tree for top event VF (Vessel Failure Occurs, Figure 4.5-4) also includes events addressing in-vessel recovery due to lower head cooling via ex-vessel heat removal. However, this cooling mode is not credited in CET quantification. This is felt to be a conservative assumption in the IPE. However, since this mechanism may delay, if not terminate, vessel penetration, fission product production and release paths are affected (e.g., in-vessel release from a dry debris bed versus ex-vessel release from a debris bed covered by water). The release of fission products to the environment may actually increase if the containment fails and external cooling was accounted for in the source term calculation. External vessel cooling may also result in maintaining the RCS at high temperature for a longer time, and consequently change the probability of creep rupture of RCS boundaries and steam generator tubes. These issues are not addressed in the IPE submittal but are discussed in the licensee's response to the RAI. In general, the contributions of the PDSs that may lead to potential adverse release conditions associated with the above mentioned mechanisms are small and will not affect the conclusions obtained from the IPE.

Early Containment Failure

The time frame defined in the CPSES IPE for early containment failure is that from early phases of core degradation to vessel breach. The containment challenges evaluated in the IPE for early containment failure include those from:

  • Pressure spikes occurring due to blowdown at reactor pressure vessel (RPV) failure with the RCS at high pressure,
  • Fuel-coolant interaction resulting in rapid steam generation within the vessel at core slump or in the reactor cavity at vessel breach, and
  • High pressure melt ejection (HPME) loads such as combustion of hydrogen released prior to and at vessel breach and direct containment heating (DCH).

These include all the early containment failure modes discussed in NUREG-1335.

The quantification of the probability of early containment failure from rapid containment pressurization such as that from HPME uses both the data from NUREG-1150 and the data from plant-specific MAAP calculations.

In the CPSES IPE, the pressure rise estimates for Zion in NUREG-1150 are combined with the initial containment pressure (immediately before vessel breach) determined by MAAP analyses for containment failure evaluation. The containment pressure load distributions thus obtained are compared with the containment fragility curve for containment failure determination. This approach seems to be reasonable.

Besides HPME, the other important early failure modes include that from in-vessel fuel coolant interaction (i.e., in-vessel steam explosion, or Alpha mode failure) and hydrogen combustion. For Alpha mode failure, the values developed in NUREG-1150 (8E-3 for low RCS pressure and 8E-4 for high RCS pressure) are used in the CPSES IPE. For hydrogen combustion, its effect during HPME is evaluated with other mechanisms that occur during HPME (e.g., DCH). The containment pressure from hydrogen burn alone is of the order of 80 psia for the worst case and is not significant. The early containment failure fault trees in the CPSES IPE also include an induced isolation failure. This is considered in the IPE because the procedures for combustible gas control require the opening of the purge valves. The probability of this failure mode is found negligible in the CPSES IPE.

Debris Coolability and Late Containment Failure

In the CPSES IPE, successful cooling of ex-vessel core debris requires two things: (a) that there is water over the debris, and (b) that the debris is in a coolable configuration. With regard to the first requirement, the debris is assumed not coolable if the RWST water is not injected into the containment. Late containment failure is assumed to occur if the debris is not successfully cooled (i.e., that CCI occurs). Late containment failure also occurs if the debris is cooled but containment heat removal is not adequate. In the latter case containment failure is not assured, but is determined based on the time required to reach containment failure pressure.

In the CPSES IPE the probabilities of the formation of a coolable debris bed in the reactor cavity vary under various conditions. The probability of forming a coolable debris bed is higher if the debris is dispersed in the containment such as may occur during HPME or ex-vessel steam explosion. Under these conditions a value of 0.95 is used. The probability is lower for low pressure vessel failure without steam explosion. The value used in the CPSES IPE for this condition is 0.9. This is considered to be greater than that used in NUREG-1150 (judged as indeterminate, or 0.5) because of the large surface area of the CPSES cavity.

As mentioned above, without CCI, steam generation from the core decay heat may not result in containment failure even if containment heat removal is not available. In the CPSES IPE a mission function is used for these cases to determine the probability of containment failure. Instead of a mission time, which is a step function (i.e., having a zero probability of pressurization arrest prior to the mission time and a 1.0 probability after that time), a mission function, which is a Weibull distribution function, is used in the CPSES IPE to determine containment failure probability from steam generation. The mission function used in the CPSES IPE has a mean value of 41 hours and a variance of 3783 hr². Because of the use of a distribution function, the probability of containment overpressure failure due to steam generation is finite for some PDSs in which the mean containment failure pressure is reached beyond 41 hours. For example, for PDS 4H, the containment failure probability is 0.25 even though the failure pressure is reached at 53 hours.
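The mission function described above can be checked numerically. The following is an added example, not part of the TER or the licensee's IPE: it assumes a two-parameter Weibull fitted to the quoted mean and variance, and assumes that containment failure probability is the chance that pressurization has not been arrested by the time failure pressure is reached; all function names are hypothetical.

```python
"""Weibull mission function fitted to the moments quoted in the TER (added example)."""
import math

MEAN_HR = 41.0      # mean of the mission function, hours (from the TER)
VAR_HR2 = 3783.0    # variance of the mission function, hr^2 (from the TER)
T_FAIL_4H = 53.0    # time at which PDS 4H reaches failure pressure, hours (from the TER)


def weibull_cv2(shape):
    """Squared coefficient of variation of a Weibull; depends on the shape only."""
    # lgamma keeps the gamma-function ratio stable for small shape values.
    log_ratio = math.lgamma(1 + 2 / shape) - 2 * math.lgamma(1 + 1 / shape)
    return math.exp(log_ratio) - 1.0


def fit_weibull(mean, variance, lo=0.2, hi=10.0, tol=1e-12):
    """Return (shape, scale) of the two-parameter Weibull with these moments.

    CV^2 decreases monotonically with the shape, so the shape is found by
    bisection; the scale then follows from the mean.
    """
    target = variance / mean ** 2
    if not (weibull_cv2(hi) < target < weibull_cv2(lo)):
        raise ValueError("moments fall outside the bracketed shape range")
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if weibull_cv2(mid) > target:
            lo = mid      # CV^2 still too large: shape must increase
        else:
            hi = mid
    shape = 0.5 * (lo + hi)
    scale = mean / math.gamma(1 + 1 / shape)
    return shape, scale


def weibull_moments(shape, scale):
    """Mean and variance implied by (shape, scale), used to verify the fit."""
    g1 = math.gamma(1 + 1 / shape)
    g2 = math.gamma(1 + 2 / shape)
    return scale * g1, scale ** 2 * (g2 - g1 ** 2)


def arrest_probability(t_hr, shape, scale):
    """Weibull CDF: probability that pressurization is arrested by t_hr."""
    if t_hr <= 0:
        return 0.0
    return 1.0 - math.exp(-((t_hr / scale) ** shape))


def failure_probability_mission_function(t_fail_hr, shape, scale):
    """Assumed reading: failure occurs if there is no arrest before t_fail_hr."""
    return 1.0 - arrest_probability(t_fail_hr, shape, scale)


def failure_probability_mission_time(t_fail_hr, mission_time_hr):
    """Step-function alternative: arrest is certain once the mission time has passed."""
    return 0.0 if t_fail_hr >= mission_time_hr else 1.0


SHAPE, SCALE = fit_weibull(MEAN_HR, VAR_HR2)

if __name__ == "__main__":
    p_func = failure_probability_mission_function(T_FAIL_4H, SHAPE, SCALE)
    p_step = failure_probability_mission_time(T_FAIL_4H, MEAN_HR)
    print(f"shape={SHAPE:.3f} scale={SCALE:.1f} h")
    print(f"failure probability at {T_FAIL_4H:.0f} h: "
          f"mission function {p_func:.2f}, step mission time {p_step:.2f}")
```

Under these assumptions the fitted shape parameter is below 1 (a long-tailed distribution), and the failure probability at 53 hours comes out close to the 0.25 quoted for PDS 4H, whereas a 41-hour step-function mission time would give zero.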

It is noted that the mission time curve discussed above is only used for overpressurization due to steam. In the case of basemat melt-through and/or overpressurization from non-condensibles resulting from CCI, an infinite mission time is assumed in the IPE. According to the licensee's response to the RAI, the rationale for the infinite mission time is a postulated inevitability of the failure: if the debris is postulated to be non-coolable then the failure must be inevitable, since nothing can happen to change the debris into a coolable configuration. The assumption is overly pessimistic in cases where the debris is coolable but the water dries out. In such cases, the debris may be cooled after the recovery of water injection. According to the data presented in the IPE, the time required to reach containment failure pressure from these mechanisms is very long. For a MAAP analysis of a large LOCA case, with a dry cavity, the time required to melt through the basemat is about 20 days, and the time to reach containment failure pressure by non-condensibles is about 7 days. In the CPSES IPE, they are the most important contributor to late containment failure (49% of CDF). The contribution from the steam generation case is about 2% of CDF. Containment failure from late hydrogen combustion is also considered in the CET quantification; its contribution to late containment failure is small.

The fault trees used in the IPE for the determination of late containment failure addressed all important failure modes discussed in NUREG-1335. The approach used to determine the probability of late containment failure as discussed above is in general conservative.

Source Term Scrubbing

Both active and passive removal mechanisms are considered in the IPE. The active systems include scrubbing of radioactive aerosols from the containment atmosphere by sprays. Passive removal includes natural processes (e.g., gravitational settling) that act on the radioactive airborne materials. Revolatilization of fission products is also considered in the fault trees.

Containment Bypass and Induced Steam Generator Tube Rupture (ISGTR)

Containment bypass is one of the dominant containment failure modes for CPSES. Containment bypass considered in the Comanche Peak IPE includes bypass due to SGTR and ISLOCA as initiating events and an induced creep rupture of the steam generator tubes (ISGTR) during accident progression. As mentioned above, CETs are not developed for SGTR and ISLOCA accident classes and containment bypass is assured for these accident classes. Their contributions to the total CDF, as obtained from the Level 1 analysis, are 8% and 0.3%, respectively. ISGTR is evaluated in the Level 2 analysis. According to the CPSES IPE, the ISGTR frequency was determined from the fraction of the non-depressurized high pressure PDS frequencies for which the SG tubes fail prior to the hot leg or the pressurizer surge line. Although the value for ISGTR used in the CPSES IPE is the same as that developed in NUREG-1150 (0.982 for ISGTR for high RCS pressure), its use is different in CPSES than in NUREG-1150. The procedure used in the CPSES IPE for ISGTR evaluation is more complicated than that used in NUREG-1150 and yields a conditional probability value much less than that obtained in NUREG-1150 (1.2E-2 in NUREG-1150, and from 3E-4 to 5E-3 in CPSES IPE). The licensee's response to the RAI discusses the above issue and concludes that the difference will not impact the conclusions obtained from the IPE. This is primarily due to the small frequency of ISGTR (with an estimated upper bound of 2.2E-7) in comparison with the much higher frequency of SGTR obtained from Level 1 (3.5E4).

Another issue associated with the probability of containment bypass is the effect of RCP operation on the probability of ISGTR. In some IPEs, the probability of induced SGTR increases significantly as the RCP is restarted following the direction of procedures. This issue is not addressed in the IPE submittal but is discussed in the licensee's response to the RAI, where the probability of ISGTR due to the restart of the RCP is estimated and found to be insignificant. Since the procedure that calls for RCP restart also requires RCP depressurization, it is assumed in the estimate that ISGTR occurs only if the RCS is not depressurized, and the probability of successful RCP restart but with RCS depressurization failure is small.

2.4.1.3 Containment Failure Modes and Timing

The Comanche Peak containment ultimate strength evaluation is described in Section 4.4 of the IPE submittal. A number of potential failure locations were investigated in the IPE. These include the examination of four categories of penetrations (i.e. large opening penetrations, purge and vent system isolation valves, piping penetrations, and electric penetration assemblies), the containment rupture limit, and the containment liner ductile failure limit. The large opening penetrations investigated include the personnel airlock, the emergency airlock, the equipment hatch, and the fuel transfer tube. The containment rupture limit is determined by a simple calculation for a thin shell, which is found to be in good agreement with refined finite element analysis of the containment structure. Based on the results of these analyses, an assumed normal distribution and a 7% coefficient of variation, a containment fragility curve was developed in the CPSES IPE. The mean value of the fragility curve is 114 psig, corresponding to the smallest leakage or liner tear limit obtained in the analysis around steam line penetrations.

The containment failure pressures and their distributions obtained in the Comanche Peak IPE seem to be consistent with those obtained in other IPEs. For Comanche Peak, a large catastrophic failure is assumed in the IPE if containment is failed by Alpha or rocket modes. The probability of rupture failure is assumed to be 0.5 for other early failure modes and 0.005 for late failure modes.


2.4.1.4 Containment Isolation Failure

In the Comanche Peak IPE, the probability of containment isolation failure is determined in the Level 1 analysis and not evaluated as part of the CET. Although an induced isolation failure, caused by the opening of the purge valves following the direction of the combustible gas control procedures, is included in the CET structure and discussed in the IPE submittal, the licensee's response to the RAI indicates that consultation with operations has revealed no procedural instruction to vent the containment during a severe accident. The contribution to containment failure from this failure mode is therefore zero.

According to the IPE submittal, a fault tree model was developed for the containment isolation system of CPSES. The fault tree model includes (1) the pathways that could significantly contribute to containment isolation failure, (2) the signals required to automatically isolate the penetrations, (3) the potential for generating the signals for each initiating event, (4) the examination of the testing and maintenance procedures, and (5) the quantification of each containment isolation failure mode (including common cause failure). According to the description provided in the IPE submittal, all five areas identified in the Generic Letter regarding the evaluation of containment isolation failure are addressed in the IPE.

2.4.1.5 System/Human Responses

RCS depressurization by operator action is considered in the IPE model. Since the action is proceduralized, the Level 1 screening value (5E-2) is used for the probability of operator action for sequences where the equipment for depressurization is available, and failure is assumed if the equipment is unavailable. Because of the uncertainty of this probability value, the effect of operator depressurization on early containment failure is evaluated in the IPE as a sensitivity case. According to the IPE submittal, the probability of early containment failure for the sensitivity case, in which operator action is assumed to fail, is 4.29E4. This is compared with the base case value of 4.12E4, and according to the submittal, confirmed that no vulnerabilities to HPME phenomena exist at CPSES. It is noted that the value used in the comparison includes the contribution from containment bypass and isolation failure. The effect of operator RCS depressurization on early containment failure is more significant if containment bypass, which is the dominant early failure mode, and containment isolation failure are excluded from the comparison. Nonetheless, the probability of early containment failure due to HPME is small because of the large containment volume.

Recovery of AC power is included in the CET for the SBO PDSs. The recovery of AC power for the SBO PDSs takes into account the non-recovery of AC power before core uncovery and the time between core uncovery and vessel failure. The probability obtained in the IPE for basic event SACPOWER (AC Power not Restored or Available) for the two SBO PDSs is over 0.9. The effect of in-vessel recovery on containment failure is small because of the small AC recovery probability (i.e., less than 0.1) and the small frequencies of the two SBO PDSs (1.5% total CDF).

2.4.1.6 Radionuclide Release Characterization

The 44 end states of the CPSES CET are binned to 10 release categories. Combined with the two containment bypass and one containment isolation failure release categories (which are not obtained from the CET analysis) there are a total of 13 release categories for CPSES. The parameters considered in the definition of a release category include:

1. Timing of release,
2. Size of breach,
3. Cause of failure, and
4. Release mitigation.

Table 4.7-1 of the IPE submittal shows the classification of the various CET end states to release categories and Table 4.7-2 presents the C-Matrix. Source terms for the release categories, determined by the analyses of representative sequences using the MAAP computer code, are provided in Table 4.7-5.

The source term with the highest frequency is one with late, small, containment failure, caused by CCI, and with no fission product scrubbing (46% of total CDF, or 76% of total containment failure probability). This is followed by a bypass release category from SGTR and ISGTR (8% of CDF). This release category is primarily due to SGTR as an initiating event; the contribution from ISGTR is small (less than 2% of this category). The bypass and isolation failure categories have the highest release fractions. The release fraction of CsI for these categories is 0.8.

The use of the computer code calculations for source term definition is discussed in the following section of this TER.

2.4.2 Accident Progression and Containment Performance Analysis

2.4.2.1 Severe Accident Progression

Sequence selection for accident progression quantification and fission product release characterization is discussed in Section 4.6.2 of the Comanche Peak IPE. According to the IPE, the objective of the MAAP analyses is to obtain representative and/or bounding calculations for each of the CET end states. Sequence selection for MAAP analyses is therefore carried out to choose specific accident progression sequences that best approximate the representative accident progression and source term results for each relevant CET end state based on the consideration of the dominant sequence in each end state and other factors that influence the source term results. As a result, the sequences selected as the basis to construct the MAAP analysis are not always the sequences with dominant frequencies in the PDSs. However, the discussion of sequence selection provided in the IPE submittal is of sufficient detail and the sequences selected for source term analyses and the source term definition used in the IPE seem to be adequate.

2.4.2.2 Dominant Contributors: Consistency with IPE Insights

Containment failure modes and their frequencies obtained from the Comanche Peak CET quantification are discussed in Section 4.6 of the submittal. Table 9, below, shows a comparison of the conditional probabilities for the various containment failure modes obtained from the Comanche Peak IPE with those obtained from the Surry and Zion NUREG-1150 analyses.

Table 9 Containment Failure as a Percentage of Total CDF

Containment Failure Mode    Comanche Peak Steam Electric Station IPE++    Surry NUREG-1150    Zion NUREG-1150
Early Failure               1.2                                           0.7                 1.4
Late Failure                51.1                                          5.9                 24.0
Bypass                      8.2                                           12.2                0.7
Isolation Failure           0.02                                          *                   **
Intact                      39.5                                          81.2                73.0
CDF (1/ry)                  5.7E-5                                        4.0E-5              3.4E-4

++ The data presented for Comanche Peak are based on Table 4.6-14 of the IPE submittal.
* Included in Early Failure, approximately 0.02%
** Included in Early Failure, approximately 0.5%

As shown in the above table, the conditional probability of containment bypass for Comanche Peak is 8.2% of total CDF. Most of it is from steam generator tube rupture (SGTR) as an initiating event (95% of total bypass). Excluding SGTR, containment bypass from ISLOCA and ISGTR is small (3.3% from ISLOCA and 1.7% from ISGTR).

The conditional probability of early containment failure for Comanche Peak is about 1.2% of total CDF, of which 56% comes from Alpha mode failure and 44% comes from failure associated with HPME (e.g., DCH). For accident sequence classes, early containment failure comes primarily from transient sequences with the RCS at high pressure. This is partly due to the high frequency of such sequences (40% of total CDF) and partly due to HPME associated with these sequences.

The conditional probability of late containment failure for Comanche Peak is 51.1% of total CDF. More than half of this is from small LOCA sequences or transient sequences with induced LOCA with the RCS at intermediate pressure (57%), with most of the remainder coming from transient sequences with the RCS at high pressure (35%). On a conditional basis, 74% of intermediate pressure sequences (represented by small LOCA sequences) result in late containment failure and 45% of high pressure sequences (represented by transient sequences) result in late containment failure.

For Comanche Peak, late containment failure is primarily due to overpressure failure associated with CCI (49% of CDF). The contribution from steam pressurization is only about 2% of total CDF. Steam-induced failures for CPSES are low because they can only occur if the RWST is successfully injected and recirculation subsequently fails. If the ECCS fails to inject, boil-off of the RCS plus accumulator inventory cannot raise the pressure to containment failure. Additional pressurization from CCI non-condensible gas generation is required. The high failure probability associated with CCI may be partly due to the use of an infinite mission time for such an event.

2.4.2.3 Characterization of Containment Performance

As shown in Table 9, the core damage frequency for Comanche Peak Steam Electric Station is lower than that obtained in NUREG-1150 for Zion but comparable to that obtained in NUREG-1150 for Surry. The conditional probability of containment bypass obtained in the Comanche Peak IPE is also lower than that for Zion and comparable to that for Surry. For the other failure modes, the conditional probability of late containment failure for Comanche Peak is higher than that from either Zion or Surry. The containment failure profile obtained in the Comanche Peak IPE is in general consistent with those obtained in NUREG-1150.

The C-Matrix, which shows the conditional probabilities of CET end states (or containment failure modes) for the accident classes (or PDSs), is provided in Table 4.7-2 of the IPE submittal.

2.4.2.4 Impact on Equipment Behavior

The effects of harsh environmental conditions on the operation of containment sprays and containment fan coolers are not discussed in the CET quantification of the IPE submittal but are discussed in the licensee's response to the RAI. According to the response, the environmental conditions under which the containment spray system, the only system that is credited in the CET quantification, is operating are within the environmental qualification limits of the system.

2.4.2.5 Uncertainties and Sensitivity Analysis

Sensitivity studies are discussed in Section 4.6.3 of the IPE submittal. Two types of sensitivity studies were performed in the Comanche Peak IPE to determine the effect of key assumptions on the final results: phenomenological uncertainties and system and operational uncertainties.

The sensitivity studies for phenomenological uncertainties performed in the IPE include:

1. Performance of containment heat removal during core meltdown accidents,
2. In-vessel hydrogen production at high and low RCS pressure and combustion in containment,
3. Induced failure of the RCS pressure boundary at high RCS pressures,
4. Core relocation characteristics and mode of reactor vessel melt-through at high RCS pressure and direct containment heating (DCH),
5. Core relocation characteristics, mode of reactor vessel melt-through at high RCS pressure and fuel/coolant interactions at high and low pressures,
6. Potential for early containment failure due to pressure loads,
7. Potential for early containment failure due to direct contact by core debris, and
8. Long-term disposition of core debris (coolable or not coolable) and core concrete interactions (water availability and coolability of debris).

The sensitivity studies for system and operational uncertainties performed in the IPE include:

1. Effect of operator action to depressurize the RCS at the onset of core damage, and
2. Potential benefit of fan coolers.

According to MAAP sensitivity analyses, the amount of hydrogen produced in a severe accident would be somewhere between 30% and 60% of the clad reacted. Hydrogen combustion alone is not expected to cause early containment failure because for CPSES, the containment can resist a burn of all hydrogen produced in-vessel assuming 100% clad oxidation with adiabatic, isochoric, complete combustion (AICC) in the containment.

If operator action for depressurization is assumed to fail, results of the sensitivity studies show an early containment failure probability of 4.29E4. This is compared with the base case value of 4.12E4, and according to the submittal, confirmed that no vulnerabilities to HPME phenomena exist at CPSES. It should be noted that the value used in the comparison includes the contribution from containment bypass and isolation failure. The effect of operator RCS depressurization on early containment failure is more significant if containment bypass, which is the dominant early failure mode, and containment isolation failure are excluded from the comparison. Nonetheless, the probability of early containment failure due to HPME is small because of the large containment volume.

In general, results of the sensitivity studies do not show any potential vulnerabilities due to assumptions used in the IPE.

The sensitivity studies provided in the Comanche Peak IPE seem to have addressed the issues of significant uncertainties in the IPE analysis.

2.5 Evaluation of Decay Heat Removal and Other Safety Issues and CPI

2.5.1 Evaluation of Decay Heat Removal

2.5.1.1 Examination of DHR

The IPE addresses decay heat removal (DHR). Initiators excluded from consideration of this issue were large LOCAs, medium LOCAs (except portion caused by a stuck open SRV), small LOCA (except portion caused by a stuck open PORV), SGTR and ATWS. RCP seal LOCAs were also excluded. Dominant sequences contributing to DHR-loss CDF are listed: very small LOCA with successful injection and AFW, but recirculation failure (dominated by operator error), 3.33E-6/yr; general transient with failure of AFW, successful bleed and feed, but failure to establish recirculation (sequence caused by many low probability combinations of equipment failures leading to loss of the support systems), 2.19E-6/yr; LOOP (dominated by SBO and failures of the TDAFW pump), 2.13E-6/yr; small LOCA with recirculation failure (dominated by operator error), 1.53E-6/yr; LOOP induced PORV LOCA, ECCS injection failure (SBO dominated).

DHR loss contributes 1.58E-5/yr to the CDF (excluding operator action to establish recirculation it is 1.19E-5/yr).

Several systems used for DHR are mentioned and their CDF Fussell-Vesely importances given: AFW (0.34), CVCS (0.09), RHR (0.05), safety injection (0.1!), main steam (0.02) and reactor coolant (0.42). The DHR-important support systems and their F-V importances are CCW (0.10), safety chilled water (0.02), EDGs and auxiliaries (0.20), electric power (0.14), ESFAS (0.02) and station service water (0.15).

No DHR vulnerabilities were found at the plant.

2.5.1.2 Diverse Means of DHR

The IPE evaluated the diverse means for DHR, including: use of the power conversion system, feed and bleed, auxiliary feedwater, and ECCS. Depressurization using the secondary system was not considered for small LOCA accidents when the HHSI was unavailable. Cooling for RCP seals was considered. As mentioned previously, containment cooling was not addressed in the level 1 analysis as it was not deemed necessary.

2.5.1.3 Unique Features of DHR

The unique features at Comanche Peak that directly impact the ability to provide DHR are described in Section 1.2 ("Key Features").

2.5.2 Other GSIs/USIs Addressed in the Submittal

No GSIs or USIs, other than USI A-45 (DHR Evaluation) are addressed in the submittal.

2.5.3 Response to CPI Program Recommendations

The CPI recommendation for PWRs with a dry containment is the evaluation of containment and equipment vulnerabilities to localized hydrogen combustion and the need for improvements. Although the effect of hydrogen combustion on containment integrity and equipment are discussed in the submittal, the CPI issue is not fully addressed in the submittal. More detailed information on this issue is provided in the licensee's response to the RAI. According to the response, a walkdown of the CPSES containment was performed for the IPE and no hydrogen pocketing concerns were identified. The response also provides information from the CPSES FSAR. According to the FSAR, the CPSES containment subcompartments have been designed to allow proper venting to preclude hydrogen pocketing and to promote good mixing. The likelihood of local detonation and the potential for missile generation as a result of local detonation, any of which failing the containment, are judged in the response to be too small to quantify independently of the global burn concerns already factored into the IPE.

2.6 Vulnerabilities and Plant Improvements

2.6.1 Vulnerability

The vulnerability screening carried out during the CPSES IPE started with the GL 88-20 reporting criteria for functional sequences. Then a qualitative analysis was done to see if there were any dominant contributors. It was determined that the core damage profile grouped by initiating events was relatively flat. Based on this it was concluded that no single sequence type or initiating event indicated a weakness or a vulnerability in plant design and operation.

It is stated in the IPE submittal that "the back-end analysis did not reveal any vulnerabilities nor the need for any plant improvements...." (p6-1). However, vulnerability is not defined for the back-end in the IPE submittal.

2.6.2 Proposed Improvements and Modifications

The IPE took credit for the proposed improvements except for the new RCP seals. All the proposed procedural and hardware improvements have already been implemented at both Units. A number of potential improvements have been identified in the IPE and their CDF impact noted in the IPE and the RAI responses.

The procedural improvements mostly relate to improving existing procedures and making them more explicit.

Several human action related improvements were discussed. They included:

1) Manual control of flow to steam generators to prevent overfill. This is already credited in IA loss and SBO events, it is raised to a higher level of procedure (ERG family). The RAI responses state the current HRA value is appropriate without this enhancement because the actions are proceduralized, because the operators are trained on the procedure, because similar detection and implementation is required in the ERG procedure and because there is a reasonably long detection period and a fairly short time required for the operator to reach the area and begin manual control of flow. Doubling the HEP raises the CDF by 7.0E-7/ryr.

2) ECCS alignment for recirculation. The operator action to verify the availability of CCW is not credited per se in the HRA but is assumed to be part of the operator actions to realign for recirculation. The specific direction to verify CCW is provided in a lower tier procedure. To provide a higher level of assurance of success this direction was added to the ERGs. Doubling the HEP raises the CDF by 4.8E-6/ryr.

3) Manual control of HCV-182 on loss of supports (throttling charging flow to ensure flow to the RCP seals). This action is proceduralized in the CCW loss procedure. However, in case of loss of instrument air or power to the valve, there was no action in the appropriate procedure (e.g., for loss of IA), rather alarm procedures directed responses. Thus detection was assured but diagnosis may have been delayed. Thus the procedures for loss of seal injection due to loss of supports were modified to provide a high level of assurance of success of this action. Increasing the HEP by an order of magnitude results in a CDF increase of 3.0E-7/ryr (doubling the HEP resulted in a negligible increase in the CDF).

4) Manual actuation of the standby chilled water train upon startup of associated MDAFW pump. The standby train automatically starts when its associated CCW train starts. However, upon startup of an MDAFW pump, the associated chilled water train must be manually started to prevent overheating the MDAFW pump, an action that was not proceduralized. However, the room temperature is monitored and subsequent high temperature alarms would ultimately direct the operators to start the associated chilled water train. Procedures were subsequently revised to direct this action, and this is reflected in the IPE results. If it is assumed the operators always fail to start the standby train, the CDF rises by 4.0E-7/ryr (doubling the HEP resulted in a negligible increase in the CDF).

5) Restart of MFW upon loss of AFW. The procedure was modified to use the control room actions as the preferred path, rather than sending the operator to various locations in the plant to manually manipulate valves. The procedure modification is reflected in the IPE. Doubling the HEP resulted in a CDF increase of 1.(E 7/ryr. Raising the HEP by an order of magnitude resulted in a CDF increase of 1.4E-6/ryr.

Two hardware-related improvements were also mentioned:

- Keep the cross-connect of CCW to Unit 2 (originally flanged off and planned for permanent blocking off when Unit 2 was finished). No CDF impact estimated (credited in the IPE). Procedures exist for CCW cross-connect.

- Install new RCP seals (temperature resistant).

The SBO rule changes have been implemented in the plant, but not credited in the analysis (this will change with the next IPE update). These are: the addition of DC powered ventilation fans for the UPS rooms to supplement the existing UPS HVAC units; revision of an abnormal procedure to direct the operators to open UPS room doors within 30 minutes of SBO occurrence; finishing construction of Unit 2 (means that emergency power from the non-blacked out unit is available), such that credit can be taken for operation of some shared systems: the control room ventilation and UPS room ventilation system with an electrical power supply common to both units.

The back-end analysis did not identify the need for any plant improvements.

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS

The strengths of the Level 1 analysis in the IPE are: comprehensive treatment of plant specific initiating events; generally comprehensive treatment and discussion of plant responses; comprehensive common cause failure methodology (which perhaps was too sophisticated compared to the state of knowledge and usage of generic data elsewhere in the IPE). Results are described with top cutsets. Insights have been derived and results generally seem to be reasonable. The flooding analysis seems reasonable. There was heavy utility involvement but with outside review.

The weaknesses of the level 1 analysis of the IPE are: usage of generic data (by necessity because of the newness of the plant); common cause factors are low, or even very low, for some important components (by up to 2 orders of magnitude when compared to NUREG/CR-4550), although a limited sensitivity analysis (by using 95th percentiles instead of the means of the CCF factors) shows only a 2% effect on the CDF; some important components were not considered in the common cause failure analysis (e.g., air compressors, batteries); the offsite power non-recovery factors are low by a factor of 2-5; the dual unit initiators were not considered, as Unit 2 was under construction; no sensitivity or importance analysis was provided, except in some RAI responses. Operator recovery and repair of failed systems (e.g., SW pumps, AFW pumps, EDGs) is credited in the analysis. A sensitivity analysis without this credit was performed, showing a 70% increase in the CDF and a 55% increase in the flooding CDF.

The numerical results may have been affected somewhat by the weaknesses listed above, but the effect is probably not overwhelming.

The IPE determined that RCP seal failures and failures in the auxiliary feedwater system (dominated by hardware pump failures, and support system failures such as HVAC) and in the primary feed and bleed operation (dominated by support system failures, such as DC power) are the principal contributors to core damage. Important support systems are emergency power, EDGs, SW and CCW.

LOCAs are a relatively low contributor to the CDF (17%) due to a highly redundant high pressure injection (the charging pumps can also be used in that mode), and relatively reliable CCW and SW systems due to cross-connect capability to the other unit.

The contribution of station blackout (28%) is due to seal failures and inability to use feed and bleed upon battery depletion. The switchyard is relatively reliable.

The flooding contribution is relatively large (23%). The most dominant scenario involves flooding in the auxiliary building (dominant cause is flooding from the RWST) which propagates and causes a loss of the chilled water system thus leading to a loss of ECCS and AFW pump rooms cooling. Another scenario postulates a break in the SW system inside the shared intake structure, thus resulting in a total loss of SW in both units (but only Unit 1 was analyzed).

Several improvements have been completed as a result of insights from the IPE. The CDF impact of these improvements is not known, however a limited sensitivity analysis is provided.

The HRA review of the Comanche Peak IPE submittal did not identify any significant problems or errors. A viable approach was used in performing the HRA and nothing in the licensee's submittal (in conjunction with their responses to the RAIs) indicated that they failed to meet the intent of Generic Letter 88-20 in regards to the HRA. Important elements pertinent to this determination include the following:

1) The submittal indicated that utility personnel were involved in the HRA. Procedure reviews, discussions with operations and training staff, reviews of results from previous simulator exercises, and walkdowns of important recovery actions, helped assure that the IPE HRA represented the as-built, as-operated plant.

2) The HRA process for the Comanche Peak IPE addressed both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response to an accident). The analysis of pre-initiator actions considered both miscalibrations and restoration faults (162 events modeled). The quantification approach involved a relatively detailed screening analysis, with only one event being analyzed in more detail. Nevertheless, appropriate dependencies were considered and the results from the analysis of pre-initiator events were not unreasonable.

3) The Comanche Peak IPE modeled both response (Type C,) and recovery (Type Q ) post-initiator human actions. The response to the NRC's RAI stated that all actions credited were proceduralized, but in some cases procedures had to be written to cover the action. While the screening and final quantification approaches were acceptable, potential dependencies between events were appropriately considered, and plant specific PSFs were evaluated, a minor weakness of the post-initiator analysis was that all but ten HEPs were left at their relatively screening values. The problem with such an approach is that human actions left at screening values in dominant sequences may have led to an incorrect ordering of sequences. That is, with realistic HEPs, some of the dominant sequences may no longer have been dominant and others may have shown to be more dominant. Thus, there existed a potential for distortion in the results. In response to an additional RAI on this issue, the licensee noted that after initial re-quantification was completed, if some non-dominant sequences became dominant, the human actions were evaluated again. With this approach, the licensee maintains that a high percentage of the operator actions in important sequences were analyzed in detail and therefore the appropriate ordering of sequences was maintained. Given this is the case, there is no apparent reason to believe that the approach used to assess post-initiator human actions would have precluded identification of human action related vulnerabilities.

4) Plant-specific performance shaping factors (PSFs), event timing and dependencies were adequately considered.

5) A list of important human actions based on their contribution to core damage frequency was provided in the submittal.

The IPE uses a small containment event tree (CET) with 8 top events and associated fault trees for Level 2 analysis. The quantification of the CET in the Comanche Peak IPE is based on NUREG-1150 data and plant-specific evaluations, which include modeling and bounding calculations, consideration of phenomenological uncertainties, and MAAP calculations. The interface between the Level 1 and Level 2 analyses is accomplished by the development of a set of 17 plant damage states (PDSs). The Level 1 core damage sequences are grouped into the PDSs based on core damage timing, RCS pressure, containment status, and containment system status.

The CETs used in the IPE provide a reasonable coverage of the important back end phenomena. The quantification of the CETs also seems adequate.

The important points of the technical evaluation of the IPE back-end analysis are summarized below:

1) The back-end portion of the IPE supplies a substantial amount of information with regards to the subject areas identified in Generic Letter 88-20.

2) The Comanche Peak Steam Electric Station IPE provides an evaluation of all phenomena of importance to severe accident progression in accordance with Appendix I of the Generic Letter.

3) The containment analyses indicate that there is a 61% conditional probability of containment failure. The conditional probability of containment bypass is about 8.2%, the conditional probability of early containment failure is 1.2%, the conditional probability of isolation failure is about 0.02%, and the conditional probability of late containment failure is 51.2%.

4) The licensee has addressed the recommendations of the CPI program.

4. REFERENCES

[IPE] Comanche Peak Steam Electric Station Individual Plant Examination, Texas Utilities Electric Company, 1992.

[RAI Responses] "Response to NRC Request for Additional Information, Comanche Peak Steam Electric Station IPE," Texas Utilities Electric Company, June, 1996.

[EPRI RP-3082-03] Moieni, P., Spurgin, A.J. & Spurgin, J.P., Human Reliability Analysis (HRA) Calculator, Vol. 1: Technical Description, (EPRI RP-3082-03 Draft Report), Electric Power Research Institute, Palo Alto, CA, USA, 1992.

[EPRI RP-3082-03] Spurgin, A.J., Moieni, P., & Spurgin, J.P., Human Reliability Analysis (HRA) Calculator, Vol. 2: User's Manual, (EPRI RP-3082-03 Draft Report), Electric Power Research Institute, Palo Alto, CA, USA, 1991.

[Moieni, P. et al.] Moieni, P. et al., A PC-Based Human Reliability Analysis (HRA) Calculator, In Proceedings of PSA '93, International Topical Meeting on Probabilistic Safety Assessment, American Nuclear Society, La Grange Park, IL, USA, 1993.

[Moieni, P., Spurgin, A.J. & Singh, A.] Moieni, P., Spurgin, A.J. & Singh, A., Advances in Human Reliability Analysis Methodology. Part I: Frameworks, models and data, Part II: PC-based HRA software. In Reliability Engineering and System Safety, 44 (1994), 27-55 and 57-66, respectively.

[EPRI RP 3206-03] Moieni, P. & Spurgin, A.J., "Modeling of Recovery Actions in PRAs", EPRI RP 3206-03, Draft Report, September 1992.

[EPRI NP-6937] Spurgin, A.J., et al., "Operator Reliability Experiments Using Power Plant Simulators", Vols 1-3, EPRI NP-6937, July 1990.

[EPRI-6560] Moieni, P. et al., "A Human Reliability Analysis Approach Using Measurements for Individual Plant Examination", EPRI-6560, July 1989.

[NUREG/CR-4639] NUREG/CR-4639, "Nuclear Computerized Library for Assessing Reactor Reliability (NUCLARR)".

[Comer, et al.] Comer, M.K., Seaver, D.A., Stillwell, W.G. & Gaddy, C.D., "General Human Reliability Estimates Using Expert Judgement", NUREG/CR-3688, SAND 840115, Volumes 1 and 2, Main Report, 1984.

[NSAC-161] NSAC-161, "Faulted Systems Recovery Experience", May 1992.