ML20140H579

Technical Evaluation Rept of IPE Submittal & RAI Responses for VC Summer Nuclear Station
Site: Summer (South Carolina Electric & Gas Company)
Issue date: 12/10/1996
From: Bozoki G, Lin C, Musicki Z (BROOKHAVEN NATIONAL LABORATORY)
To: NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
Shared Package: ML20140H571
References: CON-DE-AC02-76CH00016, CON-DE-AC2-76CH16, CON-FIN-W-6449, NUDOCS 9705130188

TECHNICAL REPORT

FIN W-6449, 11/14/96, Revised 12/10/96

TECHNICAL EVALUATION REPORT OF THE IPE SUBMITTAL AND RAI RESPONSES FOR THE V.C. SUMMER NUCLEAR STATION

Zoran Musicki, George Bozoki, C. C. Lin, John Forester*

Department of Advanced Technology, Brookhaven National Laboratory, Upton, New York 11973

Prepared for the U.S. Nuclear Regulatory Commission, Office of Nuclear Regulatory Research, Contract No. DE-AC02-76CH00016

* Sandia National Laboratories

9705130188 970508 PDR ADOCK 05000395 P PDR

CONTENTS

Executive Summary
Nomenclature

1. Introduction
   1.1 Review Process
   1.2 Plant Characterization
2. Technical Review
   2.1 Licensee's IPE Process
       2.1.1 Completeness and Methodology
       2.1.2 Multi-Unit Effects and As-Built, As-Operated Status
       2.1.3 Licensee Participation and Peer Review
   2.2 Front End Technical Review
       2.2.1 Accident Sequence Delineation and System Analysis
       2.2.2 Quantitative Process
       2.2.3 Interface Issues
       2.2.4 Internal Flooding
       2.2.5 Core Damage Sequence Results
   2.3 Human Reliability Analysis Technical Review
       2.3.1 Pre-Initiator Human Actions
       2.3.2 Post-Initiator Human Actions
   2.4 Back End Technical Review
       2.4.1 Containment Analysis/Characterization
       2.4.2 Accident Progression and Containment Performance Analysis
   2.5 Evaluation of Decay Heat Removal and Other Safety Issues
       2.5.1 Evaluation of Decay Heat Removal
       2.5.2 Other GSIs/USIs Addressed in the Submittal
       2.5.3 Response to CPI Program Recommendations
   2.6 Vulnerabilities and Plant Improvements
3. Contractor Observations and Conclusions
4. References

TABLES

E-1 Core Damage Frequency by Plant Damage State
E-2 Core Damage Frequency by Initiating Event
E-3 Containment Failure as a Percentage of Total CDF
1 Plant and Containment Characteristics for Virgil C. Summer Nuclear Station
2 Comparison of Failure Data
3 Comparison of Common-Cause Failure Factors
4 Core Damage Frequency by Plant Damage State
5 Core Damage Frequency by Initiating Event
6 Dominant Accident Sequences
7 Top Event Importances (F-V)
8 Important Human Actions
9 Containment Failure as a Percentage of Total CDF
10 Summary and Status of VCSNS Improvements

EXECUTIVE SUMMARY

This Technical Evaluation Report (TER) documents the findings from a review of the Individual Plant Examination (IPE) for the V.C. Summer Nuclear Station. The primary purpose of the review is to ascertain whether or not, and to what extent, the IPE submittal satisfies the major intent of Generic Letter (GL) 88-20 and achieves the four IPE sub-objectives. The review utilized both the information provided in the IPE submittal and additional information provided by the licensee, the South Carolina Electric & Gas Company, in the response (RAI Responses) to an NRC request for additional information (RAI).

E.1 Plant Characterization

The Virgil C. Summer Nuclear Station (VCSNS) is a single unit plant having a 900 MWe Westinghouse pressurized water reactor (PWR). The reactor coolant system (RCS) consists of the reactor vessel, three closed reactor coolant loops each containing a reactor coolant pump and a steam generator. An electrically heated pressurizer is connected to the hot leg of one reactor coolant loop. The reactor coolant pumps are vertical, single stage centrifugal pumps equipped with controlled leakage shaft seals. The steam generators are vertical, U-tube type heat exchangers (Westinghouse Model D) with inconel tubes. The RCS is housed inside a large dry containment. Reactors with similar characteristics are: Beaver Valley 1/2, Farley 1/2, H.B. Robinson, North Anna 1/2, Shearon Harris 1, Surry 1/2 and Turkey Point 3/4.

The plant is located north (2.5 miles) of Parr, South Carolina. It is adjacent to the manmade Monticello reservoir that provides the water requirements for the nuclear station and a pumped storage facility. The pumped storage facility can raise or lower the reservoir level approximately 4.5 feet when the plant is in operation. The plant is owned and managed by the South Carolina Electric & Gas Company (SCE&G). Full commercial operation began on January 1, 1984.

A number of design features of the plant impact the core damage frequency (CDF) relative to those of other PWRs. The submittal highlights these features, but does not evaluate their effects on the CDF quantitatively. These features are as follows:

This feature allows use of the pressurizer PORVs on loss of Instrument Air events, and when the Reactor Building is isolated and air cannot be restored in a timely fashion.

  • The SG PORVs can be operated locally during a station blackout.
  • While the plant is designed with two train redundancy, some systems have additional redundancy through the use of spare equipment that can be aligned to either train. The Service Water (SW), Component Cooling Water (CCW), Chilled Water systems, and the Chemical and Volume Control System (CVCS), each have additional equipment (pumps and chillers) that can be aligned mechanically and electrically to either of the two redundant trains of these systems.
  • The recirculation design employs a semiautomatic switchover. When the level of the RWST reaches the low-low setpoint in coincidence with a safety injection signal (SI), a signal is generated that automatically opens the containment recirculation sump isolation valves. When the sump isolation valves are fully open, the operator must close the RWST isolation valves.
  • The battery life is 4 hours without load shedding.
  • The plant has a diesel driven air compressor ("Sullair") to maintain instrument air should an SBO or a loss of IA event occur. This air compressor is air cooled. This compressor is only credited in the loss of IA initiator, where it must be manually started and valved in the permanent IA header, and used for post trip control of air operated valves.

  • The RCP seal cooling is provided by two mechanisms at VCNS. The Charging System provides seal injection, and the CCW performs the thermal barrier cooling. Both systems consist of three pumps (one per train and a swing pump). Effectively the CCW booster pumps are used for thermal barrier cooling. The charging pumps and the CCW pumps are supplied by ESF power; however, the CCW booster pumps are supplied by BOP power. The chilled water (VU) system provides cooling to the RCS charging pump gear and oil coolers and the CCW pump motors. To prevent an RCP seal LOCA, the seals must be cooled by either of the two mechanisms and the systems associated with these mechanisms must function.

The drawback of the design is that the CCW booster pumps are powered from BOP sources. Therefore, in the event of a LOOP, the only seal cooling mechanism is via seal injection. The RAI response states that the plant recently eliminated the use of the chilled water (VU) system to cool the charging pumps and CCW pump motors. Through this plant modification, the charging pumps are now cooled by the CCW system, and the CCW pump motors receive cooling water from the discharge of the CCW pump (i.e. self-cooled).

For other unique features see Section 1.2 of this report.

The Virgil C. Summer Nuclear Station utilizes a large dry containment with a prestressed concrete construction.

The thermal power of VCSNS is between that of Zion and Surry, and the containment volume is less than that of Zion but close to that of Surry (with subatmospheric containment). While the

account for all possible combinations of support system successes and failures. Once the support system model was developed the potential support system states were identified. Support system model paths were combined using the vector impacts on the front line and safety systems. Sixty-five support states were identified for the "SI" support system model and 29 support states were identified for the loss-of-offsite-power support system model. The "SI" support system model refers to a support system model developed for initiating events which cause SI signal generation and startup of ECCS equipment (e.g., LOCAs) as well as transients. Quantification of the support system sequences was carried out by applying appropriate unavailability values to each top event in the model consistent with the operating states defined for each support system. The unavailability values were determined by system fault tree analysis.

The data collection process period to establish a plant specific data base was from commercial operation (January 1, 1984) through December 31, 1989. The collection process included raw data for component failure rates, demand probabilities, and test/maintenance unavailabilities.

V.C. Summer data are in most cases comparable with the NUREG/CR-4550 data, except for the TDAFW pump fail-to-run failure rate, which is two orders of magnitude below the NUREG value (however, it is also a generic value, taken from NUREG/CR-2815).

Generic failure rates were used for certain component failure modes, when appropriate statistics were found to be not sufficient (particularly for electrical power related components). The generic data were compiled from several sources such as: NUREG/CR-2815, NUREG/CR-4550, NUREG/CR-2728 (IREP), WASH-1400, and some Westinghouse reports (WCAP-10271 and Supplements).

Redundant components were systematically examined to address potential common-cause failures. The approach used was the multiple Greek letter approach (MGL). The methodology followed that described in NUREG/CR-4780 ("Procedure for Treating Common Cause Failures in Safety and Reliability Studies"). The data base used was the EPRI data base (EPRI NP-3967). No plant specific evaluation of the common-cause events was performed.

Flooding event frequencies were determined for three flooding initiators:

  • Loss of the operating CCW train, FLD1
  • Loss of SW train A, FLD2
  • Loss of SW train B, FLD3

The frequencies of the three flood initiating events were calculated using failure rates from reference EGG-SSRE-9639 ("Component External Leakage and Rupture Frequency Estimates," S. A. Eide, et al., November 1991). The actual number of pumps, valves, heat exchangers, and lengths of pipes for each considered train was multiplied by its hourly failure (rupture) rate to produce associated failure frequencies.

The results of the IPE front end analysis are in the form of systemic sequences, therefore NUREG-1335 screening criteria for reporting of such sequences were used (Section 3.4.1 of the submittal). The point estimate for the core damage frequency from internal events and internal flooding is 2.04E-4/R-year. The most important containment bypass failure sequences selected for reporting were screened from the top 250 sequences. 6 such sequences are given in Table 3.4.1-2 of the submittal (CDF ranges from 1.5E-07 to 7.47E-08 per reactor-year). These containment bypass sequences are primarily SGTR events. One ISL sequence was also identified. In the top 100 sequences, only one (Sequence 98) was identified that results in containment isolation failure. This is a loss of service water event, with subsequent failure of containment penetrations to isolate.

Tables E-1 and E-2 show the important plant damage states and initiators.

The results of the importance analysis of top events (hardware failures and operator errors) in the event trees are given in Table 3.4-4 of the submittal. The Table lists all the top event importance (Fussell-Vesely importance measures) whose ranking was greater than 1%. Top event importance with ranking greater than 20% are reproduced in Table 7 of this TER.

Based on the information obtained from the accident sequence analysis and the importance ranking the licensee concludes:

"The majority of the sequences are initiated by a LOSP event with a subsequent failure of all onsite power (SBO) or other combinations of system failures that degrade RCP seal cooling and eventually result in a seal LOCA. Small LOCAs with loss of low pressure recirculation also contribute significantly."

"The dominant failures are associated with the failure of the DGs, chilled water chillers, and service water pumps to start and run, and failure to restore offsite power following an SBO."

of the HRA was performed by two individuals from Science Applications International Corporation (SAIC) that were experienced in HRA. The submittal states that the independent HRA review team "concluded that the VCSNS HRA was reasonable and generally defendable" and that "several recommendations were made by SAIC to improve the HRA" that were addressed prior to completion of the IPE. Both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response to an accident) were addressed in the IPE, but miscalibration errors were not explicitly modeled.

Important human actions were identified and several recommendations resulting from the IPE related to improving procedures have been implemented.

The independent review performed for the Level 2 analysis includes the formation of an Independent Review Team which comprises two individuals of diverse backgrounds from SCE&G and an outside PRA specialist.

According to NUREG-1335, "The submittal should contain, as a minimum, a description of the internal review performed, the results of the review team's evaluation, and a list of the review team members." Although details are not provided in the IPE submittal on all the items listed above, the review process used in the VCSNS IPE as described in the submittal seems to satisfy the intent of Generic Letter 88-20.

The submittal does not explicitly indicate whether the licensee intends to maintain a "living" PRA. (It indicates only that all documentation pertaining to the IPE is available at the SCE&G offices for review, as necessary.) Based on the RAI response, however, one can infer that since the date of the IPE submittal the licensee recognized the significance of a "living PRA" and maintains the IPE accordingly.

E.3 IPE Analysis

E.3.1 Front-End Analysis

A total of 28 initiating events (including 3 floods) were identified. (Station Blackout (SBO) and Anticipated Transients Without Trip (ATWT) events were treated as consequential failures, and for them no independent initiating event frequencies were determined.)

The initiating event frequencies were calculated by using plant specific data (where available), generic data, and system modeling.

The time period for plant specific initiating event data collection was 5.5 yrs (from January 1, 1985 to June 30, 1990). (Transients experienced in the first year of operation were excluded from the frequency estimates since the first year of plant operation was considered to be a learning period.) During this time period 31 transient events were experienced at VCSNS.

The submittal contains a sensitivity analysis that examined the impact of including the VCSNS operating history from June 30, 1990 to December 1992 into the data base (Section 3.4.5 of the submittal). This resulted in a 4% decrease from the base CDF.

The support system approach was used to model the unavailability of key support systems. These systems included the following: AC and DC power systems, Engineered Safety Features Actuation System (ESFAS), Service Water (SW) system, Component Cooling Water (CCW) system, and the Chilled Water (VU) system.

Other less important support systems were modeled in other portions of the analysis. Usually they were included in the fault tree model of the supported systems.

The IPE developed 9 large and 6 special Plant Response Trees (PRT) to model the plant responses to internal initiating events.

The PRT sequences progress to one of four endpoints:

1. Success, indicating core damage has not occurred,
2. Suc/Am (apparently this means success but with more accident management), indicating core damage has not occurred at 24 hrs, but the plant is not yet in stable condition,
3. Transfer occurs from a consequential failure of a plant system (e.g. failure of reactor trip leads to the ATWT PRT),
4. Core damage and the resultant damage state.

The basic success definition, as related to core cooling, was: "Core cooling is considered successful if the core exit temperature does not exceed 1200 °F for a prolonged period of time."

The RCP seal cooling model is briefly described in Section 3.1.7 of the Submittal. This is essentially the Westinghouse RCP seal LOCA model described in WCAP-10541.

A total of 15 systems are described in Section 3.2 of the Submittal. Each system description includes a discussion of the system design and operation, dependencies. Also included for many systems are simplified schematics that show major equipment items and important flow and configuration information.

The plant systems are classified into different categories; front line systems are defined as those systems that are operating at the time of the initiator (such as: RCPs, main steam and feedwater systems, condensate, circulating water, chemical and volume control, reactor protection systems), safety systems are those systems required to respond to the event (such as: RHR, EF, CVCS safety injection, accumulators, pressurizer PORVs, RBCUs, RWST), "additional systems" are those systems that are used in the Emergency Operating Procedures or that may prove useful in accident management strategies (such as: fire protection), and support systems (AC, DC, IA, CCW, etc.).

The IPE used the support system state/large event tree technique to quantify core damage sequences. This technique involved developing an event-tree type logic structure to display and

containment free volume to power level ratio is less than that of both Zion and Surry, the containment design pressure is greater than that of both Zion and Surry.

The plant characteristics important to the back-end analysis are:

1. A cavity design which facilitates flooding of the reactor cavity as well as provides an effective barrier to debris dispersal following HPME. According to the IPE, water can readily flow from the upper compartment to the annular containment and lower containment floors. Flooding of the cavity is accomplished through the cavity cooling fan opening. The VCSNS geometry, in comparison with Zion, would trap and de-entrain more debris than that in the Zion configuration (Response to RAI Level 2 Question 1).
2. A large cavity floor area with a thick basemat and extensive fill concrete. The cavity floor area is 716 ft². The combined thickness of the cavity floor and basemat is 13.7 ft. A simple estimate shows that the debris depth in the cavity would be less than 25 cm (Response to RAI Level 2 Question 3).
3. The large containment volume, high containment pressure capability, and the open nature of compartments which facilitates good atmospheric mixing. Although the containment volume to thermal power ratio is lower, the containment design pressure is higher for VCSNS than most PWR plants with large dry containments.
4. Two separate systems for containment atmosphere cooling and pressure suppression: the Reactor Building Cooling Units (RBCUs) and the Containment Spray system. According to the IPE, only the RBCU system is designed to remove decay heat from the containment, and only one RBCU is needed to provide sufficient containment cooling. Containment spray can be considered only as a short-term containment pressure reduction system*. The operation of containment spray reduces fission product releases.
5. The implementation of Westinghouse ERG Maintenance Item #DW-93-019 which procedurally prevents operators from restarting the RCPs if the steam generator water is too low. This removes the concern about induced SGTR from RCP restart.

E.2 Licensee's IPE Process

The licensee has provided the type of information requested by Generic Letter 88-20 and NUREG 1335.

The front-end portion of the IPE is a Level 1 PRA. The specific technique used for the Level 1 PRA was a variation of the large event tree/small fault tree technique and it is clearly described in the submittal.

* The Residual Heat Removal (RHR) system, although not a containment system, also provides a means of long-term containment heat removal.

Internal initiating events and internal flooding were considered. Two support system event trees were developed: one for initiating events involving SI signal (all LOCAs) and transients, and the second for the LOOP event. The end points of the support system trees served as starting points for the main event tree analysis and the quantification of the main event trees. The submittal calls the main event trees Plant Response Trees (PRTs). The PRTs were used to define the possible outcomes of each initiating event as determined by the availability of plant safety systems and the success of essential operator actions. The PRT endpoints were then used for the proper integration of the Level 1 analysis and the containment analysis portions (the "interface") of the IPE.

While uncertainty analyses were not performed, sensitivity analyses were conducted on some specific areas.

The submittal states that a cut-off date of January 1, 1990 was chosen for the IPE to represent the current plant design. Thus the IPE model represents the as-built, as operated, as maintained condition of the VCSNS as it existed as of January 1, 1990.

The group responsible for all IPE-related activities at V.C. Summer is the Design Engineering Department of the SCE&G Company. However, other departments also participated in the IPE effort, such as Systems Engineering, Operations, Nuclear Licensing, and Training personnel.

Since SCE&G had no previous experience in PRA activity, the responsibility for the completion of IPE rested with experienced consultants from the Nuclear and Advanced Technology Division of Westinghouse Electric Corporation; Fauske and Associates, Inc. (FAI) and the PRA group within Design Engineering. Essentially, other personnel provided extensive support for the various phases of the IPE effort.

The system and the dependency notebooks, critical operator actions, and recovery actions were reviewed by these personnel. They provided valuable assistance also to the IPE analysts during plant walk-downs. Comments received during this review were incorporated into a "final draft" or otherwise addressed. The licensee stated that this process has served to ensure the quality of the draft and exposed the SCE&G personnel to PRA techniques.

To fulfill the independent review requests of Generic Letter 88-20 the submittal describes four reviews which were deemed to be independent in nature: a phase one independent review (IR), that was concerned primarily with the level I work; a second phase IR whose subject was the Containment System Performance (Back-End) analysis; a third IR, concerned with the HRA portion of the IPE; and a fourth IR, which covered all aspects of the level I work.

Two SRO-licensed individuals participated in the review of critical operator actions for the HRA. Westinghouse and FAI participated in three separate plant walkdowns "to gain first hand knowledge of the physical layout of the modeled systems." These activities, along with appropriate reviews of procedures, interviews with appropriate plant personnel, and access to the computerized maintenance work order database helped to ensure the IPE PRA and HRA represented the as built, as operated plant. The submittal indicated a specific independent review

Table E-1 Core Damage Frequency by Plant Damage State

| Damage State | Description | Core Damage Frequency | Percent |
|---|---|---|---|
| TRE13IH | Transient event; early (0-2 hours) high-pressure core damage without EF and SI injection; Reactor Building heat removal fails; Reactor Building sprays and isolation succeed | 4.04E-05 | 19.9 |
| SLM10lL | Small LOCA; intermediate (24 hours), low-pressure damage without SI recirculation (SI injection succeeds) and without spray injection; Reactor Building heat removal and isolation succeed | 3.66E-05 | 18.0 |
| SLE12IH | Small LOCA; early (0-2 hours) high-pressure core damage without SI injection; Reactor Building heat removal, sprays, and isolation succeed | 2.21E-05 | 10.9 |
| SBE121L | Station blackout; early (0-2 hours) low-pressure core damage without SI injection; Reactor Building heat removal, sprays, and isolation succeed | 2.16E-05 | 10.6 |
| SBE121H | Station blackout; early (0-2 hours) high-pressure core damage without SI injection; Reactor Building heat removal, sprays, and isolation succeed | 1.42E-05 | 7.0 |
| SBE171H | Station blackout; early (0-2 hours) high-pressure core damage; no systems available; Reactor Building isolation succeeds | 1.32E-05 | 6.5 |
| TRL121H | Transient event; late (6-24 hours) high-pressure core damage without EF and SI injection; Reactor Building heat removal, sprays, and isolation succeed | 1.19E-05 | 5.8 |
| TRE121H | Transient event; early (0-2 hours) high-pressure core damage without EF and SI injection; Reactor Building heat removal, sprays, and isolation succeed | 8.21E-06 | 4.0 |
| MLM061L | Medium LOCA; intermediate (24 hours) low-pressure core damage without SI recirculation (SI injection succeeds); Reactor Building heat removal, sprays, and isolation succeed | 6.52E-06 | 3.2 |
| SLE171L | Small LOCA; early (0-2 hours) low-pressure core damage without SI injection; Reactor Building heat removal, sprays, and isolation fail | 3.89E-06 | 1.9 |
| ATE12IH | ATWT event; early (0-2 hours) high-pressure core damage without SI injection; Reactor Building heat removal, sprays, and isolation fail | 2.03E-06 | 1.0 |

Table E-2 Core Damage Frequency by Initiating Event

| Identifier | Initiating Event Description | Core Damage Frequency (per reactor-year) | Percent |
|---|---|---|---|
| LSP | Loss-of-Offsite Power | 8.01E-05 | 39.34 |
| SLOC | Small Loss-of-Coolant Accident | 2.72E-05 | 13.35 |
| LSW | Total Loss of Service Water | 1.74E-05 | 8.56 |
| LMF | Loss of Main Feedwater Flow | 1.49E-05 | 7.31 |
| LVU | Total Loss of Chilled Water | 1.14E-05 | 5.58 |
| RT | Reactor Trip | 1.08E-05 | 5.29 |
| MLO | Medium Loss of Coolant Accident | 7.62E-06 | 3.74 |
| PMF | Partial Loss of Main Feedwater Flow | 5.[illegible]E-06 | 2.81 |
| TT | Turbine Trip | 5.39E-06 | 2.65 |
| US | Inadvertent Safety Injection Signal | 4.24E-06 | 2.08 |
| PRI | Positive Reactivity Insertion | 4.16E-06 | 2.05 |
| LLO | Large Loss of Coolant Accident | 3.14E-06 | 1.54 |
| PST | Primary System Transient | 2.90E-06 | 1.42 |
| LACA | Loss of 120 VAC Panels 5901-5904, Train A VU Running | 2.38E-06 | 1.17 |
| FLD1 | Flooding Initiator, Lose Train A CCW | 1.20E-06 | 0.59 |
| LIA | Total Loss of Instrument Air | 1.14E-06 | 0.56 |
| SGR | Steam Generator Tube Rupture | 1.00E-06 | 0.49 |
| RCS | Loss of Reactor Coolant Flow | 9.02E-07 | 0.44 |
| LOC | Loss of Condenser | 7.92E-07 | 0.39 |
| FLD2 | Flooding Initiator, Lose Train A SW | 2.87E-07 | 0.14 |
| IOSV | Inadvertent Opening of Steam Valve | 2.07E-07 | 0.10 |
| ISL | Interfacing Systems LOCA | 1.78E-07 | 0.09 |
| LCC | Total Loss of Component Cooling | 1.55E-07 | 0.08 |
| LDC | Loss of One 125 VDC Bus | 1.44E-07 | 0.07 |
| SSBI | Secondary Side Break Inside Containment | 1.17E-07 | 0.06 |
| VRP | Reactor Vessel Rupture | 1.00E-07 | 0.05 |
| SSBO | Secondary Side Break Outside Containment | 5.48E-08 | 0.03 |
| FLD3 | Flooding Initiator, Lose Train B SW | 1.86E-08 | 0.01 |
| LACB | Loss of 120 VAC Panels 5901-5904, Train B VU Running | 2.52E-09 | 0.00 |
| | Total Core Damage Frequency | 2.04E-04 | 100.00 |

E.3.2 Human Reliability Analysis

The HRA process for the Summer IPE addressed both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response to an accident). The analysis of pre-initiator actions considered both miscalibrations and restoration faults, but only restoration faults were explicitly modeled. The licensee stated that miscalibrations of various sensors and instruments were determined not to be important for several reasons. While the arguments provided by the licensee were not unreasonable, it should be noted that miscalibration events have been explicitly modeled in other IPEs and in some instances have been shown to be significant contributors. Thus, the licensee's treatment of miscalibration events may have precluded identification of potentially important pre-initiator events (even if they were not major contributors) and therefore must be considered a weakness of the HRA. With the exception of events excluded on the basis of a qualitative screening applied during the pre-initiator human action selection process, all pre-initiator restoration errors were given detailed HRA analysis using the Technique for Human Error Rate Prediction (THERP) described in NUREG/CR-1278. A detailed discussion of the application of the methodology to restoration events was provided in the licensee's response to the NRC's RAI. The response indicated that a thoughtful and reasonable application of the THERP methodology was used to quantify the pre-initiator restoration faults.

Post-initiator human actions modeled included both response-type and recovery-type actions. A formal screening of operator actions was not performed. The licensee states that early in the IPE process a decision was made to conduct a detailed evaluation of each operator action. The goal was "to obtain an operator response model of the plant that is as realistic as possible."

All post-initiator response type actions were quantified through the use of THERP. A general discussion of the application of the methodology to response actions was provided in the licensee's response to the NRC's RAI. A review of the discussion regarding the quantification of response actions, in conjunction with a review of the licensee's HRA analysis notebook, suggests that a detailed analysis of operator actions was conducted. The human actions were quantified with a systematic (but modified) application of the THERP methodology. Per THERP, PSFs for stress level and crew redundancy were considered, as were potential dependencies between and within events, e.g., accident sequence context was evaluated. While the systematic application of the (modified) THERP methodology appeared to produce relatively consistent HEPs, there are several aspects of the quantification of post-initiator response type actions performed by the licensee which clearly have the potential to be problematic. Examples of such aspects include the licensee's interpretation of THERP in regards to the treatment of diagnosis errors (particularly the inappropriate consideration of time) and their application of recovery credits that appear to go beyond that indicated by THERP, e.g., credit for recovery of failed actions as a function of "slack time." The licensee defends their interpretation of THERP and provides examples to illustrate that the HEP values they obtained with their analysis are not any lower than would be obtained using the THERP diagnosis model. While the licensee did appear to closely follow THERP in their five illustrations, it should be noted that they "exercised" the model to its fullest in the sense that the values obtained are about as low as could be obtained with the model, e.g., credit was taken for multiple control room recoveries even in short-time frame scenarios. Such values are only justified in the THERP model when very detailed analysis is performed and such credit is not generally applied across all or even most actions. Thus, there are several aspects of the modified THERP which could have produced unrealistic or underestimated HEPs. In particular, the diagnosis failure probability for short-time frame events could be underestimated due to the lack of a direct consideration of time and events in which credit for local recovery or slack time were taken could also be underestimated.

According to the licensee, modeling of recovery type actions was limited to actions associated with the repair or restoration of components to operable conditions within a given amount of time. They did not "involve the ability of the plant operators to respond to events via procedures." A different quantification technique was used for recovery actions than was used for response type actions. The licensee indicated that recovery probabilities were determined on the basis of judgments from "four plant experts." The licensee's response to the RAI described a relatively detailed and systematic procedure that was used to obtain the judgments and compute the resulting HEPs. Assuming expert judgments had to be used, neither the approach nor the resulting HEPs were obviously unreasonable.

The licensee did identify human errors as important contributors in accident sequences leading to core damage and several recommendations to improve procedures were implemented as a result of the IPE.

E.3.3 Back-End Analysis

The Approach Used for Back-End Analysis

The methodology employed in the VCSNS IPE for the back end evaluation is clearly described in the submittal. Unlike most other IPEs, which develop and use containment event trees (CETs) for Level 2 analyses, a single event tree, the plant response tree (PRT), is used in the VCSNS IPE for both Level 1 and Level 2 analyses. The PRT developed in the VCSNS IPE explicitly includes the analysis of containment systems normally assessed in the Level 2 analysis. The containment condition is addressed in the PRT by the development of success criteria for containment integrity. According to the success criteria presented in the IPE submittal, containment integrity is maintained if the containment is isolated and containment heat removal (CHR) is available, and containment fails by overpressure if CHR is not available.

Except for containment overpressure failure, all other containment failure modes identified in NUREG-1335 are addressed in the IPE by phenomenological evaluation summaries (PESs, prepared in support of the IPE, but not included in the IPE submittal) and, based on the results obtained from the PESs, dismissed in the IPE as unlikely failure modes and thus not included in containment failure quantification for VCSNS. Although the contributions to containment failure probability from these unlikely containment failure modes are small and their exclusion from containment failure quantification seems justified, the lack of consideration of these failure modes in the IPE in a structured way, such as can be provided by a CET, precludes a systematic means to examine the relative (quantitative) importance of these failure modes and the effects of some recovery actions (e.g., depressurization) on these failure modes.

Results of the PRT analysis for Level 2 are grouped to ten source term bins (STBs). Release fractions for these STBs are determined in the IPE by the analyses of representative sequences in the STBs using MAAP computer codes. These STBs, based on containment failure timing, containment failure mode, and the fractional release of fission products, can be further grouped to five release categories.

Back-End Analysis Results

Since a single event tree, the PRT, is used for both Level 1 and Level 2 analyses, the grouping of Level 1 results to plant damage states (PDSs) to be used as interface between the Level 1 and Level 2 analyses is not required in the VCSNS IPE. However, sequence grouping is used in the VCSNS IPE to consolidate the large number of accident sequences obtained from the Level 1 analysis into a small number of damage states (or plant damage states, PDSs). The intent of this grouping is that all sequences within a particular damage state can be treated as a group for assessing accident progression, containment response, and fission product release. The conditional probabilities of the PDSs for the various accident initiators are: 50.7% for SBO, 21.3% for transient, 20.9% for small LOCA, 6.7% for medium LOCA, 0.3% for SGTR, and 0.1% for ISLOCA. The most probable PDS (41% CDF) is a PDS of SBO sequences with early core melt at high RCS pressure and with both containment spray and containment heat removal available. This is followed by a PDS of transient initiated sequences, with early core melt at high RCS pressure and the availability of containment spray (21%).

Table E-3 shows the probabilities of containment failure modes for the Virgil C. Summer Nuclear Station as percentages of the total CDF. Results from the NUREG-1150 analyses for Surry and Zion are also presented for comparison.


Table E-3 Containment Failure as a Percentage of Total CDF

| Containment Failure | VCSNS IPE+ | Surry 1150 | Zion 1150 |
|---|---|---|---|
| Early Failure | Negligible++ | 0.7 | 1.4 |
| Late Failure | 20.5 | 5.9 | 24.0 |
| Bypass | 0.4 | 12.2 | 0.7 |
| Isolation Failure | 0.3 | * | ** |
| Intact | 76.5 | 81.2 | 73.0 |
| CDF (1/ry) | 2.0E-4 | 4.0E-5 | 3.4E-4 |

+ The data presented for VCSNS are based on Table 4.4.4-4 of the IPE submittal. The total is 97.7%. The probability of "Intact" containment includes that from "no containment failure within 48 hours, but failure could eventually occur without further mitigating action" (11.5% CDF).

++ The phenomena that may cause early containment failure are not considered in containment failure quantification based on phenomenological evaluation summaries prepared by FAI.

* Included in Early Failure, approximately 0.02%

** Included in Early Failure, approximately 0.5%

As shown in the above table, the conditional probability of containment bypass for VCSNS is 0.4% of total CDF. Most of it is from steam generator tube rupture (0.3% of total CDF). The contribution from ISLOCA is small (0.1%), but it results in the highest releases. Induced SGTR is not considered in the IPE as a credible failure mode.

Since all phenomena that may cause an early containment failure are considered in the IPE as unlikely to cause failure, and thus not included in containment failure quantification, the conditional probability of early containment failure for VCSNS is zero. The probability of containment isolation failure is 0.3% and all of it is from transient sequences. The conditional probability of late containment failure for VCSNS is 20.5% of total CDF, all of it from transient sequences. Late containment failure comes primarily from containment overpressure failure due to loss of containment heat removal. Late containment failure by basemat melt-through is not considered in the IPE as a credible containment failure mode (even if the debris is not coolable) because of the long time it takes to melt through the containment basemat. Besides transient sequences, containment failure is not predicted in the IPE to occur within the 48 hour mission time for LOCA and SBO sequences. Of these sequences, about 10% of small LOCA sequences and 20% of SBO sequences result in a containment state that requires mitigating actions beyond the 48 hour mission time.

Source terms are provided in the IPE for 10 Source Term Bins (STBs) using MAAP code calculation results. Two of the 10 STBs are for containment bypass, one for containment isolation failure, one for late containment failure, and six for no containment failure (of which three require mitigating actions beyond the 48 hour mission time). Source term definitions are based on MAAP calculations for selected sequences in the STBs. Sequence selection in the VCSNS IPE is based on either the frequency of the sequence or the expected bounding magnitude of the sequence in the source term bin. The sequence selection and the assignment of release fractions for source term determination seem adequate. Source term results reported in the IPE submittal show that the release of volatile fission products is more severe for no containment failure than for late containment failure. This is primarily due to the operation of containment spray in the late failure sequences. According to the IPE, all sequences grouped to the late containment failure STB have containment spray available.

The sensitivity studies performed in the VCSNS IPE involve varying certain MAAP model parameters in MAAP calculations for selected base-case sequences. The ranges of MAAP model parameter variation for IPE sensitivity analyses were based on the recommendations provided in EPRI documentation. The parameters investigated include those associated with hydrogen combustion, hot leg creep rupture, debris coolability, containment failure pressure, failure sizes, and containment spray. The effects of containment phenomena (e.g., DCH) on containment failure probabilities are not evaluated in the IPE because most containment failure modes are considered unlikely to occur and thus not included in the quantification. According to the IPE submittal, uncertainties associated with the modeling of these unlikely phenomena will not impact the conclusion obtained from the "conservatively" based evaluations performed in the PESs.

E.4 Generic Issues and Containment Performance Improvements

The IPE addresses decay heat removal (DHR). Several methods of DHR are mentioned:

1. For transients, secondary cooldown and depressurization (using either emergency feedwater, EF, or main feedwater, FW, and condensate systems), feed and bleed (i.e., HPI system, the pressurizer PORV, and the associated operator actions).
2. For small LOCA events some decay heat is removed through the break while the remainder is removed by the EF System or feed and bleed operation.
3. During small LOCA events or after feed and bleed cooling, when recirculation or normal RHR cooling is established, decay heat removal is accomplished by the RHR heat exchangers or the RBCUs.

These methods are described in detail in the submittal. However, neither the submittal nor the RAI responses provided clear-cut quantitative information about the CDF contributions of the DHR and its constituent systems (including feed and bleed). Instead, in the RAI responses, the Fussell-Vesely importance of top events associated with the systems modeled for DHR are listed.

In addition to USI A-45 (DHR Evaluation) the following USI is considered in the submittal:

USI A-17, "Systems Interactions in Nuclear Power Plants." NRC has determined that the licensee needs to take two actions to resolve this issue: a) consider insights from the appendix of NUREG-1174 in implementing the IPE requirement for an internal flooding assessment, and b) continue to review information on events at operating nuclear power plants.

The licensee states that a) above was answered by an extensive analysis of internal flooding and water intrusion. After incorporating the flooding scenarios into the plant model and quantifying the results, the internal flooding was a relatively small contributor to the overall frequency of core damage (about 0.8% of the total). As for part b) the utility presumably is doing what was requested. The licensee considers this issue to be resolved.

No other USIs or Generic Safety Issues (GSIs) were addressed in the submittal. However, the licensee stated (Section 3.4.4) that SCE&G may elect to pursue resolution of other safety issues using the IPE at a later date.

The CPI recommendation for PWRs with a dry containment is the evaluation of containment and equipment vulnerabilities to localized hydrogen combustion and the need for improvements. Although the effects of hydrogen combustion on containment integrity and equipment are discussed in the submittal, the CPI issue is not specifically addressed. More detailed information on this issue is provided in the licensee's response to the RAI (Level 2 Question 8). According to the response, walkdowns performed by FAI and VCSNS indicated that the open design and significant venting areas for the subcompartments within the containment help ensure a well-mixed atmosphere, a feature which inhibits combustible gas pocketing. Although a well-mixed atmosphere is expected in most of the containment areas, the walkdown did identify one potential location for hydrogen pocketing, in the vicinity around the "C" accumulator at the 436 ft. elevation. However, the walkdown noted that no ignition sources were found at the 436 ft. elevation and that at worst, hydrogen combustion at this elevation could destroy the vertical duct risers, with no potential for challenging the structural integrity of the containment. A detailed assessment for hydrogen deflagration to detonation transition also showed that it was unlikely to lead to containment failure.

E.5 Vulnerabilities and Plant Improvements

The vulnerability issue was explicitly treated in the submittal using the NUMARC 91-04, "Severe Accident Closure Guidelines." In the RAI responses the licensee emphasizes that the primary reason for selecting this method from various other vulnerability "uncovering" methods (system level importance calculations, review of top sequences, or review of initiating event contribution to the total CDF) was the aim to be consistent with the industry. The identification of the vulnerabilities was not limited to using the NUMARC process. It was done as an ongoing process throughout the whole time period of the IPE program and implicitly includes all the knowledge gained from the complete IPE process.

Based on the above vulnerability screening process the submittal identified that the primary IPE-driven enhancement to plant safety was the development of an abnormal operating procedure (AOP) to address a total loss of chilled water. This AOP represents that improvement where the most cost effective "safety benefit" could be obtained. In addition, accident categories were designated to be sources of input for the implementation of any future severe accident management program at VCSNS, consistent with the plant, industry, and forthcoming NRC direction.

The RAI response reiterates that from the point of view of vulnerability the lone remaining issue is SBO, i.e., the RCP's O-ring replacement. The Westinghouse guidance is to replace the standard O-rings with the new high temperature O-rings.

Section 6.1 of the submittal describes the plant improvements. The RAI responses provided a summary of the plant improvements discussed in the submittal and also the improvement to eliminate the dependency of the CCW water pumps and charging pumps on the VU system for cooling.

Because of the concise and tabular form of this summary, it is reproduced in Table 10 of this TER. For each improvement, the following information is provided:

  • description of improvement,
  • date the improvement was implemented in the plant or status of evaluation,
  • whether or not the improvement was credited in the IPE,
  • the impact of the improvement on the CDF,
  • the basis for the improvement.

The majority of the improvements have not been credited in the IPE. The impact of the elimination of CCW and charging pumps' dependency on the VU system was evaluated in a study after the IPE results were submitted to the NRC. (For completeness, the licensee provided a modified table for CDF by initiating event and another modified table for top event importance ranking.) The CDF is reduced to 1.22E-04/r.-year from the IPE submittal's value of 2.04E-04/r.-year.

The criterion used in the IPE to determine whether a vulnerability related to unusually poor containment performance exists is:

"Any source term analysis bin which represents containment failure, bypass or failure to isolate, occurs with a frequency greater than 1E-5 events per year, and in which a single function, system, operator action, or other element can be identified which substantially contributes to the total frequency. The present state-of-the-art of containment system analysis (as noted in Generic Letter 88-20) may be considered when evaluating any potential vulnerability identified by the criterion."

Based on the above criterion, no plant-specific vulnerabilities were identified by the VCSNS Level 2 analysis.


E.6 Observations

Strengths of the VCSNS IPE are primarily associated with its "philosophical approach," nicely formulated in the RAI responses: the preparation and use of the IPE at VCSNS "is not driven by the 'pursuit' of lower CDF numbers." The observation of the reviewer is that this statement of the licensee is indeed accurate, and expressed by the relatively high value of the total CDF.

One can see that an integral part of the IPE development process involved quantifying the model with limited recovery actions, a tendency of using pessimistic initiating event frequencies and plant specific failure rates and in several cases making pessimistic assumptions (see the vulnerability screening process). Therefore, in some cases, more realistic assumptions or crediting a proceduralized recovery action lowers the frequency of a particular sequence, or category of sequences. But in other cases, such as the loss of Chilled Water (VU), based on the IPE, a need was identified for a plant change. For instance: "The development of the Loss of Chilled Water AOP involved producing a new procedure, pre-staging dedicated hoses, fittings, and tools, and training the operations staff" (to operate a charging pump using a temporary demineralized water connection). "After the IPE was submitted, a decision was made to further eliminate the dependency on VU by using the more reliable CCW system to cool the charging pump skids and the CCW pump motors. In addition, dedicated connections were installed on the new charging pump cooling lines for 'Emergency Cooling' in the event CCW is lost. These connections are in an easily accessed, open area on an elevation directly above the charging pumps. A new Total Loss of CCW procedure was written to address the loss of CCW and take advantage of the pre-staged hoses, and proximity to back-up chilled water, demineralized water, and fire service water sources. This modification had been considered years before, but not until the IPE process was complete had the magnitude of the change on plant safety been understood. This is one of the key benefits of the IPE/PSA process, and demonstrates the adherence to the intent of Generic Letter 88-20 in understanding the most likely severe accident sequences."

Other positive aspects of the Level 1 IPE are as follows: thorough analysis of initiating events and their impact, descriptions of the plant responses, application of the observations of reviewers and usage of plant specific data where possible to support the quantification of initiating events and component unavailabilities. The presentation of the analysis is well structured, the quantification process is systematic and traceable. The effort seems to have been evenly distributed across the various areas of the analysis.

No major weaknesses of the Level 1 IPE were identified. A minor weakness was the application of generic MGL common cause factors for a large variety of plant components of diverse nature.

The HRA review of the Summer IPE indicated that a viable approach was used in performing the HRA. While the modified THERP method applied by the licensee has several problems and limitations, it did not appear that the nature of the problems were significant enough to have prevented the licensee from identifying important HRA related vulnerabilities. Thus, the submittal appears to meet the intent of Generic Letter 88-20 in regards to the HRA. Important elements pertinent to this determination include the following:


1) The submittal indicated that utility personnel were involved in the HRA and the procedure reviews, discussions with operations and training staff, and walkdowns of operator actions represent a viable process for confirming that the HRA portions of the IPE represent the as-built, as-operated plant.
2) The analysis of pre-initiator human actions focused on restoration faults. Miscalibrations of various sensors and instruments were determined not to be important for several reasons. While the arguments provided by the licensee were not unreasonable, it should be noted that miscalibration events have been explicitly modeled in other IPEs and in some instances have been shown to be significant contributors. Thus, the licensee's treatment of miscalibration events may have precluded identification of potentially important pre-initiator events (even if they were not major contributors) and must therefore be considered a weakness of the HRA.

3) The licensee conducted a systematic and detailed HRA of post-initiator human actions. The HRA analysis notebook indicates that the demands placed on operators in specific scenarios were considered and that relevant dependencies were addressed. In particular, context specific factors and dependencies were considered and modeled in the HRA.

However, problems arise from the licensee's interpretation of THERP in regards to the treatment of diagnosis errors (particularly in terms of their inappropriate consideration of time) and their application of recovery credits that appear to go beyond that indicated by THERP, e.g., slack time recovery credit. The licensee defends their interpretation of THERP and provides examples to illustrate that the HEP values they obtained are not any lower than would be obtained using the THERP diagnosis model. While the licensee did appear to closely follow THERP in their five illustrations, it should be noted that they "exercised" the model to its fullest in the sense that the values obtained are about as low as could be obtained with the model, e.g., credit was taken for multiple control room recoveries even in short-time frame scenarios. Such values are only justified in the THERP model when very detailed analysis is performed and such credit is not generally applied across all or even most actions. Thus, there are several aspects of the modified THERP which could have produced unrealistic or underestimated HEPs. In particular, the diagnosis failure probability for short-time frame events could be underestimated due to the lack of a direct consideration of time and events in which credit for local recovery or slack time were taken could also be underestimated.

A review of the HEPs for all the post-initiator response type actions indicates that in many instances the HEPs tend to be lower than those obtained for similar events in other IPEs. However, in most cases, the relative ranking of the HEPs for the modeled events did not appear unreasonable. Two exceptions included an HEP of 2.8E-3 for manual trip along with an HEP of 4.59E-6 for emergency boration. Manual trip is usually considered an "immediate operator action" that is memorized and well practiced, and very low probabilities of failure are usually assigned. Alternatively, initiating emergency boration is an event for which only ten minutes are assumed available and for which considerable stress would be likely. While it is unlikely that such a low value would have been obtained with the THERP diagnosis model, this event would usually be asked only in cases where ATWS related hardware failures had occurred. In such a context and given the relevant emergency procedures available, it is not unreasonable to expect a fairly low operator failure probability for initiating emergency boration.

Regardless, in spite of the tendency to have relatively low HEPs, the licensee's consideration of dependencies along with their detailed analysis appears to have resulted in a reasonable ranking of events in terms of their HEPs. The main concern with low HEPs is that potentially important events may have been truncated out. However, the calculational cutoff frequency was reported to be 1.0E-12 (page 3-178 of the submittal). In addition, the top 250 dominant sequences, accounting for 92% of the CDF, were subjected to a sensitivity analysis. Importance measures indicated that several of the most important human actions had low HEPs, but were still found to be important in terms of either risk reduction or risk achievement (see section 2.3.2.5). Thus, it does not appear that the low HEPs precluded identification of potential vulnerabilities related to operator actions.

4) Fourteen recovery events modeled were for recovering service water, chilled water, and component cooling water under different conditions and for different time frames. The licensee indicated that recovery probabilities were determined on the basis of judgments from "four plant experts." The licensee's response to the RAI described a relatively detailed and systematic procedure that was used to obtain the judgments and compute the resulting HEPs. The general approach involved estimating the probability of recovering individual component failures that determine the system failures and combining those probabilities by a weighted average. The weighting is based "on the importance of the component failure to the system failure, that is, the cutset probability for that component." Assuming expert judgments had to be used, neither the approach nor the resulting HEPs appeared unreasonable.

5) A list of important human actions based on their contribution to core damage frequency was provided in the submittal.

The important points of the technical evaluation of the IPE back-end analysis are summarized below:

1. The back-end portion of the IPE supplies a substantial amount of information with regards to the subject areas identified in Generic Letter 88-20.
2. The Virgil C. Summer Nuclear Station IPE provides an evaluation of all phenomena of importance to severe accident progression in accordance with Appendix I of the Generic Letter.
3. Except for containment overpressure failure, isolation failure, and bypass, all other containment failure modes are considered as unlikely and thus not included in containment failure quantification. These include all phenomena that may cause early containment failure (steam explosion, hydrogen combustion, and DCH), and some phenomena that may cause late containment failure (molten core debris interaction and thermal attack of containment penetrations). Uncertainties of these phenomena on containment failure probabilities are not included in the sensitivity studies.

4. Induced steam generator tube rupture is not considered in the IPE. According to the response to RAI, Westinghouse Maintenance Item #DW-93-019, which procedurally prevents operators from restarting the RPS if the steam generator water level is too low, has been implemented at VCSNS. This reduces the concern of ISGTR at VCSNS.

5. The release fraction of volatile fission products for late containment failure is specified in the submittal as less than that for no containment failure. This is primarily due to the operation of the containment spray and the long time between accident initiation and late containment failure (almost 48 hours after accident initiation). The release fraction for late containment failure will significantly increase if containment spray is not available.

6. The containment analyses indicate that there is a 21.2% conditional probability of containment failure. The conditional probabilities are about 0.4% for containment bypass, of which 0.3% is from SGTR, negligible for early containment failure, 0.3% for isolation failure, and 20.5% for late containment failure. Of the 76.5% for no containment failure, 11.5% involves accident management state (i.e., with no containment failure for the 48 hour mission time but with recovery actions required to prevent containment failure beyond the 48-hour mission time).


7. The licensee has addressed the recommendations of the CPI program.

The elimination, and thus exclusion, of most containment failure modes from containment failure quantification limits the use of the Level 2 analysis for systematic evaluations of the relative importance of these failure modes and the investigation of potential benefit of recovery actions on overall containment performance.


NOMENCLATURE

AOP      Abnormal Operating Procedures
ATWS     Anticipated Transient Without Scram
ATWT     Anticipated Transient Without Trip
BOP      Balance of Plant
CCF      Common Cause Failure
CCW      Component Cooling Water
CDF      Core Damage Frequency
CET      Containment Event Tree
CHR      Containment Heat Removal
CPI      Containment Performance Improvement
CVCS     Chemical and Volume Control System
DCH      Direct Containment Heating
DG       Diesel Generator
DHR      Decay Heat Removal
ECCS     Emergency Core Cooling System
EF       Emergency Feedwater
EOP      Emergency Operating Procedures
EPRI     Electric Power Research Institute
ERG      Emergency Response Guidelines
ESF      Engineered Safeguards Features
ESFAS    Engineered Safety Features Activation System
F-V      Fussell-Vesely
FAI      Fauske & Associates, Inc.
FTC      Failure to Close
FTO      Failure to Open
FTR      Failure to Run
FTS      Failure to Start
FW       Main Feedwater
GL       Generic Letter
GSI      Generic Safety Issue
HEP      Human Error Probability
HPI      High Pressure Injection
HPME     High Pressure Melt Ejection
HRA      Human Reliability Analysis
IA       Instrument Air
IPE      Individual Plant Examination
IR       Independent Review
ISGTR    Induced Steam Generator Tube Rupture
ISLOCA   Interfacing System LOCA
LER      Licensee Event Report
LOCA     Loss-of-Coolant Accident
LOOP     Loss of Off-Site Power
LOSP     Loss-of-Offsite Power
LPI      Low Pressure Injection
MAAP     Modular Accident Analysis Program
MCCI     Molten Core Concrete Interaction
MDAFW    Motor Driven AFW
MDEF     Motor Driven Emergency Feedwater
MGL      Multiple Greek Letter
NRC      Nuclear Regulatory Commission
PDS      Plant Damage State
PES      Phenomenological Evaluation Summaries
PORV     Power Operated Relief Valve
PRA      Probabilistic Risk Assessment
PRT      Plant Response Tree
PSA      Probabilistic Safety Assessment
PSF      Performance Shaping Factor
PWR      Pressurized Water Reactor
RAI      Request for Additional Information
RBCU     Reactor Building Cooling Unit
RC       Release Category
RCP      Reactor Coolant Pump
RCS      Reactor Coolant System
RHR      Residual Heat Removal
RWST     Refueling Water Storage Tank
SAIC     Science Applications International Corporation
SBO      Station Blackout
SCE&G    South Carolina Electric and Gas
SG       Steam Generator
SGTR     Steam Generator Tube Rupture
SI       Safety Injection
SRO      Senior Reactor Operator
STB      Source Term Bins
SW       Service Water
TDAFW    Turbine Driven AFW
TDEF     Turbine Driven Emergency Feedwater
TER      Technical Evaluation Report
THERP    Technique for Human Error Rate Prediction
USI      Unresolved Safety Issue
VCSNS    Virgil C. Summer Nuclear Station
VU       Chilled Water System

1. INTRODUCTION

1.1 Review Process

This technical evaluation report (TER) documents the results of the BNL review of the V.C. Summer Nuclear Station Individual Plant Examination (IPE) submittal [IPE submittal and RAI Responses]. The TER adopts the NRC review objectives, which include the following: (1) to assess if the IPE submittal meets the intent of Generic Letter 88-20, and (2) to determine if the IPE submittal provides the level of detail requested in the "Submittal Guidance Document," NUREG-1335.

A Request for Additional Information (RAI), which resulted from a preliminary review of the IPE submittal, was prepared by BNL and discussed with the NRC's "Senior Review Board". Based on this discussion, the NRC staff submitted an RAI to South Carolina Electric & Gas Company (SCE&G) on January 11, 1996. SCE&G responded to the RAI (RAI Responses) in a document dated March 20, 1996. This TER is based on the original submittal and the response to the RAI.

1.2 Plant Characterization

The Virgil C. Summer Nuclear Station (VCSNS) is a single unit plant having a 900 MWe Westinghouse pressurized water reactor (PWR). The reactor coolant system (RCS) consists of the reactor vessel and three closed reactor coolant loops, each containing a reactor coolant pump and a steam generator. An electrically heated pressurizer is connected to the hot leg of one reactor coolant loop. The reactor coolant pumps are vertical, single stage centrifugal pumps equipped with controlled leakage shaft seals. The steam generators are vertical, U-tube type heat exchangers (Westinghouse Model D) with Inconel tubes. The RCS is housed inside a large dry containment.

Reactors with similar characteristics are: Beaver Valley 1/2, Farley 1/2, H.B. Robinson, North Anna 1/2, Shearon Harris 1, Surry 1/2 and Turkey Point 3/4.

The plant is located north (2.5 miles) of Parr, South Carolina. It is adjacent to the manmade Monticello reservoir that provides the water requirements for the nuclear station and a pumped storage facility. The pumped storage facility can raise or lower the reservoir level approximately 4.5 feet when the plant is in operation. The plant is owned and managed by the South Carolina Electric & Gas Company (SCE&G). Full commercial operation began on January 1, 1984.

A number of design features of the plant impact the core damage frequency (CDF) relative to those of other PWRs. The submittal highlights these features, but does not evaluate their effects on the CDF quantitatively. These features are as follows:

sized to provide design flow plus margin with two 50% motor-driven pumps (EFMDPs) or one 100% turbine-driven pump (EFTDP). Since that time the design flow requirement has been reduced such that the EFS became a system with three full-capacity pumps. Essentially the large margin allowed the EFS to satisfy design heat removal requirements with one-out-of-three pumps and thus increased the reliability of the system in the plant model.
  • Of the three air-operated pressurizer PORVs, two are supplied with air accumulators. This feature allows these PORVs to be used on loss of Instrument Air events, and when the Reactor Building is isolated and air cannot be restored in a timely fashion.

  • The RAI response calls attention to the Westinghouse Model D steam generators, which include a preheater. Automatic feedwater isolation was included for low flow (<13%) and low temperature (<225°F). This feature protected the preheater from water hammer at these low power conditions. However, it caused many transients in the early period of plant operation. In 1994 the Model D SGs were replaced with Westinghouse Delta-75 SGs, and presently the above negative feature is completely eliminated. (This change is not reflected in the IPE submittal.)
  • Several steam dump mechanisms provide secondary side cooldown on events that require this process. The steam dump mechanisms are: a.) the 85% turbine bypass system that allows 49% steam dump to the condenser (through eight valves) and 39% steam dump to the atmosphere, b.) the atmospheric steam dump system, which includes three atmospheric relief valves, common to all three steam generators (SGs), and three power operated relief valves, i.e. SG PORVs (one on each SG), and c.) five safety valves on each SG. The SG PORVs can be operated locally during a station blackout.
  • While the plant is designed with two train redundancy, some systems have additional redundancy through the use of spare equipment that can be aligned to either train. The Service Water (SW), Component Cooling Water (CCW), Chilled Water systems, and the Chemical and Volume Control System (CVCS) each have additional equipment (pumps and chillers) that can be aligned mechanically and electrically to either of the two redundant trains of these systems.

  • The recirculation design employs a semiautomatic switchover. When the level of the RWST reaches the low-low setpoint in coincidence with a safety injection signal (SI), a signal is generated that automatically opens the containment recirculation sump isolation valves. When the sump isolation valves are full open, the operator must close only the RWST isolation valves.

  • The plant has four Reactor Building cooling units (RBCUs). Under normal operating conditions three out of four cooling units are operating. The fans are running at high speed and cooled by industrial cooling water. In emergency mode, only two of the RBCUs (one on each train) will receive a switchover signal to reduce speed and get service water for cooling. The requirement to provide containment cooling is only one RBCU. The fan units in fact can also provide core cooling during the recirculation phase.

  • VCSNS does not require a fast bus transfer of the MP power after a reactor/turbine trip. A main generator breaker with a high interrupt capacity is used to disconnect the generator output from the low side of the main power transformer. The unit auxiliary transformer, which normally supplies the BOP buses, provides continuous power throughout most transients. This feature was not specifically credited in the plant model. However, it is believed that it increases the reliability of the BOP Power System.

  • According to the RAI response the original vital batteries of the plant did not have sufficient capacity to cope for four hours without stripping non-essential loads. VCSNS was categorized as a four hour coping plant. After the SBO rule a plant modification was performed (MRF-21595) to extend battery capacity beyond the four hour requirement without the need for operator action to strip loads. This modification was implemented well before the IPE "freeze" date. (No other plant modifications were required to cope with an SBO.) The SBO event tree does assume a four hour battery capacity.

  • The plant has a diesel driven air compressor ("Sullair") to maintain instrument air should an SBO or a loss of IA event occur. The air compressor requires no cooling systems (it is air cooled). This compressor is only credited in the loss of IA initiator, where it must be manually started and valved in the permanent IA header, and used for post trip control of air operated valves.
  • An AMSAC system has been installed at VCSNS. It provides a backup to the Reactor Protection System and the ESF Actuation System (ESFAS) for initiating turbine trip and emergency feedwater flow. The system is credited in the IPE.

  • The RCP seal cooling is provided by two mechanisms at VCSNS. The Charging System provides seal injection, and the CCW performs the thermal barrier cooling. Both systems consist of three pumps (one per train and a swing pump). Effectively the CCW booster pumps are used for thermal barrier cooling. The charging pumps and the CCW pumps are supplied by ESF power; however, the CCW booster pumps are supplied by BOP power. The chilled water (VU) system provides cooling to the RCS charging pump gear and oil coolers and the CCW pump motors. To prevent an RCP seal LOCA, the seals must be cooled by either of the two mechanisms and the systems associated with these mechanisms must function.

The drawback of the design is that the CCW booster pumps are powered from BOP sources. Therefore, in the event of a LOOP, the only seal cooling mechanism is via seal injection. The RAI response states that the plant recently eliminated the use of the chilled water (VU) system to cool the charging pumps and CCW pump motors. Through this plant modification, the charging pumps are now cooled by the CCW system, and the CCW pump motors receive cooling water from the discharge of the CCW pump (i.e. self-cooled).

The Virgil C. Summer Nuclear Station utilizes a large dry containment design. The containment structure is a prestressed, post-tensioned concrete cylinder resting on a reinforced concrete slab and closed at the top by a prestressed, post-tensioned concrete dome. The reactor coolant system is a Westinghouse three-loop design. Some of the plant characteristics important to the back-end analysis are summarized in Table 1 of this report.

Both the power level and the containment free volume of VCSNS are between those of Zion and Surry. The containment free volume to power level ratio is less than that of both Zion and Surry, but the containment design pressure and the median containment failure pressure are greater than those of both Zion and Surry. The parameters presented in Table 1 provide rough indications of the containment's capability to meet severe accident challenges. It should be noted that both the containment strength and the challenges associated with the severe accident involve significant uncertainties.

Table 1 Plant and Containment Characteristics for Virgil C. Summer Nuclear Station

Characteristic                                  VCSNS        Zion         Surry
Thermal Power, MW(t)                            2775         3236         2441
RCS Water Volume, ft³                           NP*          12,700       9200
Containment Free Volume, ft³                    1,840,000    2,860,000    1,800,000
Mass of Fuel, lbm                               NP           216,000      175,000
Mass of Zircalloy, lbm                          NP           44,500       36,200
Containment Design Pressure, psig               57           47           45
Median Containment Failure Pressure, psig       142          135          126
RCS Water Volume / Power, ft³/MW(t)             NP           3.9          3.8
Containment Volume / Power, ft³/MW(t)           663          884          737
Zr Mass / Containment Volume, lbm/ft³           NP           0.016        0.020
Fuel Mass / Containment Volume, lbm/ft³         NP           0.076        0.097

* Not provided in the IPE submittal.

The plant characteristics important to the back-end analysis are:

  • A cavity design which facilitates flooding of the reactor cavity as well as provides an effective barrier to debris dispersal following HPME. According to the IPE, water can readily flow from the upper compartment to the annular containment and lower containment floors. Flooding of the cavity is accomplished through the cavity cooling fan opening. The VCSNS geometry, in comparison with Zion, would trap and de-entrain more debris than that in the Zion configuration (Response to RAI Level 2 Question 1).
  • A large cavity floor area with a thick basemat and extensive fill concrete. The cavity floor area is 716 ft². The combined thickness of the cavity floor and basemat is 13.7 ft. A simple estimate shows that the debris depth in the cavity would be less than 25 cm (Response to RAI Level 2 Question 3).
  • The large containment volume, high containment pressure capability, and the open nature of compartments, which facilitates good atmospheric mixing. Although the containment volume to thermal power ratio is lower for VCSNS than most PWR plants with large dry containments, the containment design pressure is higher.
  • Two separate systems for containment atmosphere cooling and pressure suppression: the Reactor Building Cooling Units (RBCUs) and the Containment Spray system.¹ According to the IPE, only the RBCU system is designed to remove decay heat from the containment, and only one RBCU is needed to provide sufficient containment cooling. Containment spray can be considered only as a short-term containment pressure reduction system. The operation of containment spray reduces fission product releases.
  • The implementation of Westinghouse ERG Maintenance Item #DW-93-019 which procedurally prevents operators from restarting the RCPs if the steam generator water is too low. This removes the concern about induced SGTR by RCP restarting.

¹ The Residual Heat Removal (RHR) System, although not a containment system, also provides a means of long-term containment heat removal.

2. TECHNICAL REVIEW

2.1 Licensee's IPE Process

2.1.1 Completeness and Methodology

The licensee has provided the type of information requested by Generic Letter 88-20 and NUREG 1335.

The front-end portion of the IPE is a Level 1 PRA. The specific technique used for the Level 1 PRA was a variation of the large event tree/small fault tree technique and it is clearly described in the submittal.

Internal initiating events and internal flooding were considered. Two support system event trees were developed: one for initiating events involving SI signal (all LOCAs) and transients, and the second for the LOSP event. The end points of the support system trees served as starting points for the main event tree analysis and the quantification of the main event trees. The submittal calls the main event trees Plant Response Trees (PRTs). The PRTs were used to define the possible outcomes of each initiating event as determined by the availability of plant safety systems and the success of essential operator actions. The PRT endpoints were then used for the proper integration of the Level 1 analysis and the containment analysis portions (the "interface") of the IPE.

While uncertainty analyses were not performed, sensitivity analyses were conducted on some specific areas, such as: Operator Action Failure Probabilities, Transient Initiating Event Frequencies, Loss of BOP, and the Implementation of Loss of Chilled Water Abnormal Operating Procedure.

The CDF impact of implementation of changing the cooling dependency of the CCW pumps and charging pumps from the chilled water system to the CCW system was evaluated recently, and the updated results are reported in the RAI response.

Importance analyses were also conducted for the top events of the PRTs. The RAI response lists them for various "cases": the base case (IPE submittal), the Chilled Water AOP sensitivity case (also IPE submittal), and the IPE/PRA update case.

To complete the VCSNS IPE, other PRA studies or IPEs for plants deemed to be similar to VCSNS were reviewed. Such studies were: the Millstone 3, Diablo Canyon, Zion, and [illegible] 1/2 IPEs, and the Seabrook PRA. The NUREG-1150 studies were also used as reference for the IPE study.

The submittal information on the HRA process was minimal. However, the additional information/clarification obtained from the licensee through an NRC request for additional information and by receipt of the HRA analysis notebook from the licensee indicated that the HRA (with the exception of the modeling of miscalibration events) was generally complete in scope. The HRA process for the Summer IPE considered both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response to an accident). The analysis of pre-initiator actions considered both miscalibrations and restoration faults, but only restoration faults were explicitly modeled. Miscalibrations of various sensors and instruments were determined not to be important for several reasons. While the arguments provided by the licensee were not unreasonable, it should be noted that miscalibration events have been explicitly modeled in other IPEs and in some instances have been shown to be significant contributors. Thus, the licensee's treatment of miscalibration events may have precluded identification of potentially important pre-initiator events (even if they were not major contributors) and must therefore be considered a weakness of the HRA.

With the exception of events excluded on the basis of a qualitative screening applied during the pre-initiator human action selection process, all pre-initiator restoration errors were given detailed HRA analysis using the Technique for Human Error Rate Prediction (THERP) described in NUREG/CR-1278. A detailed discussion of the application of the methodology to restoration events was provided in the licensee's response to the NRC's RAI. The response indicated that a thoughtful and reasonable application of the THERP methodology was used to quantify the pre-initiator restoration faults.

Post-initiator human actions modeled included both response-type and recovery-type actions. A formal screening of operator actions was not performed. The licensee states that early in the IPE process a decision was made to conduct a detailed evaluation of each operator action. The goal was "to obtain an operator response model of the plant that is as realistic as possible."

All post-initiator response type actions were quantified through the use of THERP. A general discussion of the application of the methodology to response actions was provided in the licensee's response to the NRC's RAI. A review of the discussion regarding the quantification of response actions, in conjunction with a review of the licensee's HRA analysis notebook, suggests that a detailed analysis of operator actions was conducted. The human actions were quantified with a systematic (but modified) application of the THERP methodology. Per THERP, PSFs for stress level and crew redundancy were considered, as were potential dependencies between and within events, e.g., accident sequence context was evaluated.

While the systematic application of the (modified) THERP methodology appeared to produce relatively consistent HEPs, there are several aspects of the quantification of post-initiator response type actions performed by the licensee which clearly have the potential to be problematic. Examples of such aspects include the licensee's interpretation of THERP in regards to the treatment of diagnosis errors (particularly the inappropriate consideration of time) and their application of recovery credits that appear to go beyond that indicated by THERP, e.g., credit for recovery of failed actions as a function of "slack time." The licensee defends their interpretation of THERP and provides examples to illustrate that the HEP values they obtained with their analysis are not any lower than would be obtained using the THERP diagnosis model.

While the licensee did appear to closely follow THERP in their five illustrations, it should be noted that they "exercised" the model to its fullest in the sense that the values obtained are about as low as could be obtained with the model, e.g., credit was taken for multiple control room recoveries even in short-time frame scenarios. Such values are only justified in the THERP model when very detailed analysis is performed and such credit is not generally applied across all or even most actions. Thus, there are several aspects of the modified THERP which could have produced unrealistic or underestimated HEPs. In particular, the diagnosis failure probability for short-time frame events could be underestimated due to the lack of a direct consideration of time, and events in which credit for local recovery or slack time were taken could also be underestimated.

According to the licensee, modeling of recovery type actions was limited to actions associated with the repair or restoration of components to operable conditions within a given amount of time. They did not "involve the ability of the plant operators to respond to events via procedures." A different quantification technique was used for recovery actions than was used for response type actions. The licensee indicated that recovery probabilities were determined on the basis of judgments from "four plant experts." The licensee's response to the RAI described a relatively detailed and systematic procedure that was used to obtain the judgments and compute the resulting HEPs. Assuming expert judgments had to be used, neither the approach nor the resulting HEPs appeared unreasonable.

The licensee did identify human errors as important contributors in accident sequences leading to core damage and several recommendations to improve procedures were implemented as a result of the IPE.

The Virgil C. Summer Nuclear Station Individual Plant Examination (IPE) back-end submittal is essentially consistent with respect to the level of detail requested in NUREG-1335. However, a CET is not developed specifically for Level 2. A single event tree, the plant response tree (PRT), is used for both the Level 1 and Level 2 analyses. Since most of the phenomena that may challenge containment integrity are dismissed in the IPE as unlikely to cause containment failure (by the use of phenomenological evaluation summaries prepared by FAI), quantification of containment failure is greatly simplified in the VCSNS IPE. Quantification of containment failure is primarily based on the availability of containment heat removal addressed in the PRT.

  • Since a single event tree is used for both Level 1 and Level 2 analyses, the grouping of Level 1 sequences to plant damage states (PDSs) for interface between the Level 1 and Level 2 analyses is not required in the VCSNS IPE. However, sequence grouping is used in the VCSNS IPE to consolidate the large number of accident sequences obtained from the Level 1 analysis into a small number of damage states (called accident sequence damage states or plant damage states, PDSs, in the IPE submittal) such that all sequences within a particular damage state can be treated as a group for assessing accident progression, containment response, and fission product release.

  • The PRT developed in the VCSNS IPE explicitly includes the analysis of containment systems normally assessed in the Level 2 analysis. Containment condition is addressed in the PRT by the development of success criteria for containment integrity, and, according to the IPE submittal, containment integrity is maintained if the containment is isolated and containment heat removal (CHR) is available. Successful containment heat removal, based on plant-specific MAAP analyses and containment pressure capability (142 psig), can be provided by one of two RBCUs or one RHR heat exchanger (with associated recirculation train). Containment spray for VCSNS can only provide short-term containment cooling, not long-term CHR.

  • Except for containment overpressure failure due to the loss of CHR, all other containment failure modes identified in NUREG-1335 are addressed in the phenomenological evaluation summaries (prepared in support of the IPE, but not included in the IPE submittal) and dismissed as unlikely failure modes and thus not included in the containment failure quantification for VCSNS. Although the contributions to containment failure probability from these unlikely containment failure modes are expected to be small, and their exclusion from containment failure quantification in the VCSNS IPE may be justified, the lack of consideration of these failure modes in the IPE in a structured way, such as can be provided by a CET, precludes a systematic means to examine the relative (quantitative) importance of these failure modes and the effects of some recovery actions (e.g., depressurization) on these failure modes.

  • Results of the PRT analysis for Level 2 are grouped into ten source term bins (STBs). Release fractions for these STBs are determined by the analyses of representative sequences in the STBs using MAAP computer codes. Based on containment failure timing, containment failure mode, and the fractional release of fission products, these STBs are further grouped into five release categories.

2.1.2 Multi-Unit Effects and As-Built, As-Operated Status

There are no other units on site.

A wide variety of up-to-date information sources were used to develop the IPE (they are summarized in Table 2.4-1 of the submittal). For example: the VCSNS Final Safety Analysis Report (FSAR), current Technical Specifications, abnormal operating procedures, maintenance and test procedures, reactor trip reports, monthly operating reports, plant drawings, operator maintenance work requests, HVAC normal heat loads, etc. Plant walkdowns were performed for a number of objectives in addition to the familiarization of the analysts with the plant systems and layout. The objectives included, e.g., confirmation of "as-built system" configurations, assessment of room environment and potential room hazards, identification of local controls and spatial interactions, assessment of potential recovery actions, and collection of information for internal flooding.

Plant-specific information was collected from a variety of plant databases, logs and reports. Generic data from credible industry sources were used to supplement plant-specific information when plant-specific data were not available or did not constitute a valid data base.

Detailed system notebooks were developed for each of the systems modeled. Similarly, notebooks were developed for major analyses of the IPE, such as: initiating events, internal flooding, and so forth. When identified, differences between source documents and real systems or layouts were resolved through discussions between the IPE team and plant personnel.

Individuals from all major departments supported the review of the system notebooks and the IPE model to ensure that it reflected plant design and operation. Two SRO-licensed individuals participated in the review of critical operator actions for the HRA. Westinghouse and FAI participated in three separate plant walkdowns "to gain first hand knowledge of the physical layout of the modeled systems." These activities, along with appropriate reviews of procedures, interviews with appropriate plant personnel, and access to the computerized maintenance work order database helped to ensure the IPE HRA represented the as-built, as-operated plant.

Insofar as the back-end analyses are concerned, it appears that all the VCSNS containment specific features are modeled.

The submittal states that a cut-off date of January 1, 1990 was chosen for the IPE to represent the current plant design. Thus the IPE model represents the as-built, as-operated, as-maintained condition of the VCSNS as it existed as of January 1, 1990.

The submittal does not explicitly indicate whether the licensee intends to maintain a "living" PRA. (It indicates only that all documentation pertaining to the IPE is available at the SCE&G offices for review, as necessary.) Based on the RAI response, however, one can infer that since the date of the IPE submittal the licensee recognized the significance of a "living PRA" and maintains the IPE accordingly.

2.1.3 Licensee Participation and Peer Review -

Licensee participation in the IPE process and review activities are discussed in Section 5 and Appendix D of the IPE submittal. The group responsible for all IPE-related activities at V.C.

Summer is the Design Engineering Department of the SCE&G Company. However, other ,

departments also participated in the effort, such as Systems Engineering, Operations, Nuclear ,

Licensing, and Training personnel; altogether forty persons. Since SCE&G had no previous experience in PRA activity, the responsibility for the completion of IPE rested with experienced consultants from the Nuclear and Advanced Technology Division of Westinghouse Electric Corporation; Fauske and Associates, Inc. (FAI) and, of course, the PRA group within Design Engineering. Essentially, other personnel provided extensive support for the various phases of .

the IPE effort.

De system and the dependency notebooks, critical operator actions, and recovery actions were reviewed by these personnel. They provided valuable assistance also to the IPE analysts during plant walk-downs. Comments received during this review were incorporated into a " final draft"  ;

or otherwise addressu!. The licensee stated that this process has served to ensure the quality of the draft and exposed the SCE&G personnel to PRA techniques. To fulfill the independent 11

} review requirements of Generic Letter 88-20 the submittal describes four reviews which were -

1-deemed to be independent in nature: a phase one independent review (IR), that was concerned .

primarily with the level I work; a second phase IR whose subject was the Containment System Performance (Back-End) analysis; a third IR , which was concerned with the HRA portion of the IPE; and a fourth IR, which covered all aspects of the level I work, i ne IR phase one team was composed of three individuals, all current or former holders of SRO

, licenses. His team reviewed the " foundation documents", such as: success criteria, initiating

[ events, data, system fault trees, support state models, event trees, and the supporting notebooks for each analysis.  !

The IR phase two team was also composed of three individuals: two from VCSNS and an outside PRA specialist from Science Applications International Corporation (SAIC). This team reviewed the Preliminary Source Term Notebook, to verify the methodology and accuracy of the containment performance analysis.

The HRA IR team was composed of two experienced human error analysts from SAIC. The team reviewed the preliminary HRA data, which were obtained mainly by Westinghouse HRA and Systems Analysis guidelines, and selected accident sequence event tree notebooks, for proper applications. Their recommendations to improve the HRA were addressed prior to the completion of the IPE.

The fourth IR team was represented by a single experienced PRA analyst from SAIC. His independent "peer review" essentially provided a "reality check" for the VCSNS IPE.

A sample of the comments and resolutions generated during the IR process is reproduced in Appendix D of the submittal to illustrate the depth and thoroughness of the reviews. Indeed, this Appendix is a valuable asset of the VCSNS IPE.

From the overall description of the licensee participation and independent reviews presented in the submittal it seems that the intent of Generic Letter 88-20 is satisfied.

2.2 Front End Technical Review

2.2.1 Accident Sequence Delineation and System Analysis

2.2.1.1 Initiating Events

The identification of initiating events consisted of two general tasks: (1) to select a comprehensive set of initiating events that adequately represents the possible challenges to continued power operation (i.e. in Modes 1 and 2), and (2) to combine similar initiating events based on the expected plant response to the event.

The first task was accomplished by considering information from previous PRAs of similar plants, VCSNS design and operating history, experience of similarly designed plants, and procedure reviews. The second task required proper grouping of the initiating events and selecting one representative for each initiating event group. Then, the accident progression for each of these representative initiating events was depicted in the PRT models.

As a result, a total of 28 initiating events (including 3 floods) were identified. These initiating events and their frequencies are reproduced in Table 1 of the present review. [Station Blackout (SBO) and Anticipated Transients Without Trip (ATWT) events were treated as consequential failures, and for them no independent initiating event frequencies were determined.]

The loss of an ESF AC Bus was not considered as an initiator. The reason is explained in the RAI responses, i.e., that this event does not lead to a reactor trip. The loss of both ESF buses is included in the loss of offsite power initiator. The failure of both ESF buses, with offsite power available, was estimated to be a negligible contributor to the CDF. The loss of a non-ESF AC bus was also excluded as a separate initiating event. The event does not affect the systems required for safe shutdown. However, it is included in the plant model implicitly through its effect on other systems (instrument air and main feedwater) that can cause a plant trip. The failure of a 125V DC bus was found to contribute less than 0.1% to the total CDF; therefore postulated common failures that would initiate the loss of both 125V DC buses were neglected.

According to the RAI responses four relevant pathway groups were identified for ISLOCA analyses: the RHR discharge lines, the RHR suction lines, the RCP seal water return and excess letdown lines, and the containment penetrations between the RCS and centrifugal charging pump discharge header. The VCSNS ISLOCA initiating event frequency is the sum of these four separate ISLOCA events. (Its value is dominated by the RHR suction lines.)

The RAI responses describe in detail the impacts of loss of HVAC, both in terms of consequential failures and as an initiating event (the total loss of chilled water). They admit that the IPE models this initiator as an event resulting in an RCP seal LOCA, and that room cooling impacts (switchgear rooms and control room) were not included in the evaluation. However, they advance convincing arguments that there would be sufficient time and proceduralized options available to the operators to deal with loss of room cooling (e.g. initiate a controlled shutdown) in addition to the initiating event.

The RAI response emphasizes that the plant configuration was changed after the IPE was submitted; the dependency of component cooling water and charging pumps on chilled water was removed. Thus the current impact of a loss of chilled water would be loss of HVAC to the various areas, but without seal LOCA.

The initiating event frequencies were calculated by using preferably plant specific data where available, generic data, and system modeling.

The time period for plant specific data collection was 5.5 yrs (from January 1, 1985 to June 30, 1990). (Transients experienced in the first year of operation were excluded from the frequency estimates since the first year of plant operation was considered to be a learning period.) During this time period 31 transient events were experienced at VCSNS.

The RAI response describes the plant specific calculational process: The experienced transients were grouped into event categories (representing partitioned NUREG/CR-3862 categories) and the category frequencies were determined. The VCSNS historical data were used directly; they were not incorporated into the generic data through a Bayesian update technique. The process resulted in higher frequencies than the generic frequencies, and the plant specific values were always selected for subsequent analyses.

The submittal contains a sensitivity analysis that examined the impact of including the VCSNS operating history from June 30, 1990 to December 1992 into the data base (Section 3.4.5 of the submittal). This resulted in a 4% decrease from the base CDF.

The RAI response also provided a reason for the high contribution of the on-line maintenance unavailability of the chilled water system to the loss of chilled water initiating event frequency: the chilled water system consists of two 100% chiller/pump trains with a third "installed spare" chiller/pump set that can be aligned to either train. The high unavailability comes primarily from the out of service time of the non-aligned components. The "in service train components" have very low out of service times. However, they were prone to failures: the chilled water system experienced 20 chiller failures during the above plant specific data collection period. (The licensee states in the RAI response that to solve the problems associated with the chilled water system several improvements have been completed, or are underway, such as: prevention of air entrainment, chiller rotation policy, application of new dedicated oil clean-up system, etc. See also previous remarks associated with this system in the present TER.)

To supplement the plant specific frequencies for events that have not occurred at VCSNS, in most of the cases generic frequencies were used. The generic frequencies were determined from experiences of Westinghouse plants during a 6.5-year (January 1, 1984-July 1, 1990) interval.

The LOSP frequency was calculated following the methodology in NUREG-1032 by using site-specific values for grid-related, weather-related, and extreme weather related loss components. The values for the plant-centered loss (PCL) component were calculated from generic data given in NSAC-144 and NUMARC 87-00 for LOSP.

The large and medium LOCA frequencies from WASH 1400 were used in the VCSNS analysis.

The small LOCA frequency used includes RCP seal failures, small pipe breaks, and primary safety and/or relief valves failing open after a transient event. The special initiating event frequencies were determined by fault tree models.

The ISLOCA frequency was obtained as the product of the pressure boundary failure frequency and the probability that the ISLOCA flowpath is not isolated soon after the pressure boundary failure. The RAI response is silent about other details of the analysis, such as the effects of check-valve testing, power removal of RHR suction MOVs, etc.

The approach used to determine the frequencies of the Internal Flooding events will be discussed in Section 2.2.5 of this TER.

In conclusion, in the V.C. Summer IPE the list of initiating events considered is complete and the initiating event frequencies seem to be reasonable and are comparable to those of other PRA studies.

2.2.1.2 Support System Event Trees and Plant Response Trees

The support system approach was used to model the unavailability of key support systems. These systems included the following: AC and DC power systems, Engineered Safety Features Actuation System (ESFAS), Service Water (SW) system, Component Cooling Water (CCW) system, and the Chilled Water (VU) system.

Other less important support systems were modeled in other portions of the analysis. Usually they were included in the fault tree model of the supported systems. For instance, the Instrument Air (IA) system was included in the analyses of the Condensate and Feedwater system, pressurizer PORVs, and the secondary steam dump valves. Similarly, the HVAC systems for ESF electrical equipment (switchgear rooms) were included in the fault tree models of the applicable systems.

Two support system models were developed: one for SI and transients and another for the LOSP event. SI events include all LOCAs and other events that are expected to lead directly to an SI signal and startup of the ECCS. Transients include all anticipated events causing reactor trip and a challenge to plant protection systems. For the LOSP event, secondary plant systems such as circulating water, condensate, and feedwater system were assumed to be unavailable.

Combining support system end states into support states was performed via the vector impact method. By combining similar end states based on their impact on the frontline and safety systems, 65 support states were identified for the SI support system model and 29 support states were identified for the LOSP support system model.

Appendix B of the submittal shows the support system event trees. This Appendix also presents the top event descriptions, the vector impact matrix paths sorted by like vector impact, and the dominant support states for each support system model.

The IPE developed 9 large and 6 special Plant Response Trees to model the plant responses to internal initiating events. The trees are presented in Appendix A of the submittal. The definitions of the top events associated with the trees are also listed there.


The large PRTs are the following: large, medium and small LOCA event trees, SGTR event tree, secondary side breaks (inside and outside containment) event tree, transient event tree, ATWT event tree, LOSP and station blackout (SBO) event trees.

The special PRTs are: loss of service water, LOSW event tree, loss of chilled water, LOVU1 event tree, loss of component cooling water, LOCC event tree, interfacing system LOCA, ISLOCA event tree (for the RHR suction lines), loss of instrument air, LOIA event tree, and the reactor vessel rupture, RVRP special initiator. In general, these trees feed to other trees that are parts or variations of the large PRTs.

No separate event trees were developed for flooding scenarios; a special event tree (LOSW or LOCC) was used with additional flood-caused failures flagged in the appropriate fault trees.

The top events of the event trees are unavailabilities of system trains, human errors and recovery action failures. Essentially they represent the five safety functions required to prevent core damage (NUREG-2300) and define the containment status, such as: reactivity control, decay heat removal, RCS pressure control, RCS inventory control, and containment integrity.

The PRT sequences progress to one of four endpoints:

1. Success, indicating core damage has not occurred,
2. Suc/Am (apparently this means success but with more accident management), indicating core damage has not occurred at 24 hrs, but the plant is not yet in stable condition,
3. Transfer occurs from a consequential failure of a plant system (e.g. reactor trip leads to the ATWT PRT),
4. Core damage and the resultant damage state.

Core damage states are characterized by seven alphanumeric digits; the first two digits represent the initiating event; the third digit represents the time interval of the occurrence of the core damage (E for early, i.e. within 0 to 2 hours; M for intermediate, i.e. within 2 hours to 6 hours; and L for late, i.e. within 2 hours to 24 hours). The fourth and fifth digits indicate the states of the SI, the reactor building spray system, and the containment heat removal. The sixth digit identifies the state of the containment after core damage (I for isolated, N for not isolated, and B for direct bypass), and the seventh digit identifies the RCS pressure when core damage occurs (H for high pressure and N for low pressure).

Core cooling (prevention of core damage) success is defined in the submittal as follows: "Core cooling is considered successful if the core exit temperature does not exceed 1200 degrees F for a prolonged period of time." This basic criterion was used to develop the success criteria of the safety functions and subsequently those of the event tree top events.

The success criteria were developed partly on existing information (e.g. VCSNS FSAR) and partly on additional information obtained by MAAP, TREAT, COMPACT and other calculations, as needed.


The RAI response clearly states that in all cases where this (1200°F or 700°F) success definition is used, the fluid measured by the core exit thermocouples is expected to be superheated steam. (This core cooling success criterion was not used in the ATWT plant response tree for cases in which the RCS pressure was greater than the pressurizer safety valve setpoint, according to the usage of the top event HPI in the ATWT PRT on p. A-81 of the submittal. The assumed failure pressure of the RCS in an ATWT event is 3200 psig (WCAP-11993).) It states furthermore that in the severe accident thermal hydraulic analyses the above temperature represented the hottest core node temperature rather than the steam temperature exiting the core, and essentially this interpretation should have been used as the success definition. However, the definition used is technically also correct, since the hottest core nodes always reach the specific temperature before the core exit thermocouples reach that same temperature.

Like some other PWR IPEs, the VCSNS IPE calculates that for large LOCA short term success can be achieved by using one RHR pump with no core flood tanks needed. The RAI response states that this success criterion is well supported by MAAP analyses. Furthermore, it points out that the application of one HPI pump in conjunction with 2/2 core flood tanks would only delay core damage. No early containment pressure suppression is required. The minimum containment heat removal requirement to prevent late containment overpressure failure was determined to be one operating RBCU or one heat exchanger in RHR recirculation.

The RAI response reiterates that the VCSNS IPE considers "all postulated RCS ruptures (in the range of 2 to 6 inches) inside the reactor building with blowdown rates such that RCS pressure remains above the shutoff pressure of the RHR pumps" as medium LOCAs. To utilize the low pressure pumps additional equipment and operator intervention (secondary side depressurization) are necessary. No early containment pressure suppression is required, and for late containment cooling the same success criteria are used as described above for large LOCA.

The application of these (so called) "realistic" success conditions reduces the CDF contributions from large and medium LOCAs. By using the NUREG/CR-4550 success criteria the large LOCA CDF would increase from 3.139E-6/yr to 4.739E-6/yr and that of the medium LOCA would increase from 7.62E-6/yr to 1.5E-5/yr. The total VCSNS CDF would change from 2.051E-4/yr to 2.125E-4/yr (less than 4.4%).

The RCP seal cooling model is briefly described in Section 3.1.7 of the Submittal. This is essentially the Westinghouse RCP seal LOCA model described in WCAP-10541.

The application of the model in the analysis of the station blackout is interesting: every time offsite power recovery is successful the probability of core uncovery is addressed. The probability of core uncovery is calculated from the probability of core uncovery due to seal failures combined with the power recovery curve from NUREG-1032. If the core has uncovered, core damage was assumed. If the core has not uncovered, core damage could be prevented if the recovery actions to restore RCS inventory and decay heat removal were assumed to be successful.


2.2.1.3 Systems Analysis

A total of 15 systems are described in Section 3.2 of the Submittal. Included are descriptions of the following systems:

electrical power (7.2kV, 480V, and 120V AC and 125V DC, 2 DGs),
ECCS (three charging pumps, three accumulators, and RHR),
service water (SW, including two trains, three pumps),
component cooling water (CCW, three pumps and three booster pumps),
chilled water (VU, including three pumps and three chillers),
compressed air (instrument air, station service air, and reactor building air),
main steam (MS, including three SGs, 15 safety valves, three SG PORVs, three MSIVs, and MSI bypass valves),
pressurizer pressure relief (three PORVs and three safety valves),
main feedwater (FW, including three condensate, four booster, and three turbine-driven feedwater pumps),
reactor protection (reactor trip, RTS and ESFAS, with load sequencer),
HVAC (including eight large subsystems such as: relay room, switchgear room, battery room, intermediate building pump rooms' cooling, ESF ventilation, control room air handling, etc.),
reactor building cooling (four RBCUs),
reactor building spray, SP,
containment isolation, and
EF (two MDEF pumps and a TDEF pump).

(Other important plant features are discussed in Section 1.2 of this TER.)

Each system description includes a discussion of the system design and operation and dependencies. Also included for many systems are simplified schematics that show major equipment items and important flow and configuration information.

The plant systems are classified into different categories: front line systems are defined as those systems that are operational at the time of the initiator (such as: RCPs, main steam and feedwater systems, condensate, circulating water, chemical and volume control, reactor protection systems); safety systems are those systems required to respond to the event (such as: RHR, EF, CVCS safety injection, accumulators, pressurizer PORVs, RBCUs, RWST); "additional systems" are those systems that are used in the Emergency Operating Procedures or that may prove useful in accident management strategies (such as: fire protection); and support systems (AC, DC, IA, CCW, etc.).

Success criteria for support and frontline systems are listed in Tables 3.1.2-2 of the submittal.

Dependency matrices are used to indicate the interrelationships between one system and other systems, and between initiating events and systems.

2.2.1.4 System Dependencies

Appendix C of the submittal contains the detailed descriptions of the 9 system dependency matrices and supporting information in 6 tables.

The dependency matrices are the following:

Initiators and Frontline Systems, Initiators and Safety Systems, Initiators and Additional Systems, System to System, Frontline Systems and Support Systems, Safety Systems and Support Systems, Additional Systems and Support Systems, Support Systems and Support Systems.

The IPE addresses and considers the following types of dependencies: shared component, instrumentation and control, isolation, motive power, direct equipment cooling, areas requiring HVAC (environmental effects).

The RAI response describes in detail the control of the TDEF pump during an SBO and its modeling. The flow control valves (FCVs) to the TDEF are air operated, normally open, fail open valves with handwheels for local control if air or DC power is lost. They are located in an easily accessed, open area of the Intermediate Building. The area has multiple emergency lighting with 8 hour rated batteries and flashlights for blackout extended beyond 8 hours. The control process can cope with the loss of HVAC in the pump room, because the operator is not required to enter the room and the control equipment is expected to operate at higher peak temperatures than are predicted for SBO operation. During the initial phase of an SBO, local operation of the FCVs would be established if compressed air was not available. The valves would be positioned while communicating with the control room using hand held radios. The control room would use SG level and/or EF flow indication to determine the need for EF flow adjustments. If the SBO extended beyond the rated four hour capacity of the vital batteries the DC power and SG level indication would be lost. The position of the FCVs would be constant, resulting in a gradual SG overfill and slowly falling reactor decay heat level. Since only 1 of 3 SGs is required to provide adequate heat removal, the process should not lead to a complete loss of heat sink.

An important aspect of the operation control of the TDEF pump is that it is designed to operate without compressed air or DC power. The governor of the turbine is reverse acting such that a loss of air input or the loss of the power in the instrument signal-pneumatic signal transducer will cause the pump to fail, without trip, to the maximum speed setting (a rather large margin exists between the high speed setting, 4150 rpm, and the overspeed trip setpoint, which is 5060 rpm).

The submittal's SBO event tree includes a top event to address the need for TDEF flow to continue to operate beyond four hours. This top event (Emergency Feedwater Continues, EFC) includes the probability of the TDEF pump continuing to run, and an operator action to manually control EF flow locally at the FCVs.

2.2.2 Quantitative Process

2.2.2.1 Quantification of Accident Sequence Frequencies

The IPE used the support system state/large event tree technique (a variant of the small fault tree/large event tree method) to quantify core damage sequences. This technique involved developing an event-tree type logic structure to display and account for all possible combinations of support system successes and failures. Once the support system model was developed the potential support system states were identified. Support system model paths were combined using the vector impacts on the front line and safety systems. As was mentioned above, 65 support states were identified for the SI support system model and 29 support states were identified for the loss-of-offsite-power support system model. Quantification of the support system sequences was carried out by applying the appropriate unavailability value to each top event in the model consistent with the operating states defined for each support system. The unavailability values were determined by system fault tree analysis.

Each sequence in the plant response tree (PRT) was connected to each path of the support system model. Quantification of the PRT sequences involved assigning system unavailabilities, operator action failure probabilities, and other miscellaneous split fractions to each top event. The fault trees associated with the top event unavailabilities were quantified for a base case with all support systems available, and for various degraded cases consistent with the loss of support systems. Operator action failure probabilities were determined based on the THERP HRA methodology. Off-site power recovery failure probabilities and other top event unavailabilities not related to system or human error were determined by hand calculations.

The accident sequence quantification for each path terminated with a plant damage state. Sequences with similar plant damage characteristics were "binned" into several predefined plant damage states.

The fault trees were developed and quantified using the Westinghouse GRAFTER computer code system.

The support system and PRTs were quantified using the Westinghouse Event Tree Software System. Sequence quantification was performed on the entire plant model with a calculational cut-off of 1.0E-12/yr. The sequence frequencies below the calculational cut-off were placed in a "residual bin" and reported as an unaccounted plant damage state.
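The support state/plant response tree quantification and residual binning described above, as an added Python sketch that is not taken from the submittal or from this review. The initiating event frequency, support states, top event unavailabilities, tree paths and bin names are all constructed for illustration; only the 1.0E-12/yr cut-off comes from the text.

```python
"""Support-state / plant-response-tree (PRT) quantification with a residual bin.

All numbers are constructed for illustration; none are VCSNS values.
Only the 1.0E-12/yr calculational cut-off comes from the review text.
"""
from collections import defaultdict
from math import isclose, prod

CUTOFF = 1.0e-12   # per year
IE_FREQ = 1.0e-4   # constructed initiating event frequency, per year

# Constructed support states: probability that the support system model ends
# in the state, and each PRT top event unavailability given that state.
# A value of 1.0 is a guaranteed failure caused by the lost support systems.
SUPPORT_STATES = {
    "SS1_all_support_available": {
        "prob": 0.989, "tops": {"EF": 1e-5, "HPI": 1e-3, "REC": 5e-3}},
    "SS2_one_train_lost": {
        "prob": 1.0e-2, "tops": {"EF": 5e-3, "HPI": 2e-2, "REC": 5e-2}},
    "SS3_both_trains_lost": {
        "prob": 1.0e-3, "tops": {"EF": 1e-1, "HPI": 1.0, "REC": 1.0}},
}

# Constructed PRT: each path lists (top event, S=success/F=failure) branches
# and ends in SUCCESS or in a hypothetical plant damage state bin.
PRT_PATHS = [
    ([("EF", "S"), ("REC", "S")], "SUCCESS"),
    ([("EF", "S"), ("REC", "F")], "CD_LATE"),
    ([("EF", "F"), ("HPI", "S"), ("REC", "S")], "SUCCESS"),
    ([("EF", "F"), ("HPI", "S"), ("REC", "F")], "CD_LATE"),
    ([("EF", "F"), ("HPI", "F")], "CD_EARLY"),
]


def path_probability(path, tops):
    """Product of split fractions along one PRT path for one support state."""
    return prod(tops[t] if outcome == "F" else 1.0 - tops[t]
                for t, outcome in path)


def quantify(ie_freq, support_states, prt_paths, cutoff=CUTOFF):
    """Connect every PRT path to every support state and bin the results.

    Core damage sequences below the cut-off go to the RESIDUAL bin instead of
    being dropped, so the total frequency is conserved.
    """
    bins = defaultdict(float)
    for name, state in support_states.items():
        covered = 0.0
        for path, endpoint in prt_paths:
            p = path_probability(path, state["tops"])
            covered += p
            freq = ie_freq * state["prob"] * p
            if freq == 0.0:          # ruled out by a guaranteed failure
                continue
            target = endpoint
            if endpoint != "SUCCESS" and freq < cutoff:
                target = "RESIDUAL"
            bins[target] += freq
        # The tree must account for every branch combination in this state.
        if not isclose(covered, 1.0, rel_tol=1e-9):
            raise ValueError(f"PRT paths are not exhaustive for {name}")
    return dict(bins)


def core_damage_frequency(bins):
    """Sum of every bin except SUCCESS, residual included."""
    return sum(f for name, f in bins.items() if name != "SUCCESS")


if __name__ == "__main__":
    result = quantify(IE_FREQ, SUPPORT_STATES, PRT_PATHS)
    for name in sorted(result):
        print(f"{name:10s} {result[name]:.3e} /yr")
    print(f"CDF        {core_damage_frequency(result):.3e} /yr")
```

In the constructed data the only sequence that falls below the cut-off is the double failure of EF and HPI with all support available, which is why the residual bin is small but not empty.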


2.2.2.2 Point Estimates and Uncertainty/Sensitivity Analyses

Table 3.3.5-1 of the submittal lists the unavailabilities for systems and plant functions used in the VCSNS IPE.

Mean values were applied for the point estimate initiator frequencies and all other basic events.

No formal mathematical uncertainty analysis was performed on the results. The submittal reports only the point estimates for the total core damage frequency and the frequencies of important sequences.

Importance measures are given in Table 3.4-4 of the submittal for each top event of the plant model with a ranking greater than 1%. The importance measure used is the Fussell-Vesely importance. However, one has to be careful with the interpretation of the results, because in the summation of the accident sequence frequencies in which a top event appears the IPE includes random failures and guaranteed failures due to support system failures.

The submittal reports on four sensitivity analyses. These were designed to determine the specific influence that Operator Errors (a NUREG-1335 request), transient initiating event frequency updates, loss of Balance of Plant power, and procedural enhancements have on the overall CDF and dominant accident sequence results. The RAI response also provides updated top event importance rankings for the case when the IPE model includes the implementation of the "Loss of Chilled Water Abnormal Operating Procedure", and for the case when the CCW pump and charging pump dependency on chilled water is eliminated from the IPE model. It also reports a cursory sensitivity analysis on the common cause failures.

2.2.2.3 Use of Plant Specific Data

The data collection period used to establish a plant specific data base was from commercial operation (January 1, 1984) through December 31, 1989. The collection process included raw data for component failure rates, demand probabilities, and test/maintenance unavailabilities.

These raw data were collected from component operating experience records (failure incidents and test / maintenance outage records), component demands (such as starting a pump or movement of a valve), component operating hours, work orders, etc. The specific sources were: component failure and maintenance information registered in the Computerized History and Maintenance Planning System (CHAMPS), Removal & Restoration checksheets, LERs, NPRDS data, Surveillance Test Procedures, and Equipment Run Time logs.

Plant specific data were used for the majority of fluid systems components and DG failures and almost exclusively for the unavailabilities due to test and maintenance activities. A Bayesian updating technique using generic data was used only in one special case, for the evaluation of the "service water pump failure-to-start" failure rate. When a statistical sample size was found to be limited for certain components, generic failure rates were used.

The submittal shows both the generic data (Table 3.3.1-1) and the plant specific data used for a component, along with the plant specific experience (e.g. number of failures, demands and total operating time in hours) for that component (Table 3.3.2-3).

The plant-specific maintenance and test unavailabilities are presented in separate tables (Table 3.3.2-4 and Table 3.3.2-5). Interestingly, the submittal indicates an unavailability for the pressurizer PORV due to isolation, i.e. when its associated block valve is closed (4.29E-2).

Table 2 of this review compares the plant specific failure data for selected components from the IPE to values typically used in PRA and IPE studies, using the NUREG/CR-4550 data for comparison [NUREG/CR-4550, Methodology].

V.C. Summer data are in most of the cases comparable with the NUREG/CR-4550 data, except for the TDAFW pump fail-to-run failure rate, which is two orders of magnitude below the NUREG value (it is to be noted, however, that the IPE value is also a generic value, taken from NUREG/CR-2815).

2.2.2.4 Use of Generic Data

As discussed in Section 2.2.2.3 above, generic failure rates were used for certain component failure modes, when appropriate statistics were found to be not sufficient (particularly for electrical power related components). Key fluid system components assigned from generic data include:

EF TDP--Fail to Run,
SP MDP--Fail to Run,
SW Booster Pump--Fail to Run,
SW Booster Pump--Fail to Start,
PZR PORV--Fail to Open/Reclose,
PZR Safety Valve--Fail to Open, and
PZR Safety Valve--Fail to Reclose.

The generic data were compiled from several sources such as: NUREG/CR-2815, NUREG/CR-4550, NUREG/CR-2728 (IREP), WASH-1400, and some Westinghouse reports (WCAP-10271 and Supplements).

2.2.2.5 Common-Cause Quantification

Redundant components were systematically examined to address potential common-cause failures. The approach used was the multiple Greek letter approach (MGL). The methodology followed that described in NUREG/CR-4780 ("Procedure for Treating Common Cause Failures in Safety and Reliability Studies"). The data base used was the EPRI data base (EPRI NP-3967). No plant specific evaluation of the common-cause events was performed.

Table 2 Comparison of Failure Data

Component                          Summer       4550 (1)

MDAFW Pump
  fail to start                    5.4-3        3.0-3
  fail to run                      2.2-4        3.0-5
TDAFW Pump
  fail to start                    6.0-3        3.0-2
  fail to run                      2.0-5 (*)    5.0-3
Charging Pump
  fail to start                    2.9-3        3.0-3
  fail to run                      9.5-4        3.0-5
RHR Pump
  fail to start                    2.9-03       3.0-3
  fail to run                      5.1-05       3.0-5
SWS Pump (Bayesian update)
  fail to start                    2.0-02       3.0-3
  fail to run                      5.0-06       3.0-5
CCW Pump
  fail to start                    2.1-3        3.0-3
  fail to run                      8.7-4        3.0-5
Pressurizer PORV
  fails to open                    2.0-2        2.0-3
  fails to reclose                 2.0-2        2.0-3
Emergency Diesel Generator
  fails to start                   2.3-3        3.0-2
  fails to run                     7.1-3        2.0-3
Air Operated Valve
  fail to open/close               2.6-3        2.0-3
CCW MOV fails to open/close        2.01-04
CS MOV fails to open/close         1.63-03
RHR MOV fails to open/close        1.7-03
SP MOV fails to open/close         2.9-03
SWS MOV fails to open/close        7.4-04
MS MOV fails to open/close         1.3-03
RCS MOV fails to open/close        6.8-03
All MOV fails to open/close        8.9-04       3.0-3

Notes:
(1) 4550 are mean values; taken from NUREG/CR-4550, i.e., from the NUREG-1150 study of five U.S. nuclear power plants.
(2) Demand failures are probabilities per demand. Failures to run or operate are frequencies expressed in number of failures per hour.
(*) Generic Value

In the EPRI data base, the category "C" (designating common-cause) events were used (as is explicitly stated in the RAI response, without screening for applicability to the VCSNS IPE), and the common cause factors were calculated for certain components such as reactor trip breakers, DGs, MOVs, various pumps, and safety relief valves. The beta factor for chillers, fans and check valves came from NUREG/CR-4780. For other components generic MGL factors were applied. These generic MGL factors were determined for a "generic component" called "ALL", also by utilizing the EPRI data.

The RAI response provides the following reason for this approach: "At the time of the VCSNS IPE analysis, only limited common cause data existed that had been compiled into usable form. Due to limited data, breakdown of common cause further into failure modes, or introducing new component groups, was deemed to be speculative and detrimental to realistic modeling of common cause."..."Given the scarcity of data on which to base failure mode specific MGL parameters, the approach was taken to group all failure modes."

For the RAI response a sensitivity calculation was carried out to estimate the contribution of common cause failures to the total CDF. All the common cause basic events were set to 0.0.

The total CDF decreased by approximately 30%, demonstrating that common cause failures, as a group, are important contributors to the VCSNS CDF. It is stated that a change of this magnitude did not significantly affect the robustness of the IPE results as concerns, e.g., the ranking of leading sequences or the vulnerability conclusions reached in the original submittal. Based on this result, the RAI response concludes that changes in the MGL factors used, if specific factors were available for all components and failure modes, would be much less than those examined in the sensitivity quantification and would not alter the basic results/conclusions presented in the IPE submittal.

A comparison of the effective β factors given in the submittal (Table 3.3.4-1) vs. those suggested in NUREG/CR-4550 ("reference β factor") is shown in Table 3 of this TER. (NUREG/CR-4550 reports only failure to start β factors.) The table shows general consistency between the VCSNS CCF data and that recommended in NUREG/CR-4550.
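The MGL parameterization and the "set all common cause basic events to 0.0" sensitivity described in this section, as an added worked example in Python (not part of the TER or the licensee's submittal). It assumes the standard MGL basic-event formula for a group of size m, takes Q_t = 2.0E-02 (SWS pump fail to start, Table 2) and β = 0.032 (Table 3, treated here as the MGL β), and uses a constructed γ = 0.5; all function names are hypothetical.

```python
"""MGL common-cause quantification for one redundant group (added example)."""
from math import comb, prod


def mgl_basic_events(q_total, m, factors):
    """Return [Q_1, ..., Q_m] for a common-cause group of size m.

    q_total : total failure probability of one component (Q_t)
    factors : MGL parameters [beta, gamma, delta, ...], length m - 1
    Q_k is the probability of the basic event that fails one specific set
    of k components:
        Q_k = rho_1 * ... * rho_k * (1 - rho_{k+1}) * Q_t / C(m-1, k-1)
    with rho_1 = 1, rho_2 = beta, rho_3 = gamma, ..., rho_{m+1} = 0.
    """
    if m < 2 or len(factors) != m - 1:
        raise ValueError("a group of size m needs exactly m - 1 MGL factors")
    if not 0.0 <= q_total <= 1.0 or any(not 0.0 <= f <= 1.0 for f in factors):
        raise ValueError("probabilities and MGL factors must lie in [0, 1]")
    rho = [1.0, *factors, 0.0]  # rho[0] is rho_1, rho[m] is rho_{m+1}
    return [
        prod(rho[:k]) * (1.0 - rho[k]) * q_total / comb(m - 1, k - 1)
        for k in range(1, m + 1)
    ]


def set_partitions(items):
    """Yield every partition of items into non-empty blocks."""
    if not items:
        yield []
        return
    first, rest = items[0], items[1:]
    for part in set_partitions(rest):
        yield [[first]] + part  # first component fails on its own
        for i in range(len(part)):  # or shares a basic event with block i
            yield part[:i] + [[first] + part[i]] + part[i + 1:]


def all_fail_probability(q):
    """Rare-event estimate that every member of the group fails.

    Each partition of the group is one cut set: a block of size 1 is an
    independent failure, a larger block is one common-cause basic event.
    Simplification made here: overlapping combinations of common-cause
    events (e.g. C12 together with C23) are higher-order and are neglected.
    """
    members = list(range(len(q)))
    return sum(
        prod(q[len(block) - 1] for block in part)
        for part in set_partitions(members)
    )


def ccf_sensitivity(q_total, m, factors):
    """Group failure probability with and without common-cause events.

    Mirrors the sensitivity run in the text: every common-cause basic
    event (Q_2 .. Q_m) is set to 0.0 and the result is requantified.
    Returns (with_ccf, without_ccf, fractional_decrease).
    """
    q = mgl_basic_events(q_total, m, factors)
    with_ccf = all_fail_probability(q)
    without_ccf = all_fail_probability([q[0]] + [0.0] * (m - 1))
    return with_ccf, without_ccf, 1.0 - without_ccf / with_ccf


if __name__ == "__main__":
    Q_T = 2.0e-2    # Table 2, SWS pump fail to start (Summer column)
    BETA = 0.032    # Table 3, SWS pump, CCF of 3 pumps (submittal column)
    GAMMA = 0.5     # constructed value; the page gives no gamma factor
    q1, q2, q3 = mgl_basic_events(Q_T, 3, [BETA, GAMMA])
    print(f"Q1={q1:.3e}  Q2={q2:.3e}  Q3={q3:.3e}")
    with_ccf, without_ccf, drop = ccf_sensitivity(Q_T, 3, [BETA, GAMMA])
    print(f"all three fail, with CCF:    {with_ccf:.3e}")
    print(f"all three fail, CCF set to 0: {without_ccf:.3e}")
    print(f"decrease: {100 * drop:.1f}%")
```

For a single three-train group the decrease is far larger than the roughly 30% plant-level figure quoted above, because the total CDF also contains sequences that do not involve failure of a complete redundant group.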

2.2.3 Interface Issues

2.2.3.1 Front-End and Back-End Interfaces

The Reactor Building Cooling System (four RB cooling units, RBCUs), acting in concert with the Reactor Building Spray System, can provide post accident heat removal to the Reactor Building. However, only the RBCUs are designed to remove decay heat (long term) effectively from the containment. (The RB Cooling System also is required to remove airborne particulate contaminants during post-accident operation condition.) Containment spray can be considered only as a short term containment pressure reduction system, since there are no heat exchangers in the system. The RHR, although not a containment system, also provides a means of long term containment heat removal.

During the early phases of an accident, containment spray would be provided from the RWST and NaOH tanks via 2 dedicated containment spray pumps. These pumps would switch suction to the two containment sumps for recirculation, on receipt of RWST low-low level signal. To complete the switchover to the recirculation phase, the valves in the suction lines from RWST and NaOH tank would be closed by the operator. The same sumps would be utilized as suction source for the RHR pumps which would provide core inventory recirculation through the RHR heat exchangers (and possibly through the charging pumps if the RCS pressure was high enough).

Table 3 Comparison of Common-Cause Failure Factors

Component                        Failure Mode   Submittal β Factor   Reference β Factor

EF pump (motor driven)           FTS/FTR        0.021                0.056
SWS pump, CCF of 3 pumps         FTS/FTR        0.032                0.014
CCW pump, CCF of 3 pumps         FTS/FTR        0.032                0.014
RHR pump, CCF of 2 pumps         FTS/FTR        0.077                0.15
High-Pressure, CCF of 3 pumps    FTS/FTR        0.10                 0.10
Reactor Building Spray Pump      FTS/FTR        0.057                0.11
MOV, CCF of 3 valves             FTO/FTC        0.038                0.057
AOV                              FTO/FTC        0.08                 0.10
Diesel Generator, CCF of 2 DGs   FTS/FTR        0.025                0.038
Pressurizer PORV                 FTO            0.094                0.07

FTS = Fails to start
FTR = Fails to run
FTO = Fails to open
FTC = Fails to close

Contrary to some other PRAs, which link the front-end and the back-end analyses by "bridge-trees", the VCSNS containment event trees have been incorporated into the PRTs. Development of the PRTs included the assignment of containment system top event success criteria associated with a particular initiating event and appropriate end-state designators to represent the physical state of the plant for each core damage sequence. This involved binning systemic accident sequences into damage states that have similar characteristics. Essentially, each plant damage state defines a set of faulted functions that summarizes by function a set of system faults that would result in similar radiological consequences, i.e., the plant damage states represent functional sequences.

Table 3.4.2 of the submittal lists 11 dominant plant damage states that contribute greater than 1% to the total CDF. These 11 categories account for nearly 90% of the CDF. They are also reproduced in Table 4 of the present TER to provide insight about the risk profile of the plant.

One can observe that transient events, small LOCAs, and SBO events represent the leading functional sequences. In all cases, the containment is isolated.

2.2.4 Internal Flooding

The presentation of the internal flooding analysis in the original submittal had some aspects that required additional information. The licensee provided a rather meticulous response, extending over 34 pages, covering all the unclear aspects. The subsequent text is essentially a concise summary of the new information.

2.2.4.1 Internal Flooding Methodology

The VCSNS internal flooding analysis is based on the following considerations:

a) Only plant locations containing equipment essential to safe shutdown and equipment whose failure would initiate a reactor trip are considered "flood areas", where a flooding event may lead to reactor core damage.

b) Flooding/spray events at many of these "flood areas" do not necessarily lead to core damage. In some cases, no spray sources exist that would cause failure of both types of equipment, while drainage from the area is adequate to mitigate the effects of any flooding event that could occur. In other cases, equipment is qualified for operation in a harsh environment, and will survive the effects of a spray. In most cases, these areas can be identified and screened without detailed flood height calculations, or other quantitative means.

c) If, and only if, a flooding or spray event within an area could cause failure of both types of equipment (i.e., equipment essential to safe shutdown and equipment whose failure would initiate a reactor trip), the event has potential for core damage.

To implement the above considerations the following steps were taken:

1) The list of all components necessary for safe shutdown was compiled from several documents, such as: FSAR, Fire Protection Report, Potential Internal Flooding Report, and Essential Equipment (Appendix R shutdown equipment) List.

2) Each room/area was reviewed. Those areas containing safe shutdown equipment whose failure would initiate a reactor trip were retained, and those areas with no potential for initiating a reactor trip were eliminated from further analysis. In these areas the presence of potential flooding and/or spray sources was identified, including charged fire suppression lines. Human failures that could leave a mitigating system improperly aligned such that its ability to respond to an event is degraded were implicitly considered during the review process. Table FE Q7-1 ("Front End Question") of the RAI response lists 132 plant areas containing safe shutdown equipment, trip equipment and presence of potential flooding and/or spray sources.

3) A plant walkdown was performed. Each retained room/area was investigated for flood/spray sources, possible effects of such sources on equipment in the room, drainage paths, doors, etc., and checklists were prepared. The checklists were used to screen out areas with no trip potential, and no flood/spray sources. The resulting short list of 25 areas represented the only possibilities for core damage from flooding events.

The list of these 25 areas is given in Table 3.3.8-1 of the submittal, and also in slightly different form in Table FE Q7-2 of the RAI responses.

4) Each selected area was subjected to a qualitative analysis for "area specific" flooding vulnerability including maintenance or test related human errors that could cause a flood or spray event.

The RAI response describes the specific characteristics for each area and provides specific reasons for eliminating the area from further analysis, or for retaining it for quantitative analysis.

5) Selected flooding areas were quantitatively analyzed.

The Intermediate Building elevation 412' general floor area, room 12-02, was found to require quantitative analysis. All other areas were eliminated from consideration because they either did not have a spray or flooding source or the flooding source did not result in both a reactor trip and in a degraded safe shutdown state.

The IB 12-02 room contains the CCW pumps and heat exchangers, and numerous 24" and smaller pipes from the CCW and SW systems. No single spray source was identified that could fail all three CCW pumps, but pipe rupture can flood the area.

The room contains three sumps with two pumps each. The pumps have level switches/alarms that trip main water flow when the water reaches the top of the sump.

A reactor trip will follow due to turbine trip on trip of 3 out of 3 Main Feedwater Pumps. The leaking CCW or SW pipe would be isolated, resulting in the loss of one train of the affected system. It is stated that a leak from one SW train will cause only a minor impact on the total flow of the intact train and it will not disable the complete SW system.

Flooding event frequencies were therefore determined for three flooding initiators:

  • Loss of the operating CCW train, FLD1
  • Loss of SW train A, FLD2, and
  • Loss of SW train B, FLD3.

2.2.4.2 Internal Flooding Results

The frequencies of the three flood initiating events were calculated using failure rates from the reference EGG-SSRE-9639 ("Component External Leakage and Rupture Frequency Estimates," S.A. Eide, et al., November 1991). The actual number of pumps, valves, heat exchangers, and lengths of pipes for each considered train was multiplied by its hourly failure (rupture) rate to produce associated failure frequencies. These frequencies were summed and converted into a (calendar, not reactor) yearly failure frequency to generate the initiating frequency for each CCW or SW train. The obtained frequencies are:

FLD1, loss of the operating CCW train   9.9E-04/year,
FLD2, loss of SW train A                1.1E-04/year,
FLD3, loss of SW train B                1.0E-04/year.

The flooding initiators impacting the support systems required a separate quantification of the support system event tree. That was performed by setting the appropriate top events to account for the loss of one train of the impacted support system. The transient PRT has been used to determine the CDF for each of the initiators. The values obtained are listed in Table 5 of this TER, showing CDFs by initiating events.

The total CDF from flooding is 1.51E-06/year, which is about 0.8% of the total CDF of the submittal.

2.2.5 Core Damage Sequence Results

2.2.5.1 Dominant Core Damage Sequences

The results of the IPE front end analysis are in the form of systemic sequences; therefore, NUREG-1335 screening criteria for reporting of such sequences were used (Section 3.4.1 of the submittal). The point estimate for the core damage frequency from internal events and internal flooding is 2.04E-4/R-year. Table 5 lists the CDF and the percent contribution to the total CDF by initiating event. (The previous table provided the CDF contribution by plant damage state, i.e., in "functional" form.) Table 5 shows that two initiators contribute slightly over 50% of the CDF: loss of offsite power (39.3%) and Small LOCA (13.4%). The total LOCA contribution (without ISL) is 18.7%. The total contribution of the Transients (other than LOSP) is 24.6%, while that of the Special Initiators is 16.0%. SGTR and ISLOCA contributions are 0.5% and 0.1%, respectively. The contribution of Internal Floods is 0.8%.

According to NUREG-1335 requirements, any systemic sequence that contributes 1.0E-07 or more per reactor year to core damage should be reported. The submittal reports the first 100 systemic sequences that lead to core damage (in Table 3,Q of the submittal). Their frequency range is 1.61E-05 through 2.25E-07 per reactor year. Their total frequency represents more than 95% of the total CDF. For 21 sequences that contribute more than 1% to the total CDF, a brief description is provided in the submittal (also in Table 3.4-3). The first seven are also reproduced in Table 6 of this TER in concise form for illustration.

The most important containment bypass failure sequences selected for reporting were screened from the top 250 sequences. Six such sequences are given in Table 3.4.1-2 of the submittal (CDF ranges from 1.5E-07 to 7.47E-08 per reactor-year). These containment bypass sequences are primarily SGTR events. One ISL sequence was also identified.

In the top 100 sequences, only one (Sequence 98) was identified that results in containment isolation failure. This is a loss of service water event, identical to the first sequence, with subsequent failure of containment penetrations to isolate.

The results of the importance analysis of top events (hardware failures and operator errors) in the event trees are given in Table 3.4-4 of the submittal. The table lists all top events whose importance (Fussell-Vesely importance measure) ranking was greater than 1%. Top events with an importance ranking greater than 20% are also reproduced here in Table 7 of this TER.

Based on the information obtained from the accident sequence analysis and the importance ranking, the licensee concludes:

"The majority of the sequences are initiated by a LOSP event with a subsequent failure of all onsite power (SBO) or other combinations of system failures that degrade RCP seal cooling and eventually result in a seal LOCA. Small LOCAS with loss of low pressure recirculation also contribute significantly."

"The dominant failures are associated with the failure of the DGs, chilled water chillers, and service water pumps to start and run, and failure to restore offsite power following an SBO."

Table 4 Core Damage Frequency by Plant Damage State

Damage State   Core Damage Frequency   Percent   Description

TRE13IH        4.04E-05                19.9      Transient event; early (0-2 hours) high-pressure core damage without EF and SI injection; Reactor Building heat removal fails; Reactor Building sprays and isolation succeed
SLM10IL        3.66E-05                18.0      Small LOCA; intermediate (2-6 hours) low-pressure damage without SI recirculation (SI injection succeeds) and without spray injection; Reactor Building heat removal and isolation succeed
SLE12IH        2.21E-05                10.9      Small LOCA; early (0-2 hours) high-pressure core damage without SI injection; Reactor Building heat removal, sprays, and isolation succeed
SBE12IL        2.16E-05                10.6      Station blackout; early (0-2 hours) low-pressure core damage without SI injection; Reactor Building heat removal, sprays, and isolation succeed
SBE12IH        1.42E-05                7.0       Station blackout; early (0-2 hours) high-pressure core damage without SI injection; Reactor Building heat removal, sprays, and isolation succeed
SBE17IH        1.32E-05                6.5       Station blackout; early (0-2 hours) high-pressure core damage; no systems available; Reactor Building isolation succeeds
TRL12IH        1.19E-05                5.8       Transient event; late (6-24 hours) high-pressure core damage without EF and SI injection; Reactor Building heat removal, sprays, and isolation succeed
TRE12IH        8.21E-06                4.0       Transient event; early (0-2 hours) high-pressure core damage without EF and SI injection; Reactor Building heat removal, sprays, and isolation succeed
MLM06IL        6.52E-06                3.2       Medium LOCA; intermediate (2-6 hours) low-pressure core damage without SI recirculation (SI injection succeeds); Reactor Building heat removal, sprays, and isolation succeed
SLE17IL        3.89E-06                1.9       Small LOCA; early (0-2 hours) low-pressure core damage without SI injection; Reactor Building heat removal, sprays, and isolation fail
ATE12IH        2.03E-06                1.0       ATWT event; early (0-2 hours) high-pressure core damage without SI injection; Reactor Building heat removal, sprays, and isolation fail

Table 5 Core Damage Frequency by Initiating Event

Identifier   Initiating Event Description                            Initiating Event Frequency (/yr)   Core Damage Frequency (/r.yr.)   Percent of CDF

LSP          Loss-of-Offsite Power                                   0.073                              8.01E-05                         39.34
SLOC         Small Loss of Coolant Accident                          8.0E-3                             2.72E-05                         13.35
LSW          Total Loss of Service Water                             3.6E-5                             1.74E-05                         8.56
LMF          Loss of Main Feedwater Flow                             2.8                                1.49E-05                         7.31
LVU          Total Loss of Chilled Water                             0.018                              1.14E-05                         5.58
RT           Reactor Trip                                            1.5                                1.08E-05                         5.29
MLO          Medium Loss of Coolant Accident                         8.0E-4                             7.62E-06                         3.74
PMF          Partial Loss of Main Feedwater Flow                     *                                  5.73E-06                         2.81
TT           Turbine Trip                                            0.73                               5.39E-06                         2.65
SIS          Inadvertent Safety Injection Signal                     0.57                               4.24E-06                         2.08
PRI          Positive Reactivity Insertion                           0.56                               4.16E-06                         2.05
LLO          Large Loss of Coolant Accident                          3.0E-4                             3.14E-06                         1.54
PST          Primary System Transient                                0.39                               2.90E-06                         1.42
LACA         Loss of 120 VAC Panels 5901 5904, Train A VU Running    6.5E-4                             2.38E-06                         1.17
FLD1         Flooding Initiator, Lose Train A CCW                    ***                                1.20E-06                         0.59
LIA          Total Loss of Instrument Air                            0.13                               1.14E-06                         0.56
SGR          Steam Generator Tube Rupture                            0.014                              1.00E-06                         0.49
RCS          Loss of Reactor Coolant Flow                            0.12                               9.02E-07                         0.44
LOC          Loss of Condenser                                       0.1                                7.92E-07                         0.39
FLD2         Flooding Initiator, Lose Train A SW                     ***                                2.87E-07                         0.14
IOSV         Inadvertent Opening of Steam Valve                      0.028                              2.07E-07                         0.10
ISL          Interfacing Systems LOCA                                1.5E-6                             1.78E-07                         0.09
LCC          Total Loss of Component Cooling                         1.4E-4                             1.55E-07                         0.08
LDC          Loss of One 125 VDC Bus                                 5.3E-4                             1.44E-07                         0.07
SSBI         Secondary Side Break Inside Containment                 1.8E-3                             1.17E-07                         0.06
VRP          Reactor Vessel Rupture                                  1.0E-7                             1.00E-07                         0.05
SSBO         Secondary Side Break Outside Containment                1.8E-3                             5.48E-08                         0.03
FLD3         Flooding Initiator, Lose Train B SW                     ***                                1.86E-08                         0.01
LACB         Loss of 120 VAC Panels 5901 5904, Train B VU Running    **                                 2.52E-09                         0.00
             Total Core Damage Frequency                                                                2.04E-04                         100.00

* included in total loss of main feedwater
** included in LACA
*** all flooding initiators: 1.2E-3/yr

Table 6 Dominant Accident Sequences

(Columns in the original table: Sequence No.; Events; CDF (per r.yr.); Percentage of Total CDF; Damage State; Sequence Description.)

Sequence 1. CDF 1.61E-05 per r.yr.; 7.90% of total CDF; damage state TRE13IH.
  LSW    Initiator: Total loss of Service Water. (Event includes the component failure and the maintenance unavailabilities of the installed spare pump.) The mitigating event causes the degradation and failure of the CCW and VU systems with respect to cooling the RCP seals. (CCW cools RCP thermal barriers and VU provides cooling to charging pumps that provides RCP seal injection.)
  SW1    Service water is not recovered within 2 hours. RCP seal LOCA.
  SW2    Service water is not recovered within 3 hours, no mitigating systems are available. Core uncovery; core damage. Containment spray operates, containment is isolated. (Remedial action: Development of the total loss of VU AOP and change of the total loss of SW AOP.)

Sequence 2. CDF 1.07E-05 per r.yr.; 5.28% of total CDF; damage state SBE12IL.
  LSP    Initiator: Loss of Offsite Power.
  AC     Both 7.2 kV AC buses fail. DGs fail.
  SBO    Consequential Station Blackout; it causes loss of RCP thermal barrier cooling and loss of seal injection. (TDEF pump starts and provides DHR.)
  1HR    Offsite power is not recovered in the first hour. (DGs recovery is not credited. Operator depressurizes the secondary side using SG PORVs and accumulators inject borated water to RCS.)
  4HR    Offsite power is still available. Batteries are depleted. (TDEF pump continues to operate through manual control.)
  CNV    Core uncovered due to seal leakage at 14 hrs. Core damage in spite of that, offsite power is recovered. RBCUs and containment sprays are operating. Containment is isolated.

Sequence 3. CDF 9.9E-06 per r.yr.; 4.89% of total CDF; damage state SBE17IH.
  LSP    Initiator: Loss of Offsite Power.
  AC     Both 7.2 kV AC buses fail. (DGs fail.)
  SBO    Consequential Station Blackout causes loss of RCP thermal barrier cooling and loss of seal injection. (TDEF pump starts and provides DHR.)
  1HR    Offsite power is not recovered in the first hour. (DGs recovery is not credited. Operator depressurized the secondary side using SG PORVs and accumulators inject borated water to RCS.)
  4HR    Offsite power is still unavailable. Batteries are depleted. (TDEF pump continues to operate through manual control.)
  XHR    Offsite power is not recovered at 14 hours. Core uncovery, due to seal leakage. Core damage.
  YHR    Offsite power is not recovered at 20 hours. RBCUs and containment sprays are unavailable. Containment is isolated.

Sequence 4. CDF 7.97E-06 per r.yr.; 3.91% of total CDF; damage state SLM10IL.
  SLOC   Initiator: Small LOCA. (Rx and SI injection are successful. EF operates and secondary side is depressurized by steam dump or SG PORVs. Low pressure recirculation is established on RWST low-low level.)
  LPR    LPI recirculation fails. Core damage. (RBCUs operate. Containment is isolated. Containment sprays are available, but have not actuated.)

Sequence 5. CDF 6.97E-06 per r.yr.; 3.43% of total CDF; damage state TRL12IH.
  LVU    Initiator: Total loss of chilled water (includes the loss of the running and the standby trains and the failure/maintenance unavailability of the installed spare pump and chiller). Cooling to the charging pumps is lost so RCP seal injection is lost. Cooling to the CCW pump(s) is lost, but CCW train A continues to operate (up to 12 hours without cooling) and cools the thermal barrier heat exchangers and thus the RCP seals remain operable.
  VUR1   Recovery of VU within 12 hours fails.
  CCR2   CCW train "B" (pump B) fails in 12-24 hr. interval. RCP seal cooling is lost. Seal LOCA occurs. No mitigation and core damage occurs. (RBCUs and containment sprays operate and containment is isolated.) The loss of chilled water AOP was not credited in the analysis.

Sequence 6. CDF 6.05E-06 per r.yr.; 2.98% of total CDF; damage state SLE12IH.
  LSP    Initiator: Loss of Offsite Power. With the loss of BOP the CCW booster pumps are lost, thus the RCP thermal barrier heat exchanger cooling is degraded or lost.
  AC     7.2 kV AC Bus A (DG) fails. Train A charging pump is lost.
  VU     Chilled water train B fails. Causes loss of cooling for train B charging pump.
  VUSB   The spare chilled water train fails to cool train B charging pump due to maintenance, component failures or [illegible] realignment (from alignment to Train A).
  VUFW   Alternate cooling to charging pump from Fire Service Water System (two diesel fire pumps) is unavailable. RCP seal injection is lost. RCP seal LOCA.
  HPI    The recirculation function of is lost (RHR is not available because CCW is not available due to loss of VU). Core damage. RBCUs and containment sprays operate. Containment is isolated.

Sequence 7. CDF 5.66E-06 per r.yr.; 2.78% of total CDF; damage state SLM10IL.
  SLOC   Initiator: Small LOCA.
  VU     Random failure of chilled water train. It renders charging pump B unavailable. (High pressure SI injection from train A is successful, secondary side DHR is operable, EF operates.)
  LPR    Random failure of train A low pressure recirculation. Core damage. RBCUs operate, containment sprays are available. Containment is isolated.

Table 7 Top Event Importances (F-V)

Top Event Name   Importance Ranking   Description

VU               39.45                Chilled Water - chiller start or run failures
AC               39.37                AC Power - diesel generators start or run failures following loss-of-offsite power
SW               27.23                Service Water - pump start or run failures
SBO              26.50                Station Blackout - diesel generator and Service Water System failures following loss-of-offsite power
1HR              24.57                Offsite Power Recovered in 1 Hour - offsite power not recovered within 1 hour
SLO              23.38                Consequential Seal LOCA - loss of RCP seal cooling following transient events due to SW, VU, or CCW support system failures or seal failures
LPR              21.92                Low-Pressure Recirculation - safeguard actuation signal on low-low RWST level failure
SWR 1            20.06                Restore SW in 2 Hours - failure of plant personnel to restore one train of service water within 2 hours following transient events with loss of service water and loss of service water events
SWR 2            20.06                Restore SW in 3 Hours - failure of plant personnel to restore one train of service water within 3 hours following transient events with loss of service water and loss of service water events (Note SWR 2 fails with the probability of 1.0 given SWR 1 fails.)

2.3 Human Reliability Analysis Technical Review

2.3.1 Pre-Initiator Human Actions

Errors in the performance of pre-initiator human actions (such as failure to restore or properly align equipment after testing or maintenance, or miscalibration of system logic instrumentation) may cause components, trains, or entire systems to be unavailable on demand during an initiating event. The review of the human reliability analysis (HRA) portion of the IPE examines the licensee's HRA process to determine the extent to which pre-initiator human events were considered, how potential events were identified, the effectiveness of any quantitative and/or qualitative screening processes used, and the processes used to account for plant-specific performance shaping factors (PSFs), recovery factors, and dependencies among multiple actions.

2.3.1.1 Types of Pre-Initiator Human Actions Considered

The Summer IPE considered both of the traditional types of pre-initiator human actions: failures to restore systems after test, maintenance, or surveillance activities and instrument miscalibrations. However, while a fairly broad range of failure to restore events was modeled in the fault trees, instrumentation miscalibration events were not modeled. The licensee stated that miscalibrations of various sensors and instruments were determined not to be important for several reasons. First, it was argued that "signals to trip the plant or actuate engineered safety features are available from a number of diverse sources..." Thus, "not only would multiple channels within the same function need to be miscalibrated, but also miscalibration across several unrelated functions would be necessary." Second, "miscalibrations errors would be as likely to produce premature actuation as well as prohibit an actuation." Finally, on the basis of the analysis of the reactor protection system in the Westinghouse Owners Group Technical Specification Optimization Program, which included miscalibration human errors in the analog channel unavailability model, it was argued that miscalibration contributed only approximately 10% to channel unavailability and that this was not a significant contribution. Therefore, it was decided that "this failure mode could be eliminated from the analysis without any adverse impact in the VCSNS PRA model." While there are reasonable aspects of such an argument, it should be noted that miscalibration events have been explicitly modeled in other IPEs and in some instances they have been shown to be significant contributors in spite of low failure probabilities.

Thus, the licensee's treatment of miscalibration events may have precluded identification of potentially important pre-initiator events (even if they were not major contributors) and therefore must be considered a weakness of the HRA.

2.3.1.2 Process for Identification and Selection of Pre-Initiator Human Actions

The submittal indicates that operator actions important to system operation (e.g., restoration failures) were identified during the systems analysis and fault tree development. In the licensee's response to an NRC request for additional information (RAI), it was indicated that relevant surveillance test procedures, mechanical maintenance procedures, system operating procedures, and re-alignment requirements following outages were reviewed. In addition, the licensee states that knowledgeable plant personnel were consulted to verify proper and accurate modeling and assumptions.

2.3.1.3 Screening Process for Pre-Initiator Human Actions

A qualitative screening was performed in the sense that if improper valve positioning could be detected through specified component actuations following test or maintenance (e.g., pump flow tests), if mispositioned valves or components could be detected from status indicators on the main control panel, if a mispositioned component was automatically realigned by an ESFAS signal, or if the misalignment of valves did not result in a significant impact on flow rate, the respective components were not modeled. All other pre-initiator restoration events were given detailed HRA analysis and included in the IPE models.

2.3.1.4 Quantification of Pre-Initiator Human Actions

All restoration faults were quantified using the Technique for Human Error Rate Prediction (THERP) described in NUREG/CR-1278. A detailed discussion of the application of the methodology to restoration events was provided in the licensee's response to the NRC's RAI. The discussion indicated that in the process of performing the quantification of pre-initiator events, a detailed review was conducted of relevant procedures and documents such as removal and restoration logs and locked valve tagging sheets, etc. This information was used to determine the appropriate "recoveries" to be applied in using THERP to quantify the pre-initiator errors. The response to the RAI indicated that a thoughtful and reasonable application of the THERP methodology was used to quantify the pre-initiator restoration events. Factors addressed included the use of restoration lists (administrative controls), independent verifications with check-off provisions, and the length of the procedures being used. It was assumed that skilled personnel would be involved in performing the task and that the stress level was optimal.

Potential dependencies within and between pre-initiator events were considered. It was determined that plant practices allowed the restoration faults modeled to be assumed independent. In addition, walkdowns were conducted to ensure that environmental factors would not contribute to dependencies between events.

2.3.2 Post-Initiator Human Actions

Post-initiator human actions are those required in response to initiating events or related system failures. Although different labels are often applied, there are two important types of post-initiator human actions that are usually addressed in PRAs: response actions and recovery actions. Response actions are generally distinguished from recovery actions in that response actions are usually explicitly directed by emergency operating procedures (EOPs). Alternatively, recovery actions are usually performed in order to recover a specific system in time to prevent undesired consequences. Recovery actions may entail going beyond EOP directives and using systems in relatively unusual ways. Credit for recovery actions is normally not taken unless at least some procedural guidance is available.

The review of the human reliability analysis (HRA) portion of the IPE determines the types of post-initiator human actions considered by the licensee and evaluates the processes used to identify and select, screen, and quantify the post-initiator actions. The licensee's treatment of operator action timing, dependencies among human actions, consideration of accident context, and consideration of plant-specific PSFs is also examined.

2.3.2.1 Types of Post-Initiator Human Actions Considered

The Summer IPE addressed both response and recovery type post-initiator human actions. Response type actions were those modeled on the basis of normal, abnormal, system, or emergency operating procedures. Apparently one non-proceduralized subtask of a response-type action was modeled with agreement from plant operations that it would be proceduralized. The change was made in the loss of chilled water abnormal operating procedure to allow operator recovery. According to the licensee, modeling of recovery type actions per se was limited to actions associated with the repair or restoration of components to operable conditions within a given amount of time. They did not "involve the ability of the plant operators to respond to events via procedures." As is discussed further below, different quantification techniques were used for response and recovery actions. Fourteen recovery events are listed in the submittal (and in the response to the RAI). The fourteen events provide HEPs for recovering service water, chilled water and component cooling water under different conditions and for different time frames. None appeared to require extraordinary behavior on the part of the operators.

2.3.2.2 Process for Identification and Selection of Post-Initiator Human Actions

The submittal states that operator actions "important to accident mitigation were identified during the plant response tree development... through an examination of the plant operating procedures" (including EOPs, abnormal procedures, etc.). The submittal also states that a control room visit was performed and documented and that interviews with operators were conducted to validate and revise the models. As described in the submittal, the interviews involved three SROs at Summer and indicated a systematic review of the procedures and a thorough examination of operator actions. An interview checklist was used to ensure that important information was obtained. The selection process was iterative in that the licensee's engineering, operations, and simulator training personnel had opportunities to review the response actions selected and their modeling. Identification of recovery actions occurred primarily after initial quantification and was also iterative in that after each re-quantification, new dominant contributors would be addressed for potential recoveries. Thus, it appears that activities were conducted that would help ensure appropriate modeling of operator actions.

2.3.2.3 Screening Process for Post-Initiator Response Actions

A formal screening of operator actions was not performed. The licensee states that early in the IPE process a decision was made to conduct a detailed evaluation of each operator action. The goal was "to obtain an operator response model of the plant that is as realistic as possible."

2.3.2.4 Quantification of Post-Initiator Human Actions

All post-initiator response type actions were quantified through the use of the Technique for Human Error Rate Prediction (THERP) described in NUREG/CR-1278. A general discussion of the application of the methodology to response actions was provided in the licensee's response to the NRC's RAI. A review of the discussion regarding the quantification of response actions, in conjunction with a review of the licensee's HRA analysis notebook, suggests that a detailed analysis of operator actions was conducted. The human actions were quantified with a systematic (but modified) application of the THERP methodology. Per THERP, PSFs for stress level and crew redundancy were considered, as were potential dependencies between and within events, e.g., accident sequence context was evaluated. While the systematic application of the (modified) THERP methodology appeared to produce relatively consistent HEPs, there are several aspects of the quantification of post-initiator response type actions performed by the licensee which clearly have the potential to be problematic. Each of these aspects is discussed below.

One concern is with the licensee's interpretation of THERP in regard to how the quantification of the diagnosis phase of a response type action should occur and how the time available for the action should be considered. In determining the failure probability of a post-initiator response type action, the actual time available for the diagnosis phase was not computed and therefore did not have a direct impact on the HEP. Rather, a process was followed to determine whether there was "adequate" time for the operators to diagnose and conduct the needed actions. The overall time windows were determined using MAAP code analyses, TREAT code analyses, and in some cases hand calculations. Apparently, the occurrence of the initial indication that an action is required was considered in determining the available time. Training and operations personnel were then used to assess whether the average times needed to diagnose and complete the actions would exceed the available times. On the basis of these judgments, if it was determined that the average time needed for a given task would exceed the available time window, then the HEP was set to 1.0. Otherwise the actions were quantified using non-time dependent aspects of THERP. In their response to the NRC's RAI, the licensee stated that if "the operators have more time than the average amount of time needed to complete an action, then it is assumed that the operators performance in diagnosis and action execution is not believed to be time dependent." An obvious limitation of the approach is that the impact of time limits and time pressures on the operators is not directly considered. Most HRA models assume that the less time there is available, the lower the likelihood of success. However, the impact of stress (which may or may not be time related) was at least generally treated by using the stress multipliers from THERP (a multiplier of five for high stress levels or two for moderate stress levels). In addition, when less than a five minute time-window was involved, the nominal HEPs were not reduced by any PSFs. The licensee also noted that potential recovery of a given event could be time-dependent.

The above approach was defended in the response to the RAI on the grounds that the THERP handbook states on page 12-10 that "with the advent and acceptance of symptom-based procedures, it is possible that the need to diagnose an unusual event may diminish in importance for PRA." They note that the THERP handbook also states that "we must base our cognitive models (that is THERP's cognitive models) on current written procedures that are not symptom oriented in most cases." On the basis of these statements in THERP and the fact that Summer did have symptom based procedures, the licensee decided that it was inappropriate to use the time dependent diagnosis models in THERP. They argue that the diagnosis HEPs in THERP are for "knowledge-based" actions as opposed to the rule-based actions asked when using symptom based procedures. Thus, the BHEPs for "diagnosis" were selected from the alarm or annunciator response model tables such as Table 20-23 in THERP or from tables addressing rule-based actions such as Table 20-7. The licensee argues that this approach is conservative because the time-dependent diagnosis value would normally be multiplied with the "recovery" values from the annunciator response model in THERP (as illustrated in Figures 21-2 and 21-5 of THERP). In the response to the RAI, the licensee selects five operator actions and requantifies them using the diagnosis models along with the guidance for quantification from THERP, demonstrating that the values used in the Summer IPE were the same or higher than those obtained when using the diagnosis model.

In the response to the RAI and in the HRA system notebooks, the licensee does discuss the general factors considered in quantifying the HEPs. Apparently, errors of commission and omission were included per THERP and THERP's set of PSFs were applied considering the plant specific context. In addition, it appeared that a modification of THERP's scheme for within crew dependence and recovery was applied that would produce slightly more conservative values than would be obtained using THERP's approach. However, the licensee's credit for recovery of local actions through "routine checks" (0.16, 0.32, or 0.8 depending on stress level) and their recovery credit for "slack time" (0.21) seemed optimistic, particularly given the credits taken for recovery by multiple control room personnel. The slack time recovery credit was given whenever the time available exceeded the assumed time needed by 60 minutes. The application of local recovery credit and slack time credit is not an explicit part of THERP and is apparently based on the expert judgments of the analysts performing the Summer HRA.

Another potential concern was the application of a "PSF" of 0.1 to all errors of commission (EOCs) because Summer's operators are highly skilled and well-trained and symptom-based procedures are used. (Recall that the licensee argues that THERP's HEPs are based on non-symptom based procedures). While such a reduction in the context of THERP is debatable, EOCs were not addressed at all in most IPEs. Thus, it could be argued that the inclusion of EOCs in any form provided for more realistic estimates of HEPs, which was a stated goal of the Summer IPE.

In summary, it is clear that the licensee conducted a systematic and detailed HRA. The HRA analysis notebook indicates that the demands placed on operators in specific scenarios were considered and that relevant dependencies were addressed. In particular, context specific factors were considered and modeled in the HRA. However, problems arise from the licensee's interpretation of THERP in regards to the treatment of diagnosis errors (particularly the inappropriate consideration of time) and their application of recovery credits that appear to go beyond that indicated by THERP, e.g., slack time. The licensee defends their interpretation of THERP and provides examples to illustrate that the HEP values they obtained are not any lower than would be obtained using the THERP diagnosis model. While the licensee did appear to closely follow THERP in their five illustrations, it should be noted that they "exercised" the model to its fullest in the sense that the values obtained are about as low as could be obtained with the model, e.g., credit was taken for multiple control room recoveries even in short-time frame scenarios. Such values are only justified in the THERP model when very detailed analysis is performed and such credit is not generally applied across all or even most actions. Thus, there are several aspects of the modified THERP which could have produced unrealistic or underestimated HEPs. In particular, the diagnosis failure probability for short-time frame events could be underestimated due to the lack of a direct consideration of time and events in which credit for local recovery or slack time were taken could also be underestimated.

A review of the HEPs for all the post-initiator response type actions indicates that in many instances the HEPs tend to be lower than those obtained for similar events in other IPEs. However, in most cases, the relative ranking of the HEPs for the modeled events did not appear unreasonable. Two exceptions included an HEP of 2.8E-3 for manual trip along with an HEP of 4.59E-6 for emergency boration. Manual trip is usually considered an "immediate operator action" that is memorized and well practiced, and very low probabilities of failure are usually assigned. Alternatively, initiating emergency boration is an event for which only ten minutes are assumed available and for which considerable stress would be likely. While it is unlikely that such a low value would have been obtained with the THERP diagnosis model, this event would usually be asked only in cases where ATWS related hardware failures had occurred. In such a context and given the relevant emergency procedures available, it is not unreasonable to expect a fairly low operator failure probability for initiating emergency boration.

Regardless, in spite of the tendency to have relatively low HEPs, the licensee's consideration of dependencies along with their detailed analysis appears to have resulted in a reasonable ranking of events in terms of their HEPs. The main concern with low HEPs is that potentially important events may have been truncated out. However, the calculational cutoff frequency was reported to be 1.0E-12 (page 3-178 of the submittal). In addition, the top 250 dominant sequences, accounting for S2% of the CDF, were subjected to a sensitivity analysis. Importance measures indicated that several of the most important human actions had low HEPs, but were still found to be important in terms of either risk reduction or risk achievement (see Section 2.3.2.5). Thus, it does not appear that the low HEPs precluded identification of potential vulnerabilities related to operator actions.

2.3.2.4.1 Estimates and Consideration of Operator Response Time

The determination of the time available for operators to diagnose and perform event related actions is a critical aspect of HRA. As discussed above, the licensee's failure to appropriately consider the impact of time on diagnosis could have led to unrealistic or underestimated HEPs.

2.3.2.4.2 Other Performance Shaping Factors Considered

As noted above, the licensee's application of THERP apparently included appropriate consideration of PSFs for stress and crew redundancy during accident scenarios. Although the submittal and the HRA analysis notebook indicate that factors such as simulator training, ambiguous proceduralized steps, and feedback to the control room were used in assessing operator action failure probabilities, the way in which these factors influenced resulting HEPs was not made clear. Consideration of human factors aspects in the control room was not mentioned either.

2.3.2.4.3 Consideration of Dependencies

Two basic types of dependencies are normally considered in quantifying post-initiator human actions: 1) time dependence and 2) dependencies between multiple actions in a sequence or cut set. One type of time dependence is concerned with the fact that the time needed to perform an action influences the time available to recognize that a problem has occurred and to diagnose the need for an action. As discussed above, this type of time dependence was not treated in the Summer IPE.

Another aspect of time dependence is that when sequential actions are considered, the time to complete one action will impact the time available to complete another. Similarly, the sooner one action is performed, the slower or quicker the condition of the plant changes. This type of time dependence is normally addressed by making conservative assumptions with respect to accident sequence definitions. One aspect of this approach is to let the timing of the first action in a sequence initially minimize the time window for subsequent actions. The occurrence of cues for later actions are then used as new time origins. In the discussion on dependent events presented in the submittal, it is indicated that the time window for subsequent tasks in accident sequences is considered in determining dependency.

The second type of dependence considers the extent to which the failure probabilities of multiple human actions within a sequence or cut set are related. There are clearly cases where the context of the accident and the pattern of successes and failures can influence the probability of human error. Thus, in many cases it would clearly be inappropriate to assume that multiple human actions in a sequence or cut set would be independent. Furthermore, context effects should be examined even for single actions in a cut set. While the same basic action can be asked in a number of different sequences, different contexts can obviously lead to different likelihoods of success.

Several discussions in the submittal and in the licensee's response to the RAI suggest that potential dependencies among the operator actions were considered. The submittal states that the conditional failure probabilities between operator actions in the same accident sequence were evaluated. The evaluation considered "the stress level of the preceding event on which the subsequent task is dependent". It also considered the "time window for the second task, the amount of slack time for the second task, the complexity of the second task, and the type of procedural guidance." Consideration of these factors "led to a judgment of the level of dependency of the subsequent task on the preceding task." The dependency models in THERP were then used to adjust the relevant HEPs. In discussing the treatment of dependencies in the licensee's response to the RAI, it appeared that in most cases events from the fault trees were assumed to be independent. Several events were discussed and justifications for assumptions of independence were provided. In the latter part of the response to RAI question number 13, several criteria for assessing dependencies were presented. Part I addresses dependencies in manipulating two or more of the same type of component, Part II covers dependencies between subtasks of a procedure, and Part III addresses dependencies between top events. Part III states that since "THERP provides no direction on determining dependency levels among events, moderate dependency was assigned to each identified case." The latter comment is somewhat in contradiction with the discussion of dependencies provided in the submittal and discussed above.

Nevertheless, it appears that the licensee was aware of the importance of considering dependencies and had a systematic approach for addressing dependencies.
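The sensitivity of a cut set to the dependency level assigned between successive operator actions can be shown with the THERP dependence equations from NUREG/CR-1278. The following is an added example, not taken from the report or the licensee's HRA; the two HEPs are the Table 8 values for "Initiate SI and Establish EF" and "Initiate Bleed & Feed", and placing those two actions in the same cut set is an assumption made only for illustration.

```python
"""THERP dependence model applied to consecutive operator actions.

Added illustration; the pairing of actions below is hypothetical.
"""

# Conditional HEP of task N given failure of task N-1, as a function of the
# basic (unconditional) HEP n of task N. These are the THERP equations for
# zero, low, moderate, high and complete dependence (NUREG/CR-1278).
_DEPENDENCE = {
    "ZD": lambda n: n,
    "LD": lambda n: (1 + 19 * n) / 20,
    "MD": lambda n: (1 + 6 * n) / 7,
    "HD": lambda n: (1 + n) / 2,
    "CD": lambda n: 1.0,
}


def conditional_hep(basic_hep, level):
    """Failure probability of a task given that the preceding task failed."""
    if not 0.0 <= basic_hep <= 1.0:
        raise ValueError(f"HEP must lie in [0, 1], got {basic_hep}")
    if level not in _DEPENDENCE:
        raise ValueError(f"unknown dependence level {level!r}")
    return _DEPENDENCE[level](basic_hep)


def joint_failure(heps, levels):
    """Probability that every action in an ordered chain fails.

    heps   -- basic HEPs in the order the actions are called for
    levels -- dependence level of each action on its predecessor,
              so len(levels) == len(heps) - 1
    """
    if not heps or len(levels) != len(heps) - 1:
        raise ValueError("need one dependence level per successive pair")
    # The first action fails at its basic HEP; each later action fails at
    # its conditional HEP given failure of the one before it.
    probability = conditional_hep(heps[0], "ZD")
    for hep, level in zip(heps[1:], levels):
        probability *= conditional_hep(hep, level)
    return probability


def underestimation_factor(heps, levels):
    """How much the independence assumption understates the joint failure."""
    independent = joint_failure(heps, ["ZD"] * (len(heps) - 1))
    return joint_failure(heps, levels) / independent


# HEPs as listed in Table 8 of this report.
HEP_SI_AND_EF = 2.83e-3       # Initiate SI and Establish EF
HEP_BLEED_AND_FEED = 4.84e-3  # Initiate Bleed & Feed (Actuate SI)

if __name__ == "__main__":
    chain = [HEP_SI_AND_EF, HEP_BLEED_AND_FEED]  # hypothetical cut set
    for level in ("ZD", "LD", "MD", "HD", "CD"):
        joint = joint_failure(chain, [level])
        factor = underestimation_factor(chain, [level])
        print(f"{level}: joint HEP = {joint:.3e}  (x{factor:.1f} vs independent)")
```

With moderate dependence, the level the licensee assigned to identified cases between top events, the joint failure probability of this pair is roughly thirty times the value obtained under independence, which is why the justification for each independence assumption matters when the individual HEPs are low.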

2.3.2.4.4 Quantification of Recovery Type Actions

As discussed above, the fourteen recovery events modeled were for recovering service water, chilled water, and component cooling water under different conditions and for different time frames. The licensee indicated that recovery probabilities were determined on the basis of judgments from "four plant experts." The licensee's response to the RAI described a relatively detailed and systematic procedure that was used to obtain the judgments and compute the resulting HEPs. The general approach involved estimating the probability of recovering individual component failures that determine the system failures and combining those probabilities by a weighted average. The weighting is based "on the importance of the component failure to the system failure, that is, the cutset probability for that component."

Assuming expert judgments had to be used, neither the approach nor the resulting HEPs appeared obviously unreasonable.

2.3.2.4.5 Human Actions in the Flooding Analysis

Most potential flooding scenarios were qualitatively eliminated in the Summer IPE. Post-initiator operator actions were apparently considered in the analyses that were conducted, but a discussion of how the HEPs were obtained could not be found. Apparently, the same models and HEPs used for the other initiators were used. The response to the RAI indicated that the pre-initiator events modeled for other initiators were also modeled in the flooding scenarios.

2.3.2.4.6 Human Actions in the Level 2 Analysis

In Section 4.3.1 of the submittal, which discusses the back-end analysis, it is stated that MAAP analyses were done to "establish timing of key events for human reliability analysis and to understand sequence progression." However, no additional information could be found regarding any special HRA done for the level 2 analysis.

2.3.2.5 Important Human Actions

The licensee's response to the RAI provided a list of important human actions. The criteria for inclusion in the table were a risk reduction worth (RRW) greater than 1.005 and/or a risk achievement worth (RAW) greater than 2. The events included in the licensee's table are presented below in Table 8, along with their RRW, RAW, and HEP. A review of the HEPs associated with each event indicated that at least some of the HEPs might be considered low compared to HEPs obtained for similar events in similar plants. However, the THERP methodology is known to result in relatively low probabilities when justified by a detailed analysis.

Table 8 Important Human Actions

| Event Description | RRW | RAW | HEP |
|---|---|---|---|
| Initiate Bleed & Feed (Actuate SI) | 1.007 | 2.382 | 4.84E-3 |
| Establish Condensate Feedwater | 1.037 | 1.000 | 1.0 |
| Establish Low-pressure Hot Leg Recirculation | 1.001 | 6.081 | 3.71E-4 |
| Initiate SI and Establish EF | 1.011 | 4.960 | 2.83E-3 |
| Establish Low-pressure Cold Leg Recirculation (RHR Pumps Running) | 1.001 | 3.182 | 2.4E-4 |
| Establish Low-pressure Cold Leg Recirculation (RHR Pumps Stopped) | 1.004 | 4.608 | 9.18E-5 |
| Establish High-pressure Cold Leg Recirculation (RHR Pumps Stopped) | 1.004 | 5.394 | 8.49E-4 |
| Align Alternate Cooling to Charging Pumps | 1.058 | 1.983 | 5.3E-2 |
| Align and Start Chiller C and Pump C to Train B | 1.053 | 1.151 | 2.08E-1 |
| Start Second CCW Pump on Failure of First Pump | 1.022 | 1.986 | 1.12E-3 |
| Recover at Least One Train of SW When Both Trains Failed but Supported Within 2 Hours (Loss of SW Initiator) | 1.087 | 1.094 | 8.10E-1 |
| Recover at Least One Train of SW When Both Trains Failed But Supported Within 2 Hours (Transient Initiator) | 1.064 | 1.007 | 8.90E-1 |
| Recover Train A of SW When Train A Failed and Only Train A Support is Available Within 2 Hours (Transient Initiator) | 1.044 | 1.010 | 8.10E-1 |
| Recover Train B of SW When Train B Failed and Only Train B Support is Available Within 2 Hours (Transient Initiator) | 1.015 | 1.004 | 7.80E-1 |
| Recover at Least One Train of Chilled Water When Both Trains Failed but Supported Within 12 Hours (Loss of Chilled Water Initiator) | 1.062 | 1.267 | 1.80E-1 |
| Start Chilled Water Loop B During Transient | 1.003 | 3.479 | 1.19E-3 |
| Start CCW Pump B or C During Transient | 1.001 | 3.334 | 6.07E |
| Start Train B ESF Equipment From Control Board During Transient | 1.061 | 1.936 | 5.70E-3 |

2.4 Back End Technical Review

2.4.1 Containment Analysis / Characterization

2.4.1.1 Front-end Back-end Dependencies

Containment event trees (CETs), which are used in most of the IPEs for Level 2 analysis, are not developed in the VCSNS IPE. The traditional core damage analysis (i.e., Level 1) and containment analysis (i.e., Level 2) portions of the Probabilistic Risk Assessment (PRA) were integrated in the VCSNS IPE through the use of "plant response trees" (PRTs) that depict the combinations of events that model the plant behavior from the initiating event to an end state characterized by retention of fission products within the containment boundary or release of fission products to the environment.

Since a single event tree (i.e., the PRT) is used for both level 1 and level 2, the development of plant damage states (PDSs) as interface for the level 1 and level 2 analyses is not required in the VCSNS IPE. However, grouping of core damage sequences to PDSs is performed in the VCSNS IPE. It is used to consolidate the large number of accident sequences into a small number of damage states (called accident sequence damage states or PDSs in the IPE submittal) such that all sequences within a particular damage state can be treated as a group for assessing accident progression, containment response, and fission product release.

Sequence grouping is discussed in Section 3.1.6 of the IPE submittal. The parameters used in the IPE for sequence grouping include:

  • Accident initiator,
  • Core melt timing,
  • Containment isolation and bypass status,
  • RCS pressure at the time of core melt.

The accident initiators for the VCSNS PDSs include transient, station blackout (SBO), LOCA, SGTR, ISLOCA, and ATWT. The timing of core melt can be early (within 2 hours of accident initiation), intermediate (2 to 6 hours), or late (6 to 24 hours), and the RCS pressure can be either high or low.

The conditional probabilities of the PDSs for the various accident initiators are: 50.7% for SBO, 21.3% for transient, 20.9% for small LOCA, 6.7% for medium LOCA, 0.3% for SGTR, and 0.1% for ISLOCA. The most probable PDS is SSE121H (41% CDF), a PDS of SBO sequences with early core melt at high RCS pressure and with both containment spray and containment heat removal available (with power recovered before 20 hours). This is followed by TRE13IH (21% CDF), a PDS of transient initiated sequences, with early core melt at high RCS pressure and the availability of containment spray (CHR not available).

2.4.1.2 Containment Event Tree Development

As discussed above, a single PRT is used in the VCSNS IPE for both the Level 1 and Level 2 analyses. The PRT, which is an event tree, is developed and quantified for each initiating event in the IPE. The PRT explicitly includes the analysis of containment systems normally assessed in the Level 2 analysis, and containment condition is addressed in the PRT by the availability of these systems described in the success criteria for containment integrity developed in the IPE. According to the success criteria, containment integrity is maintained if containment heat removal (CHR) is available. Based on plant-specific MAAP analyses and containment pressure capability (142 psig, the median containment failure pressure), successful containment heat removal can be provided by one of two RBCUs or one RHR heat exchanger (with associated recirculation train).

The quantification of the containment failure probabilities for VCSNS is based on plant-specific MAAP analyses and phenomenological evaluations of the various failure modes, or mechanisms, identified in NUREG-1335. The evaluations are presented in phenomenological evaluation summaries (PESs) which are not included in the IPE submittal. However, brief discussions of the evaluations and the results obtained from these evaluations are provided in the submittal.

According to the submittal, the containment failure modes that are addressed in the PESs include those associated with hydrogen combustion, direct containment heating (DCH), steam explosions, molten core-concrete interaction (MCCI), vessel blowdown, thermal loading on penetrations, containment isolation failure, containment bypass, and containment overpressurization by noncondensible gas generation, steam generation, or hydrogen burn.

According to the submittal, modeling and bounding calculations, based on extensively compiled experimental data and phenomenological uncertainties (complemented with MAAP calculations in some cases), composed the general approach used in these evaluations. Based on these evaluations, all of the above containment failure modes, except for containment overpressure, containment isolation failure, and containment bypass, are considered in the IPE as unlikely failure modes and thus not included in containment failure quantification for VCSNS.

The dismissal of some of the containment phenomena is based on a comparison of the containment pressure load and the containment pressure capability. The containment pressure capability used in the comparison is 142 psig, or the median containment failure pressure. It is noted that, although the estimated pressures for these phenomena are less than the median, or even the lower bound (taken as the 5th percentile value), of the containment failure pressure, a finite, but small failure probability can be obtained by comparing the pressure loads with the containment fragility curve presented in the IPE submittal. A simple comparison of the pressure load with the median (or lower bound) containment failure pressure may therefore fail to identify some failure modes that have a small but finite contribution. This may be a problem if this failure mode involves significant uncertainty. However, this does not seem to be a problem for the VCSNS IPE, because even with the consideration of uncertainties, the contribution from the omitted failure modes to total containment failure is not expected to be significant. On the other hand, the lack of consideration of these failure modes in the IPE in a structured way, as can be provided by a CET, precludes a systematic means to examine the relative (quantitative) importance of these failure modes and the effects of some recovery actions (e.g., depressurization) on these failure modes. Some of the items that are of interest are discussed in the following.

Unlikely Containment Failure Modes

Containment failure modes are discussed in Section 4.3.2 of the IPE submittal. Although all important severe accident containment failure modes that are discussed in NUREG-1335 are addressed in the IPE submittal, most of them are ignored and not evaluated in containment failure quantification. These include those associated with the following containment phenomena:

  • Direct containment heating (DCH),
  • Steam explosions,
  • Molten core concrete interaction (MCCI),
  • Thermal attack of containment penetrations, and
  • Vessel thrust force.

Phenomenological evaluations were performed in the IPE for the above phenomena. The phenomenological evaluation summaries (PESs) prepared for the IPE investigated both the likelihood of occurrence and the probable consequences of these accident phenomena. The PESs were based on available experimental information from the open literature, as well as information developed using the Fauske & Associates, Inc. (FAI) experimental facilities.

For the first two phenomena, hydrogen combustion and DCH, according to the IPE, conservative estimates of containment pressures from these phenomena were obtained and compared with the containment pressure capability to determine their effect on containment failure probability. In the IPE, the assessment of hydrogen deflagration assumed in-core hydrogen production of 100-percent oxidation of all Zirconium and metallic constituents of the lower core plates, and bounding containment pressure from adiabatic isochoric complete combustion (AICC) of the assumed hydrogen inventory. This resulted in a containment pressure of 114 psia, within the lower bound containment failure pressure (defined in the IPE as the 5 percentile value, 135 psia). For DCH, the containment pressure estimated in the IPE is 91 psia if it is combined with a hydrogen burn, and 61 psia without hydrogen burn. The DCH modeling methodology used in the IPE includes consideration of the debris mass that could potentially be particulated in the reactor cavity and the instrumental tunnel, and the fraction of entrained (particulate) debris that could escape the reactor cavity and disperse to the containment atmosphere. According to the IPE, only 13.5% of entrained core debris is expected to be dispersed to the annular compartment of the containment.

The potential of deflagration-to-detonation transition (DDT) was also evaluated in the IPE. According to the submittal, the hydrogen mole fraction in a dry VCSNS containment reaches only 14.3% if 100-percent of all Zirconium and the lower core plate are oxidized. With the consideration of the mixture intrinsic flammability and the type of geometry, it is concluded in the PESs that failure of the VCSNS containment by DDT is very unlikely.

The assessment of hydrogen combustion and DCH in the IPE seems reasonable. However, although the estimated containment pressures obtained in the IPE for these phenomena were described in the IPE submittal as conservative, they are less than that estimated for the worst case in NUREG-1150 for Zion. For example, for the worst case, the pressure rise in the containment due to HPME for Zion has a mean value of 105 psi. This is primarily due to the significant uncertainties associated with these phenomena.

Of the containment failure modes listed above, MCCI may cause late containment failure. In the VCSNS IPE, ex-vessel debris coolability is not discussed as an issue in containment failure quantification. Rather, MCCI was evaluated in the PESs by a simple bounding analysis. Results of the bounding analysis indicate that even if 100-percent of the decay heat is present in the reactor cavity and is contributing to concrete attack, melt-through of the cavity basemat will not occur within the mission time of 48 hours (the bounding analysis predicted basemat failure in 150 hours). The small effect of MCCI on containment failure may be partially attributed to the large cavity floor area (716 ft²) for VCSNS. According to the IPE, the depth of the debris in the reactor cavity ranges from 19 to 24 cm for an upper bound estimate of the debris mass in the reactor cavity (250,000 lbm).

Likely Containment Failure Modes

The following containment failure modes are considered in the IPE as likely failure modes and are included in containment failure quantification:

  • Containment overpressure,
  • Containment isolation failure, and
  • Containment bypass.

In the VCSNS IPE, containment overpressure failure is primarily due to containment pressurization from the generation of steam and non-condensible gases with containment heat removal not available.

Temperature-induced steam generator creep rupture, which is considered in other IPEs, is not addressed in the VCSNS IPE. However, it is discussed in the licensee's response to RAI level 2 Question 6. According to the response, ISGTR is not addressed in the IPE because information available for Zion-like reactors indicates that, under high RCS pressure condition, it is more likely to have hot leg or surge line failure than ISGTR. ISGTR is therefore ignored in the IPE.

It is noted, however, that a finite, although small, probability of ISGTR (with a 1.8% mean value for RCS at setpoint pressure) is used in the NUREG-1150 analysis for Zion.

The probability of ISGTR increases with the restart of the RCPs. The licensee's response to RAI level 2 Question 6 also discusses this issue. It is admitted in the response that the operation of the RCP (which clears the loop seals) during high pressure sequences following steam generator secondary side dryout may lead to an increased risk of ISGTR. However, according to the response, VCSNS has implemented Westinghouse ERG Maintenance Item #DW-93-019, which procedurally prevents operators from restarting the RCPs if the steam generator water level is too low. The condition that increases the probability of ISGTR is therefore not likely to occur at VCSNS. Furthermore, the frequency of the core damage sequences that have both a high RCS pressure and a dried-out SG secondary side is small for VCSNS (0.8% of total CDF). Therefore, the probability of containment bypass will not significantly increase even if all these sequences result in ISGTR.

Containment Failure Modes

In the VCSNS IPE, containment bypass is due to SGTR or ISLOCA. Induced SGTR is not considered as a credible containment failure mode. The only failure mode considered in the IPE for early containment failure is containment isolation failure, and the only late containment failure mode considered in the IPE is that from containment overpressurization in cases when containment heat removal is not available.

2.4.1.3 Containment Failure Modes and Timing

The VCSNS containment ultimate strength evaluation is described in Section 4.3.2 of the IPE submittal. Containment failure pressures were obtained in the VCSNS IPE by a plant-specific structural analysis performed by Gilbert Associates. The dominant failure modes were found to be: membrane stress in the vertical direction of the containment wall, hoop stress in the containment wall, membrane stress in the dome, and shear failure at the basemat-cylinder junction. A fragility curve was created in the IPE by assuming normal distributions for the above failure modes. The standard deviation for each normal distribution was based on material properties tests and generic data for uncertainties due to modeling and engineering. The total fragility, which was obtained by combining the individual distributions using Monte Carlo techniques, has a mean failure pressure of 142 psig. The lower and upper bounds for containment failure are defined in the IPE as the 5th and 95th percentile values, respectively. They are 120 psig and 154 psig for VCSNS.
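The fragility-curve comparison described in this section, as an added Python example that is not part of the IPE submittal or of this report: four normal failure-mode capacities are combined into one containment fragility curve, and the pressure loads quoted from the IPE (114, 91 and 61 psia) are evaluated against that curve instead of against a single median or 5th percentile value. The mode means and standard deviations, the independence of the modes and the weakest-link combination are assumptions, and the numbers are constructed, so the output illustrates the method and does not reproduce the 142/120/154 psig results.

```python
import math
import random

PSI_ATM = 14.7  # standard atmosphere, used to convert psia to psig

# Constructed capacities in psig: (failure mode, mean, standard deviation).
# Illustrative values only; they are NOT taken from the plant-specific analysis.
MODES = [
    ("vertical membrane stress, wall", 150.0, 10.0),
    ("hoop stress, wall", 155.0, 12.0),
    ("membrane stress, dome", 160.0, 12.0),
    ("shear at basemat-cylinder junction", 165.0, 15.0),
]


def psia_to_psig(pressure_psia):
    return pressure_psia - PSI_ATM


def mode_failure_probability(load_psig, mean, sd):
    """P(capacity <= load) for one normally distributed capacity.
    erfc keeps precision in the lower tail, where the loads of interest sit."""
    z = (load_psig - mean) / sd
    return 0.5 * math.erfc(-z / math.sqrt(2.0))


def failure_probability(load_psig, modes=MODES):
    """Fragility curve: P(at least one mode has failed at this load).
    Assumes independent modes; the weakest one governs."""
    log_survival = 0.0
    for _, mean, sd in modes:
        p_mode = mode_failure_probability(load_psig, mean, sd)
        if p_mode >= 1.0:
            return 1.0
        log_survival += math.log1p(-p_mode)
    return -math.expm1(log_survival)


def pressure_at_probability(q, modes=MODES, lo=0.0, hi=400.0):
    """Invert the fragility curve by bisection (q=0.5 gives the median)."""
    for _ in range(100):
        mid = 0.5 * (lo + hi)
        if failure_probability(mid, modes) < q:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def monte_carlo_failure_probability(load_psig, modes=MODES, trials=20000, seed=1):
    """Same quantity by sampling: draw each capacity, keep the weakest."""
    rng = random.Random(seed)
    failures = 0
    for _ in range(trials):
        weakest = min(rng.gauss(mean, sd) for _, mean, sd in modes)
        if weakest <= load_psig:
            failures += 1
    return failures / trials


def screened_out(load_psig, capability_psig):
    """Point comparison: the phenomenon is dropped if load < capability."""
    return load_psig < capability_psig


def evaluate(load_psia, modes=MODES):
    """Point screening next to the fragility-curve probability for one load."""
    load = psia_to_psig(load_psia)
    return {
        "load_psig": load,
        "screened_by_median": screened_out(load, pressure_at_probability(0.5, modes)),
        "screened_by_5th_percentile": screened_out(load, pressure_at_probability(0.05, modes)),
        "failure_probability": failure_probability(load, modes),
    }


if __name__ == "__main__":
    for name, psia in [("hydrogen burn (AICC)", 114.0),
                       ("DCH with hydrogen burn", 91.0),
                       ("DCH without hydrogen burn", 61.0)]:
        r = evaluate(psia)
        print(f"{name}: {r['load_psig']:.1f} psig, "
              f"screened out={r['screened_by_5th_percentile']}, "
              f"P(fail)={r['failure_probability']:.2e}")
```

With these constructed inputs every load is screened out by both point comparisons, yet each carries a non-zero failure probability that a CET could have carried forward.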

In the VCSNS IPE, a leak-before-break behavior is assumed for containment overpressure failure. A break area of 0.03 ft² is used in the IPE for source term calculation (using the MAAP code). The effect of containment failure size on source term determination is evaluated in the IPE in the sensitivity studies.

The containment failure pressures and their distributions obtained in the VCSNS IPE seem to be consistent with those obtained in other IPEs. Although the assumed break area is small, the sensitivity study performed in the VCSNS IPE shows an insignificant effect of the assumed break area on source term calculation ***.

2.4.1.4 Containment Isolation Failure

Containment isolation status is one of the PRT top events. It is also indicated by the sixth digit in the 7-digit PDS designator. Containment isolation failure is discussed briefly in Section 4.3.2 of the IPE submittal. Additional discussion is provided in the licensee's response to RAI (Level 2 Question 5). In the IPE, only pipes with diameters greater than 2 inches are evaluated, and results show that the probability of containment isolation failure for VCSNS is about 3E-3 (Table 4.4.4-4). According to the descriptions provided in the IPE submittal and the licensee's response to the RAI, all five areas identified in the Generic Letter regarding the evaluation of containment isolation failure are addressed in the IPE.

2.4.1.5 System/Human Responses

The availability of the systems that are important to level 2 accident progression is determined in the PRT and their status is described in PDS definition. Recovery of these systems during accident progression for level 2 analysis is not discussed in the IPE submittal. According to the results presented in the IPE submittal, power is recovered at 20 hours (at which time the operator recovers spray injection and the RBCUs) for one SBO PDS (40.0% CDF) and not recovered within the mission time (48 hours) for the other SBO PDS (9.5% CDF). For the SBO PDS in which power is not recovered, containment failure does not occur within 48 hours, and mitigating actions are required to prevent containment failure beyond 48 hours (i.e., the mission time).

2.4.1.6 Radionuclide Release Characterization

Since the VCSNS containment event trees have been incorporated into the PRTs, the PRT end states define the radionuclide release characteristics for VCSNS. As discussed above in Section 2.4.1.1 of this report, the PRT end states (or accident sequences) are grouped to a set of PDSs, and each PDS includes sequences with similar damage states in terms of the initiating event, expected timing of core damage, status of the ECCS and containment heat removal systems, the state of the containment, and the RCS pressure when core damage occurs. Each PDS thus defines a set of faulted functions that summarizes by function a set of system faults that would result in similar radiological consequences. In the VCSNS, the PDSs are further grouped to 10 source term bins (STBs) for sequence selection and source term calculation (by the MAAP code). One sequence is selected from each source term bin for source term determination.

*** The lack of sensitivity of fission product release to containment failure size is probably due to the availability of containment spray for the calculated sequences. The effect may be more significant if containment spray is not available.

In addition to source term bins, release categories (RCs) are defined in the VCSNS IPE by containment failure timing (early or late), containment failure mode (overpressure, not isolated, or bypassed), and the airborne fractional release of fission products to the environment. Nineteen RCs are defined in the VCSNS IPE. The source term bins are assigned to the release categories based on the source term results obtained from MAAP calculations for the STBs. Results showed five release categories with non-zero frequencies. They are (Table 4.4.4-4):

  • Release Category A - No containment failure within 48-hour mission time, but failure could eventually occur without further mitigating action; noble gases and less than 0.1% volatiles released (11.5% total CDF),
  • Release Category S - Success; containment integrity maintained; normal leakage only (65% total CDF),
  • Release Category T - Containment bypassed with noble gases and more than 10% of the volatiles released (0.4% total CDF),
  • Release Category K - Late containment failure with noble gases and less than 0.1% volatiles released (containment failure greater than 6 hours after vessel failure, 21% total CDF),
  • Release Category E - Containment failure before vessel failure with noble gases and less than 0.1% of volatiles released (containment not isolated, 0.3% total CDF).

The release categories are defined in the IPE to provide a general characterization of the release profile obtained in the IPE for VCSNS. Detailed release fractions for the various radionuclide groups are obtained in the IPE and reported in the IPE submittal for the 10 source term bins (STBs). Among these ten STBs, two involve containment bypass, one each involves isolation failure or late failure, and six involve no containment failure.

According to Table 4.4.4-1 of the IPE submittal, the calculated release fractions for volatile fission products are 84% for ISLOCA sequences (Release Category T), 23% for the SGTR sequence (RC T), 0.07% for the isolation failure sequences (RC E), and less than or equal to 0.01% for the other sequences. The volatile fission product release reported in the IPE submittal for the late containment failure sequences is extremely low. The release fraction of volatile fission products for STB 5 (release fraction of 2E-7), the only STB that involves late containment failure, is lower than that of other STBs in which the containment remains intact (release fractions vary from 4E-7 to 1E-4). Review of the results reported in the IPE submittal indicates that containment spray is available for all the sequences in STB 5, and that the containment failure time calculated by the MAAP code for the selected sequence is 47.8 hours, only 0.2 hour before the mission time (also the calculation termination time). It seems that the low release for STB 5 may be due to the short release time and the small containment break area assumed in the IPE. However, according to the licensee's response to RAI Level 2 Question 9, because of the operation of containment spray, the release of volatile fission products is not expected to change significantly for long term release, beyond the Level 2 mission time, or the use of a containment break area greater than that used in the IPE calculation (0.03 ft²).

2.4.2 Accident Progression and Containment Performance Analysis

2.4.2.1 Severe Accident Progression

Sequence selection for fission product release characterization is discussed in Section 4.4.3 of the VCSNS IPE. In the VCSNS IPE, source term analyses (by the MAAP code) were performed only for dominant PDSs. The selected PDSs include the PDSs for the top 20 functional sequences and three additional PDSs with containment bypass and isolation failure. Based on the potential for radiological release from the containment, these 23 PDSs are further grouped to 10 source term bins (Table 4.4.3-2 of the submittal). A representative sequence is then selected from the sequences in each source term bin to determine the release fractions for that bin using the MAAP code. Sequence selection in the VCSNS IPE is based on either the frequency of the sequence or the expected bounding magnitude of the sequence in the source term bin. It is noted that because early containment failure due to high pressure phenomena are not expected in the VCSNS IPE, high- and low-pressure sequences are binned to the same source term bins. The sequences selected from the source term bins for source term calculation include one ISLOCA sequence, one SGTR sequence, two transient sequences, two SBO sequences, three small LOCA sequences and one medium LOCA sequence.

The sequences selected for source term analyses and the source terms definition used in the IPE seem to be adequate.

2.4.2.2 Dominant Contributors: Consistency with IPE Insights

Level 2 results on radionuclide release characterization (or containment failure mode definition) are discussed in Section 4.4 of the submittal. Table 9, below, shows a comparison of the conditional probabilities for the various containment failure modes obtained from the VCSNS IPE with those obtained from the Surry and Zion NUREG-1150 analyses.

As shown in Table 9, the conditional probability of containment bypass for VCSNS is 0.4% of total CDF. Most of it is from steam generator tube rupture as an initiating event (0.3% of total CDF). Induced SGTR is not considered in the IPE as a credible failure mode. The contribution from ISLOCA is small (0.1%), but it results in the highest releases.

Since all phenomena that may cause an early containment failure are considered in the IPE as unlikely to cause containment failure and thus not included in containment failure quantification, the conditional probability of early containment failure for VCSNS is zero. The probability of containment isolation failure is 0.3%. All of it is from transient sequences.

Table 9 Containment Failure as a Percentage of Total CDF

Containment Failure    VCSNS IPE+      Surry 1150    Zion 1150
Early Failure          Negligible++    0.7           1.4
Late Failure           20.5            5.9           24.0
Bypass                 0.4             12.2          0.7
Isolation Failure      0.3
Intact                 76.5            81.2          73.0
CDF (1/ry)             2.0E-4          4.0E-5        3.4E-4

+ The data presented for VCSNS are based on Table 4.4.4-4 of the IPE submittal. The total is 97.7%. The probability of "Intact" containment includes that from "no containment failure within 48 hours, but failure could eventually occur without further mitigating action" (11.5% CDF).

++ The phenomena that may cause early containment failure are not considered in containment failure quantification based on phenomenological evaluation summaries prepared by FAI.


The conditional probability of late containment failure for VCSNS is 20.5% of total CDF. It is primarily from containment overpressure failure due to loss of containment heat removal. Because of the long time it takes to melt through the containment basemat, late containment failure by basemat melt-through is not considered in the IPE as a credible containment failure mode even if the debris is not coolable. Based on the results presented in the VCSNS IPE, LOCA and SBO sequences do not contribute to late containment failure; all late containment failure comes from transient sequences. In fact, containment failure is not predicted in the IPE to occur for LOCA and SBO sequences. Although containment failure does not occur for LOCA and SBO sequences, about 10% of small LOCA sequences and 20% of SBO sequences result in a containment state that requires mitigating actions beyond the 48 hour mission time. On the other hand, because of the availability of the RBCU system, containment failure does not occur for all medium LOCA sequences.

2.4.2.3 Characterization of Containment Performance

As shown in Table 9, the core damage frequency (CDF) for VCSNS is lower than that obtained in NUREG-1150 for Zion but greater than that obtained in NUREG-1150 for Surry. The conditional probability of containment bypass obtained in the VCSNS IPE is less than that obtained in NUREG-1150 for Surry, but comparable to that obtained in NUREG-1150 for Zion. The smaller containment bypass probability for VCSNS can be partly attributed to the lack of consideration of induced SGTR in the VCSNS IPE. The bypass probability for VCSNS could be a fraction of a percent if NUREG-1150 data for ISGTR (1.8% for high pressure sequences, which is about 70% of all VCSNS sequences) were used.

Another feature of the VCSNS IPE is the lack of consideration of any early failure modes in containment failure quantification. The early containment failure modes that contribute in the NUREG-1150 analyses for Surry and Zion include those from steam explosion and containment pressure load associated with HPME. Should the data used in the NUREG-1150 analyses for in-vessel steam explosion (0.8% and 0.08% for low pressure and high pressure sequences, respectively) and HPME (higher estimated pressure in NUREG-1150 than in VCSNS IPE) be used in VCSNS, the conditional probability of early containment failure could be comparable to those obtained in NUREG-1150.

The C-Matrix, which in other IPEs shows the conditional probabilities of CET end states (or containment failure modes) for the PDSs, can be obtained from Table 4.4.3.2 of the VCSNS IPE. According to the VCSNS IPE, the ten PDSs can be mapped one-to-one to the ten source term bins, which can be further grouped to the five release categories.

2.4.2.4 Impact on Equipment Behavior

The effects of harsh environmental condition on the operation of containment sprays and containment fan coolers are not discussed in the IPE submittal but are discussed in the licensee's response to the RAI (Level 2 Question 7). In the response, the potential adverse effect of containment pressure and temperature, humidity, and aerosol plugging on the operation of fan coolers are discussed.

2.4.2.5 Uncertainties and Sensitivity Analysis

Sensitivity studies were performed in the VCSNS IPE to evaluate the effects of potential in-vessel and ex-vessel phenomena on containment failure timing and the related source-term release (p4-55). However, their effects on containment failure probabilities were not evaluated in the IPE because most containment failure modes were considered in the VCSNS IPE as unlikely to occur and thus not included in the quantification. According to the IPE submittal, uncertainties associated with the modeling of these unlikely phenomena, which were discussed in the individual evaluations provided in the phenomenological evaluation summaries (PESs), did not impact the conclusion obtained from the conservatively based phenomenological summaries. The phenomena that were discussed in the PESs (and thus their uncertainties on containment performance are not discussed in the IPE submittal) include hydrogen combustion, steam explosion, DCH, vessel thrust force, early containment failure due to pressure load or attack by core debris, and long-term core concrete interaction.

Phenomenological uncertainties not considered in the PESs were addressed in the IPE by performing MAAP sensitivity studies. This was accomplished in the IPE by varying certain MAAP model parameters in selected base-case sequences. The ranges of MAAP model parameter variation for IPE sensitivity analyses were based on the recommendations provided in EPRI documentation. The parameters investigated in the VCSNS sensitivity studies (for source terms) using MAAP calculations and results of the sensitivity studies are the following:
  • Hydrogen burn completeness - Minimal effect on containment performance.
  • In-vessel hydrogen production / core relocation (the MAAP core blockage model not used in the IPE base cases) - The analyses of the base cases are conservative.
  • Hydrogen combustion in containment (the effect of jet burning and auto-ignition) - Termination of these effects may lead to more energetic global burn, but results are similar to those of base cases.
  • Hot leg creep rupture failure (base cases assumed no hot leg creep rupture) - Hot leg rupture eliminates HPME but decreases volatile fission product retention in the primary system. As a result, volatile FP release is more than doubled, and non-volatile fission product release is also increased because of a greater amount of concrete ablation.
  • Reduced debris coolability (the critical heat flux for the debris water interface) - Changing the MAAP parameter FCHF from 0.1 to 0.02 will cause an additional 0.5 foot concrete ablation but does not inhibit debris quenching.
  • Isolation failure area (from 3 inch in the base case to 8 inch) - Both volatile and non-volatile releases increase by an order of magnitude.
  • SGTR break area (cross section area of a single tube for the base case, 50% and 150% of the cross-sectional area of a single tube in the sensitivity cases) - The smaller break area delays core damage by 4 hours and causes a reduction on volatile release from 23% to 15%. Increasing the break size reverses this trend.
  • ISLOCA break area (0.1 ft² for the base case, 0.034 ft² and 0.545 ft² for the sensitivity cases) - Sequence progression was accelerated for the larger ISLOCA, but source term results were similar to the base case. The trends are reversed for smaller ISLOCA.
  • Containment failure pressure (142 psig for base case, 119 psig for the sensitivity case) - Containment failure occurred about 7 hours earlier, but led to no increase in volatile fission product release and a large increase in the noble gases release (because of the longer release time to 48 hours in the sensitivity case). Spray recirculation limits volatile releases.
  • Containment failure size (0.03 ft² for the base case, 0.1 ft² for the sensitivity case) - The larger break size results in rapid containment pressure drop and higher noble gases release. Spray recirculation limits volatile releases.
  • Failure to isolate (the effect of containment spray on late failure releases) - Source term release is greatly increased by the absence of containment sprays. Volatile fission product release is increased by an order of magnitude.

As discussed above, the sensitivity studies reported in the IPE submittal involve the use of the MAAP code. They are used to evaluate the effects of some parameters on source term release timing and magnitude. Uncertainties of accident phenomena on containment failure probability are not discussed in the IPE submittal but are discussed in the phenomenological evaluation summaries prepared by the licensee in support of the IPE. The variation of containment failure probability due to uncertainties is not addressed in the IPE because the licensee believes that the phenomena are "conservatively" assessed in the PESs and uncertainties on these phenomena will not affect the evaluation of containment performance.

2.5 Evaluation of Decay Heat Removal and Other Safety Issues

This section of the report summarizes the review of the evaluation of Decay Heat Removal (DHR) provided in the submittal. Other GSIs/USIs addressed in the submittal were also reviewed.

2.5.1 Evaluation of Decay Heat Removal

2.5.1.1 Examination of DHR

The IPE addresses decay heat removal (DHR). Several methods of DHR are mentioned:

1. For transients, secondary cooldown and depressurization is used (using either emergency feedwater, EF, or main feedwater, FW, and condensate systems), or feed and bleed (i.e., the HPI system, the pressurizer PORV, and the associated operator actions).

2. For small LOCA events, some decay heat is removed through the break while the remainder is removed by the EF System or feed and bleed operation.

3. During a small LOCA event or after feed and bleed cooling, when recirculation or normal RHR cooling is established, decay heat removal is accomplished by the RHR heat exchangers or the RBCUs.

These methods are described in detail in the submittal. However, neither the submittal nor the RAI responses provided clear-cut quantitative information about the CDF contributions of the DHR and its constituent systems (including feed and bleed). Instead, in the RAI responses the Fussel-Vesely importance of top events associated with the systems modeled for DHR are listed. The list below is limited to those systems/components which have an importance greater than 1%. (One has to be careful with the interpretation of these importance values, because the top events include the random failure of the system, as well as the guaranteed failure due to support system failure.)

System/Component               Importance (%)
Low-Pressure Recirculation     21.92
High-Pressure Injection        17.22
RBCUs                          4.81
Low-Pressure Injection         4.09
EF                             3.74
Pressurizer PORVs              2.84
High-Pressure Recirculation    2.04
SG Pressure Relief             1.12

Based on the system and plant function unavailability values listed in Table 9 of the submittal, the RAI responses provide data about the relative impact of the loss of support systems on the frontline systems that perform the DHR functions.

The data show that, with the exception of the EF system, the considered system unavailabilities generally increase 10 to 25 times from the all support available cases to the one train support available cases. The EF system unavailability results show a modest increase of approximately 5 times when one MDEFP train is unavailable, and a large unavailability increase (about 400 times) when only the TDEFP train is available.

Since neither the system importance nor the system unavailabilities reveal whether the majority of DHR system failures are in combination with support system failures (i.e., limiting the trains available), the licensee, to assess this in the RAI responses, applied the following approach:

The 100 CDF sequences listed in Table 3.4-3 of the submittal were reviewed for DHR failures. From the top 22 CDF sequences, each contributing 1% or more to the total CDF, only 2 sequences were identified that include DHR failures when support was available for all trains. From all the 100 sequences, only 12 sequences were found to include a DHR failure when support was available for all the trains. The 12 sequences contribute less than 10% of the total CDF. For the rest of the sequences having DHR failures, support system failures have limited the number of trains available.

The RAI response concludes: The CDF contributions due to "all-train available" failures of the DHR systems are small because the multi-train designs are reliable.

The results are consistent with the DHR system design features of:

(1) a two-train high pressure injection/recirculation system with three 100% capacity pumps;

(2) a two-train low pressure injection/recirculation system with two 100% capacity pumps;

(3) a three-train emergency feedwater system with two 100% capacity motor driven pumps and one turbine driven pump;

(4) two trains of reactor building cooling units (one train required for success);

(5) three pressurizer PORVs (2 of 3 were modeled for success, but further analysis could show only 1 of 3 would be required); and

(6) multiple steam release paths through the atmospheric steam dump valves to the condenser, the steam generator PORVs and the steam generator safety valves.

Major contributors to failure of emergency feedwater, feed and bleed, high/low pressure injection and recirculation, pressurizer PORVs, RBCUs, and SG pressure relief were not explicitly analyzed within the context of the DHR evaluation. Other information on some failure types, however, is given. For instance, the submittal (in Table 10, describing DHR vulnerability insights) states that the failures of feed and bleed operations are not high contributors to the CDF. This statement is based on the fact that only four transient sequences can be identified where EF failure is followed by feed and bleed or operator action failure (Sequences 64, 75, 82, 89) and these sequences contribute less than 1% to the total CDF.

The submittal also states that the dominant human errors with respect to DHR are errors associated with failure to establish emergency feedwater following power recovery in an SBO and failure to establish ECCS recirculation. However, neither are dominant contributors to core damage.

I 2.5.1.2 Diverse Means of DHR

The IPE modeled the diverse means for DHR except the use of the power conversion system.

The reasons for this are given in the submittal and the RAI responses, which explain why the MFW system, or parts thereof, cannot be credited in a small LOCA. They are reiterated here: When emergency feedwater is not available, the VCSNS operators are instructed in the Response to loss of Secondary Heat Sink EOP (EOP-15.0) to establish feed flow from the condensate system through valve alignments, and to start one of three condensate pumps and one of four feedwater booster pumps. The operator has to stop all RCPs, send an I&C crew to perform local actions to defeat feedwater isolation so that feedwater bypass regulating valves and isolation valves can be opened, depressurize the RCS to about 1925 psig, and depressurize at least one SG to less than the shutoff pressure of the feedwater booster pumps (350 psig). The local actions required by the I&C crew include installing several jumpers in two different termination cabinets, and removing a fuse in a third cabinet. For the IPE, this source of feedwater was not credited.

Based on an analysis using the TREAT-PC code and on human reliability analysis talk-throughs it was deemed that the time (approximately 10 minutes) required for the operators to complete the required actions was insufficient. (An additional impetus that could have led the licensee to take this approach was the fact that the condensate and feedwater pumps are powered from non-Class 1E power.)

2.5.1.3 Unique Features of DHR

Within the context of the DHR evaluation the submittal calls attention to the following unique feature of the VCSNS:

"Very little sharing occurs between systems at VCSNS. Sharing between trains is limited to the 'swing' pumps in the SW, VU, CCW, and High-Pressure Injection Systems which are isolated with 'double' isolation valves. No specific single point vulnerabilities were identified via the IPE."

Other unique plant features within the context of the DHR evaluation were not described in the submittal. Unique VCSNS plant features, including those which are associated with the DHR function, already have been described in Section 1.2 and therefore are not repeated here.

Based on the results of the IPE's DHR evaluation and the RAI responses, the licensee considers that USI A-45, Shutdown Decay Heat Removal, with respect to internal events and internal flooding events is resolved.

The licensee provided a detailed discussion of the DHR function. Still, the evaluation does not provide clear quantitative information about the contribution of total DHR and its diverse means to CDF. Therefore, the review finds that the NRC's request to obtain a thorough evaluation of the VCSNS's DHR function is only partially fulfilled.

2.5.2 Other GSIs/USIs Addressed in the Submittal

In addition to USI A-45 (DHR Evaluation) the following USI is considered in the submittal:

USI A-17, Systems Interactions in Nuclear Power Plants. NRC has determined that the licensee needs to take two actions to resolve this issue: a) consider insights from the appendix of NUREG-1174 in implementing the IPE requirement for an internal flooding assessment, and b) continue to review information on events at operating nuclear power plants.

The licensee states that a) above was answered by an extensive analysis of internal flooding and water intrusion. After incorporating the flooding scenarios into the plant model and quantifying the results, the internal flooding was a relatively small contributor to the overall frequency of core damage (about 0.8% of the total).

As for part b), the utility presumably is doing what was requested.

The licensee considers this issue to be resolved.

No other USIs or Generic Safety Issues (GSIs) were addressed in the submittal. However, the licensee stated (Section 3.4.4) that SCE&G may elect to pursue resolution of other safety issues using the IPE at a later date.

2.5.3 Response to CPI Program Recommendations

The CPI recommendation for PWRs with a dry containment is the evaluation of containment and equipment vulnerabilities to localized hydrogen combustion and the need for improvements. Although the effects of hydrogen combustion on containment integrity and equipment are discussed in the submittal, the CPI issue is not specifically addressed in the submittal. More detailed information on this issue is provided in the licensee's response to the RAI (Level 2 Question 8). According to the response, walkdowns performed by FAI and VCSNS indicated that the open design and significant venting areas for the subcompartments within the containment help ensure a well-mixed atmosphere, a feature which inhibits combustible gas pocketing. Although a well-mixed atmosphere is expected in most of the containment areas, the walkdown did identify one potential location for hydrogen pocketing, in the vicinity around the "C" accumulator at the 436 ft elevation. However, the walkdown noted that no ignition sources were found at the 436 ft elevation and that at worst, hydrogen combustion at this elevation could destroy the vertical duct risers, with no potential for challenging the structural integrity of the containment. A detailed assessment for hydrogen deflagration to detonation transition also showed that it was unlikely to lead to containment failure.

2.6 Vulnerabilities and Plant Improvements

The vulnerability issue was explicitly treated in the submittal using the NUMARC 91-04, "Severe Accident Closure Guidelines". In the RAI responses the licensee emphasizes that the primary reason for selecting this method from various other vulnerability "uncovering" methods (system level importance calculations, review of top sequences, or review of initiating event contribution to the total CDF) was the aim to be consistent with the industry. The identification of the vulnerabilities was not limited to using the NUMARC process. It was done as an ongoing process throughout the whole time period of the IPE program and implicitly includes all the knowledge gained from the complete IPE process.

Thus, following the guideline's request, the core damage sequences were grouped into functional core damage categories (and subcategories) for evaluating core damage results and into dominant core damage sequences leading to containment bypass. (The top 250 leading accident sequences were used as the basis for evaluation, representing about 92% of the CDF.)

The resulting categories subsequently were evaluated to determine whether any plant-specific vulnerabilities exist at VCSNS. To screen for plant vulnerabilities the NUMARC criteria were used. The NUMARC guidelines were used also to determine if additional actions need to be taken to address vulnerabilities.

Table 3.4.2-1 of the submittal shows 11 such functional core damage categories.

For illustration, the first four leading ones are also described below, including the cost effective actions considered by the utility:

1) Category IIA. Induced LOCA sequences with loss of primary makeup or adequate heat removal in the injection phase.

Category CDF: 1.31E-04/r.-year, 64.4% of total CDF.

Subcategories:

SBO; CDF: 4.33E-05/r.-year, 21.3% of total CDF.

CD is due to failure to recover offsite power in time to mitigate the loss of inventory through the RCP seals.

Utility's position: Since SBO is a generic issue under study by the industry and NRC, there is no immediate plan to address this subcategory other than through Severe Accident Management Guidelines (SAMGs). However, the RCP seal O-rings will be replaced (see more about this issue in the "improvements" portion of this Section). A plan to add a Fire Service System cross-connect for emergency RCP thermal barrier cooling was abandoned.

LOSP; CDF: 2.31E-05/r.-year, 11.4% of total CDF.

82% of the category CDF is due to failure of a DG on one train and failure of chilled water (VU) on the other train.

No credit was given for recovery of offsite power or a DG, but the restoration of the chilled water (with the help of the new Total Loss of Chilled Water AOP) was credited.

In addition, it was assumed that the loss of CCW booster pumps (due to loss of BOP power) will fail cooling to the RCP thermal barriers. These sequences have not credited possible restoration of the VU system or the RCS depressurization to slow the seal leak rate to extend the time available to restore the VU system.

Utility's position: By giving credit to the (so far) non-credited recoveries, the contribution of this subcategory to the CDF would decrease into the 1.0E-05/r.-year to 1.0E-06/r.-year range. Thus, this subcategory requires only the implementation of SAMGs.

LSW; CDF: 1.70E-05/r.-year, 8.4% of total CDF.

Failure of Service Water leads to degradation and eventual failure of the VU system.

This leads the operators to use the Loss of Chilled Water AOP.

Utility's position: Application of the modified version of this AOP will significantly lower the contribution of this category to CDF to the 1.0E-05/r.-year to 1.0E-06/r.-year range. A sensitivity study, mentioned earlier in this TER, addressed this issue.

LVU; CDF: 1.07E-05/r.-yr, 5.3% of total CDF.

Mitigation of this event in the IPE only addresses restoration of a failed VU train while continuing seal cooling via the thermal barrier heat exchangers by the CCW system.

Utility's position: The Loss of Chilled Water AOP directs the operators to establish alternate means of cooling the charging pumps so seal injection can continue. In addition, a better "chiller rotation" policy will reduce the time a chiller will be down. The contribution of this subcategory to CDF is expected to be reduced to the range of 1.0E-05/r.-year to 1.0E-06/r.-year. (See the previously mentioned sensitivity study.)

TRS. & FLOOD; CDF: 3.69E-05/r.-year, 18.1% of total CDF.

This subcategory is dominated by failure of both trains of SW, both trains of VU, and combinations of SW and VU trains.

Utility's position: Application of the Loss of Chilled Water AOP and revised transient event frequencies will lower the CDF contribution of this subcategory to the 1.0E-05/r.-year to 1.0E-06/r.-year range. (Sensitivity studies, mentioned elsewhere in this TER, address these issues.)

2) Category IIIB; Small LOCAs with loss of primary coolant makeup or adequate heat removal in the recirculation phase.

CDF: 1.85E-04/r.-year, 9.1% of total CDF.

85% of the category's CDF is related to failure of low pressure recirculation (following successful high pressure injection, EF actuation and depressurization). The primary contributor to failure of low pressure recirculation is failure of the signal for RWST low-low level to initiate the switchover. The EOPs provide steps for the operator to open the sump valves if this operation fails automatically.

The recovery of the failed operator action was not considered in the IPE model. No credit was taken for RWST refill or the depressurization of the primary system prior to requiring recirculation mode cooling.

Utility's position: Crediting these actions would reduce the CDF of this category to the level which requires only SAMG considerations.

3) Category IA; Transients involving loss of both primary and secondary heat removal in the injection phase.

CDF: 1.16E-05/r.-year, 5.7% of total CDF.

60% of this category is due to failure of the TDEF pump during SBO; the remainder is related to failure of MDEF and TDEF pumps with subsequent failure of feed and bleed during LOSP and other transients.

The dominant contributor to the TDEF pump unavailability is test and maintenance. A large fraction of the DG unavailability is also associated with maintenance. While the Tech. Specs. prohibit concurrent maintenance of the TDEF pump and either DG, the IPE does not account for this exclusion. Also, in the IPE no credit is taken for recovery of the DGs; only offsite power is addressed.

Utility's position: Due to the conservatism in the IPE model the magnitude of the category frequency can be adequately reduced by applying only SAMGs.

4) Category IIB; Induced LOCAs with loss of primary coolant makeup or adequate heat removal in the recirculation phase.

CDF: 7.12E-06/r.-year, 3.5% of total CDF.

The sequences in this category are RCP seal LOCAs due to SBO events or due to support system failures leading to loss of injection or loss of RCP seal cooling.

The IPE model treated these sequences conservatively; e.g., recovery of failed DGs in SBO sequences was not considered, RWST refill following failure of recirculation was not credited, the Loss of Chilled Water AOP (for establishing alternate cooling to the charging pumps so RCP seal injection can continue) has not been credited for transients, etc.

Utility's position: Due to the conservative modeling this category needs only to be addressed by SAMGs.

The criterion used in the IPE to determine whether a vulnerability related to unusually poor containment performance exists is:

"Any source term analysis bin which represents containment failure, bypass or failure to isolate, occurs with a frequency greater than 1E-5 events per year, and in which a single function, system, operator action, or other element can be identified which substantially contributes to the total frequency. The present state-of-the-art of containment system analysis (as noted in Generic Letter 88-20) may be considered when evaluating any potential vulnerability identified by the Criterion."

Based on the above criterion, no plant-specific vulnerabilities were identified by the VCSNS Level 2 analysis.

Based on the above vulnerability screening process it was identified that the primary IPE-driven enhancement to plant safety was the development of an AOP to address a total loss of chilled water. This AOP represents that improvement where the most cost effective "safety benefit" could be obtained. In addition, accident categories were designated to be sources of input for the implementation of any future severe accident management program at VCSNS, consistent with the plant, industry, and NRC forthcoming direction.

The RAI response reiterates that from the point of view of vulnerability the lone remaining issue is SBO, i.e., the RCP's O-ring replacement. The Westinghouse guidance is to replace the standard O-rings with the new high temperature O-rings. (For planned implementation see the next portion of this Section.)

Section 6.1 of the submittal describes the plant improvements. It was not clear, however, whether the plant improvements described were being proposed or were actually implemented.

The RAI responses provided a summary of the plant improvements discussed in the submittal and also the improvement to eliminate the dependency of the CCW water pumps and charging pumps on the VU system for cooling. Because of the concise and tabular form of this summary, it will be reproduced below in Table 10. For each improvement, the following information is provided:
  • description of improvement,
  • date the improvement was implemented in the plant or status of evaluation,
  • whether or not the improvement was credited in the IPE,
  • the impact of the improvement on the CDF,
  • the basis for the improvement.

As will be noted on this Table, the majority of the improvements have not been credited in the IPE. The first improvement was evaluated in a sensitivity study and given in the submittal. The impact of the elimination of CCW and charging pumps' dependency on the VU system (Item 11) was evaluated in a study after the IPE results were submitted to the NRC. (For completeness, the licensee provided a modified table for CDF by initiating events and another modified table for top event importance ranking.) The CDF is reduced to 1.22E-04/r.-year from the IPE submittal's value of 2.04E-04/r.-year.

The RAI response emphasizes that it is difficult to quantify the benefits of several of the improvements due to the qualitative nature of the changes. The benefits of several of the improvements are qualitatively assessed to be relatively small (Items 2, 7).

Table 10 Summary and Status of VCSNS Improvements

Columns: Plant Improvement; Improvement Description; Date Implemented in Plant; Credited in IPE; CDF (Note 1); Basis for Improvement.

1. Alternate charging pump cooling
   Description: Developed abnormal operating procedure, "Total Loss of Chilled Water." Use AOP following loss of both trains of chilled water. Alternate cooling for charging pumps is established, using the Demineralized Water System or the Fire Service System, so RCP seal injection can be maintained.
   Date implemented in plant: 763
   Credited in IPE: IPE credit only for LOSP event; sensitivity credit for all
   CDF: 2.04E-04 (Note 2); sensitivity: 1.54E-04
   Basis: IPE Vulnerability

2. Chilled Water System Reliability
   Description: A "chiller rotation" policy to reduce the time a chiller will be down has been implemented. Data has indicated a correlation between chiller downtime and failure to start probability.
   Date implemented in plant: 163
   Credited in IPE: No
   CDF: NA
   Basis: IPE Vulnerability

3. Diesel Generator Temperature Monitoring
   Description: The Fire Service System is a backup to the Service Water System for DG cooling, but the Fire Service System is not sized to maintain the DG at rated load. Steps were added to an Emergency Operating Procedure to monitor DG temperature and reduce load if temperatures increase.
   Date implemented in plant: 962
   Credited in IPE: No credit in IPE for alternate cooling
   CDF: NA, but will reduce SBO frequency due to failure of DG service water
   Basis: IPE System Analysis

4. Energizing Pressurizer PORV Block Valves
   Description: Revised EOP "Response to loss of Secondary Heat Sink" to direct operators to re-energize any PZR PORV block valves that were closed and racked out. The steps were moved up in the procedure to allow operators more time to prepare for feed and bleed before [illegible] loss of heat sink.
   Date implemented in plant: 862
   Credited in IPE: Yes
   CDF: NA, included in IPE Submittal report results (Note 3)
   Basis: IPE System Analysis

5. Use of Main Feedwater Pumps for a Loss of Heat Sink Event
   Description: Use the turbine-driven Feedwater System pumps to supply feedwater to the SGs if the Emergency Feedwater System fails. Currently, EOPs call for using feedwater booster pumps which require SG depressurization to less than 305 psig (the HRA showed the operator could not complete the required steps in the available time).
   Date implemented in plant: Not implemented
   Credited in IPE: No
   CDF: NA, but will reduce the CDF due to transients that do not lead to consequential LOCAs
   Basis: IPE System Analysis

6. Bypasses and Inoperable Status Indication (BISI)
   Description: The computerized BISI System, which provides a graphic control room indication of critical system operability, was reviewed and updated based on insights gained during the IPE system analyses.
   Date implemented in plant: 6/91
   Credited in IPE: No
   CDF: NA, but will improve operator awareness of system [illegible]
   Basis: IPE Related Improvement

7. Reactor Building Instrument Air Supply
   Description: Operators are required to re-establish instrument air to the pressurizer PORVs to ensure sufficient air supply is available for multiple openings of the PORVs during feed and bleed. Locally opening of the valve dominating failure to re-establish instrument air was included as an improvement.
   Date implemented in plant: 12/93
   Credited in IPE: No
   CDF: NA, but will improve feed and bleed availability
   Basis: IPE System Analysis

8. Training and Emergency Planning Input
   Description: The IPE results have been used to identify drill scenarios that can be used in training and emergency planning.
   Date implemented in plant: 2/93
   Credited in IPE: No
   CDF: NA, but there would be some benefit to HEPs lowering CDF
   Basis: IPE Related Improvement

9. New RCP Seal O-rings
   Description: Use of new RCP seal O-ring to provide better performance under loss of thermal barrier cooling and seal injection conditions.
   Date implemented in plant: Will be phased in during normal pump maintenance starting with the 1997 Fall outage (Refuel 10)
   Credited in IPE: No
   CDF: NA, but will improve ability of the plant to withstand SBO
   Basis: IPE Vulnerability

10. Fire Water Connection for RCP Thermal Barrier Cooling
   Description: Alternate and diverse cooling source for RCP thermal barrier to address loss of RCP seal cooling events.
   Date implemented in plant: Not Planned
   Credited in IPE: No
   CDF: NA, but could reduce CDF due to SBO events
   Basis: IPE Risk Informed Improvement

11. Elimination of CCW and Charging/SI Pump Chilled Water Dependency
   Description: Change the cooling dependency of the CCW pumps and charging pumps from the chilled water system to the CCW system.
   Date implemented in plant: 1164
   Credited in IPE: No
   CDF: 1.22E-04
   Basis: IPE Risk Informed Improvement

12. Installation of key switches to allow use of condensate feed during a loss of EF
   Description: Key switches have been provided, with the keys kept in the control room, to bypass FW isolation signals during a loss of heat sink accident (Note 4).
   Date implemented in plant: 1164
   Credited in IPE: No
   CDF: NA, but will reduce CDF due to loss of heat sink events
   Basis: IPE Risk Informed Improvement

NOTES:

1. This column provides the core damage frequency with the improvement implemented.
2. The results presented in the IPE Submittal report credit the "Loss of Chilled Water" AOP during loss of offsite power event only.
3. The IPE does include the action to re-energize and open a closed pressurizer PORV block valve if closed, in order to initiate feed and bleed cooling. However, based on PSA input, the operator action to re-energize any closed and de-energized block valve has been moved to the front of the Loss of Heat Sink EOP. This will increase the allowed operator action time beyond the original 30 minute assumption, and increase the likelihood of success. A new HEP has not been calculated for this procedure change.
4. The switches eliminate the need to install jumpers and remove a fuse, in order to re-open the FW isolation valves after an SI has occurred. The original HRA analysis of the time available to establish condensate feed and the required actions to enable condensate feed (i.e., jumpers and fuses) led to the conclusion that the required actions could not be completed in time. Therefore, the HEP for OAF (Establish Condensate Feed) was set to a value of 1.0 (i.e., assumed to fail). The use of the new switches will be included in a future PRA model update. No impact on CDF is available at this time.


3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS

Strengths of the VCSNS IPE are primarily associated with its "philosophical approach", nicely formulated in the RAI responses: the preparation and use of the IPE at VCSNS "is not driven by the 'pursuit' of lower CDF numbers". The observation of the reviewer is that this statement of the licensee is indeed accurate, and expressed by the relatively high value of the total CDF.

One can see that an integral part of the IPE development process involved quantifying the model with limited recovery actions, a tendency of using pessimistic initiating event frequencies and plant specific failure rates and in several cases making pessimistic assumptions (see the vulnerability screening process). Therefore, in some cases, more realistic assumptions or crediting a proceduralized recovery action lowers the frequency of a particular sequence, or category of sequences. But in other cases, such as the Loss of Chilled Water (VU), based on the IPE, a need was identified for a plant change. For instance: "The development of the Loss of Chilled Water AOP involved producing a new procedure, pre-staging dedicated hoses, fittings, and tools, and training the operations staff" (to operate a charging pump using a temporary demineralized water connection). "After the IPE was submitted, a decision was made to further eliminate the dependency on VU by using the more reliable CCW water system to cool the charging pump skids and the CCW pump motors. In addition, dedicated connections were installed on the new charging pump cooling lines for 'Emergency Cooling' in the event CCW is lost. These connections are in an easily accessible, open area on an elevation directly above the charging pumps. A new Total Loss of CCW procedure was written to address the loss of CCW and take advantage of the pre-staged hoses, and proximity to back-up chilled water, demineralized water, and fire service water sources. This modification had been considered years before, but not until the IPE process was complete had the magnitude of the change on plant safety been understood. This is one of the key benefits of the IPE/PSA process, and demonstrates the adherence to the intent of Generic Letter 88-20 in understanding the most likely severe accident sequences."

Other positive aspects of the Level 1 of the IPE are as follows: thorough analysis of initiating events and their impact, descriptions of the plant responses, application of the observations of reviewers and usage of plant specific data where possible to support the quantification of initiating events and component unavailabilities. The presentation of the analysis is well structured, and the quantification process is systematic and traceable. The effort seems to have been evenly distributed across the various areas of the analysis.

No major weaknesses of the Level 1 IPE were identified. Minor weaknesses are: the application of generic MGL common-cause factors for a large variety of plant components of diverse nature, and including guaranteed failures (due to support system failures) in the importance measure of top events.

The HRA review of the Summer IPE indicated that a viable approach was used in performing the HRA. While the modified THERP method applied by the licensee has several problems and limitations, it did not appear that the nature of the problems was significant enough to have prevented the licensee from identifying important HRA related vulnerabilities. Thus, the submittal appears to meet the intent of Generic Letter 88-20 in regards to the HRA. Important elements pertinent to this determination include the following:

1) The submittal indicated that utility personnel were involved in the HRA, and the procedure reviews, discussions with operations and training staff, and walkdowns of operator actions represent a viable process for confirming that the HRA portions of the IPE represent the as-built, as-operated plant.

2) The analysis of pre-initiator human actions focused on restoration faults. Miscalibrations of various sensors and instruments were determined not to be important for several reasons. While the arguments provided by the licensee were not unreasonable, it should be noted that miscalibration events have been explicitly modeled in other IPEs and in some instances have been shown to be significant contributors. Thus, the licensee's treatment of miscalibration events may have precluded identification of potentially important pre-initiator events (even if they were not major contributors) and must therefore be considered a weakness of the HRA.

3) The licensee conducted a systematic and detailed HRA of post-initiator human actions. The HRA analysis notebook indicates that the demands placed on operators in specific scenarios were considered and that relevant dependencies were addressed. In particular, context specific factors and dependencies were considered and modeled in the HRA.

However, problems arise from the licensee's interpretation of THERP in regards to the treatment of diagnosis errors (particularly in terms of their inappropriate consideration of time) and their application of recovery credits that appear to go beyond that indicated by THERP, e.g., slack time recovery credit. The licensee defends their interpretation of THERP and provides examples to illustrate that the HEP values they obtained are not any lower than would be obtained using the THERP diagnosis model. While the licensee did appear to closely follow THERP in their five illustrations, it should be noted that they "exercised" the model to its fullest in the sense that the values obtained are about as low as could be obtained with the model, e.g., credit was taken for multiple control room recoveries even in short-time frame scenarios. Such values are only justified in the THERP model when very detailed analysis is performed and such credit is not generally applied across all or even most actions. Thus, there are several aspects of the modified THERP which could have produced unrealistic or underestimated HEPs. In particular, the diagnosis failure probability for short-time frame events could be underestimated due to the lack of a direct consideration of time, and events in which credit for local recovery or slack time was taken could also be underestimated.

A review of the HEPs for all the post-initiator response type actions indicates that in many instances the HEPs tend to be lower than those obtained for similar events in other IPEs. However, in most cases, the relative ranking of the HEPs for the modeled events did not appear unreasonable. Two exceptions included an HEP of 2.8E-3 for manual trip along with an HEP of 4.59E-6 for emergency boration. Manual trip is usually considered an "immediate operator action" that is memorized and well practiced, and very low probabilities of failure are usually assigned. Alternatively, initiating emergency boration is an event for which only ten minutes are assumed available and for which considerable stress would be likely. While it is unlikely that such a low value would have been obtained with the THERP diagnosis model, this event would usually be asked only in cases where ATWS related hardware failures had occurred. In such a context and given the relevant emergency procedures available, it is not unreasonable to expect a fairly low operator failure probability for initiating emergency boration.

Regardless, in spite of the tendency to have relatively low HEPs, the licensee's consideration of dependencies along with their detailed analysis appears to have resulted in a reasonable ranking of events in terms of their HEPs. The main concern with low HEPs is that potentially important events may have been truncated out. However, the calculational cutoff frequency was reported to be 1.0E-12 (page 3-178 of the submittal).

In addition, the top 250 dominant sequences, accounting for 92% of the CDF, were subjected to a sensitivity analysis. Importance measures indicated that several of the most important human actions had low HEPs, but were still found to be important in terms of either risk reduction or risk achievement (see section 2.3.2.5). Thus, it does not appear that the low HEPs precluded identification of potential vulnerabilities related to operator actions.

4) Fourteen recovery events modeled were for recovering service water, chilled water, and component cooling water under different conditions and for different time frames. The licensee indicated that recovery probabilities were determined on the basis of judgments from "four plant experts." The licensee's response to the RAI described a relatively detailed and systematic procedure that was used to obtain the judgments and compute the resulting HEPs. The general approach involved estimating the probability of recovering individual component failures that determine the system failures and combining those probabilities by a weighted average. The weighting is based "on the importance of the component failure to the system failure, that is, the cutset probability for that component." Assuming expert judgments had to be used, neither the approach nor the resulting HEPs appeared unreasonable.
5) A list of important human actions based on their contribution to core damage frequency was provided in the submittal.

The important points of the technical evaluation of the VCSNS back-end analysis are summarized below:

  • The back-end portion of the IPE supplies a substantial amount of information with regards to the subject areas identified in Generic Letter 88-20.

  • The Virgil C. Summer Nuclear Station IPE provides an evaluation of all phenomena of importance to severe accident progression in accordance with Appendix I of the Generic Letter.

Except for containment overpressure failure, isolation failure, and bypass, all other containment failure modes are considered as unlikely and thus not included in containment failure quantification. These include all phenomena that may cause early containment failure (steam explosion, hydrogen combustion, and DCH), and some phenomena that may cause late containment failure (molten core debris interaction and thermal attack of containment penetrations). Uncertainties of these phenomena on containment failure probabilities are not included in the sensitivity studies.

Induced steam generator tube rupture is not considered in the IPE. According to the response to RAI, Westinghouse Maintenance Item #DW-93-019, which procedurally prevents operators from restarting the RPS if the steam generator water level is too low, has been implemented at VCSNS. This reduces the concern of ISGTR at VCSNS.

Although the containment integrity success criteria require CHR for success, containment failure is not assured in the level 2 analysis if CHR is not available. For example, the SBO PDS with power not recovered within the 48-hour mission time (thus no CHR) is assigned in the IPE to a release category that has no containment failure within the 48-hour mission time. On the other hand, a transient PDS with CHR not available but with containment spray available is assigned to the late failure release category.

  • The release fraction of volatile fission products for late containment failure is stated in the submittal as less than that for no containment failure. This is primarily due to the operation of the containment spray and the long time between accident initiation and late containment failure (almost 48 hours after accident initiation). The release fraction for late containment failure will significantly increase if containment spray is not available.

The elimination, and thus exclusion, of most containment failure modes from containment failure quantification limits the use of the Level 2 analysis for systematic evaluations of the relative importance of these failure modes and the investigation of potential benefit of recovery actions on overall containment performance.

4. REFERENCES

[GL 88-20] Crutchfield, D.M., Individual Plant Examination for Severe Accident Vulnerabilities, U.S. Nuclear Regulatory Commission Generic Letter 88-20, November 23, 1988.

[NUREG-1335] Individual Plant Examination: Submittal Guidance, U.S. Nuclear Regulatory Commission Report NUREG-1335, August 1989.

[IPE Submittal] V.C. Summer Nuclear Station, Individual Plant Examination Report in Response to Generic Letter 88-20, the South Carolina Electric and Gas Company, Westinghouse Electric Corporation, Fauske and Associates Inc., June, 1993.

[RAI Responses] Response to the NRC Request for Additional Information on the VCSNS IPE, the South Carolina Electric and Gas Company, March, 1996.

[VCSNS FSAR] Virgil C. Summer Nuclear Station, Final Safety Analysis Report, the South Carolina Electric and Gas Company, xxx, 19xx.

[NUREG/CR-4550] Ericson, D.M., Editor, et al., Analysis of Core Damage Frequency: Internal Events Methodology, NUREG/CR-4550, Vol. 1, Rev. 1, Sandia National Laboratory, January 1990.

[NUREG/CR-2815] Probabilistic Safety Analysis Procedure Guide, Revision 1, August, 1985.

[NUREG/CR-4780] Procedures for Treating Common Cause Failures in Safety and Reliability Studies, Vol. 1, February 1988; Vol. 2, January 1989.

[NUREG/CR-1278] A.D. Swain and H.E. Guttmann, Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Applications: Technique for Human Error Rate Prediction, NUREG/CR-1278, U.S. Nuclear Regulatory Commission, Washington D.C., 1983.
