ML20149E678
| ML20149E678 | |
| Person / Time | |
|---|---|
| Site: | Oyster Creek |
| Issue date: | 02/17/1994 |
| From: | Weber B SCIENCE & ENGINEERING ASSOCIATES, INC. |
| To: | NRC |
| Shared Package | |
| ML20149E682 | List: |
| References | |
| CON-NRC-04-91-066, CON-NRC-4-91-66 SEA-92-553-008, SEA-92-553-008-A2, SEA-92-553-8, SEA-92-553-8-A2, NUDOCS 9406210219 | |
SEA 92-553-008-A2
February 17, 1994
Oyster Creek Nuclear Power Plant IPE: Front-End Review
Contractor Technical Evaluation Report
NRC-04-91-066, Task 8
Bernard Weber, DNV Technica, Inc.
Andrew Wolford, DNV Technica, Inc.
John Darby, Science & Engineering Associates, Inc.
Performed for:
Science and Engineering Associates, Inc.
By:
DNV Technica, Inc.
Prepared for the Nuclear Regulatory Commission
II.1.3 Review of IPE Quantitative Process
II.1.3.1 Quantification of the Impact of Integrated Systems and Component Failures
II.1.3.2 Fault Tree Component Failure Data
II.1.4 Review of IPE of PIE Approach to Reducing the CDF
II.1.4.1 Methodology for Identification of Plant Vulnerabilities
II.1.4.2 Plant Improvements and Planned Modifications
II.1.5 Review of Licensee's Evaluation of DHR Function
II.1.5.1 IPE's Focus on Reliability of DHR
II.1.5.2 IPE Considered Diverse Means of DHR
II.1.5.3 Unique Features
III. OVERALL EVALUATION AND CONCLUSION
I. INTRODUCTION
I.1 SEA Review Process
This report summarizes the review of the IPE Submittal for Oyster Creek. The issues raised in this report are based on a review of the Submittal only. Also, a visit to the OCNGS site is outside the scope of this review. The purpose of this review is to identify issues related to the IPE front-end analyses for OCNGS and to supply these findings to the NRC. The review process is provided in Figure 1, and subsequently described below.
The review was performed by reviewers from DNV Technica Inc. (DNV), under contract to Science and Engineering Associates Inc. (SEA). The reviewers followed the process used by SEA to perform previous IPE front-end reviews.
This report does not include an evaluation of licensee responses to NRC questions that were generated based on our review.
I.1.1 Review of FSAR and Tech Specs
The NRC provided the submittal to SEA in September. The submittal was subsequently transmitted to the reviewers at DNV. DNV began work on October 1, 1992. Between October 1 and October 18, the review focused on a detailed review of the submittal to develop an understanding of the front-line and support systems, and to identify apparent deficiencies, if any, in the information assembly process of the IPE. The purpose of the preliminary review was to identify specific areas in the FSAR that should be consulted for confirmation, clarification, and additional discussion of information in the IPE submittal.
On October 14 and 15, 1992, the latest Updated Final Safety Analysis Report (FSAR) and Technical Specifications (Tech Specs) for OCNGS were reviewed. This review was performed at NRC NRR using up-to-date documentation provided by the NRR project manager. The focus of this review was to gain a better understanding of various plant systems, plant design, and accident analyses.
[Figure 1. SEA Step 1 Review for Oyster Creek Nuclear Power Plant Unit 1 Front-End IPE. Flowchart with ACTIVITY and RESULT columns, running from receipt of the IPE submittal, FSAR and Technical Specifications, through review of the submittal and completion of data sheets, to the draft and final review reports to NRC.]
I.1.2 Review of IPE submittal
Between October 16 and November 13 a detailed review of the IPE submittal for OCNGS was performed. A Level 2 PRA was submitted by Oyster Creek to satisfy IPE requirements. A smaller report was submitted to address issues not covered in the PRA. The OCNGS Probabilistic Risk Assessment (PRA) was completed in December, 1991 and revised in June, 1992. A 'roadmap' was provided with the submittal to guide the reader to specific sections of the PRA which satisfied IPE requirements. The OCNGS PRA itself has not been subjected to a separate review by NRC.
The review effort incorporated a horizontal review of all aspects of 'front-end' issues as well as vertical reviews of selected key issues. The findings of this review are documented in Section II of this report. The review procedure focused on each item listed in the 'Step 1' Review Guidance Document.
I.2 OCNGS IPE Methodology
The PRA was performed using a new version of the PLG Inc. method. The PLG method has been referred to as the "large event tree, small fault tree approach," in that the dependencies are considered by split fractions on the event trees rather than the logical linking of fault trees. The latest modification to this technique is the rules based approach in which the event trees are represented by tables of rules; successful outcomes are not typically shown in the rules tables, only core damage outcomes. The tables of rules effectively replace the event trees, and in the Oyster Creek submittal, no event trees are provided for the front-end analysis.
Detailed fault trees were developed down to the component level for each front-line and support system in the plant. In all, 25 separate systems were modeled. Operator actions were incorporated into the system fault trees. Containment heat recovery was addressed as a separate module, using specialized event trees. Common cause failures were assessed only at the system level. Both generic and plant-specific data were incorporated into the fault trees.
The quantification of core damage frequency via the large event trees was carried out using the 'rules methodology,' as implemented by the RISKMAN software package. An uncertainty analysis was performed on the major contributors to the CDF.
The methodology, although complete, was difficult to follow and at times a bit confusing.
The methodology used in the IPE front-end analysis of OCNGS meets the criteria stated in NUREG-1335.
I.3 OCNGS Plant
The OCNGS is a single unit facility located in Ocean County, New Jersey. The prime contractor and NSSS supplier was General Electric. Burns and Roe, Inc. provided engineering support and construction management. The unit achieved initial criticality in May, 1969 and was placed into commercial operation in December, 1969.
The unit is a Boiling Water Reactor (BWR-2) with a Mark I type containment. The plant is a 'non-jet pump' BWR with five external loops for forced circulation of primary coolant. Shutdown cooling is provided by the main feedwater/condenser system. Backup cooling is provided by two isolation condensers, an Automatic Depressurization System (ADS), or a two-train low pressure core spray system.
I.3.1 Similar Plants and PSAs
The reviewer did not find a listing of similar plants or a list of PSAs of similar plants. The only other BWR-2 vintage plant is Nine Mile Point Unit 1 (NMP-1). The FSAR states that certain original design features of OCNGS, particularly in the areas of reactor, pressure vessel, are similar to BWRs of the same vintage; however, because modifications have taken place at OCNGS and those facilities over the course of time, a detailed comparison would not be meaningful.
The major difference between OCNGS and NMP-1 is that OCNGS has two isolation condensers, while NMP-1 has four.
I.3.2 Unique Features
Oyster Creek is a BWR-2 reactor, one of only two in existence. A Mark I containment is used.
It is similar in design to the other BWR-2, Nine Mile Point Unit 1.
Unique features of the Oyster Creek design include:
- Combination safety/relief valves are not used at OCNGS; such valves are typically seen in later vintage BWRs. Separate safety and relief valves are used at Oyster Creek. The relief valves are not air operated but do require DC power to open.
- There is no high pressure ECCS system, and no low pressure coolant injection system (LPCI). Later BWR designs have steam-driven or motor driven high pressure core spray and LPCI in addition to a low pressure core spray system.
- The station batteries have a three-hour capacity. Some plants have longer battery capacities; this is important since DC power is required to open the relief valves and depressurize the system.
- There is no reactor core isolation cooling system (RCICS). Cooling is provided by isolation condensers as a backup to the main condenser.
- There is an offsite combustion turbine which is interconnected to the unit to provide backup power during a station blackout.
- There are no (internal) jet pumps at Oyster Creek; recirculation flow is provided by five external pumps.
- Dedicated containment venting is available.
Based on these unique features, it was identified that the key areas for review are reactor depressurization sequences, and station blackout sequences lasting more than three hours.
II. CONTRACTOR REVIEW FINDINGS
II.1 Review and Identification of IPE Insights
This section presents our findings, including a summary of IPE strengths and weaknesses. The following sections address each work area explicitly in the order they appear in the SOW.
II.1.1 General Overview of Front-End Analysis
II.1.1.1 Completeness Check
A detailed review of the OCNGS IPE submittal was performed between October 16 and November 13. The initial review effort focused on the documentation to verify that all required information was presented in detail, according to the guidelines of NUREG-1335. Since the submittal consisted of a PRA with supplemental documentation and a cross-reference table, this review was time-consuming. The cross-reference table was helpful, but not completely adequate.
For instance, the descriptions of methodology for some major subtasks were found among the study details, not in the summary report. The Review Guidance as provided by the NRC was used extensively in this review of the PRA/IPE submittal.
Except for minor discrepancies cited throughout this review, the documentation provided is considered to be complete.
II.1.1.2 Methodology Check
The submittal employs the "rules modules" approach to the quantification of plant risks. The methodology is described briefly in Section 2 of the OCPRA. Detailed fault trees were constructed for front-line and support systems. System interdependencies were handled via specific rules which governed the quantification of the modules. Common cause failures were incorporated directly into the fault tree models. Intrinsic component dependencies, such as common environments, testing or maintenance, were treated within each system, but not across systems. Recovery actions were applied as separate modules in the quantification process. An uncertainty analysis was performed. In conclusion, the methodology used in the OCNGS IPE submittal is consistent with the methods identified in Generic Letter 88-20 and NUREG-1335.
Very little description is provided regarding the actual quantification of the model. In fact, the generation and evaluation of results does not appear in Figure 2-1 or in the text of Section 2.
II.1.1.3 Process to Confirm Representation of As-Built As-Operated Plant
Sections 1.3 and 1.4 of the submittal provide the sources of documentation and methods used to familiarize the utility staff with the as-built, as-operated plant. The information used to generate the IPE front-end analysis came from a variety of sources: Updated FSAR, Technical Specifications, Operations Plant Manual, Emergency Operating Procedures, P&IDs and Electrical Diagrams, and other related documents. To familiarize the PRA staff and verify the accuracy of the models, the following procedure was used:
- general walkdowns to familiarize the team with the arrangement of the site and plant systems
- systems analysis walkdowns, often with a cognizant plant engineer, STA, or operator, to review pertinent information
- plant model walkdowns to verify the impacts of initiating events, systems interactions and system interdependencies
- internal flood analysis walkdowns to verify component locations, collect source information, determine propagation paths and determine flood impacts
- repetitive reviews of the Event Sequence Diagrams (ESDs) were performed, in meetings with various utility personnel - including operations, safety analysis and training departments - to verify the validity of the plant models.
This procedure is thorough and would ensure that the plant models represent the as-built, as-operated plant. The ESDs are very helpful in documenting plant response to accident initiating events.
II.1.1.4 Internal Flooding Methodology
The OCNGS flood analysis was divided into two parts: one completed as part of the Level 1 PRA in which LOCA initiating events are propagated through the base plant model, the other performed as a separate 'screening' analysis of specific flooding events.
For the flood events which appear explicitly in the Level 1 PRA, flood effects are addressed in the rules modules for the mitigating systems analyses. For the screening analyses, flood source and equipment location data were compiled and catalogued. Only components which were deemed to be significant to plant risk were included. Using component and source information, potential flooding events were identified. Conservative isolation and recovery actions were then applied to these floods.
No critical internal flood areas were identified. The screening analysis showed a total CDF of 2.1E-7, which represents about 5% of the core damage frequency. Approximately 78% of the flood-induced CDF is due to floods in the Turbine Building (TB); the remainder occurred in the Reactor Building (RB). Significant contributors to CDF due to flood were:
- circulating water line failure in TB
- service water line failure in RB.
Flood frequencies were quantified using the March 1990 Database for Probabilistic Risk Assessment of Light Water Reactor Power Plants, Volume 9, Flood Data. The frequencies for each building were partitioned according to the number of systems in the applicable OCNGS buildings.
The reviewers were unable to find a separate summary of results for the internal flood effects which were included in the LOCA analysis, for LOCAs outside of containment that are not isolated.
In our judgement, the analysis was thorough, although difficult to follow. Without the benefit of a plant tour, it is difficult to gain a clear understanding of the spatial aspects of the flood analysis. We are not convinced that all flooding sources or water propagation effects have been considered. Based on the details provided, the central conclusion - namely that there is no significant threat from internal flooding - seems reasonable. We do, however, have one comment:
On page 7.1-19 of Section 7.1.2.2 of the PRA, flooding and subsequent loss of core spray was disregarded following a small above core LOCA outside containment in the Reactor Building that is not isolated. The reason for disregarding this is that sufficient flow will be diverted to the torus via the ADS, and there will not be enough steam and water in the Reactor Building to cause a failure of the core spray pumps. A manual operator action is most likely needed to open the EMRVs in this case, yet the event was screened out. No reference is provided to substantiate this conclusion.
II.1.1.5 Utility Peer Review
Details of the independent peer review are provided in Appendix D of the Level 1 PRA. The PRA was reviewed using two parallel efforts: one by an independent in-house review group (IIHRG), the other by an external consultant. Both reviews took place early in 1991.
The IIHRG was comprised of a multi-disciplinary and multi-organizational group of management personnel not directly involved in the Level 1 PRA. The group met on nine occasions from February to May, 1991. Based on the comments listed in Appendix D, the group performed an in-depth review of the PRA.
Reviews by plant personnel who were not familiar with PRAs occurred mostly at the Event Sequence Diagram (ESD) level. As stated in the PRA, "it is sometimes difficult to directly link the ESD with the plant models rules. This provides further justification for the reader to ensure that they fully understand the plant rules files rather than focusing solely on the ESD diagrams and discussions."
The external review was performed by Dr. David H. Johnson, a consultant from PLG. The nature of the comments indicates that his review was detailed. It is worth noting that the independent reviewer was also the project manager for PLG's contribution of the Level 1 PRA.
II.1.2 Review of Accident Sequence Delineation and Systems Analysis
II.1.2.1 Initiating Event Review
The review of initiating events was carried out as recommended by Section 3.1.1 of the Draft Review Guidance provided by the NRC. The findings of the review are as follows.
The identification of initiating events (IEs) was performed using a 'master logic diagram' based on all plant safety functions. The master logic diagram was constructed to guide the effort of searching for ways in which the hazard of radioactive material release may become unacceptable by a loss of control of the essential safety functions. The diagram is similar to a fault tree in construction in that it depicts various conditions which might lead to a release of radioactive material. The approach represents a thorough method for identifying possible IEs. The master logic diagram appears to omit containment bypass sequences. The diagrams produced a list of initiating events at the 'functional' level.
The list of final IEs was produced from the logic diagram by reviewing plant and industry operating experience, other PRAs, and feedback from other parts of the risk model (i.e. systems analyses). The completeness of the list was verified by a review of operating procedure manuals (OPMs).
The OCNGS PRA reports initiating events as groups, rather than distinct events. At this level, it is difficult to determine if any events were screened out during quantification. Based on the information presented in Section 4.6, some events were screened.
The OCNGS IPE appears not to justify the screening out of several initiating events, namely:
1. Feedwater line breaks outside containment
2. Core flow blockage initiating events
3. Leakage at CRD or instrumentation penetrations or RWCU bottom head piping from the bottom of the vessel.
No HVAC-related IEs were analyzed. The Updated FSAR at OCNGS concludes that safety related equipment is capable of operating without room cooling, including the control room. Some rooms require ventilation fans, such as electrical switchgear rooms, but these failures are not modeled explicitly as initiating events.
The OCNGS PRA provides a detailed discussion of the dependencies between IEs and mitigating systems, including front-line and support systems. Table 7.3-8 is the 'Initiating Event Impact Table' which provides a summary of how each initiating event group affects the split fractions used in the model.
The quantification of initiating events is described in Section 4.6 of the Level 1 PRA. This section provides a detailed discussion of the methodology and considerations used in the IE quantification process.
The methodology used to develop plant-specific IE frequencies was the same as that used to quantify component failure probabilities for this study. The method is based on the Bayesian interpretation of probability, and involves the development of a prior distribution for ' generic' information regarding an event probability. The event probability is then modified using plant-specific evidence. Some initiating events, such as loss of TBCCW, were quantified using a systems-analysis approach.
The generic plant frequency distribution is taken from operating experience reported for 29 BWRs. Not all BWR data were used for all events because of differences in plant designs.
Plant-specific data were taken from Oyster Creek Scram Data and transient event reports. Error factors, or similar information regarding the distribution of generic data, are not provided in the IPE. This is important information, since the error factors can heavily influence the final point estimate used in the CDF quantification.
The quantification of IE frequencies is reasonable. The submittal makes effective use of both generic and plant specific data. The LOCA data is not referenced, however. Also, a spot-check of a key IE - Loss of Offsite Power - showed that an error factor of approximately 12 was used for this event (assuming a lognormal prior distribution). Typically, this data comes from public utilities commissions and is of very high quality. One would expect an error factor of less than 3.
The high error factor tends to reduce the mean value.
Assuming an error factor of 3, instead of 12, produces a mean value of 6.2E-2 rather than 3.2E-2: almost twice the value used in the IPE. Furthermore, if the plant evidence were 1, instead of 0, with an error factor of 3, the LOSP frequency jumps to 8.0E-2. Since the LOSP initiator dominates this IPE (and many others), an examination of the prior distribution and plant-specific evidence may be warranted.
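The effect described above, worked as an added example (it is not part of the original report and is not the RISKMAN or PLG calculation): a lognormal prior on an initiating-event frequency is updated with Poisson evidence by numerical integration. The prior median of 0.05 per year, the 22-year exposure and the error-factor convention (95th percentile divided by median) are assumptions, since the report states none of them, so the results do not reproduce its 6.2E-2 and 3.2E-2 figures.

```python
import math

# Assumption: error factor EF = 95th percentile / median of the lognormal,
# so sigma = ln(EF) / 1.645. The report does not state its convention.
Z95 = 1.645

# Constructed inputs for illustration only (not taken from the report).
PRIOR_MEDIAN = 0.05   # events per year
EXPOSURE_YEARS = 22.0


def lognormal_sigma(error_factor):
    """Log-space standard deviation implied by an error factor."""
    return math.log(error_factor) / Z95


def prior_mean(median, error_factor):
    """Mean of a lognormal with the given median and error factor."""
    sigma = lognormal_sigma(error_factor)
    return median * math.exp(0.5 * sigma * sigma)


def posterior_mean(median, error_factor, events, years, steps=4001, z_max=8.0):
    """Posterior mean frequency after observing `events` in `years`.

    Prior: lognormal(median, EF). Likelihood: Poisson, proportional to
    lam**events * exp(-lam * years). The integral is taken over the
    standardized log variable z with the trapezoidal rule.
    """
    sigma = lognormal_sigma(error_factor)
    h = 2.0 * z_max / (steps - 1)
    numerator = 0.0
    denominator = 0.0
    for i in range(steps):
        z = -z_max + i * h
        lam = median * math.exp(sigma * z)
        weight = math.exp(-0.5 * z * z) * lam ** events * math.exp(-lam * years)
        if i == 0 or i == steps - 1:
            weight *= 0.5  # trapezoid end points
        denominator += weight
        numerator += weight * lam
    return numerator / denominator


def compare(median=PRIOR_MEDIAN, years=EXPOSURE_YEARS):
    """Posterior means for the cases the reviewers discuss: EF 12 vs 3, 0 vs 1 event."""
    results = {}
    for ef in (12.0, 3.0):
        for events in (0, 1):
            results[(ef, events)] = posterior_mean(median, ef, events, years)
    return results


if __name__ == "__main__":
    for (ef, events), mean in sorted(compare().items()):
        print(f"EF={ef:4.0f}  events={events}  "
              f"prior mean={prior_mean(PRIOR_MEDIAN, ef):.3e}  "
              f"posterior mean={mean:.3e}")
```

With zero observed events, the wider prior (error factor 12) carries more probability at very low frequencies, so the evidence pulls its posterior mean below that of the error-factor-3 prior even though its prior mean is higher.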
Several of the more likely initiating events, such as reactor trip and turbine trip, have fairly low frequencies at Oyster Creek - between 0.7 and 0.9 per year. It is not unusual to see 3-4 turbine trips per year. The low values for these more likely events may be due to the maturity of the plant.
In summary, the initiating event data have been derived from a combination of generic and plant-specific data. The sources have been identified, in most cases, although some of the LOCA data is not referenceable. The discussion of initiating event quantification is thorough. The impact of initiating events on front-line and support systems has been modeled.
A better description of the process for screening initiating events from consideration should be provided.
II.1.2.2 Review of Front-line and Support Systems Analysis
The following front-line and support systems were analyzed in detail:
Front-line Systems
- Isolation Condenser
- Turbine Trip and Bypass
- Reactor Protection
- Main Steam Isolation
- Core Spray
- Containment Spray
- Recirculation Pump Trip
- Condensate/Feedwater
- Automatic Depressurization System (ADS)
- Standby Liquid Control
- Containment Isolation
- Standby Gas Treatment
- Firewater
- Condensate Transfer
- Control Rod Drive Hydraulics
- Reactor Building Isolation
- Main Steam Relief
- Torus Vent
Support Systems
- AC Electrical Power
- DC Electrical Power
- Service Water
- Turbine Building Closed Cooling Water (TBCCW)
- Engineered Safety Features Actuation System (ESFAS)
- Circulating Water
- Instrument Air
For each of the above systems, the IPE presented a brief description of the system as modeled, a description of the top events considered, and success criteria. References are provided for the bases of most success criteria. Also provided are support systems required, systems supported, configuration and operation, periodic testing requirements, maintenance, operator actions, the potential to cause an IE, applicable Technical Specifications, modeling assumptions, split fraction definitions, common cause analysis, and results. The discussions are complete and to the level of detail adequate for review. Fault trees are enclosed, but that is not a requirement.
The final list of systems analyzed was developed using a screening process. A preliminary list was developed using a previous PRA for OC and by review of other plants' PRAs. The FSAR was also used to identify key safety systems. The final list was developed following the completion of the plant logic model. The plant model then provided the criteria for including a system in the final list.
No detailed discussion of HVAC systems is provided in the Submittal. The Updated FSAR at OCNGS concludes that safety related equipment is capable of operating without room cooling, including the control room, but that some rooms require ventilation fans, such as electrical switchgear rooms. The PRA does model ventilation for some systems, for example, for the 480 V switchgear, but it is not clear if all required ventilation is considered. For example, for the containment spray system, the model assumes that room coolers are not required, but no justification for this assumption is provided. No discussion of the need for cooling (or justification for the lack of need) for the 4160 V switchgear is provided. (Perhaps the 4160 V switchgear is located in the 480 V switchgear rooms, for which ventilation is modeled. The PRA is not clear on this issue.) We could find no discussion of HVAC for the control room in the PRA.
No modeling of the recirculation system was performed aside from the recirc pump trip system for ATWS sequences, and the consideration of a pump seal LOCA as an initiating event. As discussed later in section II.1.2.5, the submittal is deficient in not addressing seal cooling during mitigation of transient accident initiating events.
Based on the review, it is concluded that all important front line and support systems required for prevention of core damage are modeled in the OCNGS IPE, except for HVAC and recirc pump seal cooling. Further justification for not modeling these systems should be provided.
II.1.2.3 System Dependencies and Support Systems
The OCNGS IPE performed a comprehensive analysis of system dependencies and support systems. Inter-system dependencies were treated in three groups: support to support, support to front-line, and front-line to front-line.
Dependencies are examined at different levels, depending on the nature and configuration of the system. Some dependencies are listed at a train level, or subsystems, or complete systems. The information in these tables was then used to generate impact tables which provide the split fractions to be used when top events, or combinations of top events are failed.
As a point of clarification, in the discussion of top event DB, page 7.4-3 of the PRA states that, "Failure of this top event is assumed to result in a failure of all equipment that requires battery A and B DC control and start power." If this is true, failure of DB should cause a total loss of ADS and other systems dependent on DC power. This condition is not reflected in the model. If this is not the case, the statement in the PRA should be corrected.
From the review, it is concluded that the IPE treated dependencies between plant systems in a reasonable and consistent manner. No deficiencies were identified, other than the issues associated with HVAC and recirc pump seal cooling as previously discussed.
II.1.2.4 Treatment of Common Cause Failures
Common cause failures are treated, in the OCNGS IPE, by means of explicitly incorporating dependencies in the systems modeling, and implicitly, by quantifying the likelihood of certain faults due to common causes.
Definitions of common cause, common mode and dependent failure are only given by example, rather than by strictly defining the scope and extent of these types of faults. This lack of definition leaves the reviewer in a questioning state regarding the common use of these terms.
The approach used to quantify dependent failures is the well-known multiple Greek letter (MGL) method developed and refined by PLG. The OC IPE relies heavily upon referenced materials to document the method, procedures and database used in the CCF treatment. A succinct development of the Oyster Creek-specific MGL database is given in the OCPRA section 4.4.
An abbreviated vertical review of the contribution of Diesel Generator CCF to core damage frequency revealed extreme difficulty in simply tracing the database Z_DGS_ through its accident sequence. The numerical value for diesel generator CCF probability appeared quite low in magnitude.
One potential bias that may have been introduced into the quantification of CCF, and which could not be evaluated is the effect of censoring the event data, without corresponding censoring of the population data. Simply put, if the generic database of common cause events is reviewed specifically for potential to occur at Oyster Creek, and some of the events are deemed inapplicable, then a similar exercise must be conducted on all other plants to determine the population exposed to the same CCF event. This bias may need to be investigated further.
Because of the nature of the rules modules approach, the contribution of common cause events to total CDF cannot be easily derived. As a result, significance of common cause events could not be determined for OCNGS.
II.1.2.5 Review of Event Trees
The OCNGS does not explicitly use event trees in the quantification of core damage frequencies. Rather, it uses the rules methodology - a modification to the event tree approach which is logically equivalent but computationally more efficient. The rules simply represent the conditions which must be present for the assignment of the status of the top event. No pictorial event trees appear in the Level 1 analysis.
The development of scenarios was accomplished by the construction of event sequence diagrams (ESDs). ESDs were used to document success paths available to mitigate the consequences of initiating events and subsequent system failures. The ESDs are reviewed and then translated into rules. It is important to note that the ESDs provide only guidance to the modeler and a framework for non-PRA analyst reviews. The plant model rules files are the only representation of the plant as modeled and quantified. In general, the rule sets are more difficult to peruse than event trees.
Functional success criteria are stated in Section 8 of the PRA - Plant Model Endstates. Specific criteria for system success are provided in the system notebooks (Appendix F). In general, the IPE rules development process provides the bases for all success criteria. However, there is no overall summary of the criteria, and it is not obvious where the analysis diverged from the FSAR analyses.
The linking of transfers between modules is simplified by the use of interim variables. This complicated the review of the linkage between modules. A spot check of some important links, such as transients to LOCAs, showed no discrepancies. While it does not affect our conclusions, we do have one comment:
The ESDs were very difficult to follow with respect to linkages between modules. For example, the reader is transferred from Loss of Feedwater Control module to ESD LT3c, which does not exist. Attempts to find LT3c among module LT3 also prove futile. Logistic errors such as this do not affect the outcome of the study, but they do make the auditing process very frustrating.
The following paragraphs provide our specific comments related to each individual event response module.
General Transient Module
The general transient module is used to evaluate plant response to a broad range of initiating events. Some initiating events enter this module directly, while others, particularly those support system failures that lead to plant trips, cascade into the general transient module. This module is directly linked to the long term transient model. Initiating events explicitly modeled are reactor trips and turbine trips. Top events questioned are appropriate for the IEs identified. They include: reactor trip, turbine trip, CST inventory, condenser vacuum, turbine bypass, control of feedwater (level setdown), mode switch to shutdown, main steam isolation, condensate and feedwater systems.
The event sequence diagrams show transfers from the general transient module to long term LOCA modules. A spot-check of the rules modules verified that this link occurred. This module is complete and no deficiencies were found.
Loss of Feedwater Control Module
This module was developed for a specific initiating event - the loss of feedwater control. This event is separated from the other general transients because the only automatic action expected is a turbine trip on high reactor water level. The event may lead to steamline flooding and subsequent failure. Events appearing in this module are turbine trip, reactor scram, CST inventory, condenser vacuum, turbine bypass, main steam isolation, IC isolation, condensate, feedwater, and MSIV closure. This module appears accurate and complete.
Long Term General Response Module
The long term general response module is used to evaluate the long term plant response to the general transient and loss of feedwater control modules. This module is quantified in conjunction with the support module and either of the aforementioned transient modules. The output of this module is directed to the recovery module and eventually to the plant damage state module.
Functions modeled in this module include recirculation pump trip, isolation condenser actuation, condensate transfer, relief valve operation, core spray, containment spray, ADS, and others.
It should be noted that the success criteria for core spray in the IPE differs from that assumed in the FSAR. While the FSAR Chapter 15 analysis requires two main pumps and one booster pump be operable, the IPE assumes that only one main and one booster pump be operable. This assumption is based on recent LOCA analyses for OCNGS.
The general transient module does not address the integrity of the recirculation pump seals following a general transient. That is, there is no consideration of recirculation pump seal LOCAs occurring during the mitigation portion of a general transient. If the recirculation pumps at OCNGS are typical of BWRs, the seals are cooled by injection (probably from the CRD system) or by controlled leakage with cooling by the pump lube oil/bearing cooling water system; however, if both these modes of cooling are lost, the seals will fail even if the pumps have tripped. The loss of seal cooling affects five pumps at Oyster Creek. Also, Oyster Creek has isolation condensers instead of a RCIC system, and contrary to the case with RCIC, core cooling does not directly involve injection to the vessel, and therefore losses through the seals are not directly compensated for. Sections 8.1.1 and 8.2.1.2 of the PRA indicate that long term makeup to the vessel is not required when cooling with the isolation condensers is provided.
Issue 1.9.37 of the 17 Salt for Oyster Creek states that the leakage resulting from loss of seal cooling is acceptable for two hours; however, this does not justify ignoring the long term requirements for seal cooling or the consequences of the loss of seal cooling. For example, if a seal leak rate of 100 gpm is assumed, and a vessel inventory of 200 gal per inch is assumed with 300 inches of water normally available above the top of the core, then without makeup to the vessel the top of the core will uncover in about 10 hours. The seal LOCA can be isolated by closing the isolation valves in the recirculation piping, but this requires recognition of the event and electrical power.
This module is considered deficient because it does not address the possibility of a post-transient LOCA via the recirculation pump seals.
Small LOCA Module
The small LOCA spectrum of breaks is assumed to include those leak sizes below which depressurization due to inventory loss is not expected to reduce RPV pressure below core spray or condensate pump shutoff head before the onset of core damage. An equivalent hole size for small LOCAs is not stated in the IPE submittal. PRAs for BWRs typically consider several small LOCA break sizes for steam/water breaks, since steam flashing provides more efficient depressurization.
The following functions are modeled in the small LOCA analysis: reactor trip, condensate, feedwater, ADS, core spray, fire water system (possible backup to core spray), and MSIV closure.
Because plant response may vary depending on the location of the break, six small LOCA groups are defined. The interfacing systems LOCA (ISLOCA) is included as a small LOCA group.
A review of the rules modules for small LOCAs shows that the rules are functionally correct and account for short term plant response to small LOCAs at varying locations.
Large LOCA Module
This module addresses short term plant response to large LOCAs. Due to the design of the Oyster Creek reactor core, there are a number of possible locations for a large LOCA that will not allow RPV reflood above the top of active fuel (TAF). For this reason, the IPE modeled two basic categories of large LOCA: above core and below core, depending on the break location with respect to TAF. A feedwater line LOCA outside containment is not addressed, as mentioned in Section II.1.2.1 of this review.
This module considers the following front-line systems: reactor scram, condensate storage tank, condensate, core spray, and fire water injection (backup to core spray). An interfacing systems large LOCA (overpressurization of the RWCU) is included in the large leaks below TAF.
A review of the rules modules for large LOCAs shows no deficiencies or inconsistencies for the IEs identified. The feedwater line LOCA was not addressed.
Long Term LOCA Response Module
This module models the long term plant response to both small and large LOCAs. All LOCA initiating events utilize this module. The output of the long term LOCA response module is input to the recovery module, which is in turn analyzed by the PDS module. The long term LOCA module addresses the performance of the following systems: primary containment isolation, containment cooling, containment venting, reactor building isolation, and standby gas treatment.
These systems primarily provide containment cooling and isolation functions. The rules module is functionally correct; no deficiencies were found.
Containment Heat Removal Recovery Module
This module is used in the Oyster Creek IPE to address the recovery of long term containment heat removal. This form of recovery applies to scenarios in which long term vessel injection is available from sources outside containment, with continuing discharge of decay heat to containment, eventually challenging the strength of the primary containment.
The functions which are modeled in this module include: long term recovery of DC power bus C, recovery of core spray, recovery of instrument air, recovery of torus vent, and long term RPV cooldown. Although it is shown as a single module, separate sub-modules are created for general transient and LOCA response. The output from this module is then directed into the PDS module.
The module is functionally correct. No deficiencies were found.
II.1.2.6 Dominant Sequences
The mean core damage frequency for OCNGS is 3.7E-6/yr. The IPE reports CDF in the following ways:
- initiator contributions to CDF
- system contributions to CDF
- operator action contributions to CDF
- plant damage state contributors to CDF.
A general narrative of the sequences is given in the rationale for specific initiators, systems, or operator actions appearing as dominant contributors. Detailed narratives for each of the top 20 scenarios are provided in Appendix C. These contribute to about 62% of the total CDF.
Dominant Initiating Events
The dominant IEs are: Loss of Offsite Power (Station Blackout), Turbine Trip, Reactor Trip, MSIV Closure, Total Loss of Feedwater, Loss of Condenser Vacuum, and Loss of TBCCW.
Together, they account for about 76% of the total CDF. The largest other contributors are Loss of Intake Structure, Electric Pressure Sensing Regulator Fails Low, and a Large LOCA Below Core, each contributing about 3% to the total CDF.
Dominant System Failures
The system failure which contributes most to the CDF is Electro-Matic Relief Valve (EMRV) failure to close (importance of 48%). Essential AC power buses contribute to 37% of the CDF.
DC power buses contributed to about 33% of the CDF. The IPE takes credit for an offsite emergency power source for its LOSP recovery model; however, the amount of credit is not relatively large. The emergency offsite source - an offsite combustion turbine - is not yet in place, but is scheduled to be in operation after the 14R outage.
Dominant Human Actions
Human actions contribute approximately 21% to the total CDF. The operator actions as modeled in the PRA range from post-trip control to emergency actions, to recovery of systemic or functional failures. The important operator actions with regards to CDF are: initiation of containment cooling, initiation of core spray, recovery of DC power, recovery of offsite power, initiation of IC makeup, and containment venting. No single operator action is disproportionately larger than the others; in fact, the top ten operator actions contribute from 2.76% to 1.03% to the total CDF.
Dominant Equipment Failures
Failure of an EMRV to close is significant because it allows reactor coolant to discharge to the torus (equivalent to a small LOCA), which requires ADS to allow for low pressure coolant injection. The continued heat rejection to the torus presents demands on the containment cooling systems. The absence of containment cooling can lead to loss of NPSH for the core spray pumps.
It is noted that a common cause failure of the DGs does not appear explicitly in the top sequences. It appears in the top sequence but is effectively masked. The modeling of the common cause failure of the DGs is rather confusing, due to the change in variable names for the CCF event from EE4 to EDD. Furthermore, the narrative describes the events as if they were independent failures.
Dominant Sequences
The following paragraphs summarize the dominant sequences in the IPE. The reviewers performed a spot check of the CDF calculation, based on the list of sequences provided in Appendix C of the PRA (Detailed Results). In some cases, we could not reproduce the calculational value provided in the text. The IPE results in Section 3 (and Appendix C of the PRA) represent point estimate values and should correspond to our spot-check calculations. In the sequences below, our hand-calculated value is shown in parentheses. The difference in our estimate and the value quoted in the IPE is because the IPE included some success events with probabilities slightly less than 1.0 - we assumed 1.0 for these events.
7.69E-7 (9.1E-7)
Loss of offsite power, followed by independent failure of both emergency diesel generators (station blackout) with successful lift of EMRVs and actuation of the isolation condenser. At least one of the EMRVs fails to close. Attempts to recover offsite power fail, leaving no source for reactor level makeup. Reactor level drops below the top of active fuel, regardless of IC operation. Fuel failure is assumed to occur shortly thereafter. Scenario timing is 37 minutes from IE to core damage. The recovery of offsite power event (mean probability of failure 0.258) includes credit for the future emergency power source at the Forked River Site, adjacent to OCNGS.
2.59E-7 (2.7E-7)
Turbine trip IE, followed by independent failures of both divisions of DC power for 3 hours. Loss of DC power disables all 4160 VAC switchgear. DGs may start and run, but cannot be loaded onto buses, resulting in a station blackout. Reactor makeup is not possible; however, MSIVs will close on the loss of DC power. Safety valves will cycle, eventually depleting reactor inventory until fuel is uncovered. Scenario timing, from IE to core damage, is only about 20-30 minutes.
2.10E-7 (2.2E-7)
This scenario is identical to the above scenario, except that the IE is a reactor trip.
1.23E-7 (1.3E-7)
This scenario is identical to the above two scenarios, except that the IE is an inadvertent closure of an MSIV.
1.16E-7 (1.6E-7)
Loss of offsite power with EMRV failure to close and failure of core spray system. DGs successfully start and load, and core injection is aligned through the CRDs. Initial post-trip pressure is reduced by the EMRVs, one of which fails to close. Core spray experiences an independent failure. CRD injection is unable to match flow out of the EMRV and core uncovery results.
Similar narratives are provided for 15 additional sequences.
The submittal provides an excellent presentation of results with respect to the front-end analysis. The level of detail is sufficient to identify dominant contributors.
II.1.2.7 Front-End and Back-End Interfaces
The Level 1/Level 2 interface was accomplished through a set of Plant Damage States (PDS). Rules modules were used in place of event trees to delineate all possible PDSs. These modules examined all possible Level 1/Level 2 interfaces such as containment cooling and torus venting.
The PDS quantification was performed using the RISKMAN code, similar to the process followed to quantify the core damage frequency. The PDS screening criteria used a truncation value of 5E-10, although, if sequences were combined for simplification, the truncation limit became zero.
Extensive combining of PDSs was performed to keep the number of distinct states below the code limit of 150. This was performed by consolidating zero or low frequency endstates into combined endstates. No further information is provided on how the consolidation was performed. For example, the cutoff limit for sequence quantification was found as a footnote in a large printout of sequences.
Based on our review, the following conclusions have been drawn:
- Important sequences were not screened out. It is possible that consolidation may have caused some sequences to be incorrectly categorized, although this does not appear to be the case. The screening criteria is consistent with NUREG-1335 guidelines.
- The bases for grouping logic is not provided in the IPE. This should be provided in some form.
- Plant Damage States explicitly considered all important reactor and containment systems. The Level 1 sequences contain all necessary information for the PDS analysis, therefore no systems were added in the PDS modules.
- The IPE does not address the timing of the containment failure with respect to the failure of core cooling equipment by high temperature. In other words, the IPE does not address, upon loss of cooling to the containment and torus, which failure occurs first: containment due to overpressure, or core cooling equipment due to high temperature or loss of adequate NPSHA. This important physical insight should be addressed.
II.1.2.8 Multi-Unit Considerations
Oyster Creek Nuclear Generating Station is a single unit facility. Multi-unit considerations are not applicable.
II.1.3 Review of the IPE Quantitative Process
The OCNGS IPE used the RISKMAN code package for sequence quantification and plant damage state analysis. A description of how the code produced qualitative and quantitative results is not provided. Details are provided in Section 5.4 of the PRA, with broad references to the integrated quantification process. Informative details pertaining to the quantification process should be provided.
A truncation limit of 1E-13 is reported in the table of top 100 sequences, Appendix C of the Level 1 PRA. No truncation limits were reported in the systems analysis.
A truncation limit of 5E-10 was used in the plant damage state screening analysis.
To evaluate the uncertainty in the results, a dominant scenario model was developed consisting of sequences which represented 95% of the core damage frequency. Probability distributions for initiating events, component failure data, and human errors were then input to the model. Monte Carlo mathematical methods were then used to propagate uncertainties through the dominant scenario model. The overall approach to uncertainty is widely accepted and no deficiencies were found.
Frequency distributions were plotted for total core damage frequency and the top six plant damage states' frequencies. The point estimate for the CDF is 3.69E-6/yr. The CDF distribution based on the uncertainty analysis is:
Mean: 3.69E-6
95th percentile: 9.82E-6
Median: 3.2E-6 (taken from Figure 9.1-1 of PRA)
5th percentile: 1.31E-6
The top 100 most dominant sequences are provided in Appendix C of the PRA.
The quantification process is valid, although details of the procedure are scattered throughout the PRA. It would be convenient if these details were concentrated into a single location.
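
The reviewers' hand check of sequence frequencies (success events set to 1.0) and the Monte Carlo propagation of uncertainty can both be illustrated with a small model. This is an added example, not part of the report and not the RISKMAN model: the two sequences, event names, medians and error factors are constructed for illustration and are not Oyster Creek data.

```python
import math
import random

Z95 = 1.645  # standard normal 95th percentile; error factor EF = 95th percentile / median

# Constructed inputs (not Oyster Creek data): lognormal (median, error factor) per event.
PARAMS = {
    "LOSP":      (5.0e-2, 3.0),  # initiating event frequency, per year
    "TURB_TRIP": (1.0,    2.0),  # initiating event frequency, per year
    "DG_A":      (3.0e-2, 3.0),  # split fraction: diesel generator A fails
    "DG_B":      (3.0e-2, 3.0),  # split fraction: diesel generator B fails
    "EMRV":      (5.0e-2, 3.0),  # relief valve fails to reclose
    "OSP_REC":   (2.5e-1, 2.0),  # offsite power not recovered
    "DC_A":      (1.0e-3, 3.0),  # DC division A fails
    "DC_B":      (1.0e-3, 3.0),  # DC division B fails
    "IC":        (2.0e-2, 3.0),  # isolation condenser fails; sequences credit its success
}
FREQUENCIES = {"LOSP", "TURB_TRIP"}  # per-year rates, so not capped at 1.0

# Each sequence: initiating event, events that fail, events that succeed.
SEQUENCES = [
    {"ie": "LOSP", "fail": ["DG_A", "DG_B", "EMRV", "OSP_REC"], "succeed": ["IC"]},
    {"ie": "TURB_TRIP", "fail": ["DC_A", "DC_B"], "succeed": ["IC"]},
]


def sigma(error_factor):
    """Lognormal shape parameter from an error factor."""
    return math.log(error_factor) / Z95


def mean_values():
    """Mean of each lognormal input: median * exp(sigma^2 / 2)."""
    return {k: m * math.exp(sigma(ef) ** 2 / 2) for k, (m, ef) in PARAMS.items()}


def core_damage_frequency(values, credit_success=True):
    """Sum of sequence frequencies. With credit_success=False every success
    event is taken as 1.0, which is the simplification used in a hand check."""
    total = 0.0
    for seq in SEQUENCES:
        freq = values[seq["ie"]]
        for name in seq["fail"]:
            freq *= values[name]
        if credit_success:
            for name in seq["succeed"]:
                freq *= 1.0 - values[name]
        total += freq
    return total


def sample(rng):
    """One Monte Carlo draw of every input; probabilities are capped at 1.0."""
    draw = {}
    for name, (median, ef) in PARAMS.items():
        x = rng.lognormvariate(math.log(median), sigma(ef))
        draw[name] = x if name in FREQUENCIES else min(x, 1.0)
    return draw


def propagate(n=20000, seed=1994):
    """Propagate input uncertainty to the total and summarize its distribution."""
    rng = random.Random(seed)
    totals = sorted(core_damage_frequency(sample(rng)) for _ in range(n))
    return {
        "mean": sum(totals) / n,
        "p05": totals[int(0.05 * n)],
        "median": totals[n // 2],
        "p95": totals[int(0.95 * n)],
    }


if __name__ == "__main__":
    means = mean_values()
    print("point estimate, success events credited:", core_damage_frequency(means))
    print("hand check, success events set to 1.0:  ",
          core_damage_frequency(means, credit_success=False))
    print("Monte Carlo summary:", propagate())
```

The hand check always comes out higher than the model value because dropping a success term multiplies each sequence by 1/(1 - p), and the right-skewed output distribution places the mean above the median.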
II.1.3.1 Quantification of the Impact of Integrated Systems and Component Failures
Split fractions were quantified separately in the CDF calculation. Because component-level information is lost in the process, the quantification of CDF is fully integrated only by use of the dependency matrices.
A sensitivity study was performed on several key variables in the study: loss of offsite power recovery, EMRV failures to close, and recovery of containment heat removal (including recovery of DC power and containment spray). An analysis was made regarding the sensitivity to data and some key assumptions. The analyses conclude that changes to data or assumptions regarding the LOSP and containment heat removal recoveries do not have a significant effect on overall results. The same is not true for the case of the EMRVs. The study concludes that relaxing assumptions for the EMRVs would reduce total CDF by 18%, but those same conclusions fail to point out that a 10% increase in failure probabilities produces a 5% increase in total CDF.
It would have been beneficial to examine the sensitivity to changes in data or assumptions pertaining to events which have traditionally dominated other PRAs, such as common cause failure of both emergency diesel generators.
II.1.3.2 Fault Tree Component Failure Data
In general, the OCNGS PRA database was developed using a Bayesian update process to combine the cumulative experience from a large population of nuclear plants with a comprehensive plant-specific database that represents a collection of over 10 years of operational and maintenance experience at Oyster Creek. The following sections discuss the submittal's treatment of fault tree component failure data. Separate discussions are presented for plant-specific, generic, and common cause component failure data.
Plant-Specific Data
The IPE for OCNGS made extensive use of plant-specific records for failure data, success data, and maintenance/testing unavailabilities.
Components recommended by NUREG-1335 for analysis with plant-specific data include: emergency core cooling pumps, batteries, diesel generators, electric buswork, and breakers. All of these components, except electrical buswork, were analyzed. In addition, service water pumps, instrument air, primary containment isolation, ADS valves, and other components were quantified using plant-specific data.
Generic Data
All generic data is listed in Table 4.3-8 of the Level 1 PRA. No description is provided regarding the generic data used. Error factors are not presented, either. The only information provided is a reference to PLG's database for nuclear reactor PRAs. Since only 50 component failure rates utilized plant-specific data, this leaves a vast amount of failure data without a description of the data sources.
Common Cause Data
The approach used to quantify dependent failures is the well-known multiple Greek letter (MGL) method developed and refined by PLG. The OC IPE relies heavily upon referenced materials to document the method, procedures and database used in the CCF treatment.
Essentially, the development of the plant specific database begins with an industry-wide database of dependent failure events, and by way of engineering review, determines the vulnerability of the Oyster Creek plant systems to each individual failure event. Modifications to the individual events are made to correct for dissimilarities in equipment physical parameters and levels of system redundancy (i.e. 3 train system versus 2 train system). Of vital importance, it should be noted that the data are censored at this point in the data analysis, if individual events are deemed inapplicable (not possible in Oyster Creek). A comment was made on 4.4-1, "the primary source of generic common cause data ... was the PLG generic common cause database", yet we could find no other event data source documented. Specifically, we would expect an Oyster Creek event reporting system to have been utilized, or mentioned.
II.1.4 Review of IPE Approach to Reducing the CDF
II.1.4.1 Methodology for Identification of Plant Vulnerabilities
This section presents our comments regarding our review of the IPE's methodology to identify plant vulnerabilities. The OCNGS IPE presents a clear definition of a vulnerability as "any core damage sequence that exceeds 1E-4 per reactor year, or any containment bypass sequence that exceeds 1E-6 per year." No vulnerabilities were found, according to the IPE submittal's definition. The reviewers accept the conclusion that no vulnerabilities exist at Oyster Creek.
It is possible, using the OCNGS criteria, to have a component contribute to 99% of the CDF, and yet no vulnerabilities would be identified by their numerical criteria.
II.1.4.2 Plant Improvements and Planned Modifications
Despite having no identified vulnerabilities, a number of potential areas for low-cost improvements were developed that could, according to the licensee, enhance overall reactor safety:
1. Development of an emergency procedure for Loss of Offsite Power.
2. Development of an emergency procedure for Loss of DC Power.
3. Evaluate the purchase of a portable DC power generator.
4. Increased training on the importance of core spray system.
5. Changes to maintenance scheduling for the core spray system to improve downtime.
6. Programs instituted to reduce blockage and fouling of the isolation condensers.
7. Modifications (after 15R) to implement the Reactor Overfill Protection System.
8. Consider the development of specific guidance, training, and procedures for reactor overfill transients.
9. Increased emphasis in training on key operator actions as defined by the IPE.
These low cost modifications show a good application of IPE insights. The impacts of these planned modifications were not quantified, however. In light of the strong dependencies on DC electric power, the purchase of a portable DC generator (item #3 above) should be evaluated.
The IPE already takes credit for the following planned modifications (implemented after 14R):
1. Use of the Forked River site for alternate AC power.
2. A hard-piped containment vent system.
3. Provisions for an all-manually initiated containment spray system.
II.1.5 Review of the Licensee's Evaluation of the DHR Function
II.1.5.1 IPE Focus on Reliability of DHR
The OCNGS IPE modeled the plant's dependency on the DHR function. Failure to remove decay heat is reflected in the Level 1 PRA as plant damage sequences with LII for the second and third characters. These damage states contribute to about 4% of the total calculated core damage frequency. The licensee considers this value low enough to declare the issue closed.
The reviewers contend that the criteria for identifying DHR dependency is not consistent with the IPE definition of DHR. By focusing strictly on containment heat removal, many other facets of DHR are omitted.
II.1.5.2 IPE Considered Diverse Means of DHR
The IPE considered several diverse means of DHR. The various means of DHR, in order of preference, are:
1. Feedwater/Condenser
2. Two Isolation Condensers with makeup from firewater
3. Containment Spray/Emergency Service Water, if EMRVs are available
4. Hard-piped containment vent system (to be installed in outage 14R)
5. Firewater makeup to vessel using EMRVs.
The systems themselves were modeled in the IPE along with the support required for operation.
The issue of recirculation pump seal failures after a general transient has not been adequately addressed and this affects the resolution of DHR issues.
II.1.5.3 Unique Features
The Oyster Creek facility has several unique features with respect to DHR:
- There is no high pressure ECCS system, and no low pressure coolant injection system (LPCI). Later BWR designs have steam-driven high pressure core spray and LPCI in addition to a low pressure core spray system.
- The station batteries have a three-hour capacity. Some plants have longer battery capacities; this is important since DC power is required to open the relief valves and depressurize the system.
- There is no RCIC system. Cooling is provided by a passive convection cooling system (isolation condensers).
- Dedicated containment venting is available.
III. OVERALL EVALUATION AND CONCLUSION
The OCNGS IPE submittal is based on a Level 2 PRA for internal events. The overall methodology is consistent with Generic Letter 88-20 and NUREG-1335. The information provided supported a horizontal review.
The submittal includes a full set of system analyses for both front-line and support systems. The initiating events list includes events typically appearing in PRAs for BWR plants; however, a few have been omitted, such as leaks in the RWCU line or feedwater line breaks outside containment. The IE frequencies were derived using a reasonable approach, although the error factors were not provided.
The systems analysis portion is complete. Fault trees were drawn for most system failures. All major front-line and support systems were modeled, with the possible exception of recirculation pump seal cooling. Loss of HVAC room cooling is not included, based on FSAR analyses. A combination of plant specific and generic data were used to quantify basic event probabilities.
Common cause failures were evaluated using the Multiple Greek Letter Method and are propagated correctly through the model. Some data censoring occurred which may require further investigation.
The overall quantification of CDF was performed using the rules methodology - an evolution of the large event tree/small fault tree method. This method is credible; however, it is not amenable to review. Risk results were presented in an excellent manner.
In conclusion, it is our opinion that the OCNGS IPE is a good Level 1 PRA, with minor weaknesses. Responses to the issues raised in this review will help to correct for weaknesses in the submittal. The approach follows industry practice and it supports OCNGS's conclusion that no vulnerabilities exist at the facility. Further information should substantiate this conclusion.
ENCLOSURE 3 OYSTER CREEK INDIVIDUAL PLANT EXAMINATION TECHNICAL EVALUATION REPORT (BACK-END)