1,.. . - w

                     !                                          & A e
                 <   i #4 '

i 15 4 : o I ss4 ij PWRs B&W

       >4                    .

Support system failures are important because they defeat redundancy in front-line systems.

                             . Ability to feed-and-bleed without operator actions reduces CDP for most B&W plants.
                             . Plants with Byron-Jackson pumps generally have lower contributions from RCP seal LOCAs.
                             . B&W plants have manual ECCS switchover to recirculation,
          ~

which increases the contribution from recirculation failures for LOCAs. i l Figure 3.10 Reported IPE CDFs and key perspectives for the B&W PWR plant group. 3 39 NUREG-1560, Draft

3. Core Damage Frequency Perspectives ime T/

es 2. imm : a a a r. 4 . ya 1M5 : ya h Taa a ITK

                        &                                                                          g g                    saa 1                                                                           a tKm :                            a             a             4                    y          a a
  &                                   a 4

h haa , 12 4: kaa a

  &                                                                                 A o

U

   < nma                               r SBO         ATWS              T          SGTR   LOCA       ISLOCA          FLD
            'For Dmne4aese, transiente include SBO contribution Figure 3.11        Reported IPE accident sequence CDFs for B&W plants.

Transients are generally considered to be important contributors to CDF and containment failure frequency because they involve relatively high initiating event frequencies coupled with support system failures that defeat the redundancy in systems available to mitigate potential accidents. LOCAs are more important for these PWR plants than for BWR plants (see Section 3.2) because there are fewer systems available in the PWRs to provide LPl. SBO accidents are important for some B&W plants because they leave few systems available to prevent core damage. One licensee (Oconee 1,2&3) identified internal flooding accidents as being important, reflecting a plant-specific weakness to a turbine building flood. None of the licensees found ATWS SGTRs, or ISLOCAs to be important contributors to CDF. (These accidents are normally low contributors because of the low frequency of the initiating event.) The diverse scram systems installed in all B&W plants for the ATWS rule contribute to the lower ATWS frequency for these plants. Although SGTRs and ISLOCAs are generally found to be low contributors to CDF, they can be important risk contributors since they bypass containment. The variation in the reported IPE results is attributed to many factors including plant-specific design features, modeling assumptions, and variation in data (including the probability of operator errors). Rese factors and the improvements being considered by the plants to address weaknesses are summarized in Table 3.11, and are discussed below for each important accident class. NUREG-1560 Draft 3 40

l l

3. Core Damage Frequency Perspectives Table 3.11 Summary of CDF perspectives for the B&W plant '

group. Accident Important design features, operator important importance actions, and model assumptions plant improvements  ! Transient accidents l important for Design of RCP seals, which affects Training enhancements or procedural  : nearly all B&W susceptibility to RCP seal LOCAs modifications to reduce the probability of plants RCP seal LOCAs l Capability to feed-and-bleed without operator action at most plants Plant-specific operational and design i changes: I SW and CCW design, and

• replacing manual crossover valves between dependency of front-line systems on LPI pumps with motor operated valves j these systems (MOVs) that < an be remotely operated i from the control room l Time window used for plant-specific
• staggering of liPI pump use during loss of data SW events
• providing alternative ventilation to Modeling of common cause failures maintain SW operation upon loss of IIVAC <

LOCAs important for most Factors that affect time to perform the Procedural changes or training enhancements l B&W plants manual switchover to ECCS to improve the reliability of switchover from recirculation: injection to recirculation

• size of RWST l
• containment spray setpoint (higher improvements to extend the period of l setpoints avoid diverting the ECCS injection from the borated water storage tank supply to containment sprays) (BWST)

Design of LPI system and modeling improvement to cope with simultaneous 11PI  ! of common cause failures suction valve failures  ! SBO accidents important for - Design of RCP seals, which affects Addition of air-cooled diesel generator many B&W plants susceptibility to RCP seal LOCAs i Additional battery capacity Availability of alternative RCP seal cooling Procedural changes for DC load shedding AC power reliability (number of Procedural changes for replenishing diesel diesel generators, crosstic capabilities fuel oil for long-term diesel use between units, diverse AC power sources) Battery life 3-41 NUREG-1560, Draft l l l l

t

3. Core Damage Frequency Perspectives Table 3.11 Summary of CDF perspectives for the B&W plant group. -

1 Accident important design features, operator Important importance actions, and model assumptions plant improvements -  ; internal Flood Accidents Only important for Plant layout (separation and Modified procedures to extend water supplies one B&W site compartmentalization of mitigating during internal flooding events system components) Procedural change to minimize potential for flood propagation j A1WS accidents Not important to Diverse scram system reduced ATWS None identified CDF for any contribution for all plants B&W plants SG1R accidents Not dominant for Modeling of operator actions to Procedural changes to improve the  ! any B&W plants isolate tne rupture and provide long- probability of steam generator isolation term heat removal during SGTR Modified severe accident management guidelines to refill BWST during SGTR ISLOCAs Not important for Compartmentalization and separation Procedural and training modifications to any B&W plants of equipment reduce the likelihood of ISLOCA Transients are 'mportant contributors to CDFfor nearly all B& Wplants. This accident class involves events that cause the reactor to trip followed by failure to bring the reactor to safe shutdown. The sequences primarily involve failure to remove decay heat by either steam generator cooling or primary system feed-and-bleed cooling. Sequences with failure to replace reactor coolant inventory following an accident-induced LOCA (normally an RCP seal LOCA) are ale,o important at some plants. Transients represent a broad category, covering both general initiators (such as rer. dor trip or loss of main feedwater) and support-system initiators (such as loss of SW or AC/DC bus). The failures leading to core damage for transients are found to be quite plant-specific, llowever, some key factors affecting the CDF from transients are common among many of the submittals. These key factors involve plant-specific design and operating conditions, as well as the modeling of plant systems and operating history in the IPEs, as follows:

• Susceptibility to RCP seal LOCAs - Three B&W sites use Byron Jackson RCPs, which the industry -

believes are less susceptible to RCP seal LOCAs than other designs. The remaining two sites use either Westinghouse or Bingham International pumps. For the sites with Byron Jackson pumps, the IPEs only  ; considered RCP seal LOCAs to be credible for sequences with both loss of all seal cooling and operator l NUREG-1560, Draft 3 42 i 1

3. Core Damage Frequency Perspectives failure to trip the RCPs. He remaining sites include the possibility of RCP seal LOCAs even with the RCPs tripped, which increases the CDF for RCP seal LOCA sequences. He importance of RCP seal LOCAs was also influenced (to a lesser extent) by the availability of backup systems to cool the seals when the normal configuration fails (e.g., safe shutdown facility), and the use of difTerent support systems for cooling the RCP seals than for providing injection (so that loss of a single system does not lead to an unmitigable LOCA).

• Feed-and-bleed cooling - Six B&W units have llPl pumps with shutoff heads above the SRV setpoint, and one plant (Davis-Besse) has a shutoff head that is near the SRV setpoint. Herefore, operator action is not necessary for feed-and-bleed cooling to succeed for most B&W plants; even if the operator does not open the PORVs, llPI will automatically actuate, and feed-and-bleed cooling will occur at the SRV setpoint. He Davis-Besse IPE submittal considers the SRV setpoints to be sufficiently uncertain that 11PI might not be able to lift the SRVs; as a result, operator action will be necessary to open the PORV for cooling to succeed.
• SW and CCW dependencies - Most plants have a relatively high dependence of other plant systems on CCW and/or SW systems. Some B&W plants have relatively diverse SW/CCW systems, and have capabilities for crossticing systems. Dese plants generally show less vulnerability to failures in SW and CCW systems. Ilowever, loss of either of these support systems is still important to the overall transient CDF for B&W plants.
• Data - Some variability in the results is attributed to the treatment of plant data. Some licensees use data only from the most recent five years, while others included older plant operational data. De more recent data generally indicates fewer plant trips and better equipment reliability; as a result, incorporating older data into the failure frequencies gi.'es higher values than limiting the data to more recent years. A related factor that influences the IPE results is that some licensees tend to use lower values for common cause failures, which reduces the CDF.

All B&W licensees are considering or implementing improvements to address the factors that contribute to the CDF from transients. Most licensees (ANO 1, Davis-Besse, Oconee 1,2&3, and TMI I) are considering training enhancements or procedural modifications to reduce the probability of RCP seal LOCAs. He remaining improvements discussed in the IPE submittals are plant-specific operational and design changes. Some examples of these changes include replacing manual crossover valves between LPI pumps with MOVs that can be remotely operated from the control room, staggering IIPI pump use during loss of SW events, and providing alternative ventilation to maintain SW operation with loss of IIVAC. LOCAs are important contributors to CDFfor most of the plants in this group. He most common LOCA contributors are small LOCAs, but some plants are instead dominated by medium LOCAs. Small LOCAs are generally the larger contributors to CDF because they have a higher initiator frequency. The dominant contributor to core damage is ECCS failure during recirculation (after the BWST has been drained and the suction is being transferred to the containment sump). Recirculation involves realigning systems, and typically involves more j components than required for the injection mode. In addition, operator action is required to perform this switchover l at the B&W plants. He reliance on operator action and the complexity in switchover lead to a higher failure probability than for injection failures. I he LOCA CDF results are quite similar for the plants in this group; however, there is variability regarding the most important specific failures: l 3-43 NUREO-1560, Draft I

3. Core Damage Frequency Perspectives Switchover to recirculation - The plants in this group require manual actions to initiate recirculation, and are designed so that HPR draws suction from low-pressure systems during recirculation. Some plants have large RWSTs so that the switchover to recirculation is either not necessary or is significantly delayed, giving the operators more time to complete the necessary actions for the switchover to recirculation. He containment sprays also draw from the RWST during the injection mode; as a result, plants with spray actuation occurring at lower containment pressures deplete the RWST more quickly, giving less time for the operators to perform the switchover of ECCS to recirculation. Two submittals have a relatively large contribution from medium LOCAs because of the shorter time available (relative to small LOCAs) for the operators to perform the manual switchover.

LPI system characteristics and modeling - ne most important system failures for LOCAs in B&W plants involve failures of the LPI system. The specific failure mode varies among the plants, but the most common failures involve common cause failure of pumps to start, common cause valve failures, and LPI pump cooling failures. The IPE submittals list fewer plant improvements related to LOCA concems than are listed for transients. Davis-Besse and TMI I are considering procedural changes or training enhancements to improve the reliability of the switchover from injection to recirculation. In addition, licensees are considering improvements to extend the period of injection from the BWST at Davis-Besse, and to cope with simultaneous HPl suction valve failures at Oconee 1,2&3. SBO accidents are important contributors to CDFfor many B& Wplants. SBO accidents involve an initial LOOP followed by failure of the emergency onsite AC power sources. The failure of AC power sources results in failure of all injection systems and failure of motor-driven AFW. This leaves only turbine-driven AFW available to cool the core and no systems available to provide injection to make up the loss through any RCP seal LOCAs that develop during the transient. Generally, plant design and operational features have a larger impact on the SBO CDF than do modeling characteristics, but no single factor dominates. Combinations of factors are usually important, and those combinations vary from plant to plant. Overall, the most influential factors are as follows: Susceptibility to RCP seal LOCAs - Three B&W sites use Byron Jackson RCPs, which the industry believes are less susceptible to RCP seal LOCAs than other designs. He remaining two sites use either Westinghouse or Bingham International pumps. As mentioned in the discussion of transients, the IPEs for plants with Byron-Jackson RCPs only consider RCP seal LOCAs to be credible if the RCPs are left running when seal cooling is lost. He RCPs w : trip when offsite power is lost, so RCP seal LOCAs are not considered important for SBO sequences at these plants. The remaining sites (those with Bingham Intemational or Westinghouse pumps) include the possibility of RCP seal LOCAs for SBO, which increases the SBO CDF. Ilowever, the availability of backup cooling from the safe shutdown facility at one of these plants (Oconee) reduces the impact of RCP seal LOCAs for SBO. Number of emergency AC power sources - Most B&W plants have two emergency diesel generators per unit to provide backup power when offsite power is lost, llowever, Oconee has a unique design in which backup power is provided by lines (hydroelectric and combustion turbine generator) from two other plants. In addition, Oconee has a standby shutdown facility with an independent diesel generator. Three Mile Island Unit I has the capability to crossconnect to the diesel generator at Unit 2. The additional redundancy in emergency AC power sources for these plants reduces the SBO CDF. NUREG-1560, Draft 3 44

l l

3. Core Damage Frequency Perspectives

• Battery depletion time - Battery power is needed to provide AFW control for r.:ost plants. (Davis-Besse indicates that AFW can be controlled manually.) Thus, when the batteries are depleted, all cooling is lost

and core damage follows. Battery depletion times range from 2 to 6 hours for this group, and the plants with the shortest battery life also have the highest SBO CDFs.

Two licensees indicated that they are considering or implementing plant improvements for SBO-related concerns. ANO I added an air-cooled diesel generator and additional battery capacity, while Davis-Besse is evaluating procedural changes to add redundancy to power supplies, provide for DC load shedding, and guide the replenishment of diesel fuel oil for long-term diesel use. Internalflooding is importantfor one B& Wplant. Intemal flooding events involve rupture of water lines that result in a release of water that can directly cause the failure of required mitigating systems and/or other mitigating systems as a result of submergence or spraying of required components. The effects ofintemal flooding are highly plant-specific, depending on the layout of equipment within the plant and the relative isolation of rooms. Because of this diversity of design and layout, each plant has different vulnerabilities to flooding, and generic conclusions regarding flooding can not be drawn. All of the B&W plants have internal flooding contributions ofless than 10% except Oconee 1,2&3. The intemal flood contribution for Oconee is dominated by turbine building floods resulting from SW failures that submerge main and EFW pumps because the drains are not large enough to prevent water buildup. A TWS a hot a dominant contributor to CDFfor any of the B& Wplants. ATWS sequences involve a transient, followed by failure to shut down the nuclear chain reaction by inserting the control rods. Power generation continues at levels far in excess of normal decay heat. An ATWS sequence can be mitigated by pressure control and heat rr.noval. Because of the low frequency of failure to scram, ATWS is a small contributor (less than 3% of CDF) for all the plants in this group. All of the licensees have installed a diverse scram system to comply with the ATWS rule; this system increases the scram probability and decreases the frequency of ATWS sequences. SGTR is not a dominant contributor to CDFfor any of the B& Wplants. SGTR sequences involve leakage from the primary to the secondary through a ruptured steam generator tube, followed by either failure to mitigate the leak or failure to establish long-teim core heat removal. SGTR accidents are a minor contributor to plant CDF at all B&W plants (less than 5% of CDF) because of the relatively low frequency of the rupture occurring and the relatively high probability of the operators isolating the rupture. ISLOCAs are not dominant contributors to CDFfor B&Wplants. ISLOCAs, however, can be significant contributors to risk because the releases bypass containment. The low CDF contribution is attributed to the low frequency of the LOCA initiator combined with its negligible-to-minimal impact on other systems. His low impact results from the compartmentalization and separation of the equipment. 3.3.2 CE Plant Perspectives Table 3.12 lists the CE plant group which includes 15 plant units (represented by 10 IPE submittals). j Table 3.12 Plants (per IPE submittal) in the CE group. ANO 2 Calvert Cliffs I&2 Fort Calhoun 1 St. Lucie 1&2 Maine Yankee Millstone 2 Palisades Palo Verde 1,2&3 > San Onofre 2&3 Waterford 3 l l 3-45 NUREG-1560, Draft l l l

o 4 i 3. Core Damage Frequency Perspectives j r

  - As shown in Figure 3.12, the CDFs for the CE plants as a group are comparable to the CDFs for the bulk of the                    l PWRs.                                                                                                                             4 i

4 U.,@50 < ^s:m: , s > .,.s.

                         . .s 4
                                                             -- ~ j                                      .

7g , Oh[yy%p c M ih j

                                                                                     +7c.z.

s-

                                                                                                                             @)gy    j 15 4                                                                                                    in    l
                                                                                                                               )? y  ;

a og 'M { {,_ t ..a i

• a l

h up;120j; l

• i l :la
• g

                                                                *j l 4

• 2 i

i

                                                                                          - ^-

j is4 l P h i i i 15 4 - 15 4 PWRs CE  !

                                                                                            +Q sh                                   \

n:gpy%EhLh , w ggy gy;; t 3 g .g;= s s .,a , I

           .m.
            ~.    '

Support system failures are Laportant because they defeat A l redundancy in front-line systems. J i a Some CE plants without PORVs can feed-and-bleed usmg l other valves.  !

                                                                                                                             , ma    l Some plants without feed-and-bleed cooling capability can                                      *
                                                                                                                                 ~

l compensate by depressurazing the steam generators to use l condensate as an attemative to feedwater.  ; t LOCAs are important for most plants, but modeling and j re--- '=-ry in feed and bleed capability reduces the importance  ! for one plant (Fort Calhoun). , j

                                                     $$                                         ^

gk

                                                                                                                         ~

i <

                                                ,,                                                      6% "y Figure 3.12       Reported IPE CDFs and key perspectives for the CE PWR plant group.

NUREG-1560, Draft 3-46

l

3. Core Damage Frequency Perspectives Calvert Cliffs 1&2 have a CDF well above other CE plants, primarily because of a higher dependence on 11VAC and less capability (relative to other CE plants) to remove decay heat through the steam generators or feed-and-bleed cooling. Transients or LOCAs are usually the most important contributors to overall CDF, with SBO often a significant contributor as well(see Figure 3.13).

1MM .

        'C" e

aa (1EM a&& aa fa

                                                          'b                           #

2 Aaa

• AA A

g 1tua i ',' A o a , gx Ma a a , j ", N A_ ^ 3-

n. a aaa ea a l E 1Em a _L '

l In Y a

                                                                                               <aa a              aa l

E * 'a asa a

        .g g 1EW :                                                      a o                                                                                       a O

a

          < 1Ma                    :.                                                                          -

SBO ATWS T SGTR LDCA ISLOCA R.D 4 vtr Fort cahaun and c*nt cute U2, ve=ene haud soo conehman

• h Yeh defered M % ardude NEE Figure 3.13 Reported IPE accident sequence CDFs for CE plants, In general, based on the IPE submittals, the following classes of accidents are most important to CE plants:
• transients 4
• LOCAs
• SBO - the loss of all offsite and onsite AC power Transients are generally considered to be important contributors to CDF and containment failure frequency because they involve relatively high initiating event frequencies coupled with support system failures that defeat the redundancy in systems available to mitigate potential accidents. LOCAs are important for these plants because there are generally even fewer systems or levels of redundancy available to mitigate such accidents than there are for many transients. SBO accidents are relatively important for CE plants because they leave few systems available to prevent core damage. For two units (one IPE submittal), ATWS accidents were identified as somewhat important (10% or i

3-47 NUREG-1560, Draft

i j

3. Core Damage Frequency Perspectives j greater contributor to plant total CDF) mostly because of analysis assumptions. Only one licensee identified internal l flooding accidents as being somewhat important (14% contributor to plant total CDF), and only one licensee l identified ISLOCAs as contributing 10% or more to the total plant CDF. In these specific cases, a combination of analysis assumptions and plant-specific features caused these accidents to be somewhat important. None of the licensees found SGTR sequences to be important CDF contributors.

Dese latter types of accidents are normally low contributors, in part because of the relatively low frequency of the initiating event and the relatively high probability of the operators isolating the rupture. Nonetheless, SGTR and ISLOCAs can be important contributors to risk since they bypass containment. The variation in the reported IPE , results is attributed to many factors, including plant-specific design features, modeling assumptions, and variation in data (including the probability of operator errors). Dese factors and the improvements under consideration by l the licensees to address weaknesses are summarized in Table 3.13 and are discussed below for each important accident class. Table 3.13 Summary of CDF perspectives for the CE plant group. F Accident Important design features, operator actions, and model Important importance assumptions plant improvements Transient accidents  ; important for nearly Degree of IIPI and AFW dependence on support systems Improving procedures and - all CE planu (SW, CCW, AC/DC bus,IIVAC) training for dealing with loss of ventilation systems, Success criteria for feed-and-bleed (PORV capacity and particularly for switchgear, redundancy, credit for attemative relief valves) battery, and DC bus and inverter rooms ' Ability to depressurize the steam generators and use condensate for heat removal Adding temperature alarms for  ; switchgear, battery, and DC Lower susceptibility to RCP seal LOCAs because of RCP bus and inverter rooms seal design Enhancing procedures and Long-term makeup to AFW (water supply size, attemative equipment for crossticing supplies, procedures, operator training) buses LOCAs " Important for many Automatic switchover to ECCS recirculation None identified CE plants LOCA initiating event frequency SBO accidents important for many AC power reliability (number of diesel generators, cmsstic , Adding additional power CE plants capabilities between units, diverse AC power sources) sources Diesel generator cooling dependencies Extending availability oflong-  ; term heat removal:  : Diesel generator reliability

• improving availability of altemative water supplies .

Battery life to AFW '

• use of firewater for steam ,

generator cooling Adding portable generator for battery charging l l l NUREG-IS60, Draft 3-48 l

3. Core Damage Frequency Perspectives Table 3.13 Summary of CDF perspectives for the CE plant group.

                       ~

d Accident Important design features, operator actions, and model Important importance assumptions plant improvements ATWS accidents Only important for Assessment of the fraction of time that a plant has None identified one CE plant (2 unfavorable moderator temperature coefficient

units)

Intemal flood accidents e important for two Plant layout (separation and compartmentalization of Revising procedure to CE sites (three units) mitigating system components) maintain door open SGTR accidents Not dominant for Modeling of operator actions to isolate the rupture and None identified any CE plants provide long-term heat removal l

ISLOCAs

Not important for Compartmentalization and separation of equipment Adding valve checks or testing any CE plants i

Transients are important contributors to CDFfor nearly all CEplants. This accident class involves events that cause the reactor to trip, followed by failure to bring the reactor to safe shutdown (either failure to remove decay heat or failure to replace reactor coolant inventory following an accident-induced LOCA). Transients nepresent a broad category, covering both general initiators (such as reactor trip or loss of main feedwater) as well as support-system initiators (such as loss of SW or AC/DC bus).

    'Ihe specific failures leading to core damage for transients are quite plant-specific.110 wever, some key factors in the IPEs collectively affect the CDF contribution from transients as well as the dominant types of transient scenarios
  . (e.g., core damage during injection and recirculation). These involve plant-specific design and operating conditions, as well as the assumptions made in the IPEs. The modeling issues are important to the results and, in some cases, represent a significant area of uncertainty:

Degree of support system dependence - Variability in the support systems needed for AFW or EFW and high pressure safety injection (llPSI)is important to the overall transient CDF for CE plants. Dependencies on SW, CCW, specific AC/DC buses, and ilVAC can be especially significant. For example, only half of the submittals model the need to cool the liPSI pumps for seal / bearing cooling during injection for feed-and-bleed cooling Omission of this consideration from the other half of the submittals is typically based on a combination of analysis and assumptions. The Calvert ClitTs submittal, which covers two plant units, includes a dependence on llVAC for ilPSI. Specific power bus loads and the extent to which these are shared among AFW/El W, liPSI, and PORVs can also be important, as demonstrated by the significance of specific bus faults to the transient CDF for at least ANO-2, Calvert Cliffs, and Maine Yankee. The latter licensee even models dual bus faults as possible initiating events. The specific configurations vary considerably among the plants, however, and plants with less dependence on these supports and/or greater redundancy in their design tend to be more tolerant of transient initiators. j l 3-49 NUREG-1560, Draft j l

3. Core Damage Frequency Perspectives

• Success criteria for feed-and-bleed - Some CE plants do not have PORVs (or alternative relief valves).

As a result, they cannot use feed-and-bleed cooling, or they do not have redundancy in the features needed for feed-and-bleed cooling, which limits the effectiveness of feed-and-bleed. For example, the Calvert Cliffs units require both PORVs for successful feed-and-bleed (their PORVs are small). As a result, these units do not always credit feed-and-bleed as a possible heat removal system in response to a loss of main feedwater event because the RCS will remain above the 11P1 shutoff head unless the reactor is tripped within 10 minutes. Maine Yankee, Palisades, and ANO-2 all have less redundant or unusual bleed designs. Plants with lower transient absolute CDF values generally (but not always) either have redundancy in the feed-and-bleed function, and/or take credit for both feed-and-bleed cooling and steam generator depressurization (discussed below).

• Ability to depressurize the steam generators and use condensate for heat removal - Some C plants have the ability to use steam generator depressurization and heat removal with condensate whenever all feedwater (main and auxiliary) is lost. For example, the Palo Verde and San Onofre units do not have PORVs and so cannot use feed-and-bleed cooling.110 wever, these units credit steam generator depressurization and use of condensate as a successful means of heat removal. Calvert Cliffs does not credit steam generator depressurization and use of condensate for heat removal because of the small single ADV for each steam generator. he ability to use steam generator depressurization and condensate for heat removal is plant-specific, and reduces the transient CDF for those IPEs that ir.clude this strategy.
• Susceptibility to RCP seal LOCAs - Re industry generally considers susceptibility to RCP seal LOCAs to be lower for CE plants than for many other PWRs. His assumption is based on the typical Byron-

         .lackson 4-stage seal design (or an equivalent) used in CE plants, and the analyses and actual tests performed by the CE Owner's Group regarding this issue. Because of these analyses and tests, all CE submittals use models that are considered realistic for the RCP seal failure potential in CE plants. Nevenheless, some variability exists among the CE plant IPE submittals in the associated flow rate and probability of these LOCAs. In some cases, a small but possible chance for RCP seal LOCAs is considered in the IPE. In other cases, the IPE model does not consider the potential for such a failure. Since such events increase the demand for coolant injection during transient scenarios, the specific models used and their bases are a factor in the relative importance of transient scenarios.

• Long-term makeup to the AFW/EFW -he long-term ability to supply water to the suction for AFW/EFW  ;

and the associated actions are particularly significant for transients with no induced LOCA conditions. His ] source of water is required to ensure long-term heat removal until shutdown cooling can be initiated.  ! Variability in water supply size, alternative supplies, procedures, and operator training all influence the relative importance of this characteristic. Most licensees are considering or have already implemented improvements to address the factors that increase the CDF from transients. De most common plant improvements are aimed at increasing power reliability during LOOP i scenarios. Many of these improvements can also benefit other types of accidents, especially those involving SBO. I Dese improvements include adding additional power sources, improving procedures and training for dealing with the loss of ventilation systems (particularly for switchgear, battery, and DC bus and inverter rooms) adding temperature alarms for these rooms, enhancing procedures and equipment for crossticing buses, and extending the i availability of long-term heat removal (such as improving availability of alternative water supplies to AFW or considering the use of firewater for steam generator cooling). In a few cases, these modifications have already been completed and are credited in the IPEs; at most plants, however, the modifications are either being installed or are still under consideration. NUREG-1560, Draft 3-50

3. Core Damage Frequency Perspectives LOCAs are important contributors to CDFfor manyplants in this group. Thc most common LOCA contributors are small LOCAs, but all CE plant IPE submittals conclude that large or medium LOCAs have a relatively significant contribution. Small LOCAs are generally the larger contributors to CDF because they have a higher frequency and, I if IIPSI should fail, they cannot be directly mitigated using core Hood tanks and LPI without manual depressurization. LOCAs are dominated by failures during either injection or recirculation, depending on the specific plant. He relative contribution from injection failures is generally higher for CE plants than for other PWR plant groups. 1 he plant features and assumptions mentioned above for transients also influence the specific contributions to LOCA l core damage scenarios for CE plants and affect the relative importance of injection and recirculation accidents. I Nevertheless, the absolute CDFs from LOCAs for the CE plants all fall within approximately one decade with the exception of one unit (Ft. Calhoun Station). Ft. Calhoun Station has redundancy in both its feed-and-bleed capabilities (even for very small LOCAs), and } IPSI is not particularly susceptible to suppon system faults.

However, perhaps the most noteworthy difference between Ft. Calhoun Station and the other CE plants is the relatively low LOCA initiating event frequencies reported in the Ft. Calhoun Station IPE submittal in all of the LOCA categories (small, medium and large), these frequencies are generally 4 to 20 times lower than the frequencies reported in other CE plant IPEs. It is not certain whether this is indicative of pessimistic values used by the other plants, or optimistic (i.e., low) values used in the Ft. Calhoun Station IPE. Ilowever, this factor alone can account for the differences in the LOCA CDF results. None of the licensees indicated that plant improvements are being made speci6cally to address LOCA-related issues. 110 wever, the improvements for transients indicated above will somewhat affect the LOCA CDF to the extent that the overall reliability of heat removal is increased. SB0 accidents are important contributors to CDFfor some of the CE plants. SBO accidents involve an initial LOOP followed by failure of the emergency onsite AC power sources. The failure of AC power results in failure of all injection systems and motor-driven AFW or EFW. His leaves only turbine-driven AFW/EFW available to cool the core and no systems available to provide injection to make up the loss through any RCP seal LOCAs or stuck-open primary relief valves that may develop during the transient. Generally, plant design and operational features have a larger impact on the SBO CDF than do modeling characteristics, but no single factor dominates. Combinations of contributors are usually important, and those combinations vary from plant to plant. Overall, the two most influential factors appear to be as follows:

• Number of emergency AC power sources and their dependencies - This factor has a direct innuence on the probability of a SBO, and thus is an important factor in the significance of core damage induced by SBOs. He number of emergency diesel generators (usually two per unit) directly affects the reliability of the emergency AC power system. Further, a few plants have a diverse AC power source, such as a gas turbine generator or swing or other diesels, and so are less susceptible to common cause failures of diesel generators. Configuration differences range from units with just one diesel per unit with a swing diesel between units (such as Calvert Cliffs) to two diesels per unit with additional backup capability existing or being added (such as Palo Verde). Calvert Cliffs is in the process of adding diesels to improve their onsite power reliability. Additionally, the staff noted that the nature of diesel dependencies can somewhat influence the overall onsite reliability. For example, Ft. Calhoun Station and San Onofre use self-cooled diesels with a radiator design, making them less susceptible to cooling dependency faults. Maine Yankee has a backup diesel that uses firewater as the cooling source. Plant-specific operating history can also be important, accounting for the order-of-magnitude difference in diesel generator failure-to-start probabilities.

3-51 NUREG-1560, Draft

3. Core Damage Frequency Perspectives

• Battery depletion time - Plants need battery power to provide plant status indication and control for the steam-driven AFW/EFW, including assurance of a long-term water supply for heat removal. He longer the battery life, the more likely it is to successfully provide heat removal using AFW/EFW while simultaneously increasing the chances of recovering AC power to eventually achieve a safe and stable plant state. Thus, for all plants in this group, when the batteries are depleted, all cooling is lost and core damage  !

ensues. One notable exception involves the Palisades plant, which credits AFW operation for six hours beyond battery depletion on the basis of manual control and the nitrogen station capacity for keeping the AFW valves open. Battery depletion times range from two to eight hours for this group, with the longer times reflecting plants using load shedding. Plants with the longer credited battery depletion times tend to exhibit a lower SBO CDF. He staff noted that the RCP seal failure models used in the CE plant IPEs (i.e., the very unlikely potential for a significant RCP seal leak as a result of the loss of all seal cooling during a SBO), minimizes the need for liPI during a SBO. His increases the significance of the continued operability ofjust the steam-driven AFW/EFW and hence increases the significance of the battery depletion time relative to plants for which a pessimistic RCP seal failure model is used (thereby requiring earlier AC power recovery to be able to operate coolant injection systems). Other features that might at first be thought to be important to SBO are in fact not so important. For instance, a low or high initiator frequency for offsite power does not necessarily correspond to an associated low or high SBO CDF. In fact, in some cases, the opposite result occurs. Since all the plants in this group rely on a steam-driven AFW/EFW train to provide heat removal during a SBO, variability in the availability and reliability of this equipment among the plants will be expected to be important to plant CDF. Ilowever, differences in the database for this equipment are not very large, making this variability a relatively small factor compared with the others discussed above. The plant improvements related to increasing the reliability of AC power that are discussed above for transients are also beneficial for SBO accidents. In addition, one licensee (Waterford), indicated that they would assess the benefit of adding a portable generator for battery charging. A TWSis not a dominant contributorfor CEplants. ATWS sequences involve a transient, followed by failure to shut down the nuclear chain reaction by inserting the control rods. Power generation continues at levels far in excess of normal decay heat. An ATWS sequence can be mitigated by pressure control, boration, and heat removal. Because of the low frequency of failure to scram and the credit taken for the above mitigating features, ATWS is a relatively low contributor to CDF (less than SE-6/ry) for all but one plant in this group (Calvert Cliffs). In that single exception, the higher ATWS contribution reflects the analysis assumptions and the assessment that the plant has an unfavorable moderator temperature coefficient for a large fraction of the time (40%). The result is an analysis that does not credit the mitigating features mentioned above, assuming instead that an ATWS leads directly to core damage. His pessimistic stance leads to an ATWS CDF that is a factor of six greater than the next highest plant ATWS CDF among the CE plants. Internalflooding is generally not ingportantfor CEplants. Internal flooding events involve ruptures of water or steam lines resulting in water or steam releases that can directly cause the failure of required mitigating systems or cause their failure as a result of submergence or spraying of required components. He effects of internal flooding are highly plant-specific, depending on the layout of equipment within the plant and the relative isolation of rooms. Because of this diversity in design and layout, each plant has different vulnerabilities to internal flooding events. Nevertheless, based on screening methods, all plants in this group report CDFs from internal flooding in the range of IE-6/ry to IE-7/ry (or even lower) except for Calvert Cliffs and Ft. Calhoun Station. Calvert Cliffs performed NUREG-1560, Draft 3-52

3. Core Damage Frequency Perspectives a more rigorous analysis that accumulated the combined effects of nearly a dozen flood scenarios (rather than using a series of individual screening arguments) that collectively contribute to an internal flood CDF of about 1.5E-5/ry (a 6% contribution to total CDF). It is unclear whether the flooding contribution will be significantly higher for other plants if they us'e the screening approach employed by Calvert Cliffs. For Ft. Calhoun Station, the flood-related CDF (about 2E-6/ry) represents about 14% of the total plant CDF. As a result, the licensee is implementing plant improvements to address this issue.

SGTR is not a dominant contributor to CDFfor CEplants. SGTR sequences involve leakage from the primary to the secondary through a ruptured steam generator tube. Core damage results either from failure to mitigate the leak or failure to establish coolant makeup and long-term core heat removal. Relative to other contributors, SGTR sequences are minor contributors to plant CDFs at CE plants (less than SE-6/ry) because of the low frequency of the rupture occurring, coupled with credit taken for operator actions and equipment used to mitigate the event. Although minor, the contribution to CDF is highly dependent on the assessed failure probabilities associated with human actions designed to mitigate such events. Although this is an area of higher uncertainties, it does not have a significant impact on the overall plant CDF. However, SGTR can contribute significantly to risk because the releases bypass containment. ISLOCAs are not dominant contributors to CDFfor CEplants. ISLOCAs, however, can be significant contributors to risk because the releases bypass containment. The low CDF contribution results from the low frequency of the LOCA initiator, combined with its negligible-to-minimal impact on other systems. This low impact is attributed to the compartmentalization and separation of the equipment. 3.3.3 Westinghouse 2-Loop Perspectives Table 3.14 lists the Westinghouse 2 loop plant group, which includes 6 plant units (represented by 4 IPE submittals). Table 3.14 Plants (per IPE submittal) in the Westinghouse 2-Ioop group. l Ginna Kewaunee Point Beach 1&2 l Prairie Island 1&2 l l l As a group, the Westinghouse 2-loop plants have CDFs in the middle of the range spanned by all PWRs, as illustrated in Figure 3.14. The importance of specific accident classes to CDF varies significantly from plant to plant, as shown in Figure 3.15. However, the following accident classes are most important for the Westinghouse 2-loop plants:

• transients i
• LOCAs
• SBO - the loss of all offsite and onsite AC power
• SGTRs 3-53 Nf) REG 1560, Draft

3. Core Damage Frequency Perspectives

                                   #                         4 15 4 .
        ;    v                                    ^ *.
                                                 ...A.
     =           ,,4 I

11lll

                 $a4 ,

lm ^ lI a a l L d is4 Ir

         ]o4u is4 PWRs                          W-2
                          . Support system failures are important because they defeat redundancy in front-line systems.
                          . Relatively high dependence of front-line systems on SW and CCW increases CDF for transients.
                          . A substantial contribution to transients arises from instrument air failures that fail PORVs.
                          . LOCA CDF is increased by the requirement for manual actions to switch to ECCS recirculation.

m Figure 3.14 Reported IPE CDFs and key perspectives for the Westinghouse 2-loop PWR plant group. NUREG-1560, Draft 3-54

3. Core Damage Frequency Perspectives icEm a-C N

     . taE=

N AA AA k A A 6 gg hi gg AA k10E6 _.A R TJ r-g a g a& 3 1K4 : 6 G 8 $4 E &A L g____$ - - - A

    &                                         A                                                    AA o

O

      <1.0E4 SBO      A1WS            T        SGTR        LOCA          ISLOCA         R.D Figure 3.15      Reported IPE accident sequence CDFs for Westinghouse 2-loop plants.

, in general, transients are important contributors to CDF and containment failure frequency because they involve relatively high initiating event frequencies coupled with support system failures that defeat the redundancy in systems available to mitigate potential accidents. LOCAs are more important for these PWR plants than for BWR plants (see Section 3.2) because fewer systems are available in the PWRs to provide LPl. SBO accidents are important for some Westinghouse 2-loop plants because they leave few systems available to prevent core damage. Half of the Westinghouse 2-loop IPE submittals had contributions from SGTR sequences ofless than 10%, while the other half had contributions greater than 10%. One licensee identified internal flooding accidents as being important. All of the plants had ATWS contributions of less than 1%, and all of the plants had ISLOCA contributions of less than 10%. These accidents are normally low contributors because of the low frequency of the initiating event and the failure to scram. Although ISLOCAs are generally found to be low contributors to CDF, they can be important risk contributors since the releases bypass containment. 3 55 NUREG-1560, Draft

3. Core Damage Frequency Perspectives The variation in the reported IPE results is attributed to many factors including plant-specific design features, modeling assumptions, and use of data (including the probability of operator errors). These factors and the improvements being considered by the plants to address weaknesses are summarized in Table 3.15, and are discussed below for each important accident class. i Table 3.15 Summary of CDF perspectives for the Westinghouse j 2-loop plant group. l Accident Important design features, operator actions. Important importance and model assumptions plant improvements Transient accidents l Important for all Degree ofIIPI and AFW dependence on SW Upgrades related to IA:

Westinghouse 2- and CCW = adding crosstics , loop plants

• reducing IA dependencies on other support i RCP seal cooling is not dependent on SW or systems i CCW, except in one plant
• changing valve failure modes to avoid water diversion upon loss ofIA Modeling of RCP seal LOCA probability and size Dependence of PORVs on IA LOCAs j 1mportant for all Manual actions needed for switchover to ECCS Revised hardware and procedures needed for Westinghouse 2 recirculation recirculation loop plants Size of RWST (smaller tanks give less time for

( Revised training programs for feed-and-bleed l operators to perform the switchover) procedures , Whether containment sprays will be actuated Revised technical specifications to align (causing more rapid depletion of the RWST) ECCS pumps to the RWST rather than boric acid storage tank while in standby Assessment of human error probability for performing switchover to recirculation SBO accidents Important for some AC power reliability (number of dicsci Added or upgraded diesel generators or gas Westinghouse 2- generators, crosstie capabilities between units, turbine generators loop plants diverse AC power sources) . l Upgraded power distribution l Diesel generator reliability  : Added bauenes t Frequency of LOOP Improved reliability of turbine-driven AFW: l Modeling of RCP seal LOCA probability and

• connection to use firewater for cooling size AFW pumps e equipment modifications to improve .

t Backup cooling for RCP seals reliability of AFW pumps Provided attemative RCP seal cooling from technical support center diesel generator  ;

                                                                                                                                                )

NUREG-1560, Draft 3 56

                               - . - = -                 --                  ...         - .- -                     -     -. -

I J

3. Core Damage Frequency Perspectives Table 3.15 Summary of CDF perspectives for the Westinghouse 2-loop plant group.

Accident Important design features, operator actions, Important importance and model assumptions plant improvements SGTR accidents important for one Modeling of operator actions to isolate the Modified procedures for coping with SGTRs Westinghouse 2- rupture and provide long-term heat removal loop plant Intemal flood accidents Important for some Plant layout (separation and Changes to procedures for identifying and Westinghouse 2- compartmentalization of mitigating system coping with floods (e.g., maintaining doors loop plants components) closed, or revising procedures to isolate leakt) Changes to plant layout (e g., changing swing direction of doors) ATWS accidents Not dominant for Assessment of the fraction of time that the plant None identified Westinghouse 2- has an unfavorable moderator temperature loop plants coefficient ISLOCAs Not important for Compartmentalization and separation of Leak testing for isolation valves Westinghouse equipment 2-loop plants Procedure modifications for identifying and mitigating ISLOCAs Transients are lonportant contributors to CDFfor all Westinghouse 2-loop plants. This accident class involves events that cause the reactor to trip followed by failure to bring the reactor to safe shutdown (either failure to remove decay heat or failure to replace the reactor coolant inventory following an accident-induced LOCA, normally an RCP seal LOCA). Transients represent a broad category, covering both general initiators (such as reactor trip or loss of main feedwater) as well as support-system initiators (such as loss of SW or AC/DC bus). He failures leading to core damage for transients are quite plant-specific. However, some factors that affect the CDF from transients are common among many of the submittals. The key factors involve plant-specific design and operating conditions as well as the assumptions made in the IPEs. He modeling assumptions regarding RCP seal LOCAs affect the results and represent an important area of uncertainty. Dese assumptions and other important factors are as follows

• SW and CCW dependencies - ne Westinghouse 2-loop plants have a relatively high dependence of other plant systems on CCW and/or SW. He configurations vary considerably among the plants, however. For  !

example, the motor-driven AFW pumps depend on SW for cooling at Point Beach and Ginna, but are independent of cooling water (except as an alternative water source) for Prairie Island. An important cooling water dependency for the Westinghouse 2-loop plants is the configuration for cooling the RCP seals l and charging /HPI pumps, which is discussed below. Because of the relatively high dependence on CCW ' 3-57 NUREG-1560, Draft i I

3 Core Damage Frequency Perspectives and/or SW, loss of either of tl se support systems is important to the overall transient CDF, but the contribution is generally lower than for the other Westinghouse plant groups.

• RCP seal design - RCP seal LOCAs do not contribute as much to the CDF for Westinghouse 2-loop plants as for other Westinghot;se plant groups because of plant design characteristics that reduce the associated I threat and because of modeling assumptions used in the IPEs (see the discussion below). However, the contribution from RCP seal LOCAs is still signincant. Charging pumps, which are separate from HPI pumps, can cool the RCP seals for all Westinghouse 2-loop plants. These charging pumps are air-cooled at all Westinghouse 2-loop plants, but the Prairie Island charging pumps indirectly depend on SW because SW failure results in a delayed failure of AC to the charging pumps. On average, this group of Westinghouse plants is less dependent on CCW and SW of RCP seal cooling, thereby reducing the contribution from transients with RCP seal LOCAs relative to other Westinghouse plant groups. Other design factors that affect the frequency of RCP seal LOCAs include the availability of backup systems (e.g.,

technical support center diesel generator for Kewaunee and Ginna, or CCW crosstics at Prairie Island) to cool the seals when the normal conSguration fails. In addition, these plants use different support systems to cool the RCP seals than to cool the systems that provide injection. As a result, loss of a single system does not lead to an unmitigable LOCA.

• RCP seal LOCA model - All Westinghouse 2-loop licensees used the Westinghouse seal LOCA model, which tends to give lower probabilities of seal failures and lower leak rates than other models used in IPEs for Westinghouse plants. However, implementation of the Westinghouse model varied somewhat among the Westinghouse 2-loop plants, and this variation had a signi6 cant impact on the results. For example, Prairie Island used a relatively low leak rate from the RCPs for cases with seal LOCAs, giving considerable time for recovery of failed equipment.
• IA dependency- Although not generally the dominant contributor, IA failures are substantial contributors to transients for the Westinghouse 2-loop plants. The pressurizer PORVs rely on IA for all plants in this group. As a result, loss of IA removes the capability to use feed-and-bleed cooling. In addition, the unavailability of the PORVs to relieve RCS pressurization imposes more demands on the SRVs, thereby increasing the probability of LOCAs that cannot be isolated. The Ginna IPE shows the greatest dependence on IA, with about one-quarter of the plant CDF initiating with IA failure.

All of the licensees are considering or have implemented improvements to address the factors that increase the transient-related CDF. Most of the IPEs addressed improvements aimed at increasing the reliability of AC power during LOOP scenarios (e.g., adding or upgrading diesel generators or gas turbine generator, upgrading power distribution, and adding batteries). About half of the plants addressed upgrades related to IA (e.g., adding crosstics, reducing IA dependencies on other support systems, or changing valve failure modes to avoid water diversion upon loss ofIA). All of the licensees also considered improvements to address plant-specific issues. At some plants, these modifications have been completed and were credited in the IPEs; at other plants, the modifications are still under consideration. LOCAs are important contributors to CDFfor all plants in this group. The LOCA contributions for the Westinghouse 2-loop plants are generally dominated by small LOCAs, because of the higher small LOCA initiator frequency. The dominant contributor to core damage for LOCAs is ECCS failure during recirculation. Recirculation involves realigning systems, and typically involves more components than required for the injection mode; this complexity leads to a higher failure probability, in addi: ion. the Westinghouse 2-loop plants require operator action to align the systems for recirculation; this also increases the probability of failure. NUREG-1560, Draft 3 58

3. Core Damage Frequency Perspectives The IPE submittals for the Westinghouse 2-loop plants did not show a large variability in the contribution from LOCAs. The relatively small variability observed among the plants, as well as the difference in contribution relative '

to other Westinghouse plants are primarily related to the switchover of ECCS from injection to recirculation. Generally, plant design and operational features had about the same impact on the LOCA CDF as did modeling characteristics. Overall, the most influential factors are as follows: Switchover to recirculation - All of the Westinghouse 2-loop plants require manual actions to initiate j recirculation. This need for manual action increases the CDFs, panicularly for large and medium LOCAs in which there is less time available for the operators to perform the actions. For small LOCAs that remain j

,           at RCS pressures above the shutoff head of the LPI pumps, ilPR is needed. The Westinghouse 2-loop                l plants achieve HPR by aligning the llPI pumps to draw suction from low-pressure systems during                  )

recirculation. %e time available for performing the realignment varies among the plants because of factors I such as the size of the RWST, and whether the containment sprays will be actuated for the LOCAs (causing more rapid depletion of the RWST). These factors, as well as the assessed probabilities of the operator successfully performing the alignment afTect the reliability of the switchover from injection to recirculation. For example, Point Beach had the greatest large LOCA contribution to CDF for the Westinghouse 2-loop plants, primarily because the Point Beach licensee based the IPE on a pessimistic value for operator failure j to perform the switchover. Most licensees indicated that plant improvements are being made to address LOCA issues. These improvements involve hardware and procedures needed for recirculation, revised training programs for feed-and-bleed procedures, and revised technical specifications to align ECCS pumps to the RWST (rather than the boric acid storage tank) while in standby. SB0 accidents are important contributors to CDFfor some Westinghouse 2-loop plants. SBO accidents involve an initial LOOP followed by failure of the emergency onsite AC power sources. This failure of AC power sources results in failure of allinjection systems and failure of the motor-driven AFW. This leaves only turbine-driven AFW available to cool the core and no systems available to provide injection to make up the loss through any RCP seal LOCAs that develop during the transient. Generally, plant design and operational features have a greater impact on the SBO CDF than do modeling characteristics, but no single factor dominates. Combinations of contributors are usually important, and those , combinations vary from plant to plant. Overall, the most influential factors are those discussed below: Number of emergency AC power sources - The number of emergency diesel generators directly affects the reliability of the emergency AC power system, and varies among the four Westinghouse 2-loop sites. The two single-unit sites each have two emergency diesel generators. Of the dual-unit sites, one has three emergency diesel generators, and the other has four emergency diesel generators. In addition, one dual-unit site (Point Beach) has a gas turbine generator available to provide emergency power. Technical suppon center diesel generators are available at the two single-unit sites, and these diesel generators can power the charging pumps to cool the RCP sea's. This relatively high availability of emergency power at all of the Westinghouse 2-loop plants contributes to the lower contribution from SBO relative to the other Westinghouse plants. Plant operating data- The plant data for Ginna and Prairie Island indicate low LOOP frequencies and high reliability of the emergency diesel generators. This is a key reason that these two plants have the lowest SBO contributions for the Westinghouse 2-loop plant group. 3-59 NUREG-1560, Draft i

3. Core Damage Frequency Perspectives

• Modeling of RCP seal LOCAs - Because seal cooling is lost during a SBO, RCP seal LOCAs are important for most Westinghouse plants. As noted in the discussion of transients above, all Westinghouse 2-loop IPEs used the Westinghouse model for characterizing RCP seal LOCA frequency and leak rate. As a result, the Westinghouse 2-loop plants have a lower overall contribution from RCP seal LOCAs than other Westinghouse plant groups.110 wever, the implementation of the seal LOCA model varied somewhat among the submittals, introducing some variability into the results.
• Backup cooling for RCP seals - Some plants have backup capabilities for seal cooling (e.g., technical support center diesel generator for Kewaunee and Ginna). His capability reduces the frequency of SBO sequences with RCP seal LOCAs.

He plant improvements related to increasing the reliability of AC power that are discussed above for transients are also beneficial for SBO accidents. In addition, some licensees indicated that plant improvements are under consideration or have been implemented to enhance the reliability of turbine-driven AFW (e.g., providing connection to use firewater for cooling the turbine-driven AFW pumps, or equipment modifications to improve the reliability of the pumps), or to provide alternative RCP seal cooling during SBO accidents from the technical support center diesel generator.  ; SGTR is an important contributor to CDFfor one of the Westinghouse 2-loop plants. SGTR sequences involve leakage from the primary to the secondary through a ruptured steam generator tube, followed by failure to either mitigate the leak or establish long-term core heat removal. The SGTR accident class is an unusually high contributor - to plant CDF for one Westinghouse 2-loop plant (Ginna). Although lower than Ginna, the other Westinghouse 2-loop plants have SGTR CDFs that are generally higher than for the other PWRs. Because the releases bypass containment, the impact on risk results is also important for these plants. ne SGTR contribution to CDF is primarily driven by the treatment of operator actions. Rese accidents require considerable operator involvement, with procedures that vary among the plants. In addition, modeling of operator errors and strategies to respond to the SGTR varies considerably among the IPEs. The high SGTR contribution at Ginna appears to be primarily an artifact of the stringent success criteria applied for inventory control. Ilowever, the licensee indicated that, as a result of the IPE, the procedures for coping with SGTRs are being evaluated for possible improvements. Internalflooding is importantfor some Westinghouse 2-loop plants. Internal flooding events involve rupture of water lines that result in a release of water that can directly cause the failure of required mitigating systems and/or , other mitigating systems because of submergence or spraying of required components. The effects of internal flooding are highly plant-specific, depending on the layout of equipment within the plant and the relative isolation of rooms. Because of this design and layout diversity, each plant has different vulnerabilities to flooding, and generic conclusions regarding flooding can not be drawn. He plants with the largest flood contributions typically were dominated by floods that affected support systems such as electric power and SW, which have plant-specific designs. Most licensees indicated that plant improvements are under consideration or have been implemented to reduce the - potential for core damage from flood scenarios. Dese improvements include changes to procedures for identifying and coping with floods (e.g., maintaining doors closed, or revising procedures to isolate leaks), as well as changes to plant layout (e.g., changing the swing direction of doors). A TWS is not a dominant contributorfor any of the Westinghouse 2-loop plants. ATWS sequences involve a transient, followed by failure to shut down the nuclear chain reaction by inserting the control rods. Power generation NUREG-1560, Draft 3 60

1 1

3. Core Damage Frequency Perspectives continues at levels far in excess of normal decay heat. An ATWS sequence can be mitigated by pressure control and heat removal. Because of the low frequency of failure to scram, and because none of the plants in this group operate with PORV block valves closed, ATWS is a low contributor (less than 1% of CDF) for all of these plants.

ISLOCAs are not dominant contributors to CDFfor the Westinghouse 2-loop plants. ISLOCAs, however, can be significant contributors to risk because the releases bypass containment. The low CDF contribution results from the low frequency of the LOCA initiator, combined with its negligible-to-minimal impact on other systems. This low impact is attributed to the compartmentalization and separation of the equipment. 3.3.4 Westinghouse 3-loop Perspectives i Table 3.16 lists the Westinghouse 3 loop plant group, which includes thirteen plant units (represented by 9 IPE submittals). Table 3.16 Plants (per IPE submittal) in the Westinghouse 3-loop group. Beaver Valley 1 Beaver Valley 2 Farley 1&2 North Anna I&2 Robinson 2 Shearon IIarris i Summer Surry 1&2 Turkey Point 3&4 s As a group, the Westinghouse 3-loop plants tend to have the highest plant CDFs of the PWRs, as illustrated in Figure 3.16. The importance of specific accident classes to CDF varies significantly from plant to plant, as shown in Figure 3.17. Ilowever, the following accident classes are important for many of these plants: i

• transients 1
• LOCAs
• SBO - the loss of all offsite and onsite AC power In general, transients are important contributors to CDF and containment failure frequency because they involve relatively high initiating event frequencies coupled with support system failures that defeat the redundancy in systems available to mitigate potential accide' ts. LOCAs are more important for these and most other PWR plants than for BWR plants (see Section 3.2) bsause fewer systems are available in the PWRs to provide LPl. SBO accidents are relatively important for the Westinghouse 3-loop plants because they leave few systems available to prevent core damage. A few licensees 'Jentified internal floodine accidents as being important, generally reflecting plant-specific weaknesses. All but onr of the plants hr' ATWS con 6ttions ofless than 10%, and all of the plants have SGTR sequences of 10% or less. All of the nicensees reported Cbi . Gom ISLOCAs that are less than 3% of the plant CDF.

3-61 NUREG-1560, Draft

3. Core Damage Frequency Perspectives

                                       ~                                         '
                                            '        *          ^

up m & ,

                                          ^                                          '~              <*
                                        ,         lQQl
                                                              +      "' ' ?.y)
                                                                                                                    /
                            #                                                                                              s  -

iQPe

     'y                  SM.
                                                                     .       *a

• aa .;.

L g- *;" j [- 1482 eaaa

                                                                                                            ** a I.                                                   llilj
         ,       I                                                      :n.

I smm A A gg4 I_ ' sma PWRs W4

         ^
                                                ,                                                         4                                 g7
                                                                                                                       >                              m~;p
                                                                                                                                          ^

v

      '                          '                                       ^

v

                                                                                                      <         -kMfjh      w s  's      ;;;                +

x

                              .      Support systern failures are important because they defeat redundancy in front-line systems.
                                                                                                                                                '            s  ,

M - Relatively high dependence of front-line systems on SW, CCW, and . HVAC increases CDP for transients. l ag < e RCP seal LOCAs are higher contributors to transients for ' Westinghouse three-loop plants than for other Westinghouse plant

                ??"                  groups because of generally higher dependence on CCW and modeling assumptions.

m. \

              -               . . LOCA CDF is increased for most plants by the requirement for                                                          a
                                                                                                                                                        ~

manual actions to switch to ECCS recirculation at those plants.

                              .       Variability in SBO is primarily driven by redundancy of emergency                                                          l AC power sources and modeling of RCP seal LOCAs.

I

       %                                             W ?%                     <

l

                          ~
                                                        <  ?%                                                                       ,

gg,

                                                            .                                      ~

j l l 1 Figure 3.16 Reported IPE CDFs and key perspectives for the Westinghouse 3-loop PWR plant group. NUREG-1560, Draft 3-62

3. Core Damage Frequency Perspectives 1.0E-03 AA 6

m W A

   > 1.0E 04                                        A o                       A                       8                        A Us                        "           A                                                          ]A' g

A M 2 A 6

                            "                      A_
   $1.0E-05

• A g AA h A

                                                               *                       {'

D C u d , A G 3 fa A A A C' M A 8 1.0E A G AA A m aa E n N A N M e 1.0E O" - u O

    < 9.0E-08                                                                                      u SBO         ATWS            T      SGTR        LOCA ISLOCA FLD Figure 3.17       Reported IPE accident sequences CDFs for Westinghouse 3-loop plants.

These accidents are normally low contributors because of the low frequency of the initiating event and the relatively high probability of the operators isolating the rupture. Nonetheless, SGTR and ISLOCAs can be important risk contributors since the releases bypass containment. De variation in the reported IPE results is attributed to many factors, including plant-specific design features, modeling assumptions, and use of data (including the probability of operator errors). Rese factors and the improvements being considered by the plants to address weaknesses are summarized in Table 3.17, and are discussed below for each important accident class. 3-63 NUREG-1560, Draft

3. Core Damage Frequency Perspectives Table 3.17 Summary of CDF perspectives for the Westinghoust 3-loop plant group. .

Accident Important design features, operator actions, Important i importance and model assumptions plant improvements Transient Accidents Important for all Degree of IIPI and AFW dependence on SW Providing backup cooling for charging Westinghouse 3-loop and CCW pumps so that RCP seal cooling can be plants maintained Dependence of RCP seal cooling on SW or CCW Replacing RCP seals with the newer temperature-resistant design Modeling of RCP seal LOCA probability and size Dependence on IIVAC (particularly switchgear) I LOCAs Important for most Most plants have automatic switchover for low- Revising hardware and procedures needed Westinghouse 3-loop pressure recirculation (LPR), but require manual for recirculation plants actions for switchover to llPR , Changing feed-and-b!ced procedures Ability to depressurize the RCS by aggressively , cooling down using steam generator ADVs so LPI can be used when llPI fails Ability to refill the RWST SBO accidents Important for many AC power reliability (number of diese! Adding diesel generators i Westinghouse 3 loop generators, crosstic capabilities between units, plants diverse AC power sources) Improving diesel generator reliability and maintenance programs Battery life Adding procedures for crossticing buses r Modeling of RCP seal LOCA probability and size Improving load shedding procedures Backup cooling for RCP seals Providing independent battery charging capability Dependence of switchgear on IIVAC . Providing attemative RCP seal cooling l during SBO Intemal flood accidents i important for some Plant layout (separation and Changing procedures for identifying and l Westinghouse 3-loop compartmentalization of mitigating system coping with floods sites components) l Changing plant layout (e.g., adding dikes, ) water-tight doors, or backflow prevention devices in drains) 1 J ATWS accidents Not important for most Plant operation with PORV block valves closed Implementing modifications to remove Westinghouse 3-loop power to the bus if the reactor trip plants breaker fails NUREG-1560, Draft 3-64

3. Core Damage Frequency Perspectives Table 3.17 Summary of CDF perspectives for the Westinghouse 3-loop plant group.

Accident Important design features, operator actions, important importance and model assumptions plant improvements SGTR accidents Not important for Modeling of operator actions to isolate the implementing procedures to isolate steam Westinghouse 3-loop rupture and provide long-term heat removal generator with ruptured tube plants implementing procedures to depressurize steam generators when llPI fails ISLOCAs Not important for any Compartmentalization and separation of Implementing procedures and training to Westinghouse 3-loop equipment enhance operator response to ISLOCAs plant I l 1 Transients are inportant contributors to CDFfor all Westinghouse 3-loop plants. This accident class involves events that cause the reactor to trip followed by failure to bring the reactor to safe shutdown. This may involve - either failure to remove decay heat or failure to replace reactor coolant inventory following an accident-induced LOCA, normally an RCP seal LOCA. Transients represent a broad category, covering both general initiators (such  ! as reactor trip or loss of main feedwater) and support-system initiators (such as loss of SW or AC/DC bus). The failures leading to transient-related core damage are quite plant-specific. However, some key factors affecting the transient-related CDF are common among many of the submittals. Rese key factors involve plant-specific design and operating conditions, as well as the assumptions made in the IPEs. He modeling assumptions regarding RCP l seal LOCAs affect the results and represent an important area of uncertainty. The key factors are identified and discussed below: SW and CCW dependencies - At most of the plants, there is a relatively high dependence of other plant j systems on CCW and/or SW. The configurations vary considerably among the plants, however. For example, motor-driven AFW requires SW cooling at 11.B. Robinson, while the Shearon liarris pumps are self-cooled. Particularly important for the Westinghouse 3-loop plants is the configuration for cooling the RCP seals and charging /llPI pumps, which is further discussed below. Because of the relatively high dependence on CCW and/or SW, loss of either of these support systems is imponant to the overall transient-related CDF. Susceptibility to RCP seal LOCAs - For some plants, the importance of RCP seal LOCAs is reduced because of plant design characteristics that reduce the associated threat. nese include the availability of backup systems (e.g., firewater or crosstics to a second unit at the site) to cool the seals when the normal configuration fails. ney also include the use of different suppon systems to cool the RCP seals so that loss of a single system does not lead to an unmitigable LOCA. He modeling of RCP seal LOCAs varied considerably among the IPEs, with some using low leakage probabilities and leak rates, while others used much higher values for both parameters. His variability has a significant impact on the results. For example, the North Anna IPE indicated a low contribution from sequences involving RCP seal LOCAs, primarily because seal leakage was assumed to be minimal if the operators are able to successfully 3 65 NUREG-1560, Draft

3. Core Damage Frequency Perspectives depressurize the primary system. At the other extreme, the dominant transient sequence at Turkey Point involved loss of CCW that induced the failure of both flPI and cooling to the RCP seals, leading to an RCP seal LOCA that cannot be mitigated.

• IIVAC dependency - ne dependency of systems on llVAC for the Westinghouse 3-loop plants varied between the extremes of IIVAC not being needed to llVAC being required for key systems such as electrical switchgear. This variation affects the trvuient-related CDF for this group, with dependency on llVAC increasing the CDFs for the affected plants, ror example, Surry,11.B. Robinson, and Beaver Valley have significant contributions to CDF from transients wis failure of tWAC to electrical switchgear.

All of the licensees are considering or have implemented improvements to address the factors that increase the transient-related CDF. He most common plant improvements are aimed at reducing the potential for RCP seal LOCAs (e.g., providing backup cooling for charging to maintain RCP seal cooling, or replacing seals with the newer temperature-resistant design). Other improvements increase the reliability ofAC power during LOOP scenarios (e.g., adding diesel generators, improving diesel reliability and maintenance programs, adding procedures for crosstieing buses). All of the licensees also are considering improvements to address plant-specific issues. At some plants, these modifications have already been completed and were credited in the IPEs; at other plants, the modifications are still under consideration. EXJCAs^~DTdntJ10rrans s:vruirs*lusivra iv EOYjor uruvai plssruis in ilsl> giveny. Tun LOCA L&Ghibuhaus fur all Westinghouse 3-loop plants except li.B. Robinson are dominated by small LOCAs, because of the higher small LOCA initiator frequency. He dominant contributor to core damage is failure of ECCS during recirculation, but a few plants are dominated by failures during injection. Recirculation involves realigning systems, and typically involves more components than required for the injection mode; this complexity leads to a higher failure probability. In addition, some plants require operator action to align the systems for recirculation; this generally increases the probability of failure. Generally, plant design and operational features had about the same impact on the LOCA CDF as did modeling characteristics. Overall, the most influential factors are those discussed below:

• Switchover to recirculation - At most of the plants some manual actions are required to initiate recirculation because liPR draws suction from low-pressure systems. Ilowever, the switchover of the low-pressure systems from the RWST to the containment sump is automatic at most of the plants; this simplifies the actions required of the operators, thereby increasing the probability of successfully completing the action. Plants without this automation tend to have higher LOCA CDFs, particularly for large and medium LOCAs, in which there is less time available for the operators to perform the actions. At II.B. Robinson,  ;

for example, the switchover is manual, and this plant has the highest LOCA CDF for the Westinghouse 3- l loop plants. ): I

• Alternative actions to mitigate a LOCA - Some licensees credit alternative actions such as depressurizing the RCS using the steam generator ADVs when liPI fails during a LOCA or refilling the RWST if i recirculation fails. He ability of these strategies to succeed is plant-specific and it is not clear whether l l

other licensees can use the same strategies. Ilowever, the strategies are found to be important for those submittals that credited the actions.  ! Very few licensees indicated that plant improvements are being made to address LOCA issues. De indicated improvements involve hardware and procedures needed for recirculation, and changes to feed-and-bleed procedures. NUREG-1560, Drafl 3-66

_~_ __ .__ _ _ _ _ ._ __._ __ _ _ - _ . _ _ . _ _ _ __._____m__._ 4 1 4

)                                                                                          3. Core Damage Frequency Perspectives b            SBO accidents are important contributors to CDFfor many of the Westinghouse 3-loop plants. SBO accidents j            involve an initial LOOP followed by failure of the emergency onsite AC power sources. He failure of AC power sources results in failure of all injection systems and failure of motor-driven AFW. His leaves only turbine-driven l                                                                                                                                     ,

i AFW available to cool the core and no systems available to provide injection to make up the loss through any RCP l 1 seal LOCAs that develop during the transient. l Generally, plant design and operational features have a larger impact on the SBO CDF than do modeling , t , characteristics, but no single factor dominates. Combinations of contributors are usually important, and those combinations vary from plant to plant. Overall, the most influential factors are those discussed below: i e Modeling of RCP seal LOCAs and seal design - Because seal cooling is lost during a SBO, RCP seal  !' LOCAs are important for most Westinghouse 3-loop plants. As noted in the discussion of transients above,

RCP seal LOCA modeling varies among the submittals, and has a significant impact on the results. Backup capabilities for seal cooling (e.g., crosstics between units for North Anna and Surry) are also important.

j

• Number of emergency AC power sources - De number of emergency diesel generators (usually two or j three per unit) directly affects the reliability of the emergency AC power system. Further, a few plants have j the ability to crosstie between units or have extra diesel generators available. This reduces the SBO CDF, j particularly if the diesel generators are of diverse design, thereby reducing the potential for common cause

       ~

failure. For example, turxey i vini h s fa em;rgency--dbrd-genesta s-and--five4kekstart--fe e!

generators at the site (two nuclear units). This significantly reduces the SBO CDF for the plant. Modeling of common cause failures can also be important; for example, use oflow common cause failure probabilities

! significantly lowers the SBO CDF for Shearon Harris and Farley.

• Battery depletion time - Although some licensees indicated that they have the capability to manually l control AFW when DC power is lost, most licensees indicated that they need battery power to provide AFW control. Thus, for most plants, when the batteries are depleted, all cooling is lost and core damage ensues.

] Battery depletion times range from two to eight hours for this group, with the longer times tending to reduce the SBO CDF. f ) ne plant improvements related to increasing the reliability of AC power that were discussed above for transients are also beneficial for SBO accidents, in addition, some licensees indicated that plant improvements are under [ < consideration or have been implemented to extend the availability of DC power (e.g., improved load shedding . procedures or providing independent battery charging capability). Other improvements will reduce the susceptibility l to RCP seal LOCAs (e.g., replacing RCP seals with high-temperature o-rings or providing alternative RCP seal j cooling during SBO accidents). Internalflooding is ingportantfor some Westinghouse 3-loop plants. Internal flooding events involve tupture o( water lines that result in a release of water that can directly cause the failure of required mitigating systems and/or l 1 cause system failure because of submergence or spraying of required components. He effects ofintemal flooding are highly plant-specific, depending on the layout of equipment within the plant and the relative isolation of rooms. l Because of this design and layout diversity, each plant has different vulnerabilities to flooding, and generic j' conclusions regarding flooding can not be drawn. He plants with the largest flood contributions are typically i dominated by floods that afTect support systems (such as electric power and SW), which have plant-specific designs. i

he plants with the highest CDF contributions from internal floods indicated that plant improvements are being I considered or have been implemented to reduce the potential for core damage from flood scenarios. R ese 3-67 NUREG-1560, Draft l

i I _ _ __ _ , - - - . , - _

                                                                                                                           \

3. Core Damage Frequency Perspectives improvements include changes to procedures for identifying and coping with floods, as well as changes to plant layout (e.g., adding dikes, water-tight doors, or backflow prevention devices in drains).

A TWSis not an important contributorfor most Westinghouse 3-loopplants. ATWS sequences involve a transient, followed by a failure to shut down the nuclear chain reaction by inserting the control rods. Power generation continues at levels far in excess of normal decay heat. An ATWS sequence can also be mitigated by pressure control and heat removal. Because of the low frequency of failure to scram, ATWS is a relatively low contributor (less than 10% of CDF) for nearly all plants in this group. The single plant with a significant ATWS contribution (Beaver Valley 1) operates with two of the three PORV block valves closed, thereby reducing the relief capacity of the primary system during the early phase of an ATWS. SGTR is not a dominant contributor to CDFfor Westinghouse 3-loop plants. SGTR sequences involve leakage from the primary to the secondary through a ruptured steam generator tube, followed by either failure to mitigate the leak or failure to establish long-term core heat removal. SGTR accidents are a minor contributor to plant CDF (less than 10%) at the Westinghouse 3-loop plants because of the low frequency of the rupture occurring and the relatively high probability of the operators isolating the rupture. liowever, the contribution to risk is more significant at many plants because the releases bypass containment. Although minor, the SGTR contribution to CDF is primarily driven by the treatment of operator actions in the IPEs. SGTR accidents require considerable operator involvement, with procedures that varied among the plants. In adaiffo1r,'fnodeting ofoperator errormdstr::tegien varied considerably ameng the IPEs. Although this area contains _ _ __ large uncertainties, it does not have a large impact on overall plant CDF. ISLOCAs are not dominant contributors to CDFfor Westinghouse 3-loop plants. ISLOCAs, however, can be significant contributors to risk because the releases bypass containment. The low CDF contribution results from the low frequency of the LOCA initiator, combined with its negligible-to-minimal impact on other systems. This low impact is attributed to the compartmentalization and separation of the equipment. 3.3.5 Westinghouse 4-Ioop Perspectives Table 3.18 lists 32 plant units (represented by 20 IPE submittals) of the Westinghouse 4-Loop plant group. Table 3.18 Plants (per IPE submittal) in the Westinghouse 4-loop group.

 ~

i Braidwood 1&2 Byron I&2 Callaway Catawba 1&2 , Comanche Peak I&2 DC Cook I&2 Diablo Canyon I&2 fladdam Neck Indian Point 2 Indian Point 3 McGuire 1&2 Millstone 3 Salem 1&2 Seabrook Sequoyah 1&2 South Texas I&2  ! Vogtle 1&2 Wans Bar 1 Wolf Creek Zion I &2 The Westinghouse 4-loop plants span nearly the entire range of CDFs reported for PWRs, as illustrated in  ! Figure 3.18. One dual-unit plant (Zion 1&2) has a CDF considerably below the other PWRs. His outlier primarily reflects more optimistic modeling (relative to the other PWRs) of success criteria, operator actions, and common cause failures. The importance of specific accident classes to CDF varied significantly from plant to plant, as shown in Figure 3.19. NUREG-1560, Draft 3-68

        -                              _      -     .             .- =-         . .-                    .__     - . _ . __      . _-.

3. Core Damage Frequency Perspectives

                              /

saem , A a s I ff* I a ..

              ,'          tasm ,                           e se                            ,,

l!ilg

n.i 11 9 :

i* I j ,mm . ' tasm ,

                     .I_

imm i _ . _ . . PWRs W4 j l l l i 4

• Support system failures are important because they defeat l redundancy in front-line systems.

                                . Relatively high dependence of front-line systems on SW and                                       i CCW increases CDP for transients.

a Variability in contribution from RCP seal LOCAs reflects differences in both plant designs and modeling assumptions.

                                -    Plants requiring manual actions for ECCS switchover to recirculation tend to have higher LOCA CDFs.

l Figure 3.18 Reported IPE CDFs and key perspectives for the Westinghouse 4-loop PWR plant group. NUREG-1560, Drafi 3-69 d

3. Core Damage Frequency Perspectives imm .

C e k 6124: l'

                                                                 "                  a

[ xr d' 'A g W h st - g g $.. I Ml A 7C "* ! gj Ak ka e aa AA 1.OE4 aa g

                                                                               "   N         "

• A&

g ,, && 'A aa T t.0E 07 : M

a. ..

I $ o u

                                               '                             YA                A'
     < 1.0E4                                   n                             :=                           =

SBO A1WS T SGTR LOCA ISLOCA FLD

                ' Indian Fbirt 2 defarred 6tamd flooding andysis to IFEEE Figure 3.19            Reported IPE accident sequences CDFs for Westinghouse 4-loop plants.

De following accident classes, however, were important for many of these plants: I

• transients l
• LOCAs SBO - the loss of all offsite and onsite AC power in general, transients are important contributors to CDF and containment failure frequency because they involve relatively high initiating event frequencies coupled with support system failures that defeat the redundancy in systems available to mitigate potential accidents. LOCAs are more important for these PWR plants than for BWR plants (see Section 3.2) because fewer systems are available in the PWRs to provide LPl. SBO accidents are relatively important for the Westinghouse 4-loop plants because they leave few systems available to prevent core damage.

A few licensees identified internal flooding accidents as being important, generally reflecting plant-specific weaknesses. With the exception of a single outlier plant in each category, none of the licensees found ATWS or SGTR sequences to be important contributors, and none of the licensees reported significant CDFs from ISLOCAs. These accidents are normally low contributors because of the low frequency of the initiating event and the relatively high probability of the operators isolating ruptures in steam generator tubes. Although SGTR and ISLOCAs were generally found to be low contributors to CDF, the releases can be imponant risk contributors since they bypass containment. NUREG-1560, Drafl 3-70

I l i l  : ( l t l l 3. Core Damage Frequency Perspectives , ! i The variation in the reported IPE resula is attri'>uted to many factors including plant-specific design features, l modeling assumptions, and use of data (incluang the probability of operator etTors). These factors and the improvements under consideration by the licensees to address weaknesses are summarized in Table 3.19, and are discussed below for each important accident class. Table 3.19 Summary of CDF perspectives for the. Westinghouse 4-loop plant group. N Accident Important design features, operator actions, Important l importance and model assumptions plant improvements Transient accidents important for nearly all Degree ofIIPl and AFW dependence on SW and Adding a new CST Westinghouse 4-loop CCW pl ants Using firewater to extend the  ! Dependence of RCP seal cooling on SW or CCW availabihty of AFW l Modeling of RCP seal LOCA probability and Using of backup city water to extend l l size the availability of AFW 1 1 Replacing RCP seals with the newer ! temperature-resistant design Providing backup cooling for RCP seals LOCAs important for many Degree of automation of switchover of ECCS to Revising hardware and procedures Westinghouse 4-loop recirculation needed for recirculation l plants l Design of IIPR (drawn directly from sump Upgrading feed-and-bleed training instead of drawing suction from LPR) Size of the RWST Ability to depressurize the RCS by aggressively l cooling down using steam generator ADVs so ' l i LPI can be used when llP1 fails Ability to refill the RWST SBO accidents 1. l Important for many AC power reliability (number of diesel Adding or upgrading diesel generators Westinghouse 4-loop generators, crosstic capabilities between units, or gas turbines plants diverse AC power sources)  ; Improving diesel generator reliability  ! RCP seat material and maintenance programs j Backup cooling for RCP seals Adding procedures for crossticing buses Modeling of RCP seal LOCA probability and Improving load shedding procedures size Improving battery capacity 13attery life Providing independent battery charging

 ,                                           Diesel generator reliability                            capability i

Implementing procedures for manual ! operation of AFW when control power (DC) is lost 3-71 NUREG-1560, Drafi i l l L__ ____ - _,

i j

3. Core Damage Frequency Perspectives Table 3.19 Summary of CDF perspectives for the Westinghouse 4-loop plant group.

Accident Ireportant design features, operator actions, Important importance and model assumptions plant improvements 1 Internal flood accidents j 1 Important for some Plant layout (separation and compartmentalization Modifying demineralized water system 1 Westinghouse 4-loop of mitigating system components) sites ATWS accidents Not dominant for most Plant operation with PORV block valves closed Installing AMSAC Westinghouse 4-loop plants Adding altemative scram button SGTR accidents Not imponant for most Modeling of operator actions to isolate the Implementing procedures for coping Westinghouse 4-loop ruptare and provide long-term heat removal with SGTR plants ISLOCAs Not important for any Compartmentalization and separation of Implementing procedure modifications Westinghouse 4-loop equipment plant Providing RIIR isolation valve leakage monitoring system Transients are ingportant contributors to CDFfor nearly all Westingirouse 4-Loop plants, This accident class involves events that cause the reactor to trip, followed by failure to bring the reactor to safe shutdown (either failure to remove decay heat or failure to replace the reactor coolant inventory following an accident-induced LOCA, normally an RCP seal LOCA). Transients represent a broad category, covering ger.eral initiators (such as reactor trip or loss of main feedwater), as well as support-system initiators (such as loss of SW or AC/DC bus). l ne failures leading to core damage for transients are quite plant-specific. However, some key factors affecting the  ! transient-related CDF are common among many of the submittals. nese key factors involve plant-specific design and operating conditions, as well as the assumptions made in the IPEs. He modeling of RCP seal LOCAs affects ih- results and represents an important area of uncertainty. He key factors are identified and discussed below: l SW and CCW dependencies - Most of the plants exhibit a relatively high dependence of other plant systems on CCW and/or SW. Rus, loss of either of these support systems is important to the overall transient CDF. For example, the dominant trarnient sequence at D.C. Cook is a loss of CCW leading to a RCP seal LOCA that cannot be mitigated. He configurations vary considerably among the plants, however, and plants with the ability to use alternative cooling configurations (when the primary cooling system is lost) generally have lower transient-related CDFs. Susceptibility to RCP seal LOCAs - For some plants, the importance of RCP seal LOCAs is reduced because of plant design characteristics that reduce the associated threat. Dese include the use of the newer seals (which are less susceptible to leakage than the older design), availability of backup systems (e.g., safe shutdown facility) to cool the seals when the normal configuration fails, and use of different support systems NUREG-1560, Draft 3-72

l

3. Core Damage Frequency Perspectives to cool the RCP seals (so that loss of a single system does not lead to an unmitigable LOCA). %e modeling of RCP seal LOCAs '.Tries considerably among the IPEs, with some using low leakage probabilities and leak rates, while others used much higher values for both parameters. his variability had a significant impact on the results.

Most licensees are considering or have implemented improvements to address the factors that increase the transient-related CDF. The most common plant improvements are aimed at increasing the reliability of AC power during LOOP scenarios (e.g., adding or upgrading diesel or gas turbines, improving diesel reliability and maintenance l programs, adding procedures for crossticing buses). Other improvements include extending AFW availability (e.g., adding a new CST, using firewater, using backup city water), and reducing the potential for RCP seal LOCAs (e.g.,  ; replacing seals with the newer temperature-resistant design, or providing backup cooling for RCP seals). At some I plants, these modifications have already been completed and were credited in the IPEs; at other plants, the modifications are still under consideration. l l LOCAs are important contributors to CDFfor manyplants in this group. %e most comvr.on LOCA contributors are small LOCAs, but some plants are instead dominated by large or medium LOCAs. The small LOCAs are , generally the larger contributors to CDF because they have a higher frequency. De dominant contributor to core damage is ECCS failure during recirculation, but a few plants are dominated by failures during injection. ) Recirculation involves realigning systems, and typically involves more components than required for the injection I mode; this complexity leads to a higher failure probability. Generally, plant design and operational features had a larger impact on the LOCA CDF than did modeling f characteristics. Overall, the most influential factors are those discussed below,

• Switchover to recirculation - Most plants require some manual actions to initiate recirculation because HPR draws suction from low-pressure systems. However, the switchover of the low-pressure systems from the RWST to the containment sump is automatic at many plants. His simplifies the actions required of the operators, and increases the probability of successfully completing the action. At Haddam Neck, for example, the switchover is manual, and this plant has the highest LOCA CDF for the Westinghouse 4-loop plants. For ice-condenser plants in particular, the lower containment design pressure results in earlier actuation of containment sprays. As a result, so there is less time to perform the switchover. Herefore, the degree of automation is panicularly important for ice-condenser plants.
• Size of RWST - Some plants have larp KW3Ts so that the switchover to recirculation (and the associated complications discussed above) is either not necessary or is significantly delayed, giving the operators more time to complete the necessary actions for the switchmer to recirculation. Larger RWSTs were found to have an important effect on the LOCA-related CDF. For example, the two plants with the lowest LOCA CDFs (Braidwood and Byron) have relatively large RWSTs, and do not require switchover to recirculation for small LOCAs.
• Alternative actions to mitigate a LOCA - Some licensees credit alternative actions such as depressurizing the RCa using the steam generator ADVs when HPI fails during a LOCA, or refilling the RWST if recirculation fails. De ability of these strategies to succeed is plant-specific, and the strategies may not be feasible at other plants. However, the strategies were found to be important for those submittals that credited the actions.

3-73 NUREG-1560, Draft

3. Core Damage Frequency Perspectives Very few of the licensees indicated that plant improvements are being made to address LOCA issues. He indicated improvements primarily involve hardware and procedures needed for recirculation, and feed-and-bleed training upgrades.

SBO accidents are important contributors to CDFfor many Westinghouse 4-Loop plants. SBO accidents involve an initial LOOP followed by failure of the emergency onsite AC power sources. He failure of AC power sources results in failure of all injection systems and failure of motor-driven AFW. This leaves only turbine-driven AFW available to cool the core and no systems available to provide injection to make up the loss through any RCP seal LOCAs that develop during the transient. Generally, plant design and operational features have a larger impact on the SBO CDF than do modeling characteristics, but no s,.igle factor dominates. Combinations of contributors are usually imponant, and those combinations vary from plant to plant. Overall, the most induential factors are those discussed below: Modeling of RCP seal LOCAs and seal design - Because seal cooling is lost during a SBO, RCP seal LOCAs are important for the Westinghouse 4-Loop plants. As noted in the discussion of transients above, RCP seal LOCA modeling varies among the submittals, and has a significant impact on the results. Another important factor is whether the plants have replaced the RCP seals with the newer temperature-resistant design. Vogtle for example, has installed the new seals, and as a result has a relatively low contribution from SBO accidents that involve RCP seal LOCAs. (However, SBO accidents without seal LOCAs are relatively high for this plant.) i Number of emergency AC power sources - The number of emergency diesel generators (usually two or l three per unit) directly afTects the reliability of the emergency AC power system. Funher, a few plants have l a diverse AC power source, such P0 & gas turbine generator or an independent safe shutdown facility, and l are less susceptible to commori ' ause failures of diesel generators. Plant-specific operating history can also be important. For example, the operating history drives Vogtle to have the highest SBO CDF for this plant group. Battery depletion time - Although some licensees indicated that they have the capability to manually control AFW when DC power is lost, most licensees indicated that they need battery power to provide AFW l control. Thus, for most plants, when the batteries are depleted, all cooling is lost and core damage ensues. ! Battery depletion times range from 1 to 12 hours for this group, with the longer times redecting plants ! making extensive use of load shedding. Plant improvemena related to increasing the reliability of AC power that are discussed above for transients are also beneficial for SBO :.cJdents. In addition, many licensees indicated that plant improvements are under consideration ! or have been imple mtri. 'o extend the ava;1doility of DC power (e.g., improvements to battery capacity, improved load shedd;ng procedures, provir.ing independent battery charging capability). In addition, a few licensees implemented procedures for ;.anual operation of AFW when control power (DC) is lost. 1 internalflooding is importantfor some Westinghouse 4-Loop plants. Internal flooding events involve rupture of ,

  .%cr iines that result in a release of water that can directly cause the failure of required mitigating systems and/or   j cause system failure because of submergence or spraying of required components. De effects of intemal Gooding are highly plant-specific, depending on the layout of equipment within the plant and the relative isolation of rooms.

Because of this design and layout diversity, each plant has different vulnerabilities to Cooding, and generic NUREG-1560, Draft 3 74

_._ .___. _ ~_._ _ _.._ _ _ . _ _ . - _ _ _ . _ _ . . _ _ _ _ _ _ _ _

3. Core Damage Frequency Perspettives conclusions regarding flooding can not be drawn. Le plants with the largest flood contributions are tvpcally {

dominated by floods that affect support systems such as electric power and SW, which have plant-specific designs.  ! A TWSis not an important contributorfor most Westinghouse 4-Loop plants. ATWS sequences involve a transient, followed by failure to shut down the nuclear chain reaction by inserting the control rods. Power generation continues at levels far in excess of normal decay heat. An ATWS sequence can be mitigated by pressure control and heat l removal. Because of the low frequency of failure to scram, ATWS is a relatively low contributor (less than 10% , l of CDF) for nearly au plants in this group. The single plant with a significant ATWS contribution (Indian Point 3) operates with the PORV block valves closed, thereby reducing the relief capacity of the primary system during the early phase of an ATWS. SGTR is not an important contributor to CDFfor most Westinghouse 4-Loop plants. SGTR sequences involve > leakage from the primary to the secondary through a ruptured steam generator tube, followed by either failure to mitigate the leak or failure to establish long-term core heat removal. SGTR accidents are a minor contributor to  ! plant CDF at most Westinghouse 4-loop plants because of the low frequency of the rupture occurring and the  ! relatively high probability of the operators isolating the rupture. However, the contribution to risk is more significant , at many plants because the releases bypass containment. Although nearly always minor, the SGTR contribution to CDF is primarily driven by the treatment of operator , actions in the IPEs. These SGTR accidents require considerable involvement from operators, with procedures that vary among the plants. In addition, modeling of operator en ors and strategies varied considerably among the IPEs. Although thh area contains large uncertainties, it does not have a significant impact on the overall plant CDF. ISLOCAs are not dominant contributors to CDFfor the Westinghouse 4-loopplants. ISLOCAs, however, can be

significant contributors to risk because the releases bypass containment. The low CDF contribution results from the low frequency of the LOCA initiator, combined with its negligible-to-minimal impact on other systems. This low impact is attributed to the compartmentalization and separation of the equipment.

l i 1 l l 3 75 NUREG-1560, Draft i

l i

4. CONTAINMENT PERFORMANCE PERSPECTIVES  ;

i l 4.1 General Containment Performance Perspectives , When the accident progression analyses in the Individual Plant Examinations (IPEs) are viewed globally, they are,

for the most part, consistent with probabilistic risk analysis (PRA) containment performance analyses performed l previously. Failure mechanisms identified as important in the past were shown to be importe.nt in the IPEs as well.

I The significance of individual containment failure mechanisms is often determined by particular features of a containment class. In general, the IPEs confirmed that large volume containments are less likely to experience early structural failures than the smaller boiling water reactor (BWR) pressure suppression containments. liowever, as indicated in Figure 4.1, considerable variability exists in the conditional containment failure probabilities (CCFPs) reported within each containment class"". This variability exists in the reported frequencies of containment failure as well. The importance of early radionuclide releases to all risk measures (i.e., acute and latent health effects including land contamination), has been established in previous PRAs that included consequence calculations, in keeping with the l significance of such early releases,the containment performance analyses described in the IPE submittals emphasized the phenomena, mechanisms, and accident scenarios that could lead to early releases. These involve early structural failure of the containment, containment bypass, containment isolation failures, and for some BWR plants, deliberate venting of the containment. j As a group, the pressurized water reactor (PWR) large dry containments analyzed in the IPEs had significantly smaller conditional probabilities of early structural failure than the BWR pressure suppression containments analyzed. On the other hand, containment bypass and isolation failures are, in general, more significant for the PWR containments. As shown in Figure 4.1, however, these general trends often do not hold true for individual IPEs because of the considerable range in the results. For instance, CCFPs for both early and late failure for a number of PWR large, dry containments are higher than those reported for some of the pressure suppression containments. Differences in containment designs account for much of the observed differences in failure probabilities indiceted l in Figure 4.1. This is also true for the variations between containment classes, as well as differences between individual plants in the same containment class. In a significant number of cases, unique plant-specific containment features are identified in the analyses as leading to important failure mechanisms. liowever, differing assumptions in the accident progression modeling also play a major role in explaining the significant variability in the results. l Differences in modeling assumptions are not surprising, since considerable uncertainty still exists regarding the loads imposed on containments by the phenomena postulated in an accident progression analysis. Table 4.1 summarizes key observations regarding containm ent performance. The subsequent sections of this chapter discuss the containment performance perspectives in some detail. Chapter 12 of Part 3 of this report provides additional in-depth discussion of the containment performance results reported in the IPEs and the perspectives drawn from them. l i 4 I " Conditional containment failure probability is defined as the probability of containment failure conditional on 4 core damage having occurred. Chapter 14 provides a more detailed discussion on the definition and estimation of conditional failure probability. 4-1 NUREG-1560, Draft

l

4. Containment Performance Perspectives i 6

u

               ,u-

!

• su u:

swa u-u -  :. I..uu. ./ i. y  :$1  ! t u: . ,. _ti g u: _i ',g

                                                                            ,g:

2

                                        %          ra                                W
                                                                            .n.a     r j u:   <

i.'a u: '.' u b d' d L' ;t

                          .-        %~-~                      .-          ,      --

l .EnBa Enna 1 i l l l

• The large volume containments of PWRs are, on average, W

less likely to experience early structural failures than the smaller BWR pressure suppression containments. l l

• Probability of bypass is generally higher in PWRs because of

their higher operating pressures and the use of steam generators. i i

                     . Specific containment features as well as differing assumptions regarding containment loads lead to the observed variability.

Figure 4.1 Reported IPE CCFPs (given core melt) and key perspectives on containment performance for all plants. NUREG-1560 Draft 42

4. Containment Performance Perspectives Table 4.1 Summary of key containment performance perspectives for LWR containments.

Failure mode Key observations Early failure The large-volume containments of PWRs are, on average, less likely to experience early structural i failures than the smaller BWR pressure suppression containments I Overpressure failures, primarily from anticipated transients without scram (ATWS), fuel-coolant interaction (FCI), and failures due to direct impingement of core debris are found to be important i contributors to early failure for most BWR containments; hydrogen burns are found irnportant in , some Mark III containments l I The higher probability of early structural failures of BWR Mark I plants, compared to the later BWR I containments, is driven to a large extent by drywell shell melt-through* . Phenomena associated with high-pressure melt ejection (IIPME) are the leading causes of early failure for PWR containments Isolation failures are found to be significant in a number of large dry and subatmospheric containments The low probability of early failures for ice condensers (relative to the other PWRs) appear to be driven by analysis assumptions rather than plant features For both BWR and PWR plants, specific design features lead to a number of unique and significant l containment failure modes l Bypass Probability of bypass is generally higher in PWRs, in part, because of the contribution from steam generator tube ruptures (SGTRs) Bypass, mostly from SGTR, has probabilities comparable to early structural failure for both PWR containment types Bypass is generally not important for BWRs L at: failure Overpressurization when containment heat removal (CllR) is lost is the primary cause of late failure in most PWR and some BWR containments liigh-pressure and temperature loads caused by core concrete interactions (CCIs) are important for late failure in BWR containments Containment venting is found to be important for avoiding late uncontrolled failure in some Mark I IPEs The larger volumes of the Mark 111 containments are partly responsible for their lower late failure probabilities (in comparison to the other BWR containments) The likelihood of late failures often depends on the mission times assumed in the analysis i

• As noted in Chapter 8 there has been a considerable change in the state-of-knowledge regarding some severe accident phenomena in the time since the IPE analyses were carried out.

4-3 NUREG-1560, Draft

1

4. Containment Performance Perspectives 4.2 BWR Containment Performance Perspectives As noted in Section 1.4, BWR plants are separated into three groups (Mark I,11 and 111), according to the type of pressure suppression containment used, for the purpose ofidentifying containment performance perspectives from j the submitted IPEs. One early BWR, Big Rock Point, is housed in a large dry containment (similar to that used for i PWRs) and therefore is discussed in Section 4.3.1. l The results follow expected trends and indicate that the early Mark I containrnents are generally more likely than i the later Mark 11 and Mark 111 designs to fail during a severe accident. Ilowever, the ranges of predicted failure probabilities are quite large for all containment designs, and there is significant overlapping of the results. The variability in the results is attributable to a combination of factors including plant design differences such as the reactor pedestal and drywell floor configuration, drywell flooding, containrient construction (steel versus concrete),

and combustible gas control; modeling assumptions; end d iferences in re;overy actions that could be taken during a severe accident. Significant variability exists with regard to the contributions of the difTerent failure modes for each containment group. liowever, IPEs for plants in all three containment groups reported a significant probability of early or late structural failure conditional on core damage occurring. Dese results are expected because smaller pressure suppression containments have been found to have relatively high containment failure probabilities in past PRAs. Sections 4.2.1 through 4.2.3 discuss important factors that impact the probabilities of the failure modes shown in Figure 4.2 for each containment group. In general, each con'.ainment group has different factors that influence the failure modes. This often occurs because of differences in containment design between the three groups. For example, shell melt-through (caused by contact with core debris) is found to be the most important contributor to early containment failure for Mark I containments. This failure mechanism is possible for Mark I containments because the pedestal and drywell floor are at the same level, and core debris can reach the containment wall (which is usually steel). By contrast, the core debris cannot easily reach the containment wall in Mark 11 and Mark Ill containments; therefore, other failure mechanisms are found to be important for these designs. Specifically, accidents in which CllR is lost or inadequate are found to be. important contributors to early failure in Mark 11 plants. In Mark 111 plants, early failure is primarily caused by energetic events, such as FCis and hydrogen combustien events, flydrogen combustion is unlikely in Mark I and D plants because their atmospheres are inerted during operation. Late containment failure can be caused by gradual pressure buildup associated with non-condensible gas release, basemat melt-through, or hydrogen combustior, events. Gradual pressure buildup caused by CCI is found to be an important contributor to late failure in Mark I and 11 containments. Ilowever, hydrogen combustion is found to be  ! important to the probability of late failure in Mark 111 containments. Finally, venting can be important to the probability of containment integrity, loss (early and late in an accident sequence) for some BWR plants. Differerces in the modeling of venting contribute to the variability of the results. l ne containment performance results for all operating BWRs using pressure suppression containments are shown in j Figure 4.2 and perspectives are summarized in Table 4.2. NUREG-1560, Draft 4-4

1

4. Containment Performance Perspectives l

l

          ,S'  I' i

1ui u' l l j _ r l l 3 u: l  ; [ .A: .

                                                             **                                            i t                                                 T                           !

l u .,

                              .                          m                            7                    l ui               .t       '                   '

• i ui (,,

s! _

g. j n' A = - -

                                                             =            =           "
                     .-         r.,  -        . -          , -          .-       r.,  -                    ,

mw mm w w w I Mark i Mark u Mark is i . . - y g.

• The higher early structural failures of Mark I plants (versus the later BWR containments) are driven to a large extent by drywell shell melt-through.
• Bypass and containment isolation failures are generally not important for BWRs.

l The large volumes of Mark III plants are partly responsible for their lower late failure probabilities (in comparison to , other BWR containments). l i l

                                                             /

i Figure 4.2 Reported IPE CCFPs (given core melt) and key perspectives on containment performance for BWR plants. I l l 4-5 NUREG-1560, Draft

4. Containment Performance Perspectives Table 4.2 Performance summary for BWR containments.

Failure - Failure mode Important design features, operator Important mode importance actions, and model assumptions plant improvements Early Significant probability Ifigh pressure loads at the time the core debris Alternative water sources failure for most BWRs, melts through the reactor vessel, FCI, and for flooding of the , regardless of direct impingement of core debris are identified drywell floor containment type as contributors to early failure in BWRs Less restrictive drywell Isolation failures not Shell melt-through is found to be the most spray initiation criteria important for BWRs important contributor to early failure for Mark I plants. Specific design features, and Operator training on assumptions regarding core debris depressurization characteristics and the absence or presence of water in the drywell. determine the importance of shell melt-through for individual plants flydrogen burns are found to be important in some Mark III IPEs ATWS sequences are found to be important contributors in some BWR IPEs Specific design features play an important role , in many analyses I Bypass Not important for Bypass via emergency condenser is identified None identified BWRs as a group by one IPE Late Significant probability Iligh-pressure and temperature loads caused by Ensuring that the drywell , floor is flooded failure for most BWRs, . CCI are an important failure mode. Specific somewhat less important design features (size of sumps), as well as for Mark III assumptions regarding core debris Altering venting criteria containments characteristics and the absence or presence of to account for water in the drywell, determine the importance temperature effects for individual plants Excessive safety relief valve (SRV) discharge into a hot suppression pool is also found to lead to late failure in some cases Late combustible gas burns are important in some Mark IIIs plants Containment venting is found to be an important way of avoiding uncontrolled containment failure for some M. ark I and III I containments l NUREG-1560, Draft 4-6

1 l

4. Containment Performance Perspectives 4.2.1 HWR Mark I Perspectives Table 43 lists the Mark I containment group, which includes 22 BWR units (represented by 17 IPE submittals).

All of the plants in the BWR 2/3 group and most of the plants in the BWR 3/4 group have Mark I containments. These containments have relatively high strength, but small volumes, and rely on pressure suppression pools to condense steam released from the reactor pressure vessel during an accident. Table 4.3 Plants (per IPE submittal) in Mark I containment group. Browns Ferry 2 Brunswick I&2 Cooper Dresden 2&3 Duane Arnold Fermi 2 Fitzpatnck flatch I&2 Ilope Creek Millstone i Monticello Nine Mile Point i Oyster Creek Peach Bottom 2&3 Pilgrim I Quad Cities 1&2 Vermont Yankee Figure 43 shows the Mark 1 CCFPs of the various containment failt.re modes reported in the IPEs, and Table 4.4 summarizes the IPE results. 1.0 I h (Lt - aa aa ju  ! e a QJ 2 ' E i 3 1 j 0.6 : 'A 1! *

• l i

[c.s ,

  .s                                                                4 E4                                                                                         s     a o                                                                                                              )

o a 1 j0.3 2

                                                                    ,g                               4 g;                                                            $"a o ,,.

a'a i a a 0.0 '  :^ff! Bypass Eartyfalltse I.atefalltse Figure 4.3 Reported IPE CCFPs for BWR Mark I containments. 47 NUREG-1560, Draft

4. Containment Performance Perspectives Table 4.4 Performance summary for BWR Mark I containments.

Failure Failure mode Important design features, operator Suggested plant mode importance actions, and model assumptions improvements Early liigh probability for Shell melt-through is found to be the most Alternative water sources for j failure most plants in this group important contributor to early failure of flooding of the drywell floor I J Mark I plants, which are susceptible to direct impingement by core debris as a Less restrictive drywell spray result of their steel containment and reactor initiation criteria , pedestal-to-drywell communication Operator training on Specific design features, as well as depressurization assumptions regarding core debris characteristics and the absence or presence of water in the drywell, determine the importance of shell melt-through for individual piants , High pressure loads at the time the core debris melts through the reactor vessel is also a significant contributor to early failure ATWS sequences are found to be important contributors in some IPEs isolation failures are not important Bypass Not important for this Bypass via emergency condenser is None identified plant group identified by one IPE Late Significant probability liigh-pressure and temperature loads caned Ensuring that the drywell failure for most plants in this by core / concrete interactions are an floor is flooded group important failure mode Ahering venting criteria to Specific design features (size of sumps), as account for temperature i well as assumptions regarding core debris effects characteristics and the absence or presence of water in the drywell, deter.nine the importance for individual plants Containment venting is found to be an important way of avoiding uncontrolled containment failure in some IPEs The IPE results indicated a significant probability of early and/or late containment failure for most Mark I containments. Accidents that cause structural failure of the drywell shortly after the core debris melts through the l reactor vessel have been found to be dominant contributors to risk in past PRAs. The importance of individual failure mechanisms depends on plant-specific features and, in some cases, on modeling assumptions; however, the following mechanisms were found to be important causes of early structural failure for many Mark I containments: NUREG-1560, Draft 48 l 1

4. Containment Perfonnance Perspectives drywell shcIl melt-through caused by direct contact with the core debris (i.e., shell melt-through) e drywell failure caused by rapid pressure and temperature pulses at the time of reactor vessel melt-through In general, these failure mechanisms can be important to risk because of the relatively short time available for radioactivity decay, natural deposition processes, and accident response actions. In addition, drywell failure implies that radionuclides released from the damaged core bypass the suppression pool. (Significant retention can occur if aerosol radionuclides pass through a suppression pool.) Because of the relatively short time to radionuclide release and the magnitude of the release, these failure mechanisms have been found to be important to all risk measures (i.e., acute and latent health effects including land contamination) in past studies that included estimates of offsite consequences. These failure mechanisms can also occur for any accident class that involves release of a significant amount of core debris from the reactor vessel.

Other failure mechanisms are identified as being imponant in a few IPEs. For example, drywell failure caused by gradual pressure and temperature buildup associated with gases and steam released during CCI was imponant in some IPEs. In other IPEs, venting was found to be an imponant contributor to the release of radionuclides. Ilowever, accidents that bypass containment (such as interfacing systems loss of coolant accident (ISLOCAs) or involve containment isolation failure were not important contributors to the core damage frequency (CDF) in any of the IPEs for Mark I plants. These accidents were also not important to the likelihood of either early or late containment failure because their frequencies of occurrence are so much lower than the frequencies of early structural failure caused by other accidents that dominate the CDF. Each failure mechanism is discussed in more detail below. Shell melt-through is found to be the most important contributor to early containment failure for Afark I containments, given core melt. This failure mechanism has a relatively high likelihood of occurring in Mark I containments. 'Ihis is because, for most Mark I containments the reactor pedestal and drywell floor are at the same level and openings exist between the pedestal region and the floor. This design allows core debris to flow across the drywell floor and induce the failure of the steel drywell shell either by direct melt through or by creep rupture. The capability to flood the drywell floor, the design configuration of the drywell, and assumptions regarding core debris dispersal on the drywell floor determine, on a plant-specific basis, whether shell melt-through is a significant containment failure mcchanism. The most important plant features and modeling characteristics are discussed below: Drywell floor flooding - The presence of a water pool on the drywell floor mitigates shell melt-through in all of the submittals. The benefit of water on the drywell floor before vessel failure (at low pressure) as a mitigating mechanism for shell melt-through is significant (NUREG/CR-5423a2)) and utilities with Mark I containments may wish to consider this benefit when developing their accident management plans. Containment design configuration - The design of the drywell sump and drywell floor can prevent or mitigate shell melt-through in some Mark I containments. For example, containment sumps in the Monticello plant are large enough to contain the molten core material and thus prevent it from reaching the containment boundary. In the Oyster Creek drywell, a concrete curb prevents or limits core debris d'Theofanous, T.G., et al., " Probability of Linear Failure in a Mark 1 Containment," University of California, Santa Barbara, NUREG/CR-5423, August 1991. l 4-9 NUREG-1560, Draft l

                                                                                                                       )

4. Containment Performance Perspectives from reaching the containment shell. Also, the Brunswick containment is unique among Mark I designs because it is constructed of concrete (with a steel liner) rather than steel. Thus, even if the molten core debris reaches the Brunswick containment, it would be difficult to thermally degrade such a thick concrete structure.

• Core debris characteristics - The amount of core debris released to the drywell and the fluidity of the core debris assumed in the IPEs determine whether or not shell melt-through occurs. Shell melt-through is found to be an important contributor to the likelihood of early containment failure if a large amount of high-temperature core debris is assumed to be released to the drywell. Under these circumstances, the core debris can flow across the floor and melt through the shell. Shell melt-through is not an important mechanism for causing containment failure if smaller quantities of core debris at lower temperatures (less able to flow across the floor) are assumed to be released into the drywell. As different modeling assumptions can produce such significantly different results (i.e., containment failure versus no failure),

any actions taken by the utilities to mitigate this failure mechanism should reflect this uncertainty. Therefore, as water can effectively mitigate shell melt-through, utilities with Mark I containments may wish to ensure a flooded drywell floor in order to eliminate the uncertainty regarding containment failure caused by this mechanism. A number of utilities are being proactive in identifying minor hardware modifications and procedural changes to ensure a flooded drywell floor before reactor vessel melt-through. The availability of alternative water sources to the drywell spray header, such as water from a diesel-driven fire water pump during an station blackout (SBO) has shown to significantly reduce the likelihood of early failure in the Browns Ferry IPE. Another example is the Monticello plant, where connections are available to enable the operators to use residual heat removal service water for containment spray. The Nine Mile Point I submittal mentions the potential benefit of supplying the drywell sprays from external sources such as the containment spray raw water pumps. At Peach Bottom, the capability exists to supply the sprays with water from an external pond or the emergency cooling tower. Several IPEs, suc5 as those for Duane Arnold and Monticello, also discuss the possibility of relaxing restrictions on drywell spray initiation in the current emergency operating procedures (EOPs), thus pmviding greater assurance that there would be water on the drywell floor. High-pressure and temperature loads at the time the core debris melts through the reactor vessel are a significant contributor to early containment failure for Afark I containments. This failure mechanism occurs in Mark I containments because of their relatively small volumes. High-pressures and temperatures occur in containment when the reactor coolant system (RCS) depressurizes as the core debris melts through the reactor vessel. Hydrogen (from clad oxidation) and steam are the driving forces for pressurization. If the pressure pulse exceeds the ultimate pressure capability of the containment, failure will occur at the weakest location in either the wetwell or the drywell. The RCS pressure at vessel melt-through, the containment failure location, and modeling assumptions regarding the rate of RCS depressurization and the amount of core debris dispersed determine whether this failure mechanism is a significant contributor to early containment failure for individual Mark I containments. The most important accident characteristic, design features, and modeling assumptions are discussed below:

• RCS pressure at &c time of vessel melt-through - Containment failure via this mechanism is prevented if the RCS is depressurized before the core debris melts through the reactor vessel. The risk significance of this failure mechanism therefore depends on the impo tance of accident classes in which the RCS is at high-pressure (such as transient events with failure of the automatic depressurization system). A number NUREG-1560, Draft 4 10

4. Containment Performance Perspectives of utilities explored the possibility of enhancing the depressurization capability of the RCS, but they identified adverse effects that require careful consideration.

Containment failure location - The containment failure location can significantly influence the importance of this failure mechanism. If failure occurs in the wetwell, significant retention of the aerosol radionuclides occurs in the suppression pool, making it less likely that this failure mechanism will lead to the release of significant quantities of radionuclides. Conversely, if failure occurs in the drywell, the radionuclides are released without the benefit of pool scrubbing and the release can be much higher. RCS depressurization characteristics - The rate of RCS depressurization (at vessel breach), steam generation, and characteristics ofcore debris dispersal determine the importance of this failure mechanism. If rapid depressurization is assumed (as a result of a large opening in the reactor vessel) high pressure pulses can occur. These pulses have a high likelihood of causing containment failure, in addition, if a large amount of high-temperature core debris is assumed to be released and dispersed into the containment atmosphere, it can directly heat the atmosphere and containment failure is very likely to occur. Containment failure does not occur iflower depressurization rates combined with less core debris dispersal are assumed. i 1 Ways of preventing or mitigating the pressure and temperature loads at vessel melt-through include enhanced RCS { depressurization capability, containment venting, and spray operation. Of these possible actions, RCS i depressurization is potentially the most effective. Containment vents of sufficient capacity to mitigate pressure loads at the time of vessel melt-through (with the RCS at high-pressure) do not exist in most Mark I containmems and would not be practical to install. Similarly, spray operation cannot effectively mitigate all pressure loads associated with RCS depressurization during severe accidents. In the IPEs, a number of utilities explored controlled depressurization of the RCS before melt-through of the reactor vessel as a strategy for mitigating rapid overpressure failure of Mark I containments. Enhancement of the emergency depressurization capability was also an issue raised as part of the Nuclear Regulatory Commission's (NRC's) Containment Performance Improvement (CPI) Program. Although some utilities recognized the benefit of this strategy, a number of potential adverse effects were also noted. For example, iflow pressure injection (LPI) l systems are not available, depressurization causes a loss of coolant inventory that can significantly reduce the time I to fuel damage and vessel melt-through. This, in turn, reduces the time available for other recovery actions. Given the uncertainty associated with pressure loads and the potentially adverse effects, some utilities recommend further study before implementing this strategy. High-pressure and temperature loads caused by core-concrete interactions are a significant contributor to late containment failure for Mark I containments. Gradual pressurization at high temperatures caused by non-condensible gases and steam released from the drywell floor during core-concrete interactions can induce the failure of Mark I containments several hours after vessel melt-through. This failure mechanism occurs because of the relatively small volume of Mark I containments. Failure can occur either in the wetwell or in the drywell. Generally, this failure mechanism has been found to be less risk significant than the two early failure mechanisms discussed above. This is because of the longer time available for radioactive decay, natural deposition processes, and accident response. Ilowever, even for late failures, if the failure location is in the drywell, significant radionuclide release can still occur. As a result, this failure mechanism has been found to be important to longer-term risk measures (i.e., latent health effects and land contamination) in several previous PRAs. 4-11 NUREG-1560, Draft

! 4. Containment Performance Perspectives l The significance of this failure mechanism to late containment failure is .Wrmined by whether or not the drywell is flooded, the design configuration of the drywell, the availability of sprays or venting, and modeling assumptions regarding the quantity and temperature of core debris dispersed across the drywell floor. The most important accident characteristic, design features, and modeling assumptions are discussed below:

• Drywell floor flooded - With a flooded drywell floor, it is more likely that the drywell spray and CHR (CHR) systems can control pressurization and prevent structural failure of the containment. Water can cool the core debris and limit concrete erosion (and hence limit gas generation) so that steam is the main driving force for containment pressurization. The drywell spray and CHR systems are designed to condense steam and remove heat from containment. Therefore, these systems can control the containment pressure under j these circumstances.
• Drywell floor not flooded - If the drywell floor is not flooded (and shell melt-through does not occur),

venting may be needed to prevent overpressure failure of the containment. Without water, the hot core debris can cause significant concrete crosion (and hence significant gas release). The heat from this core / concrete interaction can raise the temperature of the drywell to a range where the structural capacity of the steel containment shell is significantly reduced. The quantity of gases released from this interaction also depends on the type of concrete used. For example, limestone concrete releases significantly more gases than basaltic concrete. The drywell spray and CHR systems cannot control the pressure in containment if the driving force for pressurization is non-condensible gases. Under these circumstances, the only way to control pressure is to relieve gases via venting (preferably from the wetwell in order to benefit from pool scrubbing).

• Containment design configuration - The design of the drywell and pedestal region can limit contact between the water and core debris in some Mark I containments. For example, large sumps in the pedestal region produce deep pools of molten core debris, which are difficult to cool with water. Forming a coolable debris bed is particularly difficult if the water is added after the core debris is in the sumps.

Therefore, in some IPEs, core / concrete interactions continue even after water is added to the drywell.

• Core debris characteristics - In the absence of water, the amount and temperature of core debris released to the drywell determine the extent of core / concrete interactions. If a large amount of high temperature core debris is assumed to be released from the reactor vessel, the IPEs predict extensive concrete erosion.

Under these circumstances, even if water is added to the core debris, core / concrete interactions are predicted to continue for some Mark i designs. Conversely, if smaller quantities of core debris at lower temperatures are assumed, much less concrete erosion occurs even without water. Clearly, different modeling assumptions give different results that utilities should consider when developing strategies to mitigate these failure mechanisms. Most utilities use a combination of strategies to mitigate gradual pressure buildup caused by core-concrete interactions. The drywell floor flooding strategies designed to prevent shell melt-through (if successful) will also limit long-term core / concrete interactions and hence noncondensible gas generation. If these early flooding strategies are not successful, most utilities will explore other ways of flooding the drywell floor. For instance, the ! Monticello IPE submittal noted that debris cooling with an alternative injection source (such as fire water) limits l the temperature increase in containment and extends the time to containment failure associated with over- , pressurization. In all of the IPEs, containment sprays were found to be of great benefit for preventing or mitigating late containment failure. In addition to the advantages mentioned earlier, the cooling provided by the containment sprays will retard t NUREG-1560, Draft 4 12

N 1 > 1 I

4. Containment Performance Perspectives the revaporization of radionuclides deposited on containment surfaces. Sprays can also scrub radionuclides existing l in the containment atmosphere and provide a water source for covering ongoing core / concrete interactions.

High-temperature effects are also addressed in other ways in some JPEs. For example, Nine Mile Point I considers raising the preload on the drywell head bolts as a way of increasing the probability of maintaining containment l integrity at elevated temperatures. Finally, all utilities have the capability to prevent late structural failure by , venting. l t Containment venting is an important way ofpreventing and mitigating core damage in hfark I containments. I Venting is used extensively in the IPE analyses to reduce releases and the associated risk. It is also an important element of the CPI Program. In addition, containment venting is sometimes credited with preventing core damage in accidents involving a loss of CHR. It is also used to prevent late structural failure for accidents in which the core melts through the reactor vessel. However, a few utilities stated in their IPEs that their analyses indicated that the installation of a hardened vent does not significantly reduce risk and, therefore, is only of marginal benefit. In one case, the utility stated that the installation of a hardened vent lead to less than 1% reduction in CDF. In response to the recommendations in Generic Letter 89-16"*, most utilities with Mark I containments committed to install a hardened wetwell vent system. (In some cases, a hardened vent was already in place.) A hardened vent leading from the wetwell to outside the containment building provides an independent means for containment pressure relief and heat removal while maintaining a habitable environment in the reactor building. Chapter 3 discusses how the utilities use these venting systems to prevent core damage for some accidents involving loss of CHR. Under these circumstances, venting is " clean" because it occurs before core damage and involves minimal release of radioactivity. l Venting after core damage has occurred, as a means of preventing structural failure of the containment, is considered by most utilities to be a last resort because it can involve significant radionuclide release. The advantage of venting from the wetwell (benefit of pool scrubbing) is emphasized in most IPE strategies. Several utilities also examined the pressure at which venting should be started. The impact of high temperatures on the structural capability of the drywell was also noted. For example, the IPE for Nine Mile Point Unit I reports that at 400'F the containment could fail at pressures below the current venting pressure in the EOPs. Further analysis is recommended to refine the vent actuation pressure. If venting occurs shortly after core meltdown, and the flow path is directly from the drywell or from the RCS to the environment, the suppression pool will be bypassed. Under these circumstances, venting would cause a significant release of radionuclides to the environment. In this context, a number of utilities expressed concern about the current BWR Owners Group guidelines for containment flooding (filling the containment solid with water to a level equal to the top of fuel in the reactor pressure vessel (RPV)) and the venting necessary to carry it out. Since drywell venting (i.e., unscrubbed) is needed to relieve the pressure buildup resulting from the compression of the gas space during containment flooding, there is the potential for an early release of significant magnitude associated with the flooding strategy. A number of utilities speculated that other actions, or even no action, would be preferable to carrying out the containment flooding strategy. Accidents that bypass containment are not importantfor Afark Icontainments. A loss of coolant accident (LOCA) can occur outside containment if the pressure boundary fails between the high pressure RCS and a low pressure "USNRC, " Installation of Hardened Wetwell Vent," Generic Letter 89-16, September 1,1989. 4 13 NUREG-1560, Draft

4. Containment Performance Perspectives auxiliary system (called an interfacing systems LOCA or ISLOCA). If water cannot be supplied to the reactor, core damage will occur and a direct path to the environment can exist. Therefore, these accidents can lead to a large early release of radionuclides liowever, ISLOCAs are found to be unimportant for BWR Mark I containments because of their relatively low frequency (compared with the frequency of accidents that dominate the CDF and can lead to early structural failure). The IPEs reported bypass CDF frequencies that are about an order of magnitude lower in BWR plants than in PWRs. The higher PWR frequencies result in part from the SGTR contribution in the PWR systems.

Although ISLOCAs a e not important for BWRs, the Nine Mile Point 1 IPE identified a unique way of bypassing containment. In that IPE, failure of the emergency condenser tubes caused by high-temperature creep rupture was identified as leading to containment bypass. In a degraded core accident, failure between the primary and secondary side of the emergency (or isolation) condenser provides a pathway for release similar to an SGTR in PWRs. This failure mode is found to have a relatively low frequency (compared with the frequency of early structural failure) at Nine Mile Point 1, and is therefore not important. Isolation condensers are found in one other BWR 2 plant and two early BWR 3 plants; presumably, this bypass accident also applies to these plants. It is therefore necessary to determine that this failure mechanism also has a low frequency compared with the frequency of early structural failure in these other plants. Accidents thatinvolvefailure to isolate containment are notimportantfor Afark Icontainments. Isolation failures can be preexisting or can occur at the time of the initiating event. If the isolation failure is large, and if core melt occurs, radionuclide release can also be large. In addition, because the containment is open at the time of core damage, the offsite consequences can be significant. These events are not important in BWR Mark I plants because of their relatively low frequencies. Preexisting isolation failures in Mark I plants can be precluded because the containment atmosphere is inerted with nitrogen. Therefore, any loss of containment atmosphere associated with preexisting leaks can easily be detected. In addition, failure to isolate the containment on demand is found to be a relatively low-frequency event compared with the frequencies of other accidents that can cause early structural failure of the containment. Containment challenges from ATWS sequences are important in a number of IPEs for plants with Afark I containments. These sequences belong to an accident class in which CHR and containment venting are inadequate. In ATWS events, the energy deposited to the containment can overwhelm the normal CHR mechanisms, as well as the available vent paths, leading to early core damage and containment failure. The inability to remove heat from the containment causes containment failure to occur before core damage. The containment failure in turn can lead to a loss of emergency core cooling systems (as a result of the loss of net positive suction head for pumps drawing from the suppression pool, for instance) with resulting core damage and vessel failure. Depending on the accident progression, core damage could occur first, but containment failure follows quickly. These accidents have been found to be risk significant in past PRAs since core damage, vessel failure, and containment failure can occur within a short time, thus producing conditions for significant release to the environment. However, many IPE submittals indicated that, by proper RPV level control and by opening the maximum number of vent paths, many ATWS scenarios can be controlled. The significance of ATWS events in the different IPEs depends on some plant-specific features (such as the ability of pumps to work with saturated water), as well as on assumptions regarding power level, point in the fuel cycle, and rapidity of operator response. Accidents with successful reactor scram but loss of CHR were found to be relatively unimportant in all IPEs. The ability to vent the containment is a major factor in reducing the importance of this class of accident. Also, the interval between loss of CHR and comainment failure is relatively long in these sequences, allowing time for emergency measures on- and off-site. NUREG-1560, Draft 4 14

4. Containment Performance Perspectives 4.2.2 BWR Mark II Perspectives Table 4.5 lists eight BWR units (represented by five IPE submittals) in the Mark 11 containment group.

Four units (Limerick 1&2 and Susquehanna I&2) are of the BWR 4 type, while the other four units (LaSalle l&2, Nine Mile Point 2, and Washington Nuclear Power 2 (WNP2)) are BWR 5 designs. Mark 11 containments retain many features of the older Mark I containments from which they evolved. They also are characterized by relatively high strength but small volume. In the event of an accident, they depend on a pressure suppression pool to condense the steam released to the containment from the reactor coolant system. However, unlike the Mark I group, most of the Mark 11 containments are of concrete construction. The exception is WNP2, where the containment consists of a steel shell. Table 4.5 Plants (per IPE submittal) in Mark 11 containment group. LaSalle 1&2 Limerick I&2 Nine Mile Point 2 Susquehanna 1&2 Washington Nuclear Power 2 The IPE results for this group are shown in Figure 4.4 and summarized in Table 4.6. 1.0 E9-

]a.:

0.7 2 E 3 ^

$R6 1!

las: s a

.s fR4 8                                                                    aa j 0.3 -                                                                  a                             a o                                                                                                 ' d E

e 0.2 8 R1 a, a R0  :::: ^^ Bypees Eartyfalkse Latefiikse Figure 4.4 Reported IPE CCFPs for BWR Mark 11 containments. 4-15 NUREG-1560, Drafi

l l l

4. Containment Performance Perspectives l l

4 Table 4.6 Performance summary for BWR Mark Il containments.

                                                                                                                                            )

1 Failure Failure mode Important design features, operator Suggested plant mode importance actions, and model assumptions improvements a Early Quite high for several Overpressure failures, primarily from Relaxation of drywell spray failure plants in this group ATWS, are found to be important initiation criteria  ! Isolation failures not FCI and direct impingement of core debris Further study and training important are important in some of the analyses on reactor depressurization i .

Specific design features, especially reactor pedestal design, play an important role in many analyses

• Assumptions regarding the likelihood and magnitude of some severe accident phenomena vary considerably in the analyses ,

Bypass Not important for this Low frequency is reported in CDF analysis None identified plant group Late failure Probability quite high for High-pressure and temperature loads Reconsideration of currerst , this plant group caused by core <oncrete interactions are an containment flooding important failure mode guidelines Excessive SRV discharge into a hot Modification of current suppression pool is also found to lead to venting procedures i late failure in some cases Venting is not important for most plants in this group Accidents progressing to structural failure of the containment, particularly in the drywell, before or shortly after reactor vessel failure lead to the most significant radionuclide releases. As indicated in Figure 4.4, the conditional , probability of these early failures varies considerably among the Mark 11 containments. To a large extent, this variation can be attributed to variations in plant-specific containment features, but modeling assumptions play a role as well. The following failure mechanisms have been found to lead to early failure of Mark Il containments:

• containment overpressure failure caused by a loss of CHR or (inadequate CHR) is important in most Mark II IPE analyses.
• FCI and direct impingement of core debris on the containment boundary play a significant role in some of the analyses.
• rapid pressure and temperature increases at the time of reactor vessel failure are significant in only a few Mark 11 IPE analyses.

I NUREG-1560, Draft 4 16 l

l

4. Containment Performance Perspectives As noted for Mark I containments, these failure mechanisms are important to risk because of the relatively short time available for radioactivity decay, natural deposition processes, and accident response actions. In addition, drywell failure implies that radionuclides released from the damaged core bypass the suppression pool. (Significant retention can occur if aerosol radionuclides pass through a suppression pool.) Because of the relatively short time to radionuclide release and the magnitude of the release, these failure mechanisms have been found to be important to all risk measures (i.e., acute and latent health effects including land contamination) in previous PRAs.

Containment venting does not play a significant role in accident progression in Mark 11 plants, except in the LaSalle 1&2 analysis. Accidents that bypass containment (such as ISLOCAs) or involve containment isolation failure were not important contributors to the CDF in any of the IPEs for Mark Il plants. These accidents are also not important to the likelihood of containment failure because their frequencies of occurrence are so much lower than the frequencies of early stmetural failure caused by other accidents that dominate the CDF. Specific plantfeatures play an important role in accident progression in Mark Hcontainments. While the designs of the primary containment for all Mark 11 plants are similar, and all of them are inerted with nitrogen, there are differences that may affect accident progression and the resultant containment failure modes. The most important j design differences are as follows: J

• Containment Construction - The primary containment of most Mark 11 plants is of concrete construction; however, WNP2 uses a free-standing steel vessel as its primary containment. In the Washington Nuclear 2 IPE, the licensee assumed that if the reactor vessel fails at elevated pressure and an HPME results, sufficient melt could escape the pedestal cavity and damage the containment shell in a manner similar to the shell melt-through failure postulated for Mark I containments.
• Reactor Pedestal Floor Elevation - Among Mark 11 plants, Limerick 1&2 and Susquehanna 1&2 are ,

BWR 4 reactors while the others are BWR 5 reactors. This difference in BWR type does not itself have i a significant effect on accident progression within the containment. However, the reactor pedestal cavity design may. In general, BWR 5 plants have a recessed in-pedestal region (reactor cavity) BWR 4 plants have a flat in-pedestal floor at approximately the same elevation as the ex-pedestal drywell floor. After vessel failure and the discharge of core debris a cavity with its floor at the same level as the rest of the I drywell floor is more likely to allow the corium to spread out through the doorway onto the drywell floor, with the possibility ;f contacting and eroding the downcomer pipes thus creating a suppression pool bypass condition.

• Presence of Downcomers in the Reactor Pedestal Region - Except for Nine Mile Point 2, there are no downcomer pipes in the cavity region of Mark Il containments. For Nine Mile Point 2, with downcomers inside the pedestal region, corium released from the reactor vessel may more easily enter the suppression pool, thus increasing the potential for a severe FCI in the suppression pool. Among the plants without downcomers in the cavity region, LaSalle has no water in the wetwell directly below the cavity area.
• Presence of Drain Tubes - In all Mark 11 plants considered except Susquehanna 1&2, there are drain tubes located in the drywell floor. These drain tubes may fail as a result of direct corium attack or FCI after vessel breach. The failure of the drain tubes will result either in direct containment failure or in a suppression pool bypass.
• Size of the Reactor Pedestal (Cavity) Area - In LaSalle 1&2, the reactor cavity is large enough to contain all of the core debris postulated to be released at vessel breach. This means that failure of the downcomers 4-17 NUREG-1560, Draft

4. Containment Performance Perspectives in the drywell floor (and consequent suppression pool bypass) as a result of direct contact with core debris is less likely than if the core debris could flow out of the cavity and across the drywell floor. On the other hand, the large amount of water that could accumulate in this cavity could lead to significant fuel / coolant interactions when the vessel fails.

The variation in predicted Afark 11 containment performant e can be attributed in part to design differences, however differences in modeling assumptions also play a role. For instance, the small early failure probability for Nine Mile Point 2 may be panially explained by the significan ly higher containment free volume-to-thermal power ratio of this plant compared to other Mark 11 plants. WNP7 has the smallest containment free volume to thermal power ratio. In addition WNP2 uses a steel containment wd its higher failure probability may also be partially attributed to the consideration given in the IPE to contaisment failure induced by the impact of a hot debris jet on the containment shell during HPME. The higher failure probability for LaSalle 1&2 may be panially attributed to the assumption that the cavity drain pipe failures caused by FCI lead to containment failure because a valve in the line fails outside of containment. In WNP2 there is also a high probability of drain line failure from core debris attack or steam explosion, but this is modeled as a suppression pool bypass (not as a direct containment failure). However, exvessel steam explosions may cause the WNP2 containment to fail in other locations, but with a smaller probability. Drain line failure in Limerick 1&2 is also modeled as a suppression pool bypass scenario. In WNP2 and Limerick 1&2, drain line failure leads to containment failure only if suppression pool cooling is lost. All of the reasons for the observed l variation in the conditional probabilities of early failure for the Mark 11 containments were not apparent, since the contributions from the different containment failure modes were not discussed in detail in the IPE submittals. l l The approach used in the Susquehanna 1&2 IPE differs in many respects from that used in other IPEs. As a result, the Susquehanna 1&2 CDF (9E-8/ry) is orders of magnitude lower than that of other plants, and the conditional reactor vessel ed 2ntainment failure probabilities are also very low. Of the total CDF, only about 5% involves vessel breach,1% inytIves containment failure, and le:s than 0.1% involves both containment failure and vessel breach. More than 80% of the CDF is attributed to ATWS events, as is more than 95% of containment failure. Several assumptions used in the Susquehanna 1&2 IPE contribute to the significantly lower CDF and containment failure probabilities. One of the most imponant involves emergency procedures and operator actions. In the Susquehanna 1&2 IPE, the licensee assumed that the EOPs cover all credible plant conditions without ambiguities, inadequacies, or improper actions; that the operator will not make any procedural errors; and that the operator execution error is comparable to the unavailability rate of the equipment required in the operator action. In addition to the high recovery probabilities used in the IPE, the licensee also assumed that there will be a gradual iclease of core debris from the vessel after breach, and the IPE did not consider most of the loading conditions associated with l vessel breach, that may cause an early containment failure. The licensee funher assumed that the corium is quenched, and CCI is prevented, if a water pool is present and continuously resupplied when the debris pour commences; that downcomer and drywell shell melt-through are prevented if there is an overlying water pool for the corium; and that containment venting or failure will not result in the loss of core injection as a result of adverse operating conditions. In general, accident progression issues that have significant uncertainties were either not treated, or were included in the IPE with simplifying and optimistic assumptions.  ; i I Accidents in which CllR is lost or inadequate are important contributors to early containmentfailure in the IPEs for Afark Ilplants. In these accidents, the containment is pressurized by steam generation from an overheated suppression pool, and containment failure often occurs before reactor vessel failure. ATWS sequences in which CHR systems are inadequate are primary contributors to these accident types in most of the IPEs. The LaSalle 1&2 NUREG-1560, Drafl 4 18

i

4. Containment Performance Perspectives IPE reports a conditional containment failure probability before vessel breach of about 0.1. For Limerick 1&2, the i major contributor to early failure is ATWS with a probability also of about 0.1. In Nine Mile Point 2, the leading l contributor to early failure is also ATWS, with a probability about an order of magnitude lower. In the WNP2 1

analysis, early containment failure also seems to result primarily from overpressure failures typified by sequences in which injection is successful, but all viable means of CHR are lost. When the containment fails in these f accidents, the energetic release of steam into the reactor building leads to the failure of all injection systems and therefore to core melt. 4 High-pressure and temperature loads at the time the reactor resselfails are not significant contributors to early $ containmentfailurefor most Mark Il containments. As in Mark I plants, this failure mechanism could occur in } Mark 11 containments because of their relatively small volumes. The RCS pressure at vessel melt-through, the j containment failure location, and modeling assumptions regarding the rate of RCS depressurization and amount of core debris dispersed determine how significant this failure mechanism is to early containment failure for individual i Mark 11 containments. However, this failure mechanism only appears to contribute significantly to early failure in f the Nine Mile Point 2 IPE, and the early failure probability for this plant is small (on the order of 0.05). Ways of preventing or mitigating the pressure and temperature loads at vessel melt-through include enhanced RCS

depressurization capability, containment venting, and spray operation. Of these possible actions, RCS

, depressurization is potentially the most effective. J l i Enhancing the capability for emergency depressurization was recommended for Mark 11 containments as part of the i NRC's CPI program. However, the potentially adverse effects of depressurizing too soon, noted by some utilities j with Mark I plants apply to Mark Il plants as well. For instance, in the WNP2 IPE, the licensee performed a

sensitivity study for depressurization for short-term SBO sequences. According to the IPE, without a source of soolant makeup, the inventory lost during depressurization will result in the core melting about one hour sooner than j if the system were left at high-pressure. The initial conclusion from the sensitivity analysis is that depressurization

of the primary system should be delayed as long as possible; however, once core melt begins it seems prudent to depressurize as quickly as possible. This has two benefits. Namely, if power is restored, LPI systems become  !

j available as sources of core cooling, and if depressurization is at least partially successful, the chances are enhanced l l for delaying containment failure or maintaining the integrity of the containment. l a Again, similar to some Mark 1 IPEs, a number of Mark 11 IPEs (Limerick 1&2 and Nine Mile Point 2) mention j the possibic benefit of relaxing the restrictions on the use of drywell sprays for accident management. This would , help to control drywell temperature and provide some radionuclide release control. I f . High-pressure and temperature loads caused by core / concrete interactions are significant contnbutors to late containment failure for Mark Il containments. Gradual pressurization at high temperatures caused by l noncondensible gases and steam released from the drywell floor and the reactor pedestal area during core-concrete j interactions can induce the failure of Mark 11 containments several hours after vessel failure. This failure mechanism occurs because of the relatively small volume of Mark H containments. Failure can occur either in the ! wetwell or in the drywell. Generally, this failure mechanism is less significant than the early failure mechanisms discussed above because of the longer time available for radioactive decay, natural deposition processes, and  ;

,    accident response. However, even for late failures, if the failure location is in the drywell, significant radionuclide release can occur, making this failure mechanism more important. Containment strength as a function of
;    temperature is also an imponant issue for Mark Il containments because drywell temperature can be very high (up l    to 1000*F) during CCL The containment pressure capability is weakened at high temperature and the drywell seals j     (e.g., drywell head seal) may fail at high temperature. Core / concrete interactions in Mark 11 containments can also I                                                                                                           NUREG-1560, Draft 4-19 I

a

4. Containment Performance Perspectives lead to reactor pedestal failure with subsequent reactor vessel structural support failure. In some Mark Il containments (i.e., those with downcomers or drain lines in the pedestal floor) suppression pool bypass can occur after vessel failure as a result of downcomer failure or drywell floor failure with subsequent containment overpressure from steam.

The significance of these failure mechanisms to late containment failure is determined by the design configuration of the drywell and reactor pedesth! area, the availability of sprays or venting, and modeling assumptions regarding the quantity and temperature of core debris dispersed across the drywell floor. In some IPEs, late containment failure also results when significant discharge occurs from SRVs into a hot suppression pool. Containment failure is assumed to occur in the Limerick 1&2 and Nine Mile Point 2 IPEs when substantial power is produced in the core and discharged through the SRVs to a suppression pool already at high temperature (exceeding 260*F). This assumption is based on the fact that only very limited data exists to support containment integrity at a high SRV discharge rate and elevated containment pressure and temperature. There are a number ofissues with large uncertainty affecting containment failure under these conditions. These issues include the condensation phenomena in the suppression pool, the temperature profile for the quencher device used, and the effect of elevated water levels on the hydrodynamic loads. With the exception of one plant, containment venting does not play a significant role in accident progression for plants with Afark II containments. Containment venting can be used under a variety of situations. Venting can be used to prevent containment failure by providing a controlled release of the containment atmosphere if the containment pressure approaches a predetermined primary containment pressure limit, (PCPL). Venting would usually be used in situations where there is a gradual increase of containment pressure. Under these conditions, venting would usually be grouped among the late release categories. Wetwell venting is the preferred venting path because of the radionuclide sctubbing capability provided by the suppression pool for wetwell venting. Containment venting for containment pressure control is also used during containment flooding. Drywell venting is required after the wetwell venting path is submerged during the containment flooding process. Since drywell venting does not have the benefit of suppression pool scrubbing, the associated releases may be quite severe. In addition to containment pressure control, containment venting could also be used for combustible gas control, should the containment become deinerted. Excluding LaSalle 1&2, the conditional probability of containment venting is 0.1 or less in the IPEs for plants with Mark 11 containments and any releases are grouped with the late failure category. LaSalle 1&2 is found to have a total containment venting probability of about 0.5, (i.e., about 0.4 from late venting and the remainder from early venting). Late venting is frequently used in the LaSalle l&2 IPE for transient events. About one-fifth of the total venting probability occurs for sequences without vessel breach. Although the probability values of the various venting modes are usually not presented in the IPE submittals, some information can be inferred. For example, the Limerick 1&2 IPE considers all three venting modes (i.e., for combustible gas control, containment pressure control, and containment flooding), and the total venting probability is split approximately equally between drywell venting and wetwell venting. In the Nine Mile Point 2 IPE, nearly all of the venting probability is associated with drywell venting, probably used as part of the containment flooding procedure. In the Susquehanna 1&2 IPE, venting is only used when there is no core damage. In the WNP2 IPE, according to the containment event trees, venting is used only when CllR is lost. The window of opportunity for containment venting for WNP2 is rather small since the emergency operating procedures call for venting at about 40 psig; however, if the differential pressure across the valve disk in the preferred vent path exceeds 50 psig, the NUREG-1560, Draft 4 20

l

4. Containment Performance Perspectives t

operators cannot generate sufficient force to open it. This limited opportunity for venting in WNP2 may be part of the reason why venting is not of greater benefit for sequences where CllR is lost. l Several of the Mark II IPEs discuss modifications to current venting procedures. The Nine Mile Point 2 analysis, for example, shows that containment failure is predicted to occur below the currently recommended Nine Mile Point 2 venting pressure when the containment temperature is greater than 650'F. liowever, this IPE also noted that, at lower containment temperatures, venting at the recommended pressure of 45 psig results in a radionuclide release substantially greater than if venting were not called for until a higher pressure is reached. Therefore, the IPE suggests recalculating the venting initiation criteria and inclusion of a temperature-dependent venting pressure.

 'the Nine Mile Point 2 IPE also questioned the venting called for in the BWR Emergency Procedure Guidelines                   I when implementing the containment flooding contingency (i.e., drywell venting or venting of the reactor vessel                f through the main steam isolation valve (MSIVs)). As an alternative, the IPE advocates possible improved response for containment flooding that does not require opening the RPV vent and avoids using the drywell vent unless no other alternative exists. According to the IPE, alternative actions have been shown to produce substantially lower            I releases and much longer times to failure. The IPE submittal stated that even no action is likely to be preferable to the action directed by the EPGs. It should be noted that containment venting may be used in sequences where the containment fails as a result of other causes. In the IPEs, these cases are usually grouped into the containment failure category that has a more severe release.

i Accidents that involvefailure to isolate containment or that bypass containment have low frequenciesfor plants with Afark Il containments. Isolation failures can be preexisting or can occur at the time of the initiating event, if the isolation failure is large and core melt occurs, radionuclide release can also be large, in addition, because j the containment is open at the time of core damage, the offsite consequences can be significant. These events are i not significant in BWR Mark Il plants because of their relatively low frequencies. Preexisting isolation failures in Mark Il plants can be precluded because the containment atmosphere is inerted with nitrogen. Therefore, any loss of containment atmosphere associated with preexisting leaks can easily be detected. In addition, failure to isolate containment on demand is found to be a relatively low-frequency event compared with the frequencies of other accidents that can cause early structural failure of the containment, in the Nine Mile Point 2 analysis, for instance, isolation failure occurs for only 1% of the total CDF despite the fact that Nine Mile Point 2 uses motor operated valves at some of the isolation points that would not automatically close under SBO conditions. The IPE indicated that it could be useful in future operator training to emphasize the need to locally close these valves to provide isolation. If the pressure boundary between the high pressure RCS and a low pressure auxiliary system fails (called an ISLOCA) a LOCA outside containment can occur. If water cannot be supplied to the reactor, core damage will i occur and a direct path can exist to the environment. Therefore, these accidents can lead to a large early release of radionuclides. Ilowever, ISLOCAs are not significant contributors to early containment failure for BWR Mark Il containments because of their relatively low frequency compared with the frequency of accidents that dominate the CDF and can lead to early structural failure. The IPEs reported ISLOCA frequencies that are about an order of magnitude lower in BWR plants than in PWRs. The higher PWR frequencies are, in part, attributed to the , contribution from SGTRs in PWRs. l 4.2.3 BWR Mark Ill Perspectives Table 4.7 lists the Mark Ill containments (4 single-unit BWRs) described in four separate JPE submittals. All four plants use a BWR 6 design. i 4-21 NUREG-1560, Draft (

1

4. Containment Performance Perspectives 1

Mark 111 containments are significantly different from their predecessors, the Mark I and Mark 11 designs, and this l is reflected in the different accident progression expected with these containments. The total free volume of a Mark Ill containment is significantly greater than that of a Mark I or Mark 11. The containment volume-to-thermal power i ratio is about four times that of a Mark I or Mark 11 containment while the containment design pressure and estimated failure pressure are significantly lower than those of Mark I and Mark 11 containments. Because of their relatively larger volume, Mark 111 containments are not inerted. Instead. they rely on glow plug igniters to burn off , accumulating hydrogen during a severe accident and prevent energetic hydrogen events. Table 4.7 Plants (per IPE submittals) in Mark lit containment group. Clinton Grand Gulf 1 Perry 1 River Bend The IPE results for this group are shown in Figure 4.5 and summarized in Table 4.8. 10 i NQ9-h 3 es Q8 - .O 2

  "Q7-                                                                                                                  '

8  ! 3 g Qs:

=

l c lQ5 ,  !

.5 3c Q4'                                                                                                                 -

O a o s  : 1c 03- , O g 3 . E Q2-c ' O a O Q1 a QO  :  ;; Eljpa!is EintyMtre LmeMtre Figure 4.5 Reported IPE CCFPs for BWR Mark Ill containments. NUREG-1560, Draft 4 22 l l 1

1

4. Containment Performance Perspectives Table 4.8 Performance summary for flWR Mark III containments.

I Failure Failure mode importance Important design features, operator Suggested plant mode actions, and model assumptions improvements Early Quite high for a number of FCis and hydrogen burns are found to be Ensuring igniter failure plants important causes reliability j Isolation failures not important ATWS is the leading contributor in one analysis l Venting through the MSIVs is a significant  ! contributor in one analysis Bypass Not important for this plant Low frequency is reported in the CDF None identified 4 group analysis  ! Late Smaller probabilities than for Late combustible gas burns and phenomena Enhanced operator training on severe l failure Mark I and Mark 11. but still associated with core-concrete interaction are significant principal contributors accident phenomena Late venting has a significant probability for some plants in this group In-vessel recovery plays an important role for most plants in this group Since the drywell is completely enclosed by the primary containment in the Mark 111 design, a release to the I environment will be scrubbed by the suppression pool if the containment fails but the drywell remains intact. Early drywell failure is therefore an impostant consideration in the accident progression, and radionuclide release is highest when both the containment and the drywell fail. Since the drywell has a much higher design pressure than the containment, such a failure would most likely be caused by energetic events such as hydrogen combustion and the phenomena associated with vessel breach. These considerations are reflected by the IPE results. The following mechanisms have been identified in the IPEs as important for early containment failure in Mark III containments:

• carly containment failure is primarily caused by energetic events such as FCis and hydrogen burns.
• one plant identified ATWS sequences as the leading contributors to early containment failure.
• primary reactor system venting via the MSIVs, as found in the procedures, was used in one plant and resulted in a significant release mode.

As noted for other containments, early failure mechanisms are important to risk because of the relatively short time available for radioactivity decay, natural deposition processes, and accident response actions. If the magnitude of the release is significant, the relatively short time to radionuclide release means that these failure mechanisms have been found to be important to all risk measures in past PRAs. As defined in the IPEs, early radionuclide release results from early containment structural failure before or shortly after vessel breach, as well as containment 4-23 NUREG-1560, Draft

4. Containment Performance Perspectives isolation failure, containment bypass, and some cases of early venting. With the exception of one plant, accidents that bypass containment (such as ISLOCAs) or involve containment isolation failure are not important contributors to the CDF in the IPEs for Mark III plants. These accidents are also not important to the likelihood of containment failure because their frequencies of occurrence are so much lower than the frequencies of early structural failure caused by other accidents that dominate the CDF. The exception is Clinton, where early structural failure is calculated to be so small that isolation failure becomes relatively significant.

Hydrogen combustion events or energetic events at vesselfailure are the leading contributors to early containment failure for Mark III containments. All of the IPEs for plants with Mark III containments considered early containment failure modes caused by overpressurization from noncondensible gases, hydrogen combustion processes, direct containment heating (DCH), and missile and pressure loads resulting from steam explosions. Hydrogen combustion processes are important because there is a large inventory of zirconium in a BWR core. For example, the Grand Gulf core, which contains approximately 80,000 kg of zirconium, has nearly four times as much zirconium as a PWR core such as the one in Zion. Large amounts of hydrogen are produced from the oxidation of this med during the core damage process. If the glow plugs making up the hydrogen igniter system (HIS) are not working, the hydrogen will accumulate in the containment. In addition, for accidents in which the suppression pool is subcooled, the steam released from the reactor vessel is condensed in the pool. This lack of steam in the containment atmosphere, in combination with the large amount of hydrogen released during the core degradation process, allows mixtures to form that have a high hydrogen concentration. Subsequent ignition of the hydrogen by either random sources or the recovery of AC power can result in loads that not only threaten the containment but can also pose a significant challenge to the drywell structure. While the causes of early containment failures are not discussed in detail in most IPE submittals for Mark III plants, early containment failure seems to be caused primarily by energetic events, such as FCis or hydrogen burns. The conditional early failure probability varies among the four Mark III plants from about 0.03 to 0.5. However, this wide variability in the data mainly results from the small failure probability assigned to Clinton. With the Clinton data excluded, early failure probability among the other three plants varies from about 0.2 to 0.5. The Clinton analysis is discussed further below. AIWS loads are identified in one IPE as the only mechanism capable of causing an early containmentfailure. The Clinton IPE discussed and dismissed containment failure mechanisms associated with vessel blowdown forces, invessel and exvessel steam explosions, thermal attack of penetrations, DCH, and core-concrete interactions. Only overpressurization from steam generation during ATWS and hydrogen combustion during SBO were found to have the capability to raise containment pressure to the failure point within the first 48 hours after accident initiation. Only ATWS sequences, causing overpressurization of the containment before vessel breach as a result of excessive SRV discharge to the suppression pool, were identified as leading to early failure. The dismissal of other failure mechanisms may be attributable in part to design differences between Clinton and other Mark III containments. These differences are discussed further below. A venting scheme considered in one Mark 111 plant produces a significant contribution to the frequency of radionuclide release. Venting of the primary system using the MSIVs results in an early release that is the most severe release mode for Grand Gulf. According to the Grand GulfIPE, the BWR emergency procedure guidelines direct MSIV venting for containment flooding in response to a loss of RPV level indication. The procedure requires establishment of a vent path to the RPV as containment flooding proceeds beyond the top of the drywell weir wall. This vent path is realized by bypassing the containment interlocks and opening the MSIVs regardless of potential releases. This results in a release that bypasses the containment. NUREG-1560, Draft 4 24

4. Containment Performance Perspectives Principal contributors to latefailures in Mark 111 containments are late combustible gas burns and phenomena associated with core-concrete interaction. The phenomena analyzed in the IPEs for Mark Ill plants that may cause late containment failures include (1) overpressurization with high temperatures associated with noncondensible gases and steam, or combustion processes; or (2) containment basemat melt-through caused by basemat penetration of core debris; and (3) vessel structural support failure caused by core debris erosion. Most of the IPE submittals did not provide a detailed discussion on the causes of late containment failure; therefore, specific contributions to late containment failure as a result of the above containment phenomena are not known. Late failures can be inferred to result primarily from late combustible gas burns and pressure and temperature increases, as well as crosion, from core-concrete interaction.1-ligh drywell temperatures are identified as leading to drywellleakage in some of the IPEs. Excluding containment venting, the probability oflate containment failure is in the 0.1 to 0.2 range for most of these plants. As in the case of early failures, the exception is the Clinton IPE, for which the probability oflate containment failure was calculated to be very low.

One IPEfor a Mark 111 plant reported a significantly lower containment failure probability than the IPEs for the rest of the plants in this group. As noted above, both early and late containment failure probability in the Clinton IPE analysis was much below the values found for other plants with Mark llI containments. According to the Clinton IPE, the small containment failure probability is attributed to the large size and greater strength of this containment compared to other Mark 111 plants. The total free containment volume-to-thermal power ratio is more than 600 ft2/MWt for Clinton, while it varies from about 400 to 500 ft /MWt for other Mark 111 plants. S According to the Clinton IPE, containment failure will not occur for transient and LOCA events. Although containment venting could be used during transient and LOCA events, the IPE did not provide any release classes - for this venting since the Clinton calculations showed that the venting pressure is not reached in these events, and, consequently, containment venting is not carried out. Furthermore, even if the containment were vented, the , releases would be small. As a result, early failure occurs only for ATWS sequences that overpressurize the l I containment, and late containment failure and isolation failures occur only in SBO sequences in the Clinton IPE. According to the Clinton IPE, late containment failure is caused by hydrogen combustion, which occurs when power is recovered 24 hours or more following accident initiation. In addition, the Clinton IPE indicated that decay heat power levels alone will be insufficient to cause failure of the containment as a result of overpressurization within the period covered by the containment analysis (48 hours after event initiation). In general, the significant difference in containment failure probabilities between the Clinton IPE and other IPEs for Mark III plants is attributable, in part, to plant-specific features (e.g., large containment volume) and in part to the differing assumptions used. Late containment venting is calculated to have a significant probability in some Mark 111IPEs. Containment venting is used to prevent containment failure by permitting a controlled release of the containment atmosphere if the containment pressure approaches a predetermined limit (the PCPL). The MSIV venting scheme used in the Grand Gulf IPE analysis has been discussed and is not considered in the other IPEs. Most of the venting described in the IPEs for Mark 111 plants is scrubbed by the suppression pool; therefore, the releases associated with this venting are small even if the venting time is early. With the exception of the Grand Gulf MSIV venting, early containment senting, (i.e., venting before vessel breach) does not play a significant role in the IPE analyses.  ; The conditional probability of late containment venting for the Mark 111 IPEs varies considerably and a zero probability was assigned to venting in the radiological release logic for the River Bend IPE. This is because the j vent for River Bend consists of a 3-inch line through the steel containmen:, which is too small to prevent prompt l containment overpressure failure. As a result, venting is credited only if CIIR is lost. According to the River Bend NUREG-1560, Draft 4-25

i I

4. Containment Performance Perspectives IPE, the CHR system is quite reliable and, in those sequences in which CHR would likely to be unavailable (e.g., ,

loss of offsite power), venting would also not be available. t i Although the probability oflate venting was less than 0.02 in the Clinton IPE submittal, the total venting probability indicated in the Clinton containment event trees (CETs) was more than 0.1. However, as noted earlier, most of j this probability was assigned to the "no release category" in the submittal because analysis results showed that the l venting pressure would not be reached for some CET sequences in which venting is assumed to occur in the CET J quantification. . t invessel recovery plays an important role in the accident pmgression analyzed in the JPEsfor Mark 111 plants. { After core damage, vessel breach can be prevented if coolant injection is restored to the RPV. With the exception  ; of the Grand Gulf IPE, where the probability of invessel recovery is not reponed, invessel recovery is significant for the IPEs for Mark 111 plants. The conditional probability of avoiding vessel breach after initial core damage  ; for Clinton is about 0.6, and, according to the results prescated, these cases do not involve containment failure. ' However, containment failure or containment venting are predicted in the accident progression of other Mark Ill IPEs, even if there is no vessel breach. For example, the total invessel recovery probability of 0.5 for Perry is split . into 0.05 involving early containment failure,0.2 involving containment venting, and 0.25 involving no containment i failure. Similarly, the 0.6 recovery probability for River Bend, is split into 0.2 for early failure,0.1 for late failure, and 0.3 for no containment failure. Even with containment failure, the release associated with invessel recovery is generally small because, in the majority of the cases in which vessel breach is averted, the releases are scrubbed as they pass through the suppression pool Furthermore, if the vessel does not fail, there are no exvessel releases such as from core-concrete interaction. j Containment bypass and containment isolation failuns an smallfor most IPEs of plants using Mart til

                                                                                                                               }

containments. 'Ihe primary contribution to containment isolation failures comes from SBO events, but isolation j failures were small or negligible in all IPEs, with the exception of Clinton. For both River Bend and Clinton,  ! isolation failures were calculated to be less than 5% of CDF. While this is small compared to early containment  ! failure for River Bend, it is of the same order as the small early structural failure calculated in the Clinton IPE. ' The probability of containment bypass was found to be negligible in all IPEs. However, the MSIV venting  : discussed in the Grand Gulf IPE leads to a release that bypasses containment and is the most important failure mode  ; in that analysis with respect to radionuclide release. t. 4.3 PWR Containment Performance Perspectives As indicated in Section 1.4, for the purpose of identifying containment performance perspectives from the IPEs l submitted for PWR plants, the PWRs were sepauted into rso groups according to containment type. Specifically,  ! PWRs are classified as large dry containments (including those operating with a subatmospheric internal pressure) i and ice condenser containments. In addition to the PWRs, one early BWR (Big Rock Point) is housed in a large g dry containment. Big Rock Point is discussed at the end of Section 4.3.1. i h

Containment perfstmance results for all PWRs in the two groups are shown in Figure 4.6 and the related perspectives  !

are summned in Table 4.9. The results indicate that most of the containments in both PWR groups have relatively low caditional probabilities of early failure. J NUREG 1560, Draft 4-26 i

                                                   . - _ . .      - _ ~                 =                     ,_

4. Containment Performance Perspectives 12

,       p":

u: r m ~ j .g li u : u! [/ , 7,.

  ,                    Tr                  #1 a4 -                             a.                                            is e                                          n N:          he                  ga ra u:                             .'4 n, a                  ,

e.i : 1.' , r1 o.o l

                                          '4                  '$
                                                               --            Q            ..

sypen sneyvenis. Lee tenia. sn-se serey senw. Ln emme. t.ame Dry & Shanheric jge Condensers 1 ~

             . ne low early structural failures for ice condensers relative to the other PWRs appear to be driven more by analysis assumptions than by plant features.                                                             .

• Bypass, especially SGTR, is important relative to early structural failure for both PWR containment types.

- - Isolation failures are found to be signficant in a number of large, dry and subatmospheric containments.

• He likelihood of late failures often depends on the mission times assumed in the analysis.

Figure 4.6 Reported IPE CCFPs (given core melt) and key perspectives on containment performance for PWR plants. 4-27 NUREG-1560, Draft

l l l

4. Containment Performance Perspectives l

Table 4.9 Performance summary for PWR containments. Failure Failure mode Important design features, operator Important mode importance actions, and model assumptions plant improvements Early Relatively unimportant Phenomena associated with IIPME are Addmg limited barriers to failure for PWRs, but with important for large, dry and subatmospheric protect against direct core some important containments. Importance depends on RCS debris impingement on the exceptions pressure at vessel breach, cavity geometry, containment and modeling assumptions isolation failures Emphasizing operator training relatively important for Rapid steam generation and hydrogen bums, on manual closure of isolation some large, dry and as well as direct debris impingement, are valves subatmospheric important in some of the analyses containments Changing to motor-operated  ; Susceptibility to direct impingement of core isolation valves debris on the containment in the seal table  ; room is important to some ice condensers I i Bypass Relatively important for Dypass can occur as a result of the high Adding training for procedures  ! most PWRs operating pressure and large interface to cope with SGTR between high-and-low pressure systems ' Implementing primary side , SGTR is an important bypass mode for most depressurization to reduce ' PWRs induced SGTR ' Attemative, independent source of feedwater to reduce induced SGTR Late importance varies for The dominant late containment failure mode Emphasis on increasing the failure PWRs, ranging from is overpressurization, which occurs when f likelihood of maintaining a i unimportant to very CIIR is lost coolable debris bed  ! important The limited mission time assumed in some of i the analyses is an important reason for some ' of the low late failure probabilities Significant variability exists in the contributions of the different failure modes for both containment groups. This variability results from plant-specific design features, as well as the modeling assumptions used in the different IPE analyses. The uncertainty of the phenomena associated with flPME, for instance, is reflected in the variation in the likelihood and magnitude of 11PME loads found in the IPEs. Differences in assigning credit for invessel recovery of the core after core damage also play a role in broadening the range of the reported containment failure results. Other reasons for the variability are discussed in the following sections. Important factors that impact the probabilities of the failure modes in Figure 4.6 are discussed for each containment group in Sections 43.1 and 43.2. In general, different factors influence the failure modes for the two groups. For instance, while llPME events often play an important role for early failure in the IPEs with large dry containments, this is not the case for IPEs with ice condenser containments. Ilowever, the fact that the early failure probability for the ice condenser containments as a group appears to be lower than that of the large dry containments as a group is more likely a result of the modeling assumptions used in the five ice condenser IPEs rather than any NUREG-1560, Draft 4 28

4. Containment Performance Perspectives phenomenological or design reasons. In addition, the small number of ice condenser IPEs compared to the large number of IPEs for large dry and subatmospheric containments results in a less diverse analysis range for the ice '

condensers. Containment bypass, especially associated with SGTR, is important for most of the PWR containments and is the major contributor to large, early releases in many of the IPEs. Induced SGTR is also a significant contributor to bypass in a few of the PWR IPEs. 1

                                                                                                                       )

Late containment failure can result from gradual pressure buildup caused by non-condensible gas release, basemat melt-through, or hydrogen combustion events in conjunction with existing elevated containment pressure. Gradual pressure buildup caused by continued steam production and/or CCI is found to be an important contributor to late failure in the PWR containments. I 1 4.3.1 PWR Large, Dry and Subatmospheric Perspectives I l Table 4.10 lists 64 PWR reactor units and 1 BWR unit (described in forty-four submittals) housed in large dry containments. For seven of the PWR units (four submittals) the containments are kept at an internal pressure that is somewhat below atmospheric pressure. All of these containments rely on structural strength and large internal volume to maintain containment integrity during an accident. ) Table 4.10 Plants (per IPE submittals) in large dry and subatmospherie containment group. Arkansas Nuclear One 1 Arkansas Nuclear One 2 Beaver Valley 1 Beaver Valley 2 Big Rcck Point Braidwood 1&2 Byron 1&2 Callaway Calvert Cliffs 1&2 Comanche Peak 1&2 Crystal River 3 Davis Besse  ; Diablo Canyon 1&2 Farley 1&2 Fort Calhoun 1 Ginna l Iladdam Neck Indian Point 2 Indian Point 3 Kewaunee Maine Yankee Millstone 2 Millstone 3 North Anna I&2 Oconee 1,2&3 Palisades Palo Verde 1,2&3 Point Beach I&2 Prairic Island 1&2 Robinson 2 Salem 1&2 San Onofre 2&3 Seabrook Shearon liarris 1 South Texas I&2 St. Lucie I&2 Summer Surry I&2 TMII Turkey Point 3&4 i Vogtle I&2 Waterford 3 Wolf Creek Zion 1&2 1 The IPE results are shown in Figure 4.7 and summarized in Table 4.11. In general, only very severe and rapid pressure loads will fail these containments early; with a few notable exceptions, the probability of early containment failure for plants in this group is quite small. The following factors are found to be important for early containment failure: , 1 l

• phenomena associated with HPME pose the most significant early threat for these containments. l
• in a few cases, specific design features lead to unique and significant failure modes.
• containment bypass, especially SGTR, is an imponant source of significant early release.

l 4-29 NUREG-1560, Draft

1

4. Containment Performance Perspectives l

l I 10 I l 4 0 j k= .9 : 1 j 0.8 i h b aa

• 0.7 -

2 a 3 6

                                                                                                       " ^a i as:

a gasi a a' c ga 4A $

$L4                                                                                                    aa 8

• a a E

n A a 4, a 4 j 4, 4 a w 0.2 - ,' la g a a aa o t'ga tja' g'la !Al a ld$s1 a0 nl!l le !  !!a$4

                                                                                                   ;!^

Bypass Eartyfailure Late failurs Figure 4.7 Reported IPE CCFPs for PWRs in large dry and subatmospheric containments. Table 4.11 Performance summary for PWR large dry and substmospheric containments. Failure Failure mode importance Important design features, Suggested plant mode operator actions, and model improvements assumptions Early Not very important for most plants The leading early challenges for Adding procedures for direct failure in this group, but with some most of the plants in this group are RCS depressurization notable exceptions associated with phenomena occurring with IIPME. Adding limited barriers to isolation failures important in a Assumptions made in the analyses protect against direct core number of plants, especially if no regarding these phenomena often debris impingement on the credit is given for manual isolation determine the early failure containment in the analysis, but releases are probability usually calculated to be small Emphasizing isolation For a few plants, specific design procedures in operator training I features lead to unique and l significant failure modes. In a j number of cases, these involve direct contact of the containment boundary with core debris NUREG-1560, Draft 4 30

H

4. Containment Performance Perspectives 1

- Table 4.11 Performance summary for PWR large dry and subatmospherie containments. Failure Failure mode importance important design features, Suggested plant mode operator actions, and model improvements J assumptions , Bypass Relatively important for most Because of the greater pressure Adding training in procedures plants in this group differential between primary and to cope with SGTR ] . secondary systems in PWRs, and the relatively large interface between Primary side depressurization high and low pressure systems to reduce induced SGTR

provided by the steam generators,

the probability of containment Alternative, independent source  ;

= bypass resulting from ISLOCA or of feedwater to reduce induced

!                                                                  SGTR is as large as or larger than              SGTR carly structural failure in many                                                             ,

PWR IPEs Late Considerable variation among The dominant late comainment Emphasis on increasing the failure plants in this group. ranging from failure mode is overpressurization, likelihood of maintaining a unimportant to very important which occurs when CllR is lost coolable debris bed , The limited mission time assun'ed in some of the analyses is an , important reason for some of the i Iow late failure erobabilities i PWR dry containments are not required to have the intentional ignition systems that are required in PWR ice condenser containments (discussed in Section 4.3.2) since global hydrogen burns, by themselves, are unlikely to cause the failure of these large, robust containments. Ilowever, as part of the NRC's CPI program, licensees with large, dry containments were requested to evaluate (as part of their IPE) containment and equipment vulnerabilities to both local and global hydrogen combustion. Structural failures associated with long-term pressure and temperature buildup or penetration of the containment basemat by core debris are not likely as early failure mechanisms but are both possibilities for late failure mechanisms in these containments. The likelihood of these failures depends on the containment strength calculated, the absence or presence of decay heat removal systems, whether the core debris is coolable, and the length of the mission time considered in the analysis, in some large, dry containment IPE analyses, even with decay heat removal systems inoperable, structural failure may never occur in the mission time frame considered. Isolation failure probability is found to be small for most of these containments, but a number of IPEs report a significant probability for the failure of the containment isolation system. The various containment failure j mechanisms are discussed in more detail below. l l The most important challenges to containment integrity before or at vessel breach are those associated with HPAfE. The containment loads associated with liPME are generated by the addition of mass and energy to the  ! containment atmosphere from the following sources:

• blowdown of reactor coolant system steam and hydrogen inventory into the containment 4-31 NUREG-1560, Draft

4. Containment Performance Perspectives combustion of hydrogen released before and during 11PME interaction between molten core debris and water in the reactor cavity or on the containment floor i e

direct energy transfer between finely dispersed core materials and the containment atmosphere (i.e., DCli) This combined load is referred to as the DCil load in some IPEs. There are significant uncertainties related to the containment pressure loads that can be produced from these energetic events associated with IIPME. The pressure of the reactor coolant system (RCS) at vessel breach is obviously a factor, as is the geometry of the reactor cavity and the presence or absence of water in the cavity. These parameters,plus some additional assumptions, determine the estimated pressure rise at vessel breach. l'owever, the estimated containment pressure load before vessel breach also plays an important role in determining the sarly failure probability. The containment pressure capability curve, particularly the shape of the distribution assumed at the lower pressure end of the curve, is also important. Since a point estimate (rather than a distribution) is m ed in most of the IPEs, a single pressure load estimate is usually obtained and compared with the containment pressure capability to determine the failure probability. In some JPEs, the probability of early containment structuralfailure is determined to be not credible. In one group of PWR IPE submittals that used similar analysis methods, the estimated early containment pressure loads were less than the containment pressure capability: therefore,early containment structural failure was assumed not to occur. These IPEs argued that early containment failure modes, such as those discussed above, are not expected to challenge the containment. Bounding hydrogen burn static pressure increases and DCH pressure increases are estimated in these IPEs and compared to a lower bound containment failure pressure, defined in these IPEs as the fifth percentile value of containment pressure capability. The estimated containment pressure obtained in these analyses is about 110 psia for hydrogen burns and below 100 psia for DCH. By contrast, the calculated lower bound of centainment failure pressure ranges from 100 to 140 psig. Consequently, early containment failure is considerehmt r.redible for these IPEs. The predicted containment pressure loads are higher in IPEs that reported relatively higher early containment failure probabilities (i.e., from 0.05 to 0.1) than the IPEs discussed above that predict no early containment failure. In these analyses, the containment failure pressure is usually reached when the pressure before vessel breach (the " base" pressure) is combined with the pressure increase at vessel breach. Depending on the individual submittal, the higher pressure loads may be attributed to a high containment base pressure before vessel breach, or a greater pressure increase at HPME, or both. The primary cause for a high base pressure is usually the loss of CHR with successful core injection. A typical example is Arkansas Nuclear One Unit 2 where major contributors to early containment failure (conditional probability of about 0. I) are sequences in which core injection is successful in the injec'. ion mode but fails in the recirculation mode, and CHR is not available. Without CHR, the containment pressu e is expected to be already high at the time of vessel failure, and is further expected to exceed the containment failure pressure when vessel failure occurs. Sometimes, design features such as reactor cavity layout also play an important role, as at Millstone 2, where early containment failure was dominated by DCH. According to the Millstone 2 IPE, the large DCH failure probability can be partially attributed to the tight reactor cavity, lack of water in the reactor cavity, and lack of an instrument tunnel, typical of some other Combustion Engineering /Bechtel designs. It should be noted that, for the above cases where the containment base pressure becomes high as a result of loss of CllR, it usually takes many hours for this pressure to build to a significant level. The early failures in these IPEs are defined relative to the time of vessel breach, not relative to the time of accident initiation. NUREG-1560, Draft 4-32

4. Containment Performance Perspectives Because of their high containment pressure capabilities and large containment volume-to-thennal power ratios (44) ,

large dry containments as a group are not likely to fail before vessel breach by slow pressurization from noncondensible gases and steam or early hydrogen combustion.11owever, in some IPEs, containment failure is reported to occur before vessel breach either because of containment pressurization from steam and noncondensibles, or because of a combination of containment pressurization and an early hydrogen burn. For example, according to Modular Accident Analysis Package (MAAP) calculations cited in the IPE submittal, the containment failure pressure of approximately 170 psig may be reached before vessel breach at the Palo Verde plant, which has a conditic.nal early failure probability of about 0.1. The DC11 peak pressure used in the Palo Verde 1,2&3 IPE is also higher than that estimated in other IPEs, varying from around 130 to 180 psig for cases without sprays, and from around 120 to 140 psig for cases with sprays. These values are considerably higher than those estimated in the IPEs that predict no early containment failure (i.e., about 60 to 100 psig). Another example is Maine Yankee with an early failure probability of about 0.1, where one of the major contributors to early containment failure is hydrogen combustion before and at vessel breach. Maine Yankee's analysis also predicted a high DCli load. The DC11 load distribution has a median value of about 115 psia. As previously noted, an obvious parameter that affects the probability of early containment failure from DCH load is the RCS pressure at vessel breach. For those IPEs that assumed small DCII loads, early failure from DCH is negligible. As a result, the RCS pressure at vessel breach is irrelevant. By contrast, RCS pressure at vessel breach is important for IPEs that predicted significant DCil loads and higher early failure probabilities. RCS pressure at vessel breach depends on the RCS pressure at core damage and any RCS depressurization mechanisms between core damage and vessel breach. According to the IPE results, the RCS pressure at core damage for PWRs with large dry containments is most likely high or intermediate (the pressure range where DC11 is possible). RCS depressurization between core damage and vessel breach can occur as a result of operator actions, because of a stuck open valve, or as a consequence of a  ; temperature-inducedhot leg or surge line break. The likelihood of temperature-inducedhot leg or surge line break usually used in the IPEs reflects that used in NUREG-1150(4 5) (i.e., about 70% when the RCS is at the j pressurizer PORV setpoint pressure and less than 5% if the RCS is at about 2000 psia). Sensitivity analyses in one ' IPE indicate that RCS depressurization before vessel failure can reduce the probability of a large early release by , as much as 50%. In some IPEs, like Seabrook, added procedures for direct depressurization of the RCS in case of I a core melt are listed under CPIs. Other plants for which the IPEs show a relatively high likelihood of DCil-related failure, (like Besver Valley 2) state that RCS depressurization will be explored further under accident management. Among PWR IPEs, the conditional probability reported for early containment failure associated with containment overpressurization is exceptionally high for Waterford, at a value of about 0.3. This high probability may be attributed largely to the unusual containment pressure capability curve (or fragility curve) used in this IPE. On the i basis of this curve, the containment failure probability is about 0.3 for a 90-psia containment pressure load. This is a high value when compared with that used in other IPEs. With a similar median containment pressure capability, "The median containment failure pressure (from the containment fragility curve) for large dry containments  ! I varies from about 90 psig to over 150 psig, and has an average value of about 135 psig. The containment volume-to- I thermal power ratio for large dry containments varies from about 630 to 1220 ft /MWt. The average value is I approximately 800 ft3 /MWt. U USNRC, " Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants," NUREG-ll50, December 1990. 4-33 NUREG-1560, Drafl

4. Containment Performance Perspectives (135 psig for Waterford), other IPE analyses using more conventional fragility curves estimate that containment failure probability is only about 0.05 at pressures of about 100 psig.

In a number ofIPEs, specij1c containmentfeatures lead to unique and significantfailure modes. For instance, the large probability values of early containment failures found in the IPEs for both Palisades and Davis ' BesseM, do not result from the high pressure loads associated with HPME discussed above. Instead, the values are attributed to the special features of the particular containment designs of the plants. The conditional early containment failure probability for Palisades, which is about 0.3, comes primarily from a containment failure mode that is apparently unique to Palisades. The plant feature that contributes to this failure mode is the location of the engineered safety features (ESP) sump. The IPE postulates a flow of molten core debris from the reactor cavity into the ESF sump and subsequently into the ESF recirculation piping. In the IPE analysis, the debris is assumed to eventually melt through the pipe wall and enter the auxiliary building. The maximum failure area is presumed to be twice the area of an ESF recirculation pipe (there are two pipes), resulting in a large containment failure area. For Davis Besse, the largest fraction of early containment failure is associated with the potential failure of the containment side wall via direct contact with core debris. Although this failure mode is generally unlikely for plants with large dry containments, it contributes significantly to early containment failure for Davis Besse, one of the few PWR plants that have large dry containments of steel construction. According to the IPE, side wall failure could occur in the event that a significant portion of the core debris is transported from the reactor cavity up to the basement level of the containment at the time of vessel failure. The debris would be dispersed to an area adjacent to the steel containment wall, where the wall is protected by a concrete curb that is 1.5 ft thick and 2.5 ft high. If the debris is not cooled, the concrete could be ablated, leading to a containment failure several hours after vessel failure. This failure mode is defined in the Davis Besse IPE as one that would result in an early source term. The IPE for Arkansas Nuclear One Unit I is another IPE in which a relatively high early failure probability was not primarily associated with containment overpressurization. According to the Arkansas Nuclear One, Unit 1, IPE, exvessel steam explosions and especially debris impingement on the containment liner are significant contributors to early containment failure. 'Ihe threat from debris impingement is associated with the Arkansas Nuclear One Unit I cavity configuration, which provides access to the containment liner through the incore instrument tunnel. As a plant improvement, the IPE suggested the design of a protective barrier inside the incore instrument tunnel or along the containment linerjust beyond the tunnel. In generQhe IPEs report small contributions to early containment failure by other containment failure modes, such as those associated with invessel steam explosion (alpha mode) and vessel thrust forces (rocket mode). However, in IPEs with a very small overall early failure probability, an alpha mode contribution of a fraction of a percent (based on NUREG-1150 data, for instance) can be as large as the contributions from other early failure mechanisms. The distribution of conditional probabilities of early containment failure for all large dry containments, presented

                                                                                                                           )

in Figure 4.7, shows a range from zero to more than 0.3. This range reflects the considerable uncertainties associated with early containment failure phenomena, and includes the effects of some unique containment features in some  ; plants as well as the different assumptions used in the analyses. l l i i l I l "The probability of early failure for Davis Besse was significantly reduced when, in response to a request for additional information from the NRC, the licensee found a logic error in the original analysis. NUREG-1560, Draft 4 34

i I

4. Containment Performance Perspectives Figure 4.7 also shows that large dry containments as a group are quite robust in response to severe accident l

challenges. nese containments are not very susceptible to containment overpressure challenges because of their large-volumes and high structural strengths. De probability of containment failure is further reduced by invessel recovery actions. (nat is, gross damage and vessel failure are prevented if sufficient coolant injection becomes available after core damage has occurred and the core is cooled invessel.) A few invessel recovery mechanisms are considered in the IPEs. For cases where LPI is available but the primary system pressure is above the shutoff head of the LPI system, LPI initiation can succeed if RCS pressure can be reduced below the LPI shutofT head. As noted above, RCS depressurization can be achieved by operator actions, or it may occur if there is a temperature-induced hot leg or surge line failure. He induced failure is usually assumed to result in a break size in the RCS equivalent to a large-break LOCA, which will rapidly reduce the pressure, allowing for LPI injection. Invessel recovery can also occur in loss of AC power sequences if AC power is restored before reactor vessel failure. Another scenario involves large LOCA sequences in which accumulators are required and fail to inject, resulting in core damage. In these sequences, if LPI is operating and continuously injecting water into the vessel, eventual invessel cooling and prevention of vessel failure is likely. Individual IPEs include the above invessel recovery mechanisms in their models in varying degrees. De Beaver Valley IPEs, for instance, take no credit for recovery of AC power or CIIR after the time of core damage. Some IPEs that take little or no credit for recovery actions state the intention to further explore invessel recovery within their accident management studies. If the core geometry permits, a number of IPEs mention the possibility (some without taking credit for it) of cooling the core in the vessel via exvessel flooding (i.e., filling the cavity with water to submerge a good portion of the reactor vessel and remove heat through the vessel wall). The iPE results show that the dominant late containmentfailure mode is containment overpressurl:ation, which occurs when CllR capability is lost. Phenomena that may cause late containment failure include (1) , overpressurization with high temperatures caused by combustion process or noncondensible gases and steam, (2) containment basemat melt-through associated with basemat penetration by core debris, and (3) vessel structural support failure caused by core debris erosion. Basemat melt-through may happen if CCI is not terminated, either because there is no water in the reactor cavity or because the corium is not coolable even if water is available. Since the basemats of most PWR containments are quite thick, eventual penetration of the basemat by core debris is not certain even if a large fraction of the core is involved in CCI and water is not available. Containment failure as a result of reactor vessel support structure failure is not likely for large dry containments since . the reactor vessel is usually away from the containment walls and there are structures located between the reactor vessel and the containment boundaries. Consequently, even if the vessel support structure fails, this will not cause a containment failure in large dry containments. Derefore, in most PWR IPEs, late failure results from overpressurization. One exception is lladdam Neck, which has one of the largest containment volume-to-thermal power ratios (1220 fi'/MWt) but a relatively weaker containment structure. (The median containment pressure capability is about 90 psig.) According to the lladdam Neck IPE, late containment failure is dominated by containment basemat melt-through because of the relatively thin basemat in the reactor cavity (about 5 fl compared with approximately 10 fl for most other plants), and a relatively l dry cavity floor as a result of the high setpoint for manual initiation of the containment spray system. He IPE for Millstone 2, another plant where the cavity is likely to remain dry, also cites basemat melt-through as the dominant mode of late containment failure. 4-35 NUREG-1560 Draft i

I l 4' Containment Performance Perspectives As indicated in Figure 4.7, late containment failure for the large dry containments considered in the IPEs ranges from zero to about 0.7. This variability is caused by many factors, including what systems are credited for CHR. In i some of the IPEs, fan coolers that are not designed as engineered safety features are credited for CHR. i l One ingportant reasonfor the low latefailureprobabilitiesfound in some IPEs is the use of a 48-hour mission i time. In these IPEs, the probability of reaching the containment failure pressure during the 48-hour mission time > is very low. This is because coatainment pressurization is due largely to the generation of noncondensible gases as l a result of extended CCI in the cavity, and therefore proceeds relatively slowly. That is, pressurization from steam ) generation is small, either because of lack of water or because CHR is working. However, in one IPE, there is no l late containment failure even if CHR is not functioning. The 48-hour cutoff used in these IPEs also excludes basemat i melt-through because penetration of the basemat usually takes longer than 48 hours. These IPEs anticipate that beyond 48 hours, actions such as providing an alternative water source for which emergency procedures may already be in place, along with accident mitigation strategies developed at the Emergency Operations Facilities and the Technical Support Center, would mitigate the basemat melt-through sequences and result in a stable configuration  ! within the intact containment. Containment bypass, especiallySGTit, is an important source ofearly release in many IPEsfor plants with large dry containments. Containment bypass failures include those from ISLOCA, SGTR, or temperature-inducedSGTR. The probability of ISLOCA and SGTR is determined in the CDF analyses of the IPE. The probability of , temperature-induced SGTR is calculated as pan of the accident progression analysis. This failure typically occurs ) if one or more steam generator tubes experience a creep rupture caused by the flow of high-temperature gases from the core when the RCS is at system pressure. l For those IPEs where containment bypass has a significant contribution, SGTR is normally the dominant contributor. For example, SGTR leads to the most serious releases reported in the North Anna 1&2 and Prairie Island 1&2 IPEs. An exception is the St Lucie 1&2 IPE, where ISLOCA is two and three times more likely than SGTR for Units I and 2, respectively. For temperature-induced SGTR, the probability value used in the IPEs is about 0.01; therefore, temperature-induced SGTR is generally not deemed significant in the IPEs. The exceptions are the Prairie Island 1&2 and Shearon Harris IPEs. In the Prairie Island I&2 IPE, the conditional probability of bypass is almost 45% of total CDF, of which two-thirds is attributed to temperature-inducedSGTR and one third to SGTR-initiated events. In the Shearon Harris IPE, the conditional probability for containment bypass is about 0.I, half of which is attributed to temperature- l induced SGTR. The high probability of temperature-induced SGTR in these JPEs results from their consideration of reactor coolant pump (RCP) restart and the high value used for the probability of steam generator tube thermal failure for cases where the RCP is on (0.5 versus 0.01 used in other IPEs). ) According to these submittals, the procedural guidance requires the operators to restan the RCPs when inadequate core cooling conditions are indicated. This restart clears the RCP seals and establishes a natural circulation path, resulting in increased steam generator tube heating and the potential for a temperature-induced SGTR. Secondary side depressurization, also included in the procedures for restoring heat removal, can increase the pressure differential across the tubes and thus may further increase the potential for failure. On the other hand, some of the IPEs cite primary side depressurization as a way to reduce the probability of temperature-induced SGTR. In the Seabrook IPE, the addition of an alternative independent emergency feedwater pump, that could be used during high-pressure core melt sequences is also listed as an improvement for reducing temperature-induced SGTR. Most IPEs do not consider the effect of RCP restart, however, and in some that do, a low probability of temperature-induced SGTR is used NUREG 1560, Draft 4 36

I

4. Containment Performance Perspectives based on the expected limited duration of RCP operation. This variable treatment of temperature-induced SGTR in the IPEs indicates the large uncertainty associated with this issue.

After the Prairie Island IPE, the highest bypass probability is predicted in the Ginna IPE (-0.4), the majority of which results from the CDF analysis. Ginna has the highest bypass frequency found in any of the IPEs for plants with large, dry containments, almost 4E-5/ry. Another IPE with a high bypass conditional probability (almost 03) is the Zion IPE, nearly all of which is attributed to SGTR in the CDF analysis. The IPEs for Braidwood and Byron show a low SGTR likelihood because credit is taken for a new steam generator design that uses smaller diameter j tubes. These tubes reduce the leakage from primary to secondary side in the event of a rupture, and reduce the likelihood of core damage during the initial 24 hours. Isolation failure is important in some IPEs. Isolation failure is assumed to be negligible in some IPEs, and is assumed to have a large conditional probability in others. A large probability of isolation failure is most likely in ) IPEs that assume a lack of operator actions to locally or remotely close the isolation valves if no containment isolation signal is provided. For example, the conditional probability ofisolation failure in the Diablo Canyon 1&2 IPE is about 0.1; this is primarily because little credit is taken for operator action to locally or remotely close the isolation valves. In the li.B. Robinson IPE, the probability of containment isolation failure is about 10% of the total j CDF.11ere, isolation failure is dominated by a plant damage state involving an SB0 followed by an RCP seal J LOCA with no injection, and a leakage path back through the containment spray lines. According to the H.B. Robinson submittal, this failure mode has a low release potential because of resistance and possible plugging of the spray nozzles and plate-out in the piping. No operator action to isolate the pathway is credited in the IPE. i

                                                                                                                           )

Pre-existing isolation failures could be expected to be more readily detected in the subatmospheric containments (i.e., these few PWR dry containments that are kept somewhat below atmospheric pressure).11owever, one of the largest i probabilities for isolation failure is found in the IPEs for Beaver Valley 1 and Beaver Valley 2, plants with subatmospheric containments. These probabilities are large because in these IPEs isolation failure always occurs for SBO sequences. Again, the IPE model does not take credit for operator actions to manually isolate the containment building for these sequences. liowever, since the leak area associated with this isolation failure is small, it does not significantly contribute to radionuclide releases. The same holds true in most IPEs where isolation failure has a significant probability. (The leak area associated with the failure is usually small; therefore, the failure does not contribute significantly to radionuclide releases.) One exception is the South Texas Project IPE. According to that submittal, the most important single cause oflarge early release given a core damage event is a large containment isolation failure. This includes failure to isolate the large supplemental purge penetrations in the unlikely event that a purge is in progress during the accident, and large undetected pre-existing leaks that have been introduced since the last integrated containment leak rate test. The IPEs for the plants with large dry or subatmospheric containments show that the probabilities for isolation failure vary from zero to about 0.1. Plant improvements to reduce isolation failure probability are discussed in most IPEs where the likelihood ofisolation failure was found to be relatively high. For instance, the Ginna IPE cited emphasis of operator training on manual closure of isolation valves upon failure of automatic isolation as an improvement. The IPE for the South Texas Project ne that one plant improvement, based on the early results from the IPE, was the changeover from motor-operated t a operated containment isolation valves in some containment penetrations. Big Rock Point is the only BWRplant that has a large dry containment. This containment is a large, steel sphere with a volume of 940,000 ft .3 The containment volume-to-thermal power (240 MWt) ratio for Big Rock Point 4-37 NUREG-1560, Draft

.- .. -. _ .- - . .. _ - --- - . - - ~ .- - [ i

4. Containment Performance Perspectives f

3 (about 4000 fl /MWt) is significantly greater than those of other plants that use large dry containments (about 3 1000 ft /MWt). , t 6 Big Rock Point uses an emergency condenser for decay heat removal. The containment management systems that can be used during accident conditions include an enclosure spray system and the containment isolation system. For [ this plant, the IPE considers an accident management strategy known as ' Fill-the-Ball'. This strategy is used to provide water to the containment for reactor heat removal in the event of a post-accident system failure. In this , strategy, water is continuously provided to the containment such that the lower portion of the reactor vessel is covered. Procedures directing the operators to fill the containment vessel with water are in place for this strategy. The containment failure probabilities for Big Rock Point are small, about 0.01 for containment bypass and about 0.05 i for early containment failure. The probability for no containment failure (with a radionuclide release that is less than . or equal to the containment design-basis leakage)is about 0.9. No late failures were found. The probability of early l containment failure includes 0.005 from containment isolation failure. Early structural failure primarily comes from l ATWS events with failure to inhibit the reactor depressurization system. Containment bypass failure primarily results from failure to isolate the main steam line in sequences involving spurious bypass valve opening or a steam line  ; break outside the containment. Although less important, ISLOCAs also contribute to containment bypass. The low initiator frequency for ISLOCAs, compared to that for spurious operation of the bypass valve, diminishes its importance for the containment bypass category. 4.3.2 PWR Ice Condenser Perspectives ' Table 4.12 lists nine PWR units (described in five IPE submittals) with ice condenser containments.  ! Tab e 4.12 Plants (per IPE submittal) in ice condenser containment group. t Catawba 1&2 DC Cook 1&2 McGuire 1&2 Sequoyah I&2 Watts Bar I l All of these plants use a Westinghouse four-loop reactor system design. Ice condenser containments have smaller volumes, as well as smaller volume-to-thermal power ratios than other PWR containments. Their containment i strength is also less than that of other types. To avoid excessive containment pressure, these pressure suppression j containments rely on the capability of the ice condenser system to absorb energy accidentally released from the  ! reactor coolant system. The ice condenser containment consists of an upper compartment, a lower companment, and { the ice condenser chamber through which blowdown steam is forced to pass during a LOCA. Similar to BWR Mark i Ill containments, ice condenser containments rely on glow plug igniters to burn off accumulating hydrogen during l a severe accident and thus prevent energetic hydrogen events.  : i 1 Seven of the nine ice condenser units have a cylindrical steel containment surrounded by a concrete secondary containment. The remaining two units (the D.C. Cook plants) feature reinforced concrete containments with steel l liners, and lack secondary containments. ' Figure 4.8 shows the failure probabilities for this group. Table 4.13 summarizes the findings. Among the five ice condenser IPE analyses, the most important causes of early containment failure are as follows: NUREG-1560, Draft 4 3g

1 1 l

4. Containment Performance Perspectives 1.0  !

0.9 - i = j 0.8 {  ; l 0.7 -  ! ] 0.6 i O.5 : ,, { 0.4 i a a o o 0.3 - -e . o o g,1 . . A

                                     &     &                                   A 0.0'                                 " ^                               I8                       "-

Bypass Enriyfailurs Latefailure Figure 4.8 Reported IPE CCFPs for PWR ice condenser containments. Table 4.13 Performance summary for FWR ice condenser containments. 1 Failure Failure mode Important design features, operator actions, Suggested plant mode importance and model assumptions improvements Early Unusually unimportant Causes vary among analyses: direct core debris failure for the plants in this impingement, DCil, rapid steam generation, and group hydrogen bums. Analysis assumptions conceming load magnitude play an important role isolation failures found to in the low probabilities found for car!y failures. be unimportant Also, the ice condenser is credited with considerable energy-absorbing ability in some of the analyses. Depressurization and deeply flooded cavities are also credited 4-39 NUREG-1560, Draft

1

                                                                                                                        )

4. Containment Performance Perspectives  !

Table 4.13 Performance summary for PWR ice condenser containments. Failure Failure mode Important design features, operator actions, Suggested plant ) mode importance and model assumptions improvements ) Bypass Significant when Because of the higher operating pressures in Procedural changes to compared to early PWRs, and the relatively large interface between cope with SGTR structural failure in these high and low pressure systems provided by the IPEs steam generators, the probability of containment Feedwater flow to faulted bypass is relatively large in these analyses steam generator maintained during SGTR Induced SGTR is a major contributor in one analysis because of the restart of the RCPs Additional procedural guidance on RCP restart Late Variable from The dominant late containment failure mode is Emphasis on increasing failure unimportant to more than overpressurization, which occurs when CHR is the likelihood of 50% likelihood lost maintaining a coolable debris bed Limited mission time is a principal reason for low failure probability in one analysis

• direct impingement of core debris on the containment in the seal table room a rapid steam generation, DCif, and hydrogen burns e overpressurization when C11R is not available Although the accident progression models in the majority of the ice condenserIPEs used data from the NUREG-1150 Sequoyah analysis, additional plant-specific models result in lower failure probabilities than those found in NUREG-Il50. The pritaary cause of late containment failure for these containments is found to be overpressure failure in the IPEs. Draining of the refueling water storage tank (RWST) into the failed vessel, and therefore the reactor cavity, with subsequent boil-oft and ice melt contributes to this failure mode. Containment bypass is dominated by ISLOCA and SGTR initiators, but one IPE found temperature-induced SGTR to be dominant because of the restart of the RCPs when inadequate core cooling conditions exist.

The principal causes of earlyfailure vary among the JPEsforplants with ice condenser containments. All five ice condenser submittals have small probabilities of early containment failure (excluding isolation failure). Although each ice condenser IPE evaluated the containment against similar challenges, the most important causes of early containment failure vary among the five ice condenser IPE analyses. Three somewhat different groups of mechanisms are identified as leading contributors to early failure:

• The leading cause of early containment failure in the Sequoyah and Watts Bar IPEs is direct impingement of core debris on the containment cylinder wall in the seal table room of the containment. In this scenario, core debris is swept out of the reactor cavity during an llPME and comes in contact with the containment boundary in the seal table room. Other important causes of early failure in these two IPEs are invessel steam explosion and llPME/ hydrogen burns at vessel breach.
• For Catawba and McGuire, principal contributors to early containment failure include rapid steam generation, DCif, and hydrogen burns. These two IPEs assumed that containment failure caused by the NUREG 1560, Draft 4 40

1

4. Containment Performance Perspectives DCli load is unlikely (only a 0.1 probability) if the ice condenser is available to absorb a significant amount of energy. Since the ice condenser is available in most of the sequences for these two IPEs, this assumption .

probably contributes to a significant reduction in the probability of HPME/DCil failure. { j l In the Cook IPE, the effect ofIIPME is considered for long-term sequence progression in terms ofits effect l on debris distribution. Early containment failures caused by DCli, steam explosion, and vessel blowdown thrust forces are discounted after brief discussions. Failure caused by hydrogen generation and combustion l is also found to be unlikely in the Cook IPE. Early containment failure for Cook is primarily attributed to containment overpressurization when CliR is not available. The early failure conditionalprobabilities for the Ice condenser JPEs are on average smaller than the values obtainedfor the large dry and subarmospheric IPEs. He conditional probabilities of isolation failure and early failure found in the IPEs for the ice condenser containments are, on average, smaller than the values obtained from the IPEs for plants with large dry and subatmospheric containments. His smaller failure probability far ice j condenser containments as a group is somewhat surprising. He containment volume-to-reactor thermal power ratios I for ice condenser containments are a factor of two to three less than those for large, dry containments and subatmospheric containments. He ultimate containment pressure capabilities for ice condenser containments are also , smaller than those for large dry and subatmospheric containments (80 psig versus 130 psig). No single reason for the lower (average) ice condenser failure probabilities is apparent from the JPE submittals. Modeling assumptions such as the availability of the ice condenser and its availability to absorb the energy produced by phenomena like DCil play a role and are discussed below. liowever, it must also be remembered that there are only 5 IPEs for ice condenser plants, a relatively small sample, while there are 45 IPEs for plants with either large, dry or subatmospheric containments. Herefore, much greater variation exists in the likelihood of early failure in this larger group. Depressurl:ation before vessel breach and aflooded reactor cavity reduce the Ilkelihood ofearlyfailure in the JPE models. One way to reduce the threat of early containment failure is to depressurize the RCS before vessel breach. He effective mechanisms for RCS depressurization include temperature-induced hot leg or surge line failure, temperature-induced failure of the RCP seals, and the sticking open or deliberate opening of the power operated relief valves (PORVs). Successful RCS depressurization may allow the LPI system to inject to the RCS and thus avoid vessel breach, or eliminate the challenges associated with IIPME if vessel breach is not avoided. These depressurization mechanisms are considered in all IPEs except the D.C. Cook I&2 IPE, in which the loading conditions associated with ilPME are notjudged to be major concerns. Another factor that may limit the probability of early containment failure is the high likelihood of a deeply flooded reactor cavity. The presence of a large amount of water inhibits the dispersal of debris from the cavity and thus lowers the threat from DCH at vessel breach. This factor is also considered in the IPEs. He D.C. Cook 1&2 IPE mentions additional operator training on the importance of a wet reactor cavity, emphasizing maximum injection from the RWST before switchover to recirculation. While water in the cavity increases the possibility of an exvessel steam explosion, the IPEs deem this to be a minor threat. Although some of the Ice condenser JPEs include much datafrom the NUREG-ilSO Sequoyah analysis, their earlyfailure probabilities are less than the NUREG-IISO valuefor Sequoyah. The lPEs for Sequoyah 1&2 and Watts Bar are similar. Both were prepared by the Tennessee Valley Authority (TVA). While most of the data used in these two IPEs are derived from those presented in the NUREG-il50 analysis for Sequoyah, the early failure probabilities in the Sequoyah I&2 and Watts Bar IPEs are less than that obtained in NUREG-IISO for Sequoyah. He reasons for this are not apparent from the IPE submittals; however, some data are based on plant-specific 4-41 NUREG-1560, Draft

4. Containment Performance Perspectives calculations. Besides containment loading phenomena, the containment pressure capabilities used in the two IPEs are also different (i.e., greater than those used in NUREG-1150).

Another factor that affects containment failure probabilities is the type of core damage sequences previously obtained. One significant difference is the inclusion of the loss of support system initiators in both the Sequoyah 1&2 and Watts Bar IPEs. The data presented in the IPEs show that the combination of transient and loss-of-support-system initiated events contributes more significantly to the total CDF for the IPEs (0.7 for Sequoyah I&2 and 0.3 for Watts Bar) than for NUREG-ll50 (0.04). Since, NUREG-ll50 results indicate that an early containment failure is less likely for transient sequencesthan for other sequences,the smaller early containment failure probabilities for the IPEs may be partially attributed to the greater fractions of sequences initiated by plant transient or loss of support system initiators. Furthermore, a review of the IPE submittals shows that while the pressure increase at vessel breach is primarily based on the NUREG-Il50 data, the baseline pressures immediately before vessel breach are obtained in the IPEs from MAAP analyses and are smaller than those used in NUREG-l l50. Combined with the greater containment pressure capabilities, this leads to smaller containment failure probabilities from the phenomena associated with HPME. Besides the containment baseline pressure, the data used in the IPEs for the calculation of debris impingement, the dominant early failure mode, are based on NUREG-1150 data and should not cause significantly different results. The IPEs for Catawba 1&2 and McGuire 1&2 are also very similar. Both were prepared by the Duke Power Company. Although the CET structures and the quantification processes for the CETs are similar, the conditional probabilities of early containment failure obtained from the quantification are different. This difference may be attributed to the much higher loss of offsite power and thus SBO, probability for McGuire 1&2. Although the total CDFs are similar for the two plants (about 4E-5), the contribution to the total CDF from loss of offsite power is more than 25% for McGuire 1&2 and less than 5% for Catawba 1&2. The quantification methods used in the McGuire 1&2 and Catawba 1&2 IPEs are different from those used in the Sequoyah 1&2 and Watts Bar IPEs (and therefore in NUREG-ll50). The probability of containment failure from direct contact of core debris seems to be less likely in these IPEs than in some others. According to the McGuire 1&2 and Catawba 1&2 IPEs, this failure mode occurs only if there is a sufficient amount ofcorium making contact with the containment wall; even if this condition is met, there is a 0.1 probability that the containment will not fail. The likelihood of this condition depends on the configuration of the reactor cavity and the obstructions in the corium flow path. It is assumed in these IPEs that the cavity geometry is "likely"to limit the amount of corium reaching the seal table such that this failure mode will not occur. Therefore,the probabilities of containment failure frem debris impingement obtained in the two IPEs seem to be smaller than those obtained in the Sequoyah 1&2 and Watts Bar IPEs that used NUREG 1150 data for this failure mode. The probability values used in the Catawba 1&2 and McGuire 1&2 IPEs for RCS depressurization may also be higher than those used in other analyses. In addition to the usual depressurization mechanism considered, these IPEs included depressurization by the operators using steam generator PORVs. The probability of RCS depressurization caused by temperature-induced hot leg or surge line failure is considered to be "likely" in the IPEs. Additionally, the application of this depressurization mechanism seems to be less restrictive than in some other analyses. The probability of operator depressurization using the pressurizer PORVs also seems to be more likely and less restrictive in these IPEs.  ; l According to the Catawba 1&2 and McGuire 1&2 IPEs, the probability values used for containment failure from I DCH are primarily based on the pressure load developed in NUREG-1150. However,it is assumed in the IPEs that NUREG 1560, Draft 4 42

4. Containment Performance Perspectives there is a probability of 0.9 that the containment will remain intact in a DCH event if ice is available in the ice condenser. This may cause a lower probability of DCH failure in these IPEs than in NUREG-Il50. In addition,  !

invessel steam explosions (alpha mode) are not considered in the Catawba 1&2 and McGuire 1&2 IPEs as a potential failure mode. According to the Catawba 1&2 IPE, hydrogen burns are the primary cause of early containment failure, and events which result in the loss of all ac power dominate this containment failure mode. The high reliability assigned to the hydrogen igniter system, because it can be powered by either olTsite or onsite emergency power, is an imponant factor in keeping the probability of containment failure low. The possibility of providing power to the igniters from another independent source of AC power, the safe shutdown facility onsite, is being l investigated at Catawba. The treatment of the accident progression analysis in the Cook 1&2 IPE is significantly different from that in the other ice condenser JPEs. The CET used in the Cook I&2 IPE is small, having only eight top events. The l quantification process is also significantly different. The CET quantification assigns each core damage sequence to a particular CET end state. Since DCH, steam explosion, vessei utrust force, and hydrogen combustion are assumed in the Cook 1&2 IPE as not likely to cause containment failures, they are not included in the quantification of containment performance. The IPE states that providing additional back up power to the hydrogen igniters would not noticeably decrease containment failure at Cook. Containment failure is primarily caused by overpressurization l associated with steaming and/or generation of noncondensible gases.  ; 1 The dominant late containmentfailure modefound in the ice condenser JPEs is overpressurl:ation when CllR \ is lost. The containment phenomena that may cause late containment failures as described in NUREG-1335 ir ' de (1) overpressurization with high temperatures due to noncondensible gases and steam or due to combustion pr< eses and (2) containment basemat melt-through due to basemat penetration by core debris. The results of the IPEs show that the dominant late containment failure mode is containment overpressurization, which occurs when CHR capability is lost. One factor that contributes to the high probability of this failure mode is the draining of the RWST l following reactor vessel failure. According to the IPEs, the RWST water is likely to drain into the failed vessel and thereby into the reactor cavity afler vessel failure, if it has not been injected before vessel failure. The subsequent boiloff of the water leads to ice melt and eventual containment overpressurization. The probabilities of late containment failure reported in the IPEs for the five ice condenser containments vary significantly. The extremely low failure probability for Cook is due to the use of a 48-hour " mission time" for the accident progression analysis. This means that the IPE containment performance analysis is carried out for an accident progression of 48 hours. If the containment did not fail in the first 48 hours, no containment failure is reported. Dismissal of molten core-concrete attack as a containment failure mechanism in the Cook 1&2 IPE is a result of the assumption of the 48-hour cutoff for containment evaluation. It is assumed in the IPE that this time is sufficient to take action to stop further concrete erosion. Isolationfailures are smallfor most of the ice condenser IPEs. With the exception o( Watts Bar, the probabilities ofisolation failure obtained in the IPEs are in general small. The Catawba 1&2 IPE mentions a procedure change to more clearly establish the priority of isolation pathways which must be manually isolated. According to the Watts Bar IPE, the total isolation failure probability obtained from the CDF analysis is about 5 percent of total CDF. The dominant sequence in the plant damage state group that contributes significantly to isolation failure is an SBO sequence in which the operator fails to isolate the contairiment by failing to close the seal cooling return line after a seal LOCA has developed. in the Watts Bar IPE, part of the isolation failure is binned to a bypass plant damage state in the accident progression analysis. 4-43 NUREG-1560, Draft

l

4. Containment Performance Perspectives ISLOCA and SGTR (as an initiator) are the major bypass contributors. In one IPE InducedSGTR dominates.

Containment bypass failures include those from ISLOCAs, SGTRs, or temperature-inducedSGTRs. For the various containment bypass modes, ISLOCA and SGTR are determined in the CDF analyses, and temperature-inducedSGTR is an accident progression phenomenon. In all five IPEs, SGTR is the major contributor to the bypass category from the CDF analysis. Some IPEs (D.C. Cook I&2 for instance) investigated procedural changes to maintain feedwater flow to the faulted steam generator during an SGTR event to reduce releases through a stuck-open safety valve or PORV.

                                                                                                                        )
                                                                                                                        ]

l Temperature-induced SGTR occurs if one or more SGTR tubes have a creep rupture due to the flow of high temperature gases from the core to the steam generators when the RCS is at high-pressure. In NUREG-IISO it was assumed that an induced hot leg or surge line break is much more likely than an induced SGTR if such high temperature conditions exist. Consequently, the probability of induced SGTR was assigned a low probability in NUREG-1150. Considerations similar to that used in NUREG 1150 are used in most of the IPEs and, as a result, the contribution from induced SGTR is not significant in the ice condenser plants except for McGuire l&2 , where the majority of containment bypass is due to temperature-induced SGTR. This high probability for McGuire 1&2 is due to the restart (per procedures) of the RCPs when inadequate core cooling conditions exist. The probability of induced SGTR is assumed to be significantly higher after RCP restarts due to the transport of the hot gases from the core region to the steam generator by forced circulation. Additional procedural guidance, permitting a pump startup only when the steam generator tubes are covered,is recommended in the McGuire I&2 IPE to climinate this concern. Induced SGTR is not considered in the Cook 1&2 IPE. The treatment ofinduced SGTR in the other IPEs is similar to that in NUREG-1150. 4.4 Radionuclide Release Perspectives It is useful to review the results presented in the IPE submittals regarding radionuclide release, especially early release. Perspectives on the reported IPE early release results are provided below. Chapter 12 discusses the releases calculated in the IPEs in more detail. Following the usual convention, the source term which defines the severity of radionuclide release is expressed in the IPEs in terms of the fractions of the radionuclides released to the environment to their total inventories initially in the reactor system. These release fractions are predicted in the majority ofIPEs using either the MAAP com;suter code or the parametric source term prediction code developed in NUREG-ll50. In some IPEs, results from the calculations of both codes (i.e., MAAP or parametric source term) are presented. Early release is of particular concern because of the potential for severe consequences due to the short time allowed for radioa:tivity decay and natural deposition, as well as for accident response actions such as evacuation of the population in the vicinity of the plant. Not all earlyfallures Icad to significant release. The containment failure modes that result in an early release of radionuclides to the environment are containment bypass, isolation failure, and early containment structural failure. In BWR pressure suppression containments early containment venting could also lead to an early release. Not all early failures lead to a significant release, since the amount of the release depends on the failure size as well as the removal or " scrubbing"(if any) of some of the radionuclides within the containment that is assumed to take place. l What is considered to be a significant release varies among the IPEs. In many IPEs significant releases includes those release cases that involve a release fraction of volatile radionuclides equal to or greater than 0.1 (i.e., the release fraction of either the iodine and or cesium group is greater than 0.1 of core inventory). This definition can be used to screen the results reported in most of the IPE submittals, and is used for purposes of the discussion in this section, and the additional information on releases presented in Chapter 12. However, in some IPEs release NUREG-1560, Draft 4 44

4. Containment Performance Perspectives fractions are predicted to be below 0.1 for all containment failure modes. Since there are considerable uncertainties in source term predictions, it seems inappropriate to characterizethese IPEs as having zero significant early release.

Instead, for these IPEs the probability of containment bypass and the part of early failure that involves a large failure { size is used as the probability of early release in the discussion below. Figure 4.9 shows the conditional probability for significant early release of radionuclides by containment type as reported in the IPEs. The reporting of release results in the IPEs varied in the type and detail of the information provided so that in some cases the results discussed below have had to be inferred or estimated. 1.0 I

   .S! a9 -

2 h a8 2

   't c E7 -

0 a

   ~c a6-
   .9 e

o a5-g AA 5R4 m

   .o ka3:                     ,,                                                             &

h

                                                                                                                           ^

c& c at o W" J a

                                                                    'A                                 ,                   1 i

l O AAg ' l l AA AAA A,&

                                                                  " ^ ^

E0 22 _ 1^1^ 1.airgedy& Ice Mirki Mark ll MakRI Simiuiuegiamic Cardnier Figure 4.9 Reponed IPE conditional probabilities of significant early release by containment type. Among the BWR plants with pressure suppression containments, those with Mark I containments show the largest variation in the probability and frequency of significant early release reponed in the IPEs. As indicated in Figure 4.9, the conditional probability for significant early release reported in the IPEs for Mark I containments varies from less than 0.01 to about 0.5. As discussed above, for some IPEs, even the most severe release sequences

are predicted to have release fractions of I and Cs less than 0.1. For example,in the Brunswick IPE, the release i fractions for I and Cs are predicted to be less than 0.01 for early containment failure and close to, but still less than 0.1 for bypass releases. The small release fraction for Brunswick is partly due to the use of a concrete structure for the containment. According to the Brunswick IPE, leakage through the cracks of the concrete walls is the most likely containment failure mode and the release associated with this containment failure mode is small. In Figure 4.9, only the probability of bypass is used for significant early release for Brunswick. Consequently, Brunswick has the lowest 4-45 NUREG-1560, Draft

4. Containment Performance Perspectives probability value for significant early release among the Mark I containments. On the other hand, Browns Ferry and I Fitzpatrick have the highest probability values (nearly 0.5) for significant early releases. The primary contributor l to significant early release for these two plants is shell melt-through. The probability of significant early release for l I

other Mark I plants is equal to or less than 0.2. l l l With the exception of one Mark Iplant, thefrequency of significant early release reportedfor B HRplants is less than IE-5/ry. The frequency of significant early release reported for Mark I plants varies from less than IE-8/ry to 2E-5/ry. The highest frequency for significant early release is from the Browns Ferry IPE, due to a combination of high conditional probability and high CDF. It should be noted that the original Unit 2 Browns Ferry IPE has been updated by the licensee to a multi-unit analysis, but no accident progression analysis was carried out for the update. l so the results shown are from the original submittal. Except for Browns Ferry, the frequencies of significant early release for all other Mark i IPEs are less than IE-5/ry. l l For Mark 11 containments Figure 4.9 shows that the conditional probability for a significant early release varies from less than 0.01 for Limerick I&2 to about 0.3 for WNP2. According to the WNP2 IPE, the three dominant source term categories have release fractions for volatile radionuclides greater than 0.1. It should be noted, however, that although these three release classes are defined as occurring with early failure in the IPE, containment failure and radionuclide release occurs at more than 15 hours after accident initiation. For the LaSalle 1&2 IPE the probability I of large containment failure at vessel breach is used as the significant early release probability in Figure 4.9. The frequencies of significant early release reported for Mark 11 containments vary from less than 3E-8/ry for Limerick 1&2 to about SE-6/ry for WNP2. l Figure 4.9 shows that the conditional probabilities reported in the IPEs for Mark Ill containments for significant early l release approximately range over an order of magnitude. The highest value,0.1, is reported for River Bend where the data presented in Figure 4.9 for significant early release includes the early failure cases with large failure size (i.e., containment dome or anchor failure) since the IPE does not report any I or Cs release fractions greater than 0.1. The conditional probabilities of significant early release reported in the other Mark 111 IPEs are about an order of magnitude lower than River Bend. The frequenciesof significant early release vary from about 2E-7/ry for Peny to about 2E-6/ry for River Bend. The iPE results show thatfor PH Rplants, containment bypass sequences, usually dominated by SGTR sequences, are important contributors to total early as wellas significant early radionuclide release. As discussed above, not all early failures involve significant releases. Isolation failure for some of the IPEs involves only a small leak area, and consequently, results in only small releases and consequences. For instance, the isolation failures reponed for Beaver Valley I and Beaver Valley 2 have high conditional probabilities, but involve only small leak areas, and consequently, result in only small releases and consequences. Even for some of the bypass cases reported in the IPEs, the release point may be submerged under water and the release is thus scrubbed. In SGTR sequences, radionuclide release is more significant if the safety valves or the atmospheric dump valves in the steam line of the faulted steam generator are stuck open rather than cycling. Furthermore, the operation of containment sprays will attenuate radionuclides released to the containment atmosphere and greatly reduce the source term. Figure 4.9 shows that the conditional probabilities of significant release reponed for large dry and subatmospheric containments in the IPEs range over an order of magnitude. Since containment bypass usually causes high releases, the IPEs that have high probabilities of significant early release are those that have high probabilities of containment bypass. For example, the probabilities of significant early release are about 0.1 for St. Lucie Units 1&2, and about 0.3 for Ginna and Zion 1&2. The smallest early release probability is reponed in the Wolf Creek IPE submittal, where the probability of bypass is low and the probability of early failure is assumed to be zero. It should be noted NUREG-1560, Draft 4 46

4. Containment Performance Perspectives that since the frequencies for the release categories are not provided in the Beaver Valley I and Beaver Valley 2 IPEs, the conditional probabilities for Release Type I (for large early containment failures and bypass) are used in Figure 4.9.

Release Type I has a conditional probability of about 0.05 for Beaver Valley Units I and 2. According to these IPEs, Type I release involves scenarios that would result in potentially life-threatening doses in the same time frame as needed to implement protective actions like sheltering or evacuation. For Release Type I, over 80% is due to containment failure at vessel breach caused by containment loads from a HPME event, about 10% is due to bypass, and 5% due to alpha mode failure. SGTR is categorized in the Beaver Valley IPEs as Release Type 11, i.e., small early containment failures or bypasses. Since the release fractions for volatile radionuclides for SGTR events are l usually greater than 10%, if SGTR sequences are considered as resulting in significant early releases,the conditional probabilities for significant early release for Beaver Valley I and Beaver Valley 2 are increased by about 0.05. The frequencies of significant early release reported in the IPEs for large dry and subatmospheric containments vary from lE-8/ry to about 2E-5/ry. Figure 4.9 also shows the conditional probabilities of significant early release reported in the IPEs of PWR plants with ice condenser containments. According to the Catawba 1&2 and the McGuire 1&2 IPEs, only bypass sequences satisfy this criterion, and the probability of significant early release is that of containment bypass. For Cook 1&2, j the probability of significant early release is about 0.05, with about equal contributions from containment bypass and { early containment failure. The probability values use in Figure 4.9 for Sequoyah !&2 and Watts Bar are not ' consistent with the large early failure category defined in the IPEs. In the Sequoyah I&2 and the Watts Bar IPEs, Release Category I is defined as encompassing large early containment failure and large bypasses. However, the release fractions for volatile radionuclides obtained by MAAP calculations for this category are smaller than those for Category II, defined in the IPE as encompassing small, early containment failures and small bypasses. For example, the release fraction for iodine is about 0.05 for Category I and 0.2 for Category 11. This is because in the Sequoyah 1&2 and Watts Bar IPEs, Category 11 is primarily due to containment bypass. To be consistent with the l definition used in this report, the probabilities in Category 11 are used in Figure 4.9 as the probabilities of significant

                                                                                                                              ]

l carly release for Sequoyah l&2 and Watts Bar. The frequencies reported for significant early release in the IPEs for the plants with ice condenser containments vary from less than IE-7/yr to SE-6/yr for the five IPEs. 1 i I i J 4-47 NUREG-1560, Draft

5. HUMAN ACTION PERSPECTIVES An important aspect of the Individual Plant Examination (IPE) program, as described in Generic l_etter (GL) 88-20, is to identify human actions important to severe accident prevention and mitigation. In this context, the human reliability analysis (IIRA) is expected to be a critical component of the probabilistic risk assessments (PRAs) for the IPEs. The determination and selection of human actions for incorporation into the event and fault tree models and the quantification of their failure probabilities can have an important impact on the resulting estimates of core damage frequency (CDF). Not surprisingly, results from the submittals indicated not only that human error can be a significant contributor to CDF, but that correct human action can substantially reduce the overall CDF.

The purpose of this chapter is to summarize the human actions important in the IPEs and to address the degree of variability in the results of the liras across the different IPEs. Of panicular concern is the degree of variability in the quantification of similar human actions across different plants. The degree of variability is important because of the potential impact human error probabilities (HEPs) can have on which human actions and accident sequences are found to be important. After discussing the human actions important for boiling water reactors (BWRs) and pressurized water reactors (PWRs), this chapter addresses some of the potential causes for variability in HRA results, and examines the extent to which variability in HEPs across different plants appears reasonable. In the process ofidentifying the important human actions from the submittals, the staff found that both the methods used to identify important human actions and their documentation are inconsistent across the IPEs. For exa nple, j some licensees used Fussel-Vesely or similar measures to identify important actions, while others used a sensitivity analysis in which all llEPs less than 0.1 were set to 0.1 and the sequences were requantified. Selected human actions were then systematically restored to their original values and reductions in CDF were examined to determine which actions have the greatest impact. Still other licensees identified the human actions that reduce CDF by an order of magnitude and reported these as the important human actions. In some cases, licensees reported the percent contribution to core damage, while in others cases, licensees presented risk achievement worth or risk reduction values. In some instances, licensees provided a list of important human actions, but did not discuss the basis for the list. Nevertheless, most licensees attempted to provide some indication of which actions are impartant. 5.1 Important Human Actions for BWRs This section identifies and summarizes the human actions important in a relatively high percentage of BWR IPE submittals. The staff then provides perspectives regarding the impact of specific plant classes and unique plant designs and characteristics on the importance of human actions. 5.1.1 Human Actions Generally Important for BWRs Table 5.1 lists the most important human actions identified in the staff's review of all 27 BWR IPE submittals l (covering 35 units), along with the percentage of all BWR IPEs finding the action important, and the percentage of IPEs finding the action important as a function of BWR class. Of the 27 submittals reviewed, five are in the BWR 1/2/3 class (covering six units),15 are in the BWR 3/4 class (covering 21 units), and seven are in the BWR 5/6 class (covering eight units). t 5-1 NUREG-1560, Draft i

1 5, Human Action Perspectives Table 5.1 Important human actions ard percentage of BWR IPEs finding the action important. Percentage of BWR IPEs finding the action important important human actions All BWR IPEs BWR 1/2/3s BWR 3/4s B W R 5/6s Perform manual depressurization ~80% -80% -80% -60% Containment venting ~55% -35% ~60% ~60% Align containment or suppression ~55% -70% ~50% -50% pool cooling Initiate standby liquid control ~50% ~70% -50% -40% (SLC) Level control in anticipated ~25% -50% -30% 0% transient without scram (ATWS) I Align / initiate attemative injection -25% -30% ~30% -15% Recover ultimate heat sink ~20% -20% ~20% -25% Inhibit automatic depressurization ~20% ~20% ~20% -25% system (ADS) Miscalibrate pressure switches -15% ~20% -15% -10% ) Initiate isolation condenser N/A -85% N/A N/A Control feedwater events (e.g., ~15% -15% ~20% -15%  ; loss of instrument air) Manually initiate core spray or -15% ~20% -20% 0% l other low-pressure system  ! Miscalibrate low-pressure core ~10% ~20% -15% 0% spray permissive Provide attemative room cooling ~10% 0% -5% ~25% (in the event of a loss of heating, ventilation, and air conditioning (ilVAC) Recover injection systems -10% 0% ~15% -15% NUREG-1560, Drafl 5-2 i

5. liuman Action Perspectives Only afew specific human actions are regularlyfound to be important across allthe BWR IPEs. That is, while many different events are indicated as being imponant, relatively few are important to most of the IPEs. Thus, the staff attempted to group the operator actions according to the funct:oc to be accomplished. For example, events related to aligning an alternative injection source during transients, loss of coolant accidents (LOCAs), and station blackouts (SBOs) are considered important to several licensees. Even though the alternative systems used ranged from firewater to suppression pool cleanup, the function accomplished by performing the action is similar. In order to help capture the general types of events that are important to BWRs, the staff grouped these actions with similar functions and presented them in Table 5.1 along with other imponant individual operator actions.

Afanual depressuri:.ation of the ressef* so that low-pressure injection systems can be used after a loss or unavailability of high-pressure injection systems is important in most BWR IPE submittals. This action is panicularly important in some plants for long-term SBO sequences where depressurization is required to allow injection from firewater systems, after loss of steam-driven systems such as reactor core isolation cooling (RCIC). This human action is important largely because of the fact that most plant operators are directed to inhibit automatic actuation of the ADS by the plant emergency operating procedures (EOPs). Thus, operators must manually depressurize the vessel when injection from low-pressure systems is required to cool the core. The percentage of total CDF accounted for by cutsets including this event ranged from one percent to 44%. While human actions related to an ATWS arefrequently found in the licensees' lists of the top ten important events, the contribution of ATWS events to overall CDFis usually relatively small. The human action to inhibit the ADS is imponant in the ATWS sequences of several submittals. In fact, some licensees assume that because of the instabilities created under low-pressure conditions during an ATWS, core damage will occur if the operators fail to inhibit the ADS. Given this position, it is somewhat surprising to find that only ~20% of the BWR licensees identify inhibition of the ADS as being important. The low percentage results in pan from how licensees model ADS inhibition. Many licensees assume that failure to perform this action has a very low probability, or they do , not model it at all. Other licensees model the failure to inhibit the ADS as resulting in core damage only ifit occurs ) in conjunction with a second failure (e.g., failure of SLC or failure of low-pressure injection flow control). Such a model can reduce the importance of this type of accident sequence and thus the importance of the related human errors. The remaining licensees model the failure to inhibit the ADS during an ATWS as directly resulting in core damage. This human error is noted as being important for approximately 50% of the licensees that model ADS inhibition in any fashion. Two other ATWS-related events are found to be important by several licensees. The operator action to initiate boron injection during an ATWS is important in ~50% of the BWRs, and ~25% identify level control as being important. As with ADS inhibition, the modeling of these events panially impacts their imponance to core damage. For example, some licensees model early initiation of SLC, while others consider both early and late initiation times. The initiation times (important in calculating the llEPs) are based on avoiding adverse conditions, such as , high suppression pool temperatures, and are somewhat variable (ranging from one minute to 45 minutes). Some licensees take credit for alternative means of injecting boron, while others take credit for level control as a means of reducing core power to acceptable levels following SLC failure. All of these variables can contribute to the importance of the failure to manually initiate SLC Modeling of level control is highly variable, with several l different factors influencing the modeling. Whether these actions are important for panicular licensees is, to some l extent, a function of the contribution of the ATWS sequences to overall CDF. The contribution of these events to CDF is usually in the range of 1 percent to 3 percent. J "Section 5.3 discusses the variability in liEPs for this event across the BWR IPEs. 5-3 NUREG-1560, Draft

3 1 l l l S. Iluman Action Perspectives ' Many licensees identify human actions related to decay heat removal as being imponant. Two of the most frequently identified important actions in BWRs relate to decay heat removal (DlIR) sequences in transients and LOCAs. With a loss of the power conversion system and safety relief valves (SRVs) open, containment temperature and pressure must be controlled. The actions to provide some form of containment or suppression pool cooling, j or to vent containment when adequate cooling can not be provided, are important in more than 50% of the IPE  : submittals. Plant characteristics and modeling differences are important factors in determining the impact of these human actions. Plants require DliR actuation before adverse conditions are reached. These conditions can range from reaching a high suppression pool temperature that results in a loss of emergency core coolant system (ECCS) pumps, to reaching a high containment pressure that results in closure of SRVs that are required to remain open to maintain the vessel at low-pressure (for coolant injection from low-pressure systems). liowever, some licensees did not model the failure of DliR as leading to a failure in the ability to inject water into the vessel from the ECCS or from alternative injection systems. In addition, some licensees identified the steam released following containment failure as having a negative impact on the operability of injection systems. In addition, some licensees do not model venting at all. They either do not have reliable venting systems, do not have a strong need to vent, or simply do not take credit for venting. The contribution from these events to CDF generally ranges from 1 percent to 5 percent, with one licensee indicating a 12% contribution. Recovery of service water or some other ultimate heat sink is imponant in approximately 20% of the BWRs reviewed by the staff. The importance of cooling water systems is variable because of the wide spectrum of cooling water systems that are available in the plants. The need to recover such systems is dependent on the cooling requirements of mitigating equipment and the time before it fails upon loss of cooling. When found to be important, these events are usually relevant to multiple classes of accident sequences. In general, the data provided on these events is insufficient to assess their contribution to CDF. Alignment / initiation of an alternative coolant injection source is imponant. This action is important in approximately 25% of the submittals reviewed. The need for an alternative injection system is relevant to loss of DilR and injection sequences (primarily where all normal low- and high-pressure systems are lost). Different plants have different sources for alternative injection, including service water (SW), firewater, the control rod drive (CRD), a unique standby feedwater system, a safe shutdown makeup pump, feed booster pumps, and suppression pool cleanup. Some licensees credit alternative high-pressure injection systems such as the CRD, but most only credit low-pressure systems such as SW. In addition, alternative injection systems are generally credited only in long-term scenarios when sufficient time is available to perform required alignments or when the required coolant injection flow is within the injection system capacity.110 wever, some licensees credit alternative systems in short-term scenarios when the capacities are within makeup requirements and when the alignment is proceduralized and can be accomplished from the control room. CDF contribution for these events ranges from 1 percent to 4 percent. Pre-initiator human actions were imponant in some submittals. Miscalibration oivarious instruments is important in approximately 20% of the BWRs reviewed. Moreover, ~15 percent of the licensees note the importance of failures to restore certain systems after testing or maintenance. The most important events related to instrumentation miscalibration (or failure to restore instruments after testing) involve the calibration of various pressure' switches. Examples include miscalibration of the vessel low-pressure permissive required to open the low-pressure core spray and low-pressure coolant injection valves (noted by - 11 % of the licensees) and miscalibration of pressure switches that allow automatic initiation of an isolation condenser. CDF contribution for these types of events is found to be as high as 6% in several cases. Failure to restore critical systems includes events such as failure to correctly align SLC valves after testing, failure to restore SW after test, and failure to restore high-pressure core spray (HPCS) NUREG-1560, Drafi 5-4

j

5. liuman Action Perspectives after testing or maintenance. The fact that these events are not important for more licensees may be attributable in part to the apparent failure of some licensees to model pre-initiator events. Another factor may be the assignment of either unrealistically low or unrealistically high HEP values for these events. Finally, modeling considerations i

also impact the importance of some of these events. In spite of the importance of pre-initiator events in some instances, there is no evidence that such events are major drivers in determining overall CDF. 5.1.2 Relationship Between BWR Class and Important Human Actions Table 5.1 presents the percentage of the different classes of BWRs for which a panicular human action is found to be important as a result of the licensees' IPEs. The reason for extracting this information is to assess whether any interesting relationships exist between the classes of BWRs and the events found to be imponant (that is, whether certain events are be important for some classes of plants but not others). A review of Table 5.1 suggests several instances in which the importance of particular events may be related to BWR class. However, most of the differences in the human error listing by BWR class are believed to relate to modeling or plant-specific differences , rather than to differences in general BWR vintage designs. Potential relationships are discussed in Chapter 13.  ! 5.1.3 Human Actions important at Selected BWRs Table 5.2 lists human actions identified as being important for a single plant or because they apparently relate to s unique plant design or characteristic. A discussion of several of these human actions and why they are unique to a given plant is presented following the table. Table 5.2 Human actions important at selected BWR plants. Plants ilumen action Big Rock Point, BWR1 Post-incident tecirculation (switchover to recirculation) Big Rock Point, BWRI Tripping of condensate pumps on low hotwell level (prevents loss of pumps) Big Rock Point, BWRI Alignment of firewater system for makeup to the hotwell (refill of hotwell permits continued use of condensate and feedwater as injection source) Nine Mile Point I, BWR2, MKI Recovery of screen house intake (loss of lake intake) Nine Mile Point 1. BWR2, MKI DC load shedding (abo see Clinton) Nine Mile Point 1, BWR2, MKI Load shedding emergency diesel given LOCA conditions and SBO Millstone, BWR3, MK1 Initiation ofisolation condenser before SRVs open following SBO (avoids i problems with stuck-open relief valves (SORVs)  ! Monticello, BWR3, MKI Alignment of bottled nitrogen to SRVs or restoration of MCC41 on loss of ofTsite , power (LOOP) l Pilgrim, BWR3, MKI With both DC buses lost, if operator follows the loss of DC power procedure, both feed pumps will be lost 5-5 NUREG-1560, Draft

I

5. Human Action Perspectives Table 5.2 Iluman actions important at selected BWR plants.

Plants Human action Pilgrim, BWR3, MKI 4160-bus breaker maintenance errors would prevent breakers from changing state, resulting in loss of feedwater, low-pressure injection DilR, etc. Quad Cities IM, BWR3, MKI Initiation of safe shutdown makeup pump - serves as a backup to RCIC for fire scenarios and can be used as an alternative injection source with suction from the condensate storage tank (CST) or firewater syst.m (has redundant electrical supplies from each unit) Fermi 2, BWR4, MKI Manual initiation of unique standby feedwater system Perry, BWR6, MKIII Alignment of feed booster pump or suppression pool cleanup for altemative injection Perry, BWR6, MKIII Reopening of motor feed pump control valves and manually depressurizing injection during ATWS, possibly using condensate from the condenser hotwell (did not take credit for HPCS) Clinton, BWR6, MKIII DC load shedding (also see Nine Mile Point 1) River Bend, BWR6, MKI Operator starts standby cooling tower fans T Millstone 1 is the only isolation condenser (IC) plant where manual actuation of the IC before SRVs open is identified as a human failure event. Successful IC actuation before SRV opening eliminates the potential for SORVs that defeat the use ofICs by requiring a source of coolant injection and by requiring cooling of the suppression pool. Automatic actuation of the IC is also modeled and occurs at a setpoint below the first SRV setpoint. It appears that licensees with other IC plants do not model manual actuation. There is no apparent reason why modeling of this human action is unique to Millstone 1 and why it would not apply to other IC plants. By taking credit for this action, the licensee for Millstone I may effectively reduce the occurrence of transients with SORVs for which the ICs can not be used for mitigation. Big Rock Point is the only BWR 1 currently being operated in the United States. The plant has unique features that require modeling of at least one hmnan error that applies only to that plant. Big Rock Point is like a PWR in that it is housed in a dry containment and, during a LOCA, it requires a switchover from a coolant injection mode to a coolant recirculation mode. Decay heat removal is provided in the recirculation mode by passing the recirculated coolant through a heat exchanger, Failure to perform the switchover to recirculation is modeled as a human error that eventually results in continued injection from exterior sources. Eventually, injection from exterior sources must be terminated to prevent containment failure from high static heads of water. The licensee for Big Rock Point also takes credit for condensate injection for some LOCAs, as do other plants. Ilowever, the licensee for Big Rock Point is the only plant where the licensee identifies a human error in the failure to prevent cycling of the condensate pump breaker caused by condenser hotwell level signals. These signals are generated as the hotwell level is replenished by firewater and subsequently drained again by the condensate pump. This cycling is assumed to lead to failure of the breaker and loss of condensate and can be prevented by the operator tripping the pump on low hotwell level. This failure mode is not believed to be unique to Big Rock Point and could be modeled by other plant licensees. 1 l NUREG-1560, Draft 5-6

  - . - ._. -                  -. _- .               -~. . _ - . _ . . - - . .                   . -     . - -      .       -     -. -      -

5. Human Action Perspectives As shown in Table 5.2, many of the remaining human actions relate to either load shedding or actuation of alternative injection systems. These actions apply to most plants; however, design and procedures are plant specific.

For example, de actions required to initiate the alternative systems, the time available to perform the actions, and the circumstances in which the systems can be used are all plant specific. Therefore, the importance of these human errors varies among the different IPEs. 5.2 Important Human Actions for PWRs his section identifles and summarizes the human actions important in a relatively high percentage of PWR IPE submittals. De staiT then provides perspectives regarding the impact of specific plant classes and unique plant designs and characteri> tics on the importance of human actions. Consistent with the rest of this report, the PWRs are classified as B&W plants; CE plants; and Westinghouse plants with two, three, and four loops (i.e., W-2s, W-3s, and W-4s). Of the 48 submittals reviewed, five of the plants are B&Ws (covering 7 units), ten are CEs (covering 15 units), four are W-2s (covering 6 units), nine are W-3s (covering 13 units), and 20 are W-4s (covering 32 units). 5.2.1 Iluman Actions Generally Important for PWRs Table 5.3 lists the most important human actions identified in the staff's review of all 48 PWR IPEs submittals, along with the percentage of all PWR submittals finding the action important, and the percentage of submittals finding the action important as a function of PWR class. As with BWRs, orly afew human actions are regularlyfound to be Ingportant across all PWR submittals. The human action most consiste.tly important for PWRs is the switchover to recirculation during LOCAs, Other human , actions frequently importar t include feed and bleed, and actions associated with depressurization ar.d cooldown. Only l these three actions are impo tant in more than 50% of the submittals. Rey are discussed in more detail below, along with several other actions frequently found to be important by the licensees. Identified relationships between PWR plant classes and important human actions are discussed in Section 5.2.2, while Section 5.2.3 addresses events important only in selected IPE submittals. l Table 5.3 Important human actions and the percentage of PWR submittals finding the action important. Important human Percentage of IPEs finding event important actions All PWRs B&W CE W-2 W-3 W-4 Switchover to recirculation -80% -85% N/A 100 % -55% -90% (plants with manual or semi-automatic switchover) Feed-and-bleed -60% -45% -60% ~70% ~45% ~70% Depressurization and -50% -60% ~30% 100 % ~70% ~50% cooldown 5-7 NUREG-1560, Draft

5. Iluman Action Perspectives Table 5.3 Important human actions and the percentage of PWR submittals finding the action important.  !

l Important human Percentage of IPEs finding event important actions All PWRs B&W CE W2 W-3 W-4  ; Use of backup cooling ~40% ~45% ~30% -35% -60% ~30% , water systems ' Makeup to tanks for water ~35% -30% ~20% ~35% -40% ~40% supply Restoration of room ~30% -15% ~50% ~35% ~30% -30% cooling (llVAC) Restoration of main -30% -30% -35% ~35% -50% ~30% feedwater (MFW) or condensate to steam generators (SGs)

• Proper control of auxiliary ~25*4 -30% ~40% ~35% 0% ~30%

feedwater (AFW) or emergency feedwater (EFW) Reactor coolant pump ~25% ~45% ~35% ~35% ~15% -20% (RCP) Trips Pre-initiators -25% 0% -50% 0% ~25% -20% ATWS reactivity control ~20% Oa4 -20% 0% ~10% ~35% Water supply for AFW or -15% 0% ~40% -35% -10% ~5% EFW  ! i Initiation of AFW or EFW ~15% 0% -50% 0% -10% -10% Switchover to recirculation on low ECCSlevelis ingportantfor LOCA sequences in most submittalsforplants with semi-automatic or manual switchover. All ten CE plants (15 units) have an automatic switchover, as do four of the other plants. For the 35 plants (58 units) that require operator actions (either completely manual or semi-automatic) to complete the switchover,-80% of the submittals find this action to be important. One possible reason some licensees fail to find this action important may be the fact that the sizes of refueling water storage tanks (RWSTs) vary from plant to plant. Licensees with plants thot have larger RWST capacities may model the small LOCA and long-term transient sequences as not requiring the switchover to recirculation cooling, thereby lessening the importance of the recirculation function and hence human actions related to recirculation cooling. Additionally, some licensees model RWST refill as the action preferred over recirculation cooling, particularly in small LOCA and NUREG-1560, Draft 5-8

5. Iluman Action Perspectives long-term transient cooling situations. This again lessens the overall importance of recirculanon cooling and the corresponding related human actions. For licensees that find the switchover to recirculatico to be an important operation (and report the related contribution to total CDF), the contribution to CDF ranges from less than one 1

percent in several cases to as much as ~16%, with an average contribution of-6%. Many licensees identify the initiation of thefeed-and-bleed operation as being important. his event is important in transient and steam generator tube rupture (SGTR) sequences when all feedwater has failed. In addition, a few licensees find the establishment of an reactor coolant system (RCS) bleed path with ene power operated relief valve (PORV) to be important in small LOCAs. In all, about 60% of the submittals indicate that feed-and-bleed is one of the more important events. Some licensees may fail to find feed-and-bleed impcrtant for a variety of reasons that are interrelated and not easily discernible. For instance, the relative reliability of each plant's AFW or EFW system is a factor since it is only in sequences where AFW or EFW has failed thu feed-and-bleed becomes another important action in the in-depth defense to provide core cooling. Rus, accidmt sequences involving AFW/EFW failure (and thus the need to use the feed-and-bleed function) can vary considerably in frequency, thereby affecting the overall importance of the feed-and-bleed function. Specific support system dependencies can also be important to the overall feed-and-bleed reliability and hence the importance of this baman action. For plants with a higher susceptibility of failing feed-and-bleed because of support system failures, this mode of cooling is less reliable, and the human action of feed-and-bleed operation can be less important. Additionally, many licensees spent considerable effort to model the ability to depressurize the plant and use condensate as yet another way to achieve core cooling. Taking credit for such action further lessens the overall importance of feed-and-bleed function and the related human action. Other factors related to the success criteria for feed-and-bleed, as well as the llEPs themselves, can contribute to the relative importance of this mode of cooling and the related human action. De CDF contribution for this event ranges from less than one percent to 11%, with most submittals showing relatively small contributions from this event, resulting in an average total CDF contribution of about four percent. The depressurhation and cooldown operation, in order to use available sources of core cooling (and in many cases to lessen SGTR leakage), isfound to be important by more than half of the licensees. This action usually (but not always) involves depressurizing the steam generators to cool the RCS and is found to be important in all types of sequences except ATWS, it is most frequently deemed important in SGTR sequences. As a result, $2 percent of the licensees find this human action important. As discussed above regarding the feed-and-bleed function, licensees may neglect to find depressurization and cooldown important for numerous interrelated reasons (including those described for the feed-and-bleed event). Additionally, not all of the plants model this mode of cooling, in some l cases because of the relatively low capacity to depressurize the SGs in some scenarios (depending on PORV, atmospheric dump valve, or other equipment sizes). De CDF contribution for this event ranges from less than I percent to ~7 percent, and is similar to feed-and-bleed. Most submittals show relatively small contributions from this event, resulting in an average total CDF contribution of approximately four percent. 1 None of the remaining human actions are important in more than 40% of the submittals, and none of them consistently contributes significantly to CDF. As shown in Table 5.3, the remaining human actions are not important in a large percentage of the submittals. Recovering and using backup cooling systems, supplying makeup l I for injection sources, and recovering loss of room cooling are important for accident sequences in approximately one-third of the submittals. Several actions related to restoration and appropriate use of MFW and AFW systems are found to be important in several submittals, and RCP trips upon loss of seal cooling is important in about 25% of the submittals. Similar to the BWRs, pre-initiator events, including both miscalibration and restoration errors, are found important in some submittals. De miscalibration errors tend to involve the traditional instruments such as NUREG-1560, Drafl 59

5.11uman Action Perspectives level, pressure, and temperature sensors and transmitters, but the restoration errors, tend to vary across submittals. Examples of important restoration errors include those associated with AFW and EFW systems, diesel generators, and several unique events such as leaving a nitrogen station manual valve closed and removing a jumper in the reactor protection system after refueling. 5.2.2 Relationship Between PWR Class and important Iluman Actions Table 5.3 presents the percentage of the different classes of PWRs for which the submittal repons a particular human action to be important. The information is presented in this way to assess whether any human actions appear particularly important to one class of PWRs as opposed to others. Any observatians of this type may suggest the possibility of plant-class differences that cause certain human actions to be important and not others. While several interesting observations can be made regarding trends that appear to be related to plant-class definitions, the differences are believed to relate to modeling preferences or plant-specific differences rather than to differences in general PWR vendor or vintage designs. Relevant observations on these differences are covered in Chapter 13. 5.2.3 Iluman Actions Important at Selected PWRs Table 5.4 lists human actions identified as being unique for a single plant (or both units at a single site) or because they apparently relate to a unique plant design or characteristic. While the importance of these actions is presented in the licensee submittals using a variety of methods, these actions typically contribute 1 percent to 10 percent or more to the total CDF presented in each submittal. A discussion of several of these human errors is presented following the table. Table 5.4 Human actions important at selected PWR plants. Plants Human action Arkansas Nuclear 1, B&W-2, L-dry Locally open service water jacket cooling valves to diesel generator upon failure of these normally closed valves to open Beaver Valley I&2, W-3, subatmospheric Prematurely secure high-pressure safety injection Beaver Valley 2, W-3, subatmospheric Prevent or otherwise recover from automatic switchover of high-pressure suction from the volume control tank to the RWST if the RWST pathway fails Beaver Valley 2, W-3, subatmospheric Manually align / start safety injection upon failure of both trains of the solid state protection system used for automatic safety injection Calvert Cliffs 1&2, CE-2, L-dry Block spuriously opened PORV with blocking motor operated valve Crystal River 3, B&W-2, L-dry Locally isolate high-pressure makeup pump individual recirculation line when common recirculation valves have failed l NUREG-1560, Draft 5-10 j l

i j

5. Iluman Action Perspectives Table 5.4 Human actions important at selected PWR plants.

i Plants Human action l Crystal River 3, B&W-2, L-dry Manually close open valve between the borated water storage tank  ! (BWST) and the containment sump to prevent drainage of BWST i used for high-pressure injection suction, or use recirculation cooling , early Iladdam Neck, W-4, L dry Isolate core deluge line break to ensure sufficient ECCS recirculation i Iladdam Neck, W-4, L-dry Locally control charging flow given loss of air Kewaunce, W-2, L-dry Manually isolate makeup valve in path between CST and condenser  ! to ensure initial suction for AFWs i l Maine Yankee, CE-3, L-dry Close the reactor coolant system stop valves to stop primary-to-secondary leakage before steam generator overfill (also useful for isolating reactor coolant pump thermal barrier rupture) North Anna l&2, W 3, subatmospheric identify and correct safety injection flow diversion (backflow) through inoperative charging pump discharge check valve Seabrook, W-4, L-dry Recover from a loss of emergency safety features actuation system (ESFAS) by manually starting equipment from the control room Sequoyah l&2, W 4, ice Isolate the component cooling train from the spent fuel heat exchanger to ensure adequate cooling during the recirculation phase of the accident Summer, W 3, L-dry Align and start standby charging pump and chiller upon failure of one chilled water train l Summer, W-3, L dry Restore one chilled water train within 12 hours to support charging l TM1-1, B&W-2, L-dry Throttle high-pressure injection flow to avoid PORV demands and possible stuck-open PORV TMI-1, B&W-2, L-dry Open DilR dropline valves to prevent boron precipitation Nearly all of these important human actions involve the failure to respond to a degraded condition of certain systems or components so as to overcome the failure and successfully achieve the desired result. Which actions are important at which plants appears in many cases to depend on the specific design details at each plant. The specific faults and corresponding responses or recoveries are somewhat dependent on plant-specific design configurations for many of the unique human actions listed above. Nevertheless, it appears that many of these important human actions may have applicability at other plants (to the extent configurations and potential faults are similar), although the relative importance of each action at other plants will vary. For instance, the action listed above for Arkansas Nuclear I clearly depends on the normal state of the diesel generator jacket cooling valves during normal plant operation. 5-11 NUREG-1560, Draft

5. Iluman Action Perspectives Other plants may operate with a similar configuration. Vital bus loads and design specifics for automatic switchover of high-pressure suction can make the Beaver Valley 2 automatic switchover action similarly applicable at other plants. De Calvert Cliffs 1 & 2 action concerning the use of the PORV block valves to mitigate the effects of a stuck-open PORV seem applicable to many plants, yet only the Calvert Cliffs submittal identifies this specific event among the "important" human actions.

Some actions, are similar in nature among a few of the plants listed above, and may also apply at other plants as well. For example, the Crystal River 3 action associated with closing ofTa potential drainage path from the BWST to the containment sump, and the Kewaunee action associated with closing off a drainage path from the CST to the condenser are similar in nature. Other plants may have similar configurations, potential failures, and corresponding human actions. He Beaver Valley 2 action concerning manual alignment and startup of safety injection upon loss of the automatic start signals, and the similar Seabrook action associated with manual startup of equipment upon loss of the ESFAS, may have similar applicability at other plants depending on control system design specifics and the relative reliability of such systems at each plant. One action of particular interest is the Beaver Valley 2 action conceming prematurely securing high- pressure injection, particularly during small LOCAs when the status indication regarding the continued need for injection may be confusing or otherwise uncertain. Whether the source of such " uncertainty" is specific to Beaver Valley 2, or derives from a conservative modeling approach, or whether such an action applies to other plants can not be determined on the basis of the submittal contents. The Maine Yankee action is particularly unique because of the design of this plant. Bis action concerns closure of reactor coolant loop stop valves to mitigate an SGTR or a rupture of an RCP thermal barrier. As such, this action is uniquely dependent on the Maine Yankee design since other plants do not have reactor coolant loop stop valves. In all of the cases discussed above, specific design configuration details and the time and status information available for performing these actions is plant-specific. His results in variability concerning the importance of these actions and likely accounts for the unique importances identified at the plants listed above. However, these imponant human actions may apply to other plants as well, although the relative importances will probably vary. 5.3 Variability in Human Error Probabilities Numerous factors can influence the quantification ofIIEPs and introduce significant variability in the resulting HEPs, even for essentially identical actions. General categories of such factors include plant characteristics, modeling details, sequence-specific attributes (e.g., patterns of successes and failures in a given sequence), depende.1cies, HRA method and associated performance shaping factors (PSFs) modeled, application of IIRA method (corn etness and thoroughness), and the biases of both the analysts performing the HRA and the plant personnel from wham selected information andjudgments are obtained. Although most of these factors introduce appropriate variabbity in results (i.e., the derived IIEPs reflect "real" differences such as time availability and scenario-specific facec,s), several have the potential to cause invalid variability. A discussion of both appropriate and inappropriate iraluences is presented below, followed by a discussion of the variability in the HEPs for a specific event. 5.3.1 IIRA Influences An important factor that potentially leads to differences in results is the HRA method used to derive the HEPs. In quantifying IIEPs, several licensees use a single HRA methodology, while others use a combination of HRA methods NUREG-1560, Draft 5-12 l l 4

l I i 1

5. Human Action Perspectives to address different aspects of the analyses. In general,it appears that the different HRA methods can be grouped into six basic categories with the following distinctive attributes:

(1) A modified version of the Success Likelihood index Afethodology (SLIM) (Ref. 5.1) that telles on subjective estimates of the impact of various performance shapingfactors (PSFs) on the operator's likelihoodoffailure. This method (often referred to as the failure likelihood index methodology), explicitly addresses approximately 23 different PSFs ranging from fairly common factors such as operator training and experience,available procedural direction, and relevant plant indications to relatively ur4ue factors such as the impact of preceding and concurrent unrelated actions on potential operator confusion. This is the only method that consistently relies directly on subjective estimates by experts to derive the HEPs for the post-initiator human actions. In addition, this method is distinguished by the fact that the impact of time on the performance of a task is usually determined on the basis of subjective estimates rather than the time reliability correlations (TRCs) used by most other llRA methods. A characteristic of SLIM-based methodologies is that the process provides a basis for interpolating between upper and lower bounds of the failure probability. These upper and lower bounds must be provided by the analyst separate from the SLIM analysis. Inappropriate selection of these bounds can bias the calculated probabilities of failure. (2) The Electric Power Research Institute (EPRI) cause-based decision tree method described in EPRI-TR-100259'**. This decision tree method considers a number of potential failure mechanisms and associated PSFs in determining the failure probability for the detection, diagnosis, and decisionmaking phases of an operator action. Values from the Technique for Human Error Rate Prediction (THERP) are used to quantify the execution of the human actions. This method generally accounts for time by limiting the consideration of recovery factors (such as verification by additional crew members or availability of the emergency response facility) for only those actions where the available time exceeds some criterion. In some applications of this method in the submittals, time-criticalactions were quantified using the TRCs from the Accident Sequence Evaluation Program (ASEP) (Ref. 5.2) or THERP (Ref. 5.3). Only non-time critical actions are quantified using the decision tree method. (3) The iluman Cognitive Reliability (IICR) method (Ref 5.4) or the Operator Reliability Experiments (ORE) based modification of the llCR method (EPRI NP-6560-L)"". These methods are essentially TRC methods that may also use THERP to quantify the execution of the action. The llCR method itself considers whether an action is " skill-based, ale-based, or knowledge-based"in determining which TRC to use to assess failure probability. The ORE method apparently no longer considers this distinction, but does include a detailed approach that incorporates data collected from simulator exercises for deriving HEPs as a function of time, in most applications of the ORE method, consideration ofplant-specific performance shaping factors is limited. (4) The operator reliability characteri:ation and assessment method described by Dougherty and Fragola (Ref 5.5). In one submittal based on this method, the licensee stated that the method functionally combines Systematic Human Action Reliability Procedure (Ref. 5.6) and HCR, and therefore may in some ways be similar to method (3) above. However, as documented by some licensees, the method l

        "G.W. Parry, "An Approach to the Analysis of Operator Actions in PRA," Daft, EPRI TR-100259, Electric               j Power Research Institute, Palo Alto, CA.
        "A.J. Spurgin, P. Moieni, and G.W. Parry,'A Human Reliability Analysis Approach Usir.g Measurements for Individual Plant Examinations," EPRI NP-6560-L, Electric Power Research Institute, Palo Alto, CA,1989.

5-13 NUREG-1560, Draft

5. Human Action Perspectives separates post initiator human actions into slips and mistakes. It is generally assumed that slips are actions in which the execution of the task is the dominant failure mode, while mistakes are where the cognitive part of the task is less reliable. Thus, for most actions, either the execution or the cognitive portion is quantified (not both). Slips are quantified using a simplified TiiERP method, and mistakes are quantified with a set of'IRCs that vary as a function of whether the actions are taken inside or outside the control room and whether they are based on procedures (i.e., rule-based) or represent recovery actions (which may be trained but are not documented in procedures). In addition, the influence of burden on operators in terms multiple tasks and conflicting demands is considered in quantifying mistakes.

($) The TilERPmethodor the ASEPHRA methodderivedfrom TilERP). Among other PSFs, these methods explicitly consider whether a task to be performed is " dynamic" or " step-by-step" and they have explicit HEP adjustment factors for several different levels of stress. In the application of ASEP (and usually TilERP) licensees use a TRC to quantify the diagnosis portion of an operator action. Upper and lower bounds of the TRC are used to account for various PSFs, such as frequency of training. In some applications of these methods, the number of PSFs actually considered is limited. (6) The Individual Plant Examination Partnenhly (IPEP) methodology which (at least nominally) is a modified version of THERP. This method, apparently only documented in the IPEP IPE submittals, is distinguished by its lack of emphasis on modeling the diagnosis portion of a task, while creating a PSF (referred to as " slack time") that allows substantial credit for potential recovery of initially failed operator actions. In at least some applications of this method, other limitations include arbitrary reductions in failure probabilities, consideration of a limited number of failure modes, and a lack of consideration of dependencies. One intent of the brief descriptions provided above is to point out that while different HRA methods naturally have many commonalities, they may also consider different factors (including PSFs) in deriving HEPs. This situation creates the possibility that essentially the same operator actions can be assigned somewhat different HEPs as a function of the different factors considered by different methods. While some of the accepted methods have been

" benchmarked" to some degree in order to assess the values they produce relative to other methods, it is clear that the potential exists for method-based differences.

The fact that different methods have the potential to produce difTerent HEPs for similar actions does not necessarily imply that they will. Essentially ail llRA methods attempt to consider relevant variables and to systematically factor ' in their impact in determining HEPs. To the extent that the methods consider a reasonable set of variables, and to the extent that those variables are systematically and appropriately addressed, realistic and consistent HEPs can be expected across different methods. It might seem reasonable to compare HEPs for similar actions across the different methods used in the IPEs (in order to determine the impact of each method). Nonetheless, the results of such a comparison can be very misleading. For example, as noted above, analyst bias can influence HEPs, as well as plant characteristics. sequence-relatedfactors, and modeling details. In addition, given the sparse documentation of many of the submittals with regard to the necessary information, in n'ost cases it is diflicult to achieve a valid comparison regarding the specific influence of a given HRA method. Suffice it to say that at least some " unexplained variability" in resulting HEPs can be created as a function of the differences in HRA methe<ls and the ways in which they are applied. The potential impact of methodological affects on HRA results will be addressed in an upcoming NUREG report. In addition to the basic HRA methodology and the associated PSFs used to quantify the post-initiator HEPs, a number of other factors related to how the analysis is conducted can have an impact on the results. Many of these NUREG-1560, Draft 5-14

5. Iluman Action Perspectives i

factors may have a direct impact on the derivation of IIEPs, but reflect the nature and extent of the analysis perforn ed for the IIRA or on how the llRA is incorporated into the PRA. Thus, their influence can be quantitative, l qualitative, or both. Several of these factors and their treatment in the IPEs are discussed below. l l One potentially important factor concerns the extent to which accident progression and context effects are taken into account in determining the llEPs. For example, an operator action indicated by the EOPs can be called for in the context of a variety of different initiators and after different patterns of previous operator and system failures or successes. Therefore,in order to realistically quantify the numan potential for failure or success, context and effects and dependencies acioss a given accident sequence should be considered. While most licensees clearly consider context and dependencies in analyzing post-initiator actions, some do not. Two licensees analyzed operator actions only to the extent needed to determine the conditions that yield the highest failure probability for a given human action event. The llEP for the action in that context only is then quantified, and the resulting " bounding" value is assigned in all cases where the event occurs. Other licensees addressed context only in cases where extreme differences in llEPs was expected, and several either failed to consider context or dependency at all, or at least failed to provide any evidence that they did so in their documentation. Obviously, these types of decisions can lead to variability in quantifying IIEPs and in the knowledge gained by the licensees about the importance of operator actions. i Other factors having a potential impact on the llRA results include whether the analysts conduct simulator exercises to assess the performance of the control room crews in responding to important accident sequences and whether the j analysts conduct walkthroughs of important operator actions that must be performed outside the control room during emergency situations. Conducting simulator exercises and directly evaluating the demands placed on operators who are carrying out actions inside and outside the control room provide the llRA analysts with important information regarding PSFs that is likely to bear on the probability of successfully completing a given task. To the degree that some licensees do or do not evaluate simulator exercises and conduct walkthroughs of specific actions, differences might be expected in lira results. 5.3.2 Example of Variability in IIEPs in order to examine the variability in llRA results from the IPEs and to assess the extent to which variability in results is caused by real versus artifactual differences, the staff examined 11EPs from several of the more important human actions appearing in the submittals across plants. 110 wever, since the staff reached the same general conclusion after examining severalimponant human actions for the BWRs and PWRs, this summary report presents the results from the examination of a single imponant human action. Discussions of the variability in llEPs for several other human actions from BWRs and PWRs are presented in the body of the main report. Figure 5.1 presents the 11EPs used in various BWR submittals for failure to depressurize the vessel during transients. As shown in the figure, a relatively large variability exists across the submittals for this event. Ilowever, there appears to be reasonable explanations for much of the variability in the IIEPs. For values on the high end of the continuum, the events modeled appear to be special cases of depressurization. For example, the high value for Nine Mile Point 1 (N-1) involves depressurization using main steam isolation valves and the condenser, which is apparently not typically modeled. The high value for Peach Bottom 2&3 (PB) and the next to the highest value for Limerick 1&2 (LIM) pertain to the case in which a controlled depressurization is needed to allow use of the condensate system. The highest value for Limerick 1&2 (LIM) pertains to a recovery of a failed automatic depressurization. While the justification for the high values for Big Rock Point (BRP) is not apparent,it is unique relative to the other BWRs in that the plant has some characteristicssimilar to PWRs. The reason for the high value 5-15 NUREG-1560, Draft

i

5. Human Action Perspectives for Cooper (COP) is also not obvious, but the large range of values for that plant apparently relates to the number of SRVs to be used for depressurization.

s.s.e esp W i .e ., - 0 " . g ons 5 5 cc , i.s4 - 3 sev 8 * *

                        .                       ,            :       l-                     ...

s = .. .., . ...  :- ,, V ": ., . i.s4 - *

i. 4 - 's' i

t i.e4 B WR 1/ 2/ 3 BWR 3/4 BWR SIS Figure 5.1 HEPs for depressurization failure by BWR class."*) The explanations for the larEe difference (approximately one and one-half to two orders of magnitude) between the HEP values in the middle range appear to be related, at least in part, to dependencies and initiator- and sequence-specific factors. Several licensees, such as Nine Mile Point 1 (N-1), Dresden 2&3 (DRE), Fermi 2 (FER), and  ; Limerick 1&2 (LIM), conducted relatively detailed analyses and apparently derived multiple values in order to account for specific conditions. These specific conditions include LOOPS, SBOs, loss of DC power, use of turbine bypass valves for depressurization, and loss of feedwater and standby feedwater. Nevertheless, while much of the  ! variability in the middle range of values is clearly explainable, some differences are less clear. For example, the generally lower values for Fermi 2 (FER) and Limerick l&2 (LIM) relative to those from Nine Mile Point I (N 1) and Dresden 2&3 (DRE) are not explainable in a straightforward manner, but may very well result from valid, plant-  ; specific characteristics. , Finally, the reasons for the relatively low HEP values at Cooper (COP), Duane Amold (DA), Fitzpatrick (FIT), Vermont Yankee (VY), and Susquehanna 1&2 (SUS) are not clear. It can be argued that at least the top three or four values from these submittals fall within an acceptable range. It may also very well be the case that plant- l specific characteristicssupport the HEPs on the lower end of the continuum. For example , the relatively low value i for Cooper (COP) is for a long-term DHR sequence in which operators have up to 4 hours to depressurize. The lowest value, from Susquehanna (SUS), is clearly an outlier, but this value is consistent with many of that plant's HEP values and is a direct function of the HRA methodology used in the Susquehanna IPE. l At least some of the variability in HEP values can arise as an artifact of the way in which HRA methods are applied. I Nonetheless, the main point to be derived from examining the HEPs for specific actions across plants, is that, in most 1 HEPs shown on figure are on a submittal basis, and not necessarily a plant-unit basis. NUREG-1560, Draft 5 16

5. Iluman Action Perspectives cases, it also appears that there are reasonable explanations for much of the variability in llEPs and in the results of the llRAs across the different IPEs. Ilowever, such an assertion does not necessarily imply that the llEP values are generally valid. Reasonable consistency can be obtained in } IRA without necessarily producing valid HEPs. An I!EP is only valid to the extent that a correct and thorough application of HRA principles has occu;ted. For example,if a licensee simply assumes (without adequate analysis) that their plant is " average"in terms of many of the relevant PSFs for a given event, but appropriately considers the time availabic for the event in a given context, the value obtained for that event may be similar to those obtained for other plants. Yet, the resulting value may be optimistic or pessimistic relative to the value that would have been obtained if the licensee had conducted a detailed examination of the relevant plant-specific factors. Thus, to reiterate, consistency does not necessarilyimply validity.

In addition, because many of the licensees failed to perform high-quality HRAs, it is possible that the licensees, obtained HEP values that are not appropriate for their plants. 5.4 Similarities and Differences in Operational Observations Across BWRs and PWRs Given the, basic differences between BWRs and PWRs, the preceding discussion has for the most part provided separate observations regarding the submittals for the two different plant types. Nevertheless, the obvious commonalities across the plant types, prompt an examination of potential similarities or differences in the operational and ilRA-related observations:

• Neither BWR nor PWR submittals show a broad consistency in terms of which human actions are found to be important. Given the numerous factors that can influence the IPE results, and the fact that functional redundancy creates the opportunity for quite a few operator actions to be taken to mitigate an accident scenario in both BWRs and PWRs, there is no reason to expect more consistency in what is found to be important for one type of plant as opposed to the other.
• Of the events frequently found to b- important in BWRs and PWRs, the only similar actions are those related to depressurization and cool down.
• Events related to aligning or recovering backup cooling water systems (e.g., service water) are found to be important in approximately one-third of both BWRs and PWRs.
• In both BWRs and PWRs, no individual human action appears to account ior a large percentage of the total CDF across multiple submittals. Taken together, however, human actions are clearlyimportant contributors to operational safety.
• With the exception of the licensees using the IPEP methodology, there is no indication that particular HRA methods are applied more frequently to one type of plant than another. Thus, except for the IPEP plants, there is no reason to expect that any general differences in the results of the PRAs for the two different plant types is related to HRA method (or to any of the more general influencing factors). The IPEP methods are primarily applied to PWRs. ,

in summary, it seems that most of the differencesin the HRA results from the BWR and PWR submittals relate (not surprisingly) to the differences in the systems used in the two types of plants. In terms of more methodological aspects, general patterns of results, and the overall importance of humans in operating the plants, BWRs and PWRs are reasonably similar. 5-17 NUREG-1560, Draft

5. Human Action Perspectives REFERENCES FOR CHAPTER 5 5.1. D.E. Embrey, et al., " Slim-Maud: An Approach to Assessing Human Error Probabilities Using Structured Expert Judgment," Vols.1-2, NUREG/CR-3518, U.S. Nuclear Regulatory Commission, Washington, DC, March 1984.

5.2. A.D. Swain," Accident Sequence Evaluation Program Human Reliability Analysis Procedure,"NUREG/CR-4772, U.S. Nuclear Regulatory Commission, Washington, DC, February 1987.  ; 5.3. A.D. Swain and H.E. Gutman, " Handbook of Human Reliability Analysis with Emphasis on Nuclear Power i Applications: Technique for Human Error Rate Prediction," NUREG/CR-1278, U.S. Nuclear Regulatory , Commission, Washington DC,1983.  ! L 5.4. G.W. Hannaman, A.J. Spurgin, and Y. Lukic, "A Model for Assessing Human Cognitive Reliability in PRA j Studies," 1985 IEEE Third Conference on Human Factors andPower Plants, Monterey, CA, June 23-27, i 1985, institute of Electrical and Electronics Engineers, NY,1985.  ; 5.5. E.M. Dougheny and J.R. Fragola, " Human Reliability Analysis: A Systems Engineering Approach with Nuclear Power Plant Applications," John Wiley and Sons,1988. , 5.6. G.W. Hannaman and A.J. Spurgin, " Systematic Human Action Reliability Procedure (SIIARP)," EPR1 l NP-3583, Electric Power Research Institute, Palo Alto, CA,1984. f i t i i i l I i NUREG-1560, DraR 5-18

6. INDIVIDUAL PLANT EXAMINATIONS WITil RESPECT TO RISK-INFORMED REGULATION 6.1 Role ofIndividual Plant Exsminations in Generic Letter (GL) 88-20 (Ref. 6.1) the U.S. Nuclear Regulatory Commission (NRC) requested that licenseesperform an Individual Plant Examination (IPE) to identify any plant-specific vulnerabilities. In that request, the NRC indicated that a probabilistic risk assessment (PRA) is an acceptable approach to use in performing the IPE.

The NRC further stated, "In addition to being an acceptable methodfor conducting an IPE, there are a number of potential benefits in performing PRAs on those plants without one. " Represen;ative benefits enumerated in the GL included (1) support for licensing actions, (2) license renewal, (3) risk management, and (4) integrated safety assessment. Further, in the PRA Policy Statement (Ref. 6.2), the NRC stated that "the Commission believes that the use of PRA technology in NRC regulatory activities should be increased to the extent supported by the quality in PRA methods and data.. " As a result of the IPE program, licensees elected to perform PRAs for their IPEs. In addition, most licensees have indicated their intent to maintain and update these PRAs and to use them in internal utility decisions and regulatory activities. In this light, these PRAs provide the foundation for the increased future use of PRAs in risk-informed regulation. Therefore, the potential role of these PRAs needs to be examined. This examination, requires consideration of several issues:

• What is a quality PRA?
• How do the IPEs/PRAs compare to this quality PRA?
• What can be said about the quality of the IPE analyses, given the limited scope of the staff's IPE reviews?

These issues are discussed below in light of the scope of GL 88-20. That scope encompasses the core damage and l containment performance impact of intemal events (excluding internal fire) at full power. The GL does not address ) external events (such as earthquakes) and other modes of operation (such as shutdown), or the associated  ; consequences. Therefore, this report provides perspectives on a quality PRA addressing core damage frequency (CDF) and containment performance analysis (Level 1 and Level 2 PRAs) and considering only internal events (including internal Doods) at full power. However, this report also provides perspectives for a Level 3 PRA because a few licensees examined offsite consequences (Level 3 PRA). Perspectives regarding these issues serve as inputs to the guidance being developed for acceptable PRAs to be used to support specific regulatory activities. Therefore, although this document describes key characteristics of the attributes of a quality PRA (Chapter 14), this report does not address the implementation of these attributes for specine regulatory applications. Such implementation issues are addressed in the regulatory guides being developed for that purpose. l 6.2 Characteristics of a Quality Probabilistic Risk Assessment l As in many other forms of engineering analyses, the attributes of a quality PRA evolve over time. Higher levels of modeling sophistication and technicat rigor become possible as PRA practitioners develop new, innovative analysis techniques and generate new or renned data for model quantification. Consequently, the attributes for performing a quality PRA today represent a level of analytical sophistication that (in some areas) surpasses the state-of-the-art of only a few years ago. For example, some procedures reDected in NUREG/CR-2300 (Ref. 6.3) represented the state-of-the art in PRAs in the early 1980s, but are now considered inadequate for a quality, full-6-1 NUREG-1560, Draft

6. Risk-Informed Regulation scope PRA. Publications that reflect enhanced practices in PRA technology beyond NUREG/CR-2300 include N U R E G /C R-2 815 (R e f. 6.4), N U R EG /C R-4 5 50 ( R e f. 6. 5 ), and NUREG/CR-4551 (Ref. 6.6).

To allow a meaningful comparison of the analyses perfonned in response to GL 88-20 against the current attributes of a quality PRA, one must first describe current PRA practices (i.e., standards) applied in the nuclear industry. Key characteristics of these attributes are summarized below. A more comprehensive discussion of the attributes for a quality PRA is provided in Part 4, Chapter 14 of this report. A PRA of a nuclear power plant is an analytical process used to quantify the potential risk to the health and safety of the public as a result of the design, operation, and maintenance of the plant. A full-scope PRA is used to quantify the risk from all events (both internal and external) that can occur at the plant and under either full-power or low-power / shutdown conditions. The risk evaluation involves three sequential parts or " levels"- (1) identification and quantification of the sequences of events leading to core damage (2) evaluation and quantification of the mechanisms, amounts, and probabilities of subsequent radioactive material releases from the containment

 .   (3)        evaluation and quantification of the resulting consequences to both the public and the environment.

A full-scope PRA, as currently defined, does not include evaluation of sabotage events, the sisk from events that lead to releases from other radioactive material sources (such as the spent fuel pool), or the risk to plant personnel from any accident. The analytical work involved in a PRA is only part of the effort required for a quality PRA. Documentation and peer review are also essential elements. The following sections, therefore, address characteristics for both the

   ; technical work and the documentation and peer review.

6.2.1 Characteristics of a Quality Level 1 PRA A quality Level 1 PRA comprises three major elements as follows: (1) delineation of event sequences that, if not prevented, could result in core damage and the potential release I of radionuclides (2) development of models that represent core damage sequences (3) quantification of the models in the estimation of the core damage frequency The first element of a Level 1 PRA delineates event sequences that, if not prevented, could result in core damage j and the potential release of radionuclides. This process is typically divided into two tasks, including identification j of the initiating events and development of the potential core damage accident sequences associated with those events. The identification of initiating events pertains to events that challenge normal plant operation and require successful mitigation in order to prevent core damage. Since there can be tens to hundreds of events that can challenge the NUREG-1560, Draft 6-2

1

6. Risk-Informed Regulation plant, part of this task involves grouping the individual events into initiating event classes that have similar characteristics and require the same overall plant response.

The development of accident sequences involves delineating the different possible sequences of events that can evolve as a result of each initiator group. The resulting sequences depict the different possible combinations of functional and/or system successes and failures (and operator actions) that lead either to successful mitigation of the initiating event or to the onset of core damage. Determination of what constitutes success (i.e., success criteria) to avert the onset of core damage is a crucial part of the accident sequence analysis task. The second element of a Level 1 PRA involves developing models for the mitigating systems or actions delineated in the core damage accident sequences. This process typically comprises a single task referred to as systems analysis. This task involves modeling the failure modes of the plant systems that are needed to prevent core damage, as defined by the core damage accident sequences. This modeling process, which usually involves the use of fault trees, defines the combinations of equipment failures, equipment outages (such as for testing or maintenance), and human errors that cause failure of the systems to perform the desired functions. The third element of a Level i PRA involves estimating of the plant's core damage frequency and the associated statistical uncertainty. This process is typically divided into three tasks, including data analysis, human reliability analysis, and quantification and uncertainty analysis. The data analysis involves determining the initiating event frequencies, equipment failure probabilities, and equipment maintenance unavailabilities. Plant maintenance and other operating records are evaluated to derive plant-specific equipment failure rates and the frequenciesof the initiating events. Where insufficient plant experienceexists, failure rates and initiating event frequencies based on industry-wide " generic" databases are used to complete the database used in the risk analysis. The human reliability analysis involves evaluating the human actions that are important in preventing core damage. This evaluation involves identifying operator actions and quantifying the associated error probabilities. Human reliability analysis is a special area requiring unique skills to determine the types and likelihoods of human errors germane to the sequences of events that could result in core damage. I The quantification and uncenainty analysis involves integrating the initiating event frequencies, event probabilities, and human error probabilities into the accident sequence models to calculate the average annual core damage frequency and its associated uncertainty. The uncertainty analysis reflects the lack of precision in the data or a lack of detailed understanding of the modeled phenomena. Table 6.1 summarizes the key characteristics that would be expected in a quality Level 1 PRA. This summary addresses completeness and quality for each element of a Level 1 PRA. A detailed discussion and description of the exact attributes for a quality Level 1 PRA is provided in Part 4, Chapter 14, of this repon. 6-3 NUREG-1560, Draft

6. Risk Informed Regulation Table 6.1 Summary of characteristicsof a quality Level 1 PRA (only considering full power and internal events, excluding internal fire).

i PRA clement Key task activities Key characteristics and task Delineation of accident sequences Accident

• Identification of
• Thorough identification and grouping of loss of coolant Sequence initiating events accidents (LOCAs), transients (including transient-induced Initiating LOCAs and support systems), and internal flood sources Events
• Exclusion ofinitiating events
• Systematic review with justified elimination of possible initiators
• Grouping ofinitiating events
• Applicable actual experience is used, augmented by analytical techniques to identify initiators
• Grouping of initiating events is sufficiently discriminating Accident
• Accident sequence
• Defined in terms of hardware and timing requirements Sequence model selection Analysis
• Based on best-estimate engineering analyses applicable to
• Success criteria the actual plant design ,

development

• Includes all necessary and sufficient equipment (safety and
• Accident progression non-safety) reasonably expected to be used to mitigate modeling initiators
• Includes functional, phenomenological, and operational ,

dependencies and interfaces l System modeling 1 , Systems

• Selection of systems
• Generally robust level of detail regarding equipment that j 3

Analysis analysis models is modeled, as well as the types of failures and failure modes that are included

• Establishment of system analysis boundaries
• High level of assuredness that the as-built /as-operated ,

equipment configurations are modeled via walkdown of l

• Modeling of system the plant ,

dependencies and  ! interfaces e includes design, operational features, and testing and maintenance aspects under both normal and accident

• Screening /exclusionof environment conditions components and failure modes
• Systematic determination of system dependencies and

, potential interactions t

• Includes hardware, operator, and common cause failures and relevant failure modes that can be supported by relevant data NUREG-1560, Draft 6-4

I i

6. Risk-Informed Regulation Table 6.1 Summary of characteristics of a quality Level 1 PRA (only considering full power and internal events, excluding internal fire).

PRA element Key task activities Key characteristics and task Quantification Data Analysis e identification of data

• Use of plant-specific experience collected from plant sources and models records
• Data input selection
• Plant-specific data quantified with Bayesian update
• Data parameter
• Includes all incidents that affect performance of quantification equipment
• Incidents involving component reliability include all modes of operation .

l

• Incidents involving component testing and maintenance availability and event initiators only involve full-power operation '

iluman

• Model/ method selection
• Human actions selected are consistent with level of detail Reliability in accident sequence delineation and systems analysis Analysis
• lluman event (llRA) identification and
• Includes both pre-initiator and post-initiator errors selection
• Significant errors of omission and response / recovery
• Screening / exclusion of failures are included, while errors of commission are i human events covered on an exception basis  !
• Evaluation and
• Screening considers dependencies and does not pre- l quantification of human eliminate significant accident sequences events
• Uses plant specific performance shaping factors e integration into sequence quantification
• Treats dependencies among human error events and addresses dependencies from accident sequence progression
• Uses plant-specific procedures, talk-throughs, simulator exercises, walk-throughs of ex-control room actions, and careful consideration of timing 6-5 NUREG-1560, Draft

i

6. Risk-Informed Regulation t'

i Table 6.1 Summary of characteristics of a quality Level 1 PRA (only considering l full power and internal events, excluding internal fire).  ! PRA element Key task activities Key characteristics f' and task Sequence

• Quantification
• Treatment of success states and probabilities, where Quantification model/ code selection appropriate, as well as climination of mutually exclusive  !

events

• Selection of truncation values
• Includes uncertainty, sensitivity, and importance measure results
• Integration of IIRA into quantification process
• Sufficiently low truncation limit ensures that 95 percent of the CDF is captured
• Uncertainty analysis i
• Quantification yields a total mean plant CDF with
• Sensitivity analysis identification of dominant accident sequences and i associated mean CDFs internal Flood
• Flood source and
• Identifies both water and steam sources ,

Analysis propagation pathway identification and

• Considers leakage, rupture, and human-induced failures screening
• Propagation pathways examined include all sources  ;
• Flood scenario through which water may pass identification and screening
• Isolation and screening based on engineering analysis
• Flood-related core
• Identifies all core damage prevention and mitigation  ;

damage estimation equipment identified

• Quantification accounts for both flood-induced and random failures l

6.2.2 Characteristics of a Quality Level 2 PRA The primary objective of the Level 2 portion of a PRA is to characterize the potential for, and magnitude of, a release of radioactive material to the environment given the occurrence of an accident that sufficiently damages the core as to cause the release of radioactive material from fuel. To satisfy this objective, a quality Level 2 PRA couples two major areas of analysis to a completed Level 1 PRA:  ! (1) structured, comprehensive evaluation of containment performance in response to the accident sequences identified from the Level I analysis I (2) quantitative characterization of radiological release to the environment that would result from accident I sequences that involve leakage from the containment pressure boundary l NUREG-1560, Draft 6-6

l 1

6. Risk-Infonned Regulation The specific tasks performed in either area can vary substantially from one PRA to another depending on the specific l objectives of the Level 2 analysis, llowever, a quality full-scope Level 2 analysis includes the following three elements in the evaluation of containment performance: l assessment of the full range of credible challenges to containment integrity (i.e., determination of plausible '

failure mechanisms and corresponding structural challenges)

• characterization of the capacity of the containment to withstand various challenges (i.e., determination of performance limits);
• organization and integration of the unce tainties associated with these two evaluations to estimate the probability that containment would fail (or be bypassed) for a given accident sequence A quality assessment of the type and severity of challenges to containment integrity acknowledges the dependence of containment response on details of the accident sequence that resulted in core damage and on the performance of containment safeguard systems in response to that sequence. Therefore, a critical first step involves developing a structured process for defining the specific accident conditions to be examined. Because it is impractical to evaluate severe accident progression and resulting containment loads for each cut set generated by a quality Level I analysis,it is common practiceto group the Level I cut sets into a sufficiently small number of" plant damage states" (PDSs) to render the analysis more tractable. The process by which this simplification of the Level I results is performed involves a systematic procedure to group cut sets that would be expected to result in similar severe accident progression and containment response (and ultimately produce a similar environmental source term). The end result is a smaller list of accident sequences to be evaluated which covers thefu# range of initial and boundary conditions for severe accident progression represented by the original list of sequence cut sets.

The accident sequence analysis performed in a Level i PRA does not always incerporate the reliability of systems that primarily function to safeguard containment integrity during accident conditionx Such systems may include ,

                                                                                                                              ~

containment isolation, fan coolers, distributed sprays, and hydrogen igniters. An assessment of the reliability of these - systems is, therefore, incorporated in a quality Level 2 analysis to account for their failure probability in the analysis of containment response during core damage sequences. l The aspect of a Level 2 PRA that often receives the greatest attention is the evaluation of severe accident progression and the attendant challenges to containment integrity. This is because considerable time and effort can be spent performing computer code calculations of dominant accident sequences. Further, exercising broad-scope accident analysis codes (such as MAAP" or MELCOR (Ref. 6.7)) provides the only framework within which the important interactions among severe accident phenomena can be accounted for in an integrated fashion. Consequently, the results of these calculations typically form the principal basis for estimating the timing of major accident events and for characterizingmaximum containment loads. Although code calculations are an essential part

of an evaluation of severe accident progression, their results do not form the sole basis for characterizingchallenges i to containment integrity in a quality full-scope PRA. This is because certain assumptions are made (either by the model developers or the code user) regarding control physical processes and the appropriate formulation of representative models that cannot be demonstrated to be robust in light of the numerous large uncertainties that persist in severe accident and source-term phenomena. in addition, none of the integral severe accident codes contain "Fauske and Associates,Inc.,"MAAP Modular Accident Analysis Program User's Manual,"Vols.1-2, IDCOR Technical Report 16.2-3, February 1987.

6-7 NUREG-1560, Draft

l

                                                                                                                         )

6. Risk-Informed Regulation models to represent all accident phenomena of interest. As a result, the process of evaluating severe accident progression involves a strategic blend of plant-specific code calculations, applications of analyses performed in earlier PRAs or severe accident studies, focused engineering analyses of particular issues, and experimental data. Although engineeringjudgment and expert opinion continue to play an important role in defining a reasonable balance among these varied sources ofinformation, minimum analysis attributes can be defined to ensure that the results of a quality Level 2 PRA reflect the full range of views in the technical community. These attributes are discussed in Part 4, i Chapter 14, of this report.

The second element of an evaluation of containment performance is the determination of the limits (or capacity) of the containment to withstand challenges to its integrity that may occur during core damage sequences. These challenges take many forms, including elevated static internal pressure, high temperatures,thermo-mechanicalerosion of concrete and steel structures, and (under some circumstances) localized dynamic loads such as shock waves. Realistic estimates of the limits at which the containment structure can no longer withstand these challenges must be generated to provide a metric against which the likelihood of containment failure can be estimated. In a full-scope Level 2 PRA, the attributes of the analyses necessary to characterize containment performance limits are consistent with those of the containment load analyses against which they will be compared, as follows: They focus on plant-specific containment performance; application of reference plant analyses is generally inadequate. They consider design details of the containment structure, such as containment type, the spectrum and distribution of penetration sizes and types, penetration seal configuration and materials, and discontinuities in the containment structure.

• They consider interactions between the containment and neighboring structures, including the reactor vessel and pedestal, auxiliary building (s), and internal walls.

The final, but by no means least important, element of a probabilistic evaluation of containment performance is an explicit and quantitative recognition given to uncertainties in the individual processes and parameters that influence severe accident behavior and attendant containment response. A major distinguishing characteristic of a full-scope approach to evaluating containment performance is the assignment and propagation of statistical distributions for uncertain aspects of the analysis. The key word here is distribution: point estimates of probability are not universally applied to the probabilistic logic model(i.e., containment event tree). The result is a quantitative estimate of the uncertainty in containment performance. Containment performance can be expressed as a single value for the probability of containment failure for any accident sequence, and the mean, median,5* and 95* percentile values can be derived as well. The second, albeit equally important, aspect of a Level 2 PRA is a quantitative characterizationof radiological release to the environment resulting from each accident sequence that contributes to the total core damage frequency. In many limitedscope Level 2 analyses,this information is used solely as a semi-quantitative scale to rank the relative severity of accident sequences. In such circumstances, a rigorous quantitative evaluation of radionuclide release, transport and deposition may not be necessary. Rather, estimates of the order-of-magnitude of release for a few representative radionuclide species provide a satisfactory scale for ranking accident severity. In a quality full-scope Level 2 PRA, however, the characterizationof radionuclide release to the environment provides sufficient information to completely define the " source term" for calculating offsite h::alth and economic consequences for use in a Level 3 PRA. Further, the level of rigor required in the evaluation of fission product release, transport, and deposition directly parallels that used to evaluate containment performance, as follows: NUREG-1560, Draft 6-8

1 2 i

6. Risk-Informed Regulation i

Source term analyses (deterministic computer code calculations) reflect plant-specific features of system design and operation. { Calculations of fission product release, transport, and deposition represent sequence-specific variations in primary coolant system and containment characteristics. The effects of uncertainties in the processes governing fission product release, transport, and deposition are quantified. l l Table 6.2 summarizes the key characteristicsof a quality Level 2 PRA. A detailed discussion and description of the attributes for a quality Level 2 PRA is provided in Part 4, Chapter 14, of this report. l Table 6.2 Summary of characteristicsof a quality Level 2 PRA (only considering j full power and internal events, excluding internal fire). PRA element Key task activities Key characteristics and task l Containment Performance Assessment of

• Determination of accident
• Grouping of cut sets based on accident characteristics that Credible sequences to be assessed influence either subsequent containment performance or resulting Challenges to fission product source tenn l Containment
• Contairenent system l

Integrity performance analysis

• PDS binning or grouping is performed at the cut set level
• Severe accident progression
• Lntire core damage frequency is carried forward into Level 2 analysis analysis
• Methods, scope, and technical rigor of reliability analysis are comparable to that rgplied in Level I analysis
• Containment systems models are linked directly with accident sequence models from Level I to fully account for mutual dependencies
• Long-term performance of containment safeguard systems accounts for degradation of environments within which the system must operate during severe accidents
• Integrated computer code simulations form one (not an exclusive) basis for characterizing accident timing and containment response
• Extensive sensitivity analyses are performed to quantify the efTects of attemative, credible code modeling assumptions
• Independent, specialized engineering analyses are performed to characterize the effects of modeling simplification in lumped-parameter, integral severe accident analysis codes
• Application or adaptation of analyses from surrogate plants is accompanied by analyses to demonstrate applicability
• importance of phenomena not represented in integral severe accident codes evaluated by some other means 6-9 NUREG-1560, Draft

6. Risk-Informed Regulation Table 6.2 Summary of characteristics of a quality Level 2 PRA (only considering full power and internal events, escluding internal fire).

PRA element Key task activities Key characteristics and task Characterization

• Engineering analyses of e Engineering analyses of performance limits account for plant-of Containment structural capacity to specinc design features, such as discontinuities in containment Performance withstand loads shell, penetrations, and interactions with neighboring structures Limits
• Systematic search for
• Evaluation of ultimate pressure capacity is performed using a plant-specific containment finite-element model of sufficient detail to capture the effects of failure modes localized design features (listed above)
• Engineering analyses are performed to characterize likely failure sizes for eact, postulated failure mode Probabilistic
• Development of a
• Logic structure includes explicit recognition of importance time Characterization probabilistic logic structure phases in severe accident progression of Containment to trace severe accident Performance progression (e.g.,
• Interdependence of accident phenomena is treated consistently containment event tree) such that a time-line of accident progression can be created ior each accident sequence
• Assignment of probabilities to uncertain parameters and
• Uncertainty in the quantification of events and phenomena is events in the logic model addressed through the assignment of probability density functions to individual events (logic model provides statistical mechanism for combining the distributions in a consistent manner)

Radiological release Characterization

• Source term definition
• Radiological source term (s) are defined for each accident of Radionuclide sequence in the Level 2 model Release
• Coupling of source term and severe accident
• Uncertainties in the radiological source term for a given accident progression analysis sequence are quantified such that the distribution of plausible environmental releases associated with any sequence can be defined
• Correlations between uncertain parameters associated with fission product release, transport, and deposition and with other aspects of severe accident behavior are identified and treated consistently
• Source term is characterized by sufficient information to calculate environmental consequences in a Level 3 PRA

( 6.2.3 Characteristics of a Quality Level 3 PRA The analysis tasks performed in Level 3 of a quality, full-scope PRA consist of two major elements:

• accident consequence analysis a computation of risk by integrating the results of Level I,2, and 3 analyses NUREG-1560, Draft 6-10

6. Risk-Informed Regulation ne consequences of an accident release of radioactive material from a nuclear power plant can be expressed in several forms such as impacts on human health, the environment, and economics. The consequence measures of

                                                                                                                          )

interest to a Level 3 PRA focus on impacts to human health. These measures are estimated both in societal terms and in terms of the most-exposed individual. De MACCS computer code (Ref. 6.8) is acceptable for use  ! in a quality Level 3 PRA to calculate the consequences based on the radiological source terms generated in the Level 2 portion of the PRA. Table 6.3 summarizes the key characteristics of a quality Level 3 PRA. Additional discussion and description of the attributes for a quality Level 3 PRA and the process of computing risk is provided in Part 4, Chapter 14, of this report. Table 6.3 Summary of characteristics of a quality Level 3 PRA (only considering full power and internal events, excluding internal fire). ' PRA element Key task activities Key charseteristics and task Consequence

• Collection of demographic
• Data regarding local meteorology and terrain, site demographics, Analysis and weather-related data and local land use represent current, plant-specific conditions
• Reduction of source terms
• Source terms used to calculate offsite consequences preserve the from Level 2 analysis for full range of early (mechanistic) and late (stochastic) health consequence calculations effects that would result from actual Level 2 source terms
• Consequence calculation
• Variability in weather are addressed as major uncertainty in consequences 6.2.4 Documentation and Peer Review of a Quality PRA 6.2.4.1 Documentation Documentation is an essential aspect of a quality PRA. The ability to understand the results requires that the inputs and analyses are also understandable. Therefore, " traceability"is an integral part of a quality PRA. A detailed discussion and description of the necessary documentation for a quality PRA is provided in Part 4, Chapter 14, of this report. The discussion covers the documentation required for each element and task of a quality PRA. The key characteristic of quality documentation is that sufficient information is recorded such that a peer reviewer can reproduce the results for each aspect of the PRA. Therefore, the inputs, assumptions, models, supporting analyses, results, and other related information are documented in a quality PRA.

6.2.4.2 Peer Review Peer review is another essential aspect of a quality PRA. The objective of the peer review is to provide the rdditional assurance that information sources, assumptions, models, data, and analyses forming the PRA are sound, and that the results of the analyses are reasonable considering the design and operation of the plant. 6-11 NUREG-1560, Draft

1 h

6. Risk-Informed Regulation l i

A detailed discussion and description for a quality peer review is provided in Part 4, Chapter 14, of this report. The [ key characteristics of a quality peer review are summarized below.  : t A quality peer review includes two major parts:

• review team composition and quali6 cations
• review process  ;

The peer review requires a team of individuals with direct experience in performing all elements of a PRA; I knowledge of the techniques, models, methods, assumptions, scope, etc. associated with each element and task of  ; a PRA is required in a quality peer review. With this expertise, the team can determine whether the proper methods  ! were selected and implemented. The team must also have substantial information concerning the specific plant and f its design and operation in order to perform a quality peer review. This knowledge ensures that the plant is l I accurately modeled in the PRA. In addition, the peer review is intended to be " independent" to ensure that an inherent " bias" is not introduced into the peer review process. Therefore, individuals who performed the PRA and [ other utility personnel are excluded from it.e peer review team. l The peer review is intended to ensure that the analysis is complete and the results are reasonable considering the  ; design and operation of the plant. The peer review is not intended to perfonn a detailed verincation of all inputs I and analyses. Therefore, the peer reviewers are expected to spot check selected portions of the analyses in l conjunction with the goals of the peer review. An optimum peer review is performed during, rather than following l' the PRA. This parallel approach ensures that any denciencies found during a specific phase can be identiDed and corrected in a timely and resourceful manner. t 6.3 Comparison of Individual Plant Examinations with a Quality PRA i The IPEs can be compared to the characteristicsdenned in Tables 6.1 through 6.3 to provide perspectives regarding j the approximate level of completeness and technical quality that constitutes a quality PRA. These perspectives,in i turn, can be valuable in determining the potential role of the IPEs in future risk-informed regulation.  ! During this review, the staff performed a limited comparison of the IPEs (as documented in the submittals and { response to NRC questions)to the characteristicsof a quality PRA (as defined in Tables 6.1 through 6.3). Although f characteristics from each IPE are reviewed as part of this comparison, the staff made no attempt to compare j indi9: dual IPEs against the characteristicslisted in Tables 6.1 through 6.3. Instead, the staff compared the IPEs as  ; a giap. Gome IPEs are obviously better than others in certain areas; for others, adequate documentation was not l always provided to allow a full comparison. The core damage frequency analysis of the IPEs generally compare well to the quality PRA characteristicslisted in  ; Table 6.1. Beginning with initiating events, the modeling of all general plant transient events appears to be complete t for almost all of the plants, although there is variability in whether controlled shutdown events were included. This  ; completeness should not be surprising since these transients have occurred at most plants and are well documented.  ! All of the licensees modeled LOCAs of various sizes (typically small, medium, and large), determined primarily by { the requirements of mitigating systems. Some licensees also differentiated the LOCAs by location (e.g., steam line j versus water line, and inside containment versus outside containment). The modeling of support system transient j initiators, however,is more variable than other initiating events. Most licensees presentedjustifications for modeling f or eliminating various support system initiators. However, a small fraction of the licensees simply eliminated some  : support system initiators without any documentedjusti6 cation. In addition, the basis for elimination, in many cases, l NUREG-1560 Draft 6-12 i

1

6. Risk-informed Regulation was qualitative (i.e., calculations were not provided to support the inclusion or exclusion). A common example of a support system initiator that is not rigorously analyzed is the loss of the control room heating, ventilating and air conditioning (llVAC) system.

The success criteria used for mitigating systems responding to the various initiating events generally is more realistic than that credited in the analyses documented in the licensees' final safety analysis reports. The basis for emergency core cooling system and alternative coolant injection system success criteria is generally well established through references to existing thermal-hydraulic analyses or other PRAs (including the NUREG-il50 studies). Some licensees performed plant-specific calculations to determine whether systems, such as the control rod drive system in boiling water reactors (BWRs), could bc used early to mitigate transients, llowever, a number of licensees did not provide a documented basis for the use of some systems. For example, the use of a single power-operated relief valve (PORV) to depressurize the reactor coolant system (RCS) at some pressurized water reactors (PWRs) may be in doubt because of the size of the PORV. Similarly, the use of firewater for coolant injection at BWRs may be

• limited because of the low head of the pumps. For most IPEs, the success criteria for each individual mitigating system appear to be reasonable based upon past PRAs and what is credited in other IPEs. Ilowever, a few licensees used success criteria for which the bases did not appear to be adequatelyjustified.

Because the IPE submittals do not usually provide the system models, the staff could not thoroughly assess the edequacy of these models. liowever, the submittals generally addressed the failure modes of components, and their dependencies on support systemss. The failure modes included in the system models are generally complete and included hardware failures, testing and maintenance outages, human errors, and common cause failures. The greatest variability relates to the treatment of common cause failures or human error. In general, the licensees mode led common cause failures; however, the submittals considered only components that are required to change state. Further, the actual components modeled vary among the IPEs. As is common PRA practice,most licensees only treated common cause failures within a system; a few modeled failures across systems. In addition, the IPEs gener,tily addressed and modeled the dependencies of systems on support systems.110 wever, the basis for eliminating some dependencies (primarily liVAC dependencies),in some cases, was qualitative and made without apparent calculational support. The dependenciesare included in the models through either fault tree linking or the use of support state event trees. In addition, continued operability of systems in light of phenomenologicalimpacts caused by the accident progression (e.g., harsh environments), were not alwaysjustified in the IPEs, or were treated qualitatively at best. A variety of approaches and methods were used in conducting the liras for the IPEs. Given that some methods rely more heavily than others on subjective estimation techniques and that different methods often consider somew hat different operator performance shaping factors, the possibility exists that different human error probabilities could be obtained for ident.ical human actions using these different techniques. In addition, all of the methods are somewhat vulnerable to the biases of the analysts performing the lira. As far as completeness in modeling human errors, pre-accident errors are ollen given screening values and subsequently screened out or just argued to be insignificant. Some licensees only considered failure to restore components after maintenance and dismissed calibration errors; of.hers included both types of errors. Most licensees included post-initiator operator actions in their IPEs, but consideration of proper timing, plant-specific performance shaping factors, and dependencies between different operator :setions was somewhat variable. In a few cases, licensees assumed that the operator would not make any errors in performing a particular action. Plant-specific procedures are generally used in the llRA evaluations, but the use of simulator exercises and operator talk-throughs is not always evident. 6-13 NUREG-1560. Draft

                                                                                                                           }

                                                                                  = _ _     _ - _.

i

6. Risk-Informed Regulation The data analysis performed in the IPEs varies. For component hardware failures, most licensees used a combination of plant-specific and generic data to quantify their IPE models. Some licensees performed Bayesian updates of generic data while others directly used plant-specific or generic data. The degree of plant-specific data analysis also varies, with some licensees only generating plant-specific data for components assumed to be major contributors to core damage, and other licensees performing a comprehensive analysis for all components modeled in the IPE. A few licensees used only generic data in their IPEs. (The generic data sources used in most IPEs are from the nuclear industry). The treatment of common cause failure data difTered somewhat because of their relatively rare occurrences. Most licensees used only generic data; however, some licensees adjusted the generic data to be more applicable to their plants by reviewing the events contributing to the generic data values and eliminating those events i that were deemed not applicable.

Details of the quantification process used in the IPEs are not always available. However, the submittals generally discussed the methods and computer codes used. Because these methods and codes are adequate to treat the Boolean reduction process, it is expected that the core damage sequences are appropriately generated. The truncation limits are not provided for many of the IPEs; for the ones that provided this information, an adequatelylow cutofiappears to have been used, such that ~90 to 95 percent of the CDF would have been captured. In general, the IPEs do not adequately document the elimination of accident sequences as unimportant becuase of their application of human recovery actions. The IPEs exhibit greater variation in the methods and scope of the accident progression analyses than that found in the core damage frequency analyses. This is commensurate with the guidance of GL 88-20 and NUREG-1335 (Ref. 6.9), which allowed significant diversity in the ways licensees could conduct their containment performance analyses. In many of the IPEs, the containment performance analysis and the source term calculations are more simplified than one would expect to find in a quality PRA. Most licensees used a PDS approach to initiate the containment performance analysis and link the core damage frequency analysis with the accident progression. In most cases, the PDS characteristics were selected so that the  ; impact of initiators, RCS conditions, and availability of mitigating systems were adequately considered. However, in some IPEs, important information like the availability of power is not explicitly carried over to the PDSs and can only be inferred, making the actual availability and operability of mitigating systems less clear. This is the case in some IPEs where a previously existing Level 1 PRA (i.e., core damage frequency analysis) was updated and an accident progression analysis added for the IPE exercise. Also, in a few IPE submittals, the information presented j does not sufficiently describe the linkage between the core damage frequency and accident progression analysis, and ] it is not possible for the staff to judge whether information was adequately carried over. In most of the IPEs, the CDF was adequately conserved in the accident progression analysis (i.e., CDF and PDS l frequency closely agree). However, there are some important exceptions. In a number of IPEs, the CDF from l internal flooding was not carried over to the accident progression. Also, in some IPEs accident sequences below a j certain frequency, included in the core damage frequency analysis, were not carried over to the Level 2 analysis and

                                                                                                                         )

it is not always clear that their contribution to early release was insignificant. Finally, in some IPE accident  ! progression analyses, licensees argued that success criteria used in the Level 1 analysis were too pessimistic and a I number of sequences were dropped from further consideration because they were not believed to actually lead to core l damage, i Most licensees considered the appropriate spectrum of known severe accident phenomena that could threaten their containment in the accident progression analysis. However, not infrequently, licensees dismissed a number of these phenomena with little quantitative justification. In other cases, licensees treated phenomena without properly NUREG-1560,' Draft 6-14

6. Risk-Informed Regulation I

considering the uncertainty attached to their magnitude and timing, and sumciently varied sensitivity analyses were not performed. Additionally, phenomena effects on prolonged use of containment safeguard systems were not always considered. l l The majority of the licensees relied on reference calculations for parts of their analyses, such as quantifying certain ' split fractions in their containment event trees. A significant number of ficensees telied completely on reference plant methods and calculations to carry out their accident progression analyses. While most of these sumcientlyjustify their similarity with the reference plant and adequately account for differences, the justification is unsatisfactory in a few cases, and appropriate sensitivity analyses addressing differences from the reference plant were not performed. In any case, complete reliance on reference plants for the accident progression analyses is not appropriate for a i quality PRA. The majority of licensees performed a thorough and detailed containment failure analysis for their plants; in cases where a reference plant calculation was used in this area also, the analysis cannot be considered up to the attributes j of a quality PRA.  ; The logic and level of detail in the containment event trees found in the IPEs varies considerably. Many licensees l provided good delineation and logic in the trees in their IPEs, while others were too simplified to be considered adequate for a quality PRA. In addition, many licensees deliberately avoided considering the impact of operator performance on the accident progression in their IPEs, especially those conducted for PWR plants. For BWRs, the necessary operator actions in the Level 2 analysis were usually included, although their quantification was sometimes inadequately justified. The mission time considered in the accident progression analyses in some IPEs was only 24 hours. In many others, a 48 hour mission time was analyzed, while still others took the analysis to a point where either a release occurred or a safe stable state was assured. In some analyses that terminated after 24 or 48 hours, sequences which would lead to a late containment failure, beyond the mission time, were binned with no containment failure categories. The source term analyses in the IPEs usually relied on a limited number of selected MAAP runs, and in most cases, did not include a robust sensitivity analysis. In some IPEs, the source tenn binning did not adequately differentiate the timing of the release or the containment failure type. Release results were usually presented in terms of11 fission product groups in MAAP. Some analyses, however, presented only noble gas fractions and those for Cesium and Iodine, while other IPEs reported only ranges of releases, rather than actual core inventory fractions. In general, the source term analyses found in the majority ofIPEs were not adequate for a quality PRA. Only a handful ofIPEs carried out a consequence analysis as part of their examination. A few others briefly referred to Level 3 analyses done for a previous PRA, but without presenting the associated results in the IPE submittal. IPEs for which the licensee conducted a Level 3 analysis used either the MACCS or CRAC2 code (Ref. 6.10) to calculate their results. Sufficient review has not been performed by the staff to compare these Level 3 PRA since the focus of GL 88-20 was on a Level 1/ simplified Level 2 analysis. 6.4 Perspectives on the Individual Plant Examinations The IPEs are a valuable resource for future risk-informed regulation applications. In practice, however, the value of the IPEs will vary from issue to issue and from plant to plant, because the quality of the IPEs is not uniform. Nonetheless, some general conclusions can be reached that would apply to a majority of the IPEs, based on the limited reviews that have taken place. 6-15 NUREG-1560, Draft

6. Risk informed Regulation 1 l

l The IPEs are generally robust with respect to the identification of dominant accident sequences. His is not to say I that particular accident sequence frequencies have been verified or even that the ranking of the sequences is precise, ) but rather that most of the important accident types (those comprising the bulk of the CDF) have been captured. Herefore, if a particular application requires only the identification of important sequences, most of the IPEs are adequate. The staff reviews of the individual IPE submittals have identified relcyant exceptions to this conclusion. With some additional review, many of the IPEs appear to be of sufficient quality to be used in more quantitative applications that are based on the use of sequence frequencies and rankings and the identification of specific dominant contributors. That is, all indications are that the core damage frequency analyses for many of the plants are quality in most areas. Additional review to ensure the technical quality of the applications of the methods would be necessary to ensure these IPEs are acceptable for many quantitative applications. In the area of containment performance and ofTsite risk, the IPEs are less useful. Few licensees performed consequence analyses for their IPEs, and the containment performance and source term calculations were generally simplified or of lesser quality than the core damage frequency analyses. In part, this reflects uncertainties in severe accident phenomena;it also reflects the use of some methods that are limited in nature. Many of the analyses relied heavily on the use of either the MAAP code or a set of industry position papers, neither of which involves a comprehensive treatment of severe accident phenomena. While the IPEs are expected to play a useful role in future risk-informed regulation, there are certain areas where additional attention is required, because some of the IPEs have important weaknesses. One key area is the analysis of plant-specific data. While most of the licensees used at least some plant-specific data, some methods are being used that are inappropriate. Examples include counting zero failures as equal to one-third of a failure in estimating the failure rate, and the incorrect application of the Bayesian updating. In addition, there has been little consistency among the generic data sources used by the licensees, and for a few components, there is a large variability observed in the failure rates (e.g., generic data for failure to start for turbine-driven pumps ranging from SE-3 to 9E-2). Unusually low common cause failure rates are used in a few IPEs. These rates are generally a result of an optimistic examination of the common cause database, leading to the conclusion that the failures of interest are not applicable to that particular plant. This approach fails to recognize that common cause failures are, by nature, rare events that tend to have some plant-specific features. The approach used to eliminate inapplicable failures needs to also consider possible as yet undiscovered failures relevant to that particular plant. Another area of concern involves the development of success criteria. The majority of the licensees appear to have performed realistic analyses with appropriatejustification; however, in a few cases, the use of system level codes, such as MAAP, to detennine thermal-hydraulic success and event timing is questionable. In addition, much of the observed variability in the success criteria is more attributable to the boundary conditions imposed on the analysis by the licensee. Where one licensee may have defined a more expanded boundary condition in crediting (with appropriatejustification) plant systems for mitigation, another licensee may have elected to not perform the necessary analysis, and therefore, not credit the system (s) in the success criteria. Long term success of system operation in harsh environments is not always adequatelyjustified for both the Level I and Level 2 analyses. One of the most important shortcomings for some of the IPEs is the human reliability analysis. Some plants excluded pre-initiators by claiming that those failures are already included in the component random failure data. This assumption is inaccuratebecause some of the most important pre-initiators such as common cause miscalibration NUREG-1560, Draft 6-16

1 1 f

6. Risk-Informed Regulation l occur rarely and, therefore, are not represented in the random failure data. Thus, pre-initiators should always be included in a quality PRA. Of greater concem is the use of invalid HRA assumptions. In particular, several i instances of the application of one of the HRA methods were determined to be inconsistent with the intent of GL 88-20. Additional assumptions made regarding the applications of the method were invalid, and consequently, the methods as applied did not produce consistently reasonable results. The potential impact of methodological effects on HRA results in the IPEs will be addressed in an upcoming NUREG/CR report. .

A number of IPEs appear to be close to quality PRA attributes for their accident progression analysis but, as noted above, containment performance and source tenn calculations in most of the IPEs are too simplified for a quality i PRA, and of a lesser caliber than the core damage frequency analysis. The major gaps separating many of the , Level 2 IPE analyses from those expected in a quality PRA include an insufficiendevel of detail, too great a reliance on reference plant analyses, inadequate or missing uncenainty or sensitivity analyses, and oversimplified source term development. While the containment event trees in some of the IPEs are quite detailed in themselves or supported by detailed  ! decomposition trees, others contain simplified analyses lacking some information necessary to ensure a quality analysis. For instance, in a number of IPEs, the effect of severe accident environmental conditions on system  ; operability is apparently not considered or dismissed without adequatejustification. [ An IPE Level 2 analysis based to a large degree on reference plants does not provide the plant-specific information needed if the IPE is to be useful for future risk-informed regulation applications. Certainly,in assessing containment i structural capability, lack of a plant-unique finite element structural analysis would severely impair the usefulness  ! of the IPE for other applications. The IPE results obtained for the accident progression analysis are point estimates with no uncertainty propagation. The MAAP code was widely used in the IPEs to quantify parts of the accident progression. While some licensees i recognized the limitations in the treatment of severe accident phenomena by MA.AP and supplemented their analyses with infonnation from other sources, many did not and, therefore, did not consider scenarios outside the range of MAAP results. Also, the dismissal of a number of severe accident phenomena in some IPEs, based on the viewpoint of set ofindustry position papers, is inconsistent with the comprehensive treatment of such phenomena that should appear in a quality PRA. Since the develcpment of a robust estimate of the frequency and magnitude of(at least) early releases is essential for application to risk-informed regulation, the problems and lack of detail with many of the IPE source term analyses are significant. In many IPEs, the source term analysis is inadequate to suppon a Level 3 PRA study. In general,the Level 2 analysis in its present form in m sst of the IPEs falls below the attributes of a quality Level 2 analysis in some aspects. Additional work is required i. most cases to bring the entire Level 2 PRA up to current quality PRA attributes, and a complete re-analysis may a necessary in some cases. A ?w licensees actually carried out a Level 3 analysis as part of their IPE, using either the CRAC2 or MACCS code. Obviously, a Level 3 analysis would be needed if a licensee wanted to directly compare their plant-specific analysis results with the quantitative health objectives supporting the NRC's safety goals. i 1 6-17 NUREG-1560, Draft l

6. Risk-Informed Regulation REFERENCES FOR CHAPTER 6 5.1  !!SNRC," Individual Plant Examination for Severe Accident Vulnerabilities- 10 CFR 50.54(f)," Generic Lett.7 88-20, November 23,1988.

6.2 USNRC, "Use of Probabilistic Risk Assessment Methods in Nuclear Regulatory Activities; Final Policy Statement," Federal Register, Vol. 60, No.158, August 16,1995. 6.3 USNRC, "PRA Procedures Guide, A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants," Final Report, Office of Nuclear Regulatory Research, Vol.1-2, NUREG/CR-2300, January 1983. 6.4 1. A. Papazoglou, et al., Brookhaven National Laboratory,"Probabilistic Safety Analysis ProceduresGuide," NUREG/CR-2815, BNL-NUREG-51559, January 1984. 6.5 D. M. Ericson, Jr., et al., Sandia National Laboratories," Analysis of Core Damage Frequency: Internal Events Methodology," NUREG/CR-4550, Vol.1, Revision 1, SAND 86-2084, January 1990. T. A. Wheeler, et al., Sandia National Laboratories," Analysis of Core Damage Frequency from Interne! Events: Expert Judgment Elicitation," NUREG/CR-4550, Vol. 2, SAND 86-2084, April 1989. R. C. Bertucio and J. A. Julius, Sandia National Laboratories," Analysis of Core Damage Frequency: Surry Unit 1," NUREG/CR-4550, Vol. 3, Revision 1, SAND 86-2084, April 1990. A. M. Kolaczkowski, et al., Sandia National Laboratories," Analysis of Core Damage Frequency: Peach Bottom Unit 2," NUREG/CR-4550, Vol. 4, Revision 1, SAND 86-2084, August 1989. R. C. Bertucio and S. R. Brown, Sandia National Laboratories," Analysis of Core Damage Frequency: Sequoyah Unit 1," NUREG/CR-4550, Vol. 5, Revision 1. SAND 86-2084, April 1990. M. T. Drouin, et al., Sandia National Laboratories," Analysis of Cor: Damage Frequency: Grand Gulf Unit 1," NUREG/CR-4550, Vol. 6. Revision 1, SAND 86-2084, September 1989. M. B. Sattison and K. W. Hall, Idaho National Engineering Laboratory, " Analysis of Core Damage Frequency: Zion Unit I," NUREG/CR-4550, Vol. 7, Revision 1, EGG-2554, May 1990. 6.6 E. D. Gorham-Bergeron, et al., Sandia National Laboratories, " Evaluation of Severe Accident Risks: Methodology for the Accident Progression, Source Term, Consequence, Risk Integration, and Uncertainty Analyses," NUREG/CR-4551, Vol.1, Revision 1, SAND 86-1309, December 1993. F. T. Harper, et al., Sandia National Laboratories," Evaluation of Severe Accident Risks: Quantification of Major input Parameters,"NUREG/CR-4551, Vol. 2, Revision 1, SAND 86-1309, December 1990. i R. J. Breeding, et al., Sandia National Laboratories,"Evaluatior i Sm m Accident Risks: Surry Unit 1," , NUREG/CR-4551, Vol. 3, Revision 1, SAND 86-1309, October sy90. , l A. C. Payne, Jr., et al., Sandia National Laboratories," Evaluation of Severe Accident Risks: Peach Bottom j Unit 2," NUREG/CR-4551, Vol. 4, Revision 1, SAND 86-1309, December 1990.  ; J. J. Gregory, et al., Sandia National Laboratories," Evaluation of Severe Accident Risks: Sequoyah Unit 1," NUREG/CR-4551, Vol. 5, Revision 1, SAND 86-1309, December 1990. NUREG-1560, Draft 6-18

6. Risk-Informed Regulation !

T. D. Brown, et al., Sandia National Laboratories, " Evaluation of Severe Accident Risks: Grand Gulf ' Unit 1," NUREG/CR-4551, Vol. 6, Revision 1, SAND 86-1309, December 1990. C. K. Park, et al., Brookhaven National Laboratory," Evaluation of Severe Accident Risks: Zion Unit 1," NUREG/CR-4551, Vol. 7, Revision 1, BNL-NUREG-52029, March 1993. 6.7 Summers, R. M., et al., Sandia National Laboratories, "MELCOR I.8.3: MELCOR Computer Code Manuals, Primer and User's Guides," Vol.1-2, NUREG/CR-6119, SAND 93-2185, September 1994. 6.8 Chanin, D. I., J. L. Sprung, L. T. Ritchie and H. N. Jow, Sandia National Laboratories,"MELCOR Accident , Consequence Code System (MACCS): User's Guide," NUREG/CR-4691, SAND 86-1562, Vols. I and 2, ' February 1990. l 6.9 USNRC, " Individual Plant Examination: Submittal Guidance ," NUREG-1335, August 1989. 4 6.10 Ritchie, L. T., et al., Sandia National Laboratories, " Calculations of Reactor Accident Consequences, Version 2, CRAC2: Computer Code User's Guide," NUREG/CR-2326, SANDI,1-1994,1983. J 6-19 NUREG-1560, Draft

7. ADDITIONAL INDIVIDUAL PLANT EXAMINATION PERSPECTIVES 7.1 Safety Goal Implications ne purpose of this section is to use the results of the Individual Plant Examinations (IPEs) to assess how existing i

plants compare with the safety goals of the U.S. Nuclear Regulatory Commission (NRC). %e Safety Goals Policy Statement (Ref. 7.1) established two qualitative safety goals that are supported by two quantitative health i objectives (QHOs) as follows:

            "We risk to an average individual ('O in the vicinity of a nuclear power plant of prompt fatalities that might result from reactor accidents should not exceed one-tenth of one percent (0.1%) of the sum of prompt fatality risks resulting from other accidents to which members of the U.S.

population are generally exposed." (Based on the risk of accidental death in the U.S. this implies a prompt fatality QllO of SE-7 per year).

            "%e risk to the population in the area near a nuclear power plant of cancer fatalities that might result from nuclear power plant operation should not exceed one-tenth of one percent (0.1 percent) of the sum of cancer fatality risks resulting from all other causes."

i (Based on the occurrence of cancer fatalities, this implies a latent cencer fatality QHO of 2E-6 per j year). lt is important to note ti at the safety goals do not represent regulatory requirements that all plants must meet. Uncertainties in the probabilistic risk assessment (PRA) process are sufficiently large that such a rigorous i implementation of the safety goals is not warranted. Rather, the policy statement indicates that the goals should serve as " aiming points or numerical benchmarks." His interpretation of the safety goals should be kept in mind while reading the remainder of this chapter. During implementation of the Safety Goals Policy Statement (Ref 7.2), several subsidiary objectives arose, including  ; a total core damage frequency (CDF) of IE-4 per reactor-year (ry) and a total conditional containment failux probability (CCFP)'"' of 0.1. A "large" release frequency of IE-6/ry was subsequently dropped. (Ref. 7.2) . When comparing the IPE results with the above objectives, it is important to note that the scope of the IPE program j is limited to accidents initiated by internal events (excluding internal fires) that occur during full-power operation. j l herefore, the risk estimates inferred from the IPE results may reflect only a fraction of the total risk of operating the plant. He results of other PRAs that include external events (and internal fires) and other modes of operation (e.g., low-power and shutdown) indicate risk levels comparable with those obtained for internal events during full-i power operation. l "The calculation of individual risk is discussed in Chapter 16 where individual risk is also contrasted with societal risk.

         " Conditional containment failure probability is defined as the probability of containment failure conditional on core damage having occurred. Chaptcr 14 provides a more detailed discussion concerning the definition and estimation of conditional failure probability.

NUREG 190, Draft 7-1

7. AdditionalIPE Perspectives The issuance of the Safety Goals Policy Statement was followed in May 1988 by an " Integration Plan for Closure of Severe Accident Issr.es" (Ref. 7.3), which has several elements, including the IPEs. In response to Generic Letter (GL) 88-20 (Ref. 7.4), the licensees were not requested to calculate offsite health effects (although some did); thus, the IPE results, in general, cannot be directly compared against the health objectives recounted above. However, certain subsidiary objectives can be obtained directly from the IPEs. These numerical objectives are presented in Figures 7.1 (CDF) and 7.2 (CCFP). The values (CDF and CCFP) from the IPEs are generally point estimates.

isa - l

                                                                               =.

f ,.. s.a.wierr OHer**

                                          $1 44                             3gug E                                     !Ija'                             *II i

1,.+ - a y i'i'a .. 4 [ ,sa , *

• 3 ,... .

SWRs PWRs Figure 7.1 Core damage frequency for BWR and PWR IPEs. t.e e.9 - e.e - a s7-e.e - ' ' e.e - e.4

                                              ,                                              a**

e.3 - .. ,ga 4, aan a 0.2 - **

                          ..                                                                  .a e.1
                                                  ** "'*795'**                                '

a;a' Bypass Early Fallure Byeara Early Failure PWRa BWRs Figure 7.2 Conditional containment bypass and early failve probabilities for all BWRs and PWRs. NUREG '4560, Draft 72

d 4 7. AdditionalIPE Perspectives The CDFs for all boiling water reactors (BWRs) and most pressurized water reactors (PWR) fall below IE-4/ry; however, nine licensees representing 15 PWR units reported CDFs above IE-4/ry. CCFPs for bypass and early containment failure are below 0.1 for most of the PWRs. All of the CCFPs for bypass events in BWRs are below 0.1; however, most of the CCFPs for early containment failure are above 0.1. This result is expected because of the nature of BWR pressure suppression containments. Since several plants exceed the subsidiary objectives, the QHOs must be investigated against the IPE results in order to determine how the existing plants compare with the safety goals. However, as noted above, offsite consequences generally were not calculatedin the IPEs. Offsite health effects were reported, though, for five plants in NUREG-1150 (Ref. 7.5). The NUREG ll50 results can then be used to extrapolate the IPE results to risk estimates using a two-step process: (1) NUREG-1150 identified the key containment failure modes contributing to offsite health risks for several plants. Therefore, in the first step, these results are compared with the frequencies of key containment < failure modes (such as early structural failure and bypass) as reported in the IPEs. This comparison permits si inference regarding how the IPE results might compare to the health objectives of the safety goals. (2) In the second step, plants that have relatively high frequencies of key containment failure modes are examined in greater detail to more accurately assess the risk estimates. One objective of the NUREG-1150 study was to gain and summarize perspectives regarding risk to public health from severe accidents at five commercial nuclear power plants. Consequently, the study included calculation of several risk measures, including individual fatality risks, for comparison with the NRC's safety goals. The results reported in NUREG-1150 indicated that the early fatality and latent cancer fatality risk estimates for accidents at all five plants studied are below the NRC's safety goals. On the basis of the NUREG-1150 results, the mean individual early fatality risk at Surry would have to increase by a factor of about 30 in order to approach the early health objective. For Sequoyah or Zion, individual latent cancer fatality risk would have to increase by more than two orders of magnitude to approach the corresponding health objective. This margin does not account for the risk associated with external events plus internal fire and flood and other modes of operation. NUREG-1150 also reported the contributions of the various accident progression bins to mean early and latent cancer I fatality risk for the five plants. inspection of the NUREG-ll50 results clearly suggests that accidents resulting in j containment bypass or early containment failure are dominarst contributors to the risk of both early fatalities and latent cancer fatalities. Consequently, by comparing the NUREG-ll50 results with the frequencies of early containment failure or bypass reported in the various IPE submittals, one can draw conclusions regarding how the existing plants might compare with the NRC's QHOs. Figure 7.3 comparesthe early containment failure and bypass frequencies reported in each of the IPEs with those obtained in the NUREG-1150 study. The IPE results presented are the mean or point estimate frequencies taken directly from the submittals and do not include estimates of uncertainty. The NUREG-1150 results include the mean,5th percentile, and 95th percentile frequencies for each of the five plants studied. A comparisnn of the frequencies of early containment failure or bypass given in Figure 7.3 indicates that most of the IPE results are similar to or lower than the NUREG-ll50 resuits. This implies that most plants have risk levels l similar to those reported in NUREG-1150. However, there are a number of plants that have early containment failure or bypass frequencies that are an order of magnitude higher than the Surry results. If the Surry results are extrapolated to the higher frequencies for these plants, the risk estimates are unlikely to approach the individual 7-3 NUREG-1560, Draft

7. AdditionalIPE Perspectives 15-8 1Ed -

( .- .. . 1 E.e u.... u... &$ % o

                   ""a-                                    ef t' a                                         *,a a              u....                         .

l 18.e

                                      -                    as,a.                       , , , , ,        ;; .J 1

t*  : m i 2 .. 15.F , f

      = t E-e                                                                                           '

surry Zion Settueyah PWRs Peach Gra.d BWRs (itse) (1180) (itse) (nPs) s ottom ouw (irs) (it se) (stse) Figure 7.3 Comparison of NUREG-1150 and IPE results concerning early containment failure and bypass frequencies for PWRs and BWRs. latent cancer fatality health objective because of the margin between the NUREG 1150 results and the cancer fataikv QHO. However, because of the smaller margin between the NUREG 1150 results and the prompt fatality QHO, the l risk estimates for plants with higher frequencies of early containment failure and bypass could approach this health objective. Scaling risk estimates using the ratios of containment failure and bypass frequencies could be misleading. The predicted individual early fatality risk is a complex function of the quantity of radior.ctive materials released, the timing of the release, and site-specific characteristics such as meteorology and the ropulation distribution in the vicinity of the plant. Consequently, the higher frequencies of early containment failurt cod bypass for the IPE results in Figure 7.3 may not translate into equivalent ircreases in early health risk. Therefore, plants with relatively high frequencies of early containment failure and bypass are examined in more detail as discussed below. In the IPE submittals reviewed by the staff,18 licensees (representing 29 units) reported early containment failure and bypass frequencies higher than IE-5/ry. The staff reviewed each of these submittals to determine the frequencies of source terms that would be expected to give rise to early fatalities within a one mile radius of the plant. One licensee (for La Salle 1&2) submitted a Level 3 IPE and was eliminated on the basis of the reported results. For all other submittals, source terms with early releases of iodine (I), cesium (Cs), and tellurium (Te) isotopes (which l mainly impact early health risk) greater than three percent are assumed to have the potential to result in early fatalities within a one mile radius of the plant. These frequencies,in turn, were adjusted by a factor to reflect the fraction of the population actually at risk given a release. For most weather conditions and given an approximately NUREG 1560, Draft 74

7. AdditionalIPE Perspectives uniform population distribution in the plant's vicinity, the plume characteristicswill place approximately two percent j of the population out to one mile at risk of an early fatalny. (Refer to Chapter 16 for a more detailed discussion on this factor.) Therefore, the individual risk of an early fatality was estimated by examining the frequencies of the early containment failure and bypass source terms, with release fractions of the core inventory of I, Cs, Te greater than three percent, multiplied by a factor of 0.02 to reflect plume characteristics.

After this second step,14 units were estimated to have the potential for relatively high individual early fatality risk within a factor of two higher or lower than the early fatality Q110 of SE-7/ry. Of these 14 units, two are BWRs with Mark I containments. For those plants, shell melt-through is the primary cause of early containment failure. l 'Ihis failure mode was identified as a Mark I specific failure mode before GL 88-20 was issued, and has been addressed separately through experimental research and analysis. Of the remaining 12 units, eight are PWRs with large dry containments and relatively high CDFs and CCFPs. The i relatively high CCFP (approximately 0.3) for one plant (Palisades)results from a unique failure mode in which core debris is predicted to melt through a pipe and enter the auxiliary building. The CCFP for five other units, Calvert i Cliffs l&2 and Palo Verde 1,2,&3 is lower (at approximately 0.l) than Palisades and driven by assumptions j regarding early overpressurization failures associated partly with direct containment heating. This failure mode also j was identified before GL 88-20 was issued, and is also being addressed by research activities. Two other units,  ! Ginna and lladdam Neck, have relatively high containment bypass frequencies. The remaining four units are PWRs with subatmospheric containments. The CCFP for two of these units (Beaver Valley 1&2) is also relatively high (approximately 0.3) and isolation failure is an important contributor. The i probability of isolation failure is large because, for station blackout sequences, the IPE model does not take credit l for operator actions to manually isolate the containment. The IPE results for Surry 1&2 are driven mainly by containment bypass. (While containment bypass was also identified as the major contributor to the risk of early fatality from internal initiators at Surry in the NUREG-i l50 study, the mean bypass frequency in NUREG-ll50 was estimated to be more than one order of magnitude smaller than to the IPE result. lience, the mean distribution of the individual risk of early fatality reponed in NUREG-1150 lies well below the early fatality QHO.) While these preliminary estimates of early fatality risk based on the IPE results are approximate, they point to the need to more carefully examine site-specific characteristics at individual plants. For example, the conditional consequences of early failures may be more severe at sites such as Beaver Valley that have a relatively high population density (compared to, say, Ginna) in the plant vicinity. In addition, site meteorology and plant size (i.e., the radionuclide inventory) can also influence offsite consequences. In summary, by comparing the IPE results with the NUREG-1150 study, the staff concluded that, with a few exceptions, most of the IPE results are likely to meet the NRC's QHOs. The IPE results, which only reflect accidents initiated by internal events at full power, imply risk levels below the individual latent cancer fatality health objective. In addition, with the possible exception of a few plants, the IPE results also suggest risk levels below the individual early fatality health objective. Although relatively more plants exceeded the proposed subsidiary objectives, only a fraction of these are found to have the potential for individual early fatality risk levels that could approach the corresponding QllO. 7.2 Impact of the Station Blackout Rule on Core Damage Frequencies A station blackout (SBO) is the total loss of AC power to the essential and nonessential equipment at a nuclear power plant. If an SBO occurred and AC power was not recovered,it would ultimately result in core damage since nuclear 7-5 NUREG-1560, Draft

l I

7. AdditionalIPE Perspectives reactors require AC power for decay heat removal. The SBO rule (Ref. 7.6) requires that nuclear power units perform an analysis to establish a method to cope with an SBO for a specified duration without core damage occurring (coping method). In some instances, licensees implemented unit modifications to improve the unit's ability to endure an SBO. The goal of the SBO rule is to limit the average so contribution to CDF to about IE-5/ry. This goal should be interpreted in the same manner as the safety goals, that is, as an aiming point or numerical benchmark, rather than as a hard and fast requirement. This section provides perspectives on the SBO rule impact on CDF as reported in IPE submittals and on the achievement of the goal of IE-5/ry. In addition, this section identifies and characterizesthe important variables that contributed to the variation in SBO CDF results.

SBO-related information contained in the IPE submittals was used to determine the reported impact on CDF. The submittals were categorized by considering whether the SBO rule was addressed, whether the SBO rule coping method was modeled, and whether the impact of the SBO rule on CDF was reported. Those submittals with insufficient information to categorize the impact of the rule were excluded. In all, the staff reviewed 75 IPE submittals (covering 108 plant units) and various licensee responses to requests for additional information were reviewed to obtain information addressing the SBO rule. For licensees that modeled the SBO rule coping method, the staff compared the average SBO CDF with the rule's goal to determine how well it was achieved. For licensees that did not model the SBO rule coping method, the staff compared the average SBO CDF with the rule's goal to provide insight into the margin for improvement in CDF by implementing the SBO rule. The staff also performed a regression analysis to assess the factors that are directly relevant to variations in the SBO CDF. Ten licensee IPE submittats (covering 15 plant units) reported estimates of the reduction in total CDF that resulted from implementing the SBO rule. The average reported reduction was ~2E-5/ry, ranging from ~7E-6 to ~6E-5/ry. The average reported percent reduction in total CDF was about 20%, ranging from about 10 to 50%. Licensees that met the SBO rule using existing equipment were not included in the average CDF reduction calculation. Of the 108 plant units reviewed by the staff,53 modeled the SBO rule coping method. The variability of the reported SBO CDF was large, ranging from negligible to ~3E-5/ry. The average reported SBO CDF was ~9E-6/ry. The variability of the reported percent SBO contribution was also large, ranging from 0 to about 90%. The average reported percent SBO contribution was about 20%. Figure 7.4 summarizes the reported SBO CDFs for these units. The IPE submittals exhibited a wide range of SBO CDFs relative to the SBO rule goal. Some licensees that modeled the SBO rule coping method reported SBO CDFs about two orders of magnitude lower than the goal, while others reported SBO CDFs about three times higher than the goal. Licensees reporting the lowest SBO CDFs attributed the values to their plants having highly redundant and reliable emergency diesel generator configurations, having intradivisional crosstie capability backed up by an alternative AC power source, having emergency diesel generators that do not depend on room cooling; having a low loss of offsite power (LOOP) initiating event frequency, and having a battery depletion time of 6 hours or more. Licensees reporting high SBO CDFs relative to the SBO rule goal or high percent SBO contributions, attributed the values NUREG-1560, Draft 76

 . - .                             -                                      =.                     .         ..    . _ - .                     .

l l l l 7. AdditionalIPE Perspectives l ! 1.0E-03 1.0E-04

       .                                           r *                                           '

( Average Goal of 550 Rule g-- g *I g -- a 1.0 E-06% g. 1.0E - g ---- - - - -- - --4-- - - - -

                                                                                                                                      - - } .--- _

Average / ,3 Averagejf a ,3 9.0E-S a 4 , 7.0E46 a ,, ,,

                                                    ;:,:.                                      a      .                               .

1.0E-06 a a g  ::.. .. 1.0E e a 1.0E-08 ._22 ._. _; __.2_. LWRs BWRs PWRs Figure 7.4 Units where licensees modeled the coping method. 1.0 E-03 1.0E 04 47 m

                 $                             Average .                                                                  g y, ,, g ,  ,       a V                              1.0 E-0 6 g                                                               2.0 E-06 g            I I                                         t*....                                                                     ..   .J 6-              Goalof SBO Rule                **
                                                                                                        - ,--                         j*.**

{ 1.0E 06 g -y;- - -- - - - - - - - - Averag 9.0 E-08 I ,.0E.0. . . . - .m w I h 1.0E-07 _A.A- ^^ u

                 *

• 1.0 E -0 8 LW Rs BWRs PWRs ,

f Figure 7.5 Units where licensees did not model the coping method. 7-7 NUREG-1560, Draft

7. AdditionalIPE Perspectivea to having only a short time in which to recover offsite power", having a battery depletion time of 4 hours or less, having less emergency diesel generator redundancy, and having a limited supply of water for the auxiliary feedwater system.

Of the 108 plant units reviewed by the staff,27 did not model the SBO rule coping method. The units exhibited large variability in the reponed SBO CDFs, ranging from ~ lE-7 to ~6.5E-5/ry. The estimated average SBO CDF (~ IE-5/ry) was comparable to the SBO rule goal. The 27 units also exhibited large variability in the percent SBO contribution, ranging from about 2% to 70%. The average estimated percent SBO contribution was about 20%. Figure 7.5 depicts the reponed SBO CDFs. The units reviewed by the staff exhibited a wide range of SBO CDFs relative to the SBO rule goal. Some licensees reponed SBO CDFs two orders of magnitude lower than the SBO rule goal without modeling the SBO rule coping method. Others reponed SBO CDFs close to an order of magnitude higher than the goal. Licensees reponing low SBO CDFs attributed the low values to their plants having highly redundant and independent emergency diesel generator configurations, having a low LOOP initiating event frequency, having a battery depletion time of eight hours or more, having operator action to manually control auxiliary feedwater flow following battery depletion, and having a low likelihood of reactor coolant pump (RCP) seal LOCAs. Licensees reporting high SBO CDFs relative to the SBO rule goal or high percent contributions, attributed the high values to their plants having a high likelihood of an RCP seal LOCA during the SBO or a short battery lifetime. For BWRs, a simple regression of the SBO CDFs indicates that the variation in SBO CDFs is caused by several factors. These factors include the LOOP initiating event frequency, battery lifetime, diesel generator configuration, emergency AC power configuration, site weather characteristics, and the independence of offsite power systems. The emergency AC power configuration is the most imponant. For PWRs, the regression of the SBO CDFs indicates that the variation in SBO CDFs is caused by a combination of factor. The emergency AC power configuration and the RCP seal LOCA are the most important. The average reponed reduction in total CDF (~2E-5/ry, of which a significant ponion was due to the reduction in the SBO CDF) is consistent with the average reduction in SBO CDF (3E-5/ry) from the backfit analysis of the SBO rule (Ref. 7.7). The average SBO CDF for all plant units considered in the evaluation (1.5E-5/ry) is comparable to a " typical" estimate (on the order of IE-5/ry) from an evaluation of SBO accidents at nuclear l power plants (Ref. 7.8). The large variability in the SBO CDF results for all the plant units evaluated I (negligible to ~6.5E-5/ry)is also consistent with the variability in the SBO CDF results (-1E-6 to ~ IE-4/ry) from the evaluation of SBO in other studies. I In summary, the results in the IPE submittals indicated that implementing the SBO rule measurably reduces total CDF, largely because of the reduction in SBO CDF. However, there are exceptions in which licensees used j existing equipment to satisfy the SBO rule. The SBO CDF is also impacted by a combination of factors (i.e., design features, site characteristics, and/or modeling assumptions and techniques) unique to each unit. 1 uHaving only a shon time in which to recover offsite power means that the probability of not recovering power is higher than if a longer recovery time was available. NUREO-1560, Draft 7-8

    .       . - .                . _ . . . _ . -    .. -         --     .        .    .- -.                   ~~           _ .

l

7. AdditionalIPE Perspectives 7.3 Comparison with NUREG-1150 in 1990, the NRC published NUREG-ll50, which assessed risk for five nuclear power plants covering both PWR and BWR designs. While these five plants only represent a small sample of designs, it is possible to consider whether the NUREG-IISO results and perspectives are consistent with those found in the IPEs. This section only 4

   . compares the global perspectives discussed in NUREG-il50 with the overall results of the IPEs. This section does j

not provide perspectives regarding a plant-specific comparison between NUREG-II5O and the applicable IPE analyses. Perspectives of this nature are provided in the individual SERs on the five IPEs. 1 ! The average CDFs from the NUREG-1150 PWR analyses fall within the ranges of the CDFs estimated for the ] PWRs in the IPEs. Similarly, the average CDFs for the NUREG-Il50 BWR analyses fall within the ranges of the

,     BWR IPE values. The mix of relative contributions of accident sequences in the IPE results is consistent with the NUREG-ll50 results. For the PWRs, station blackout, transients, and LOCAs are usually the more important contributors. For the BWRs, LOCAs and anticipated transients without scram (ATWS) are generally less important

than SBO and transients.

i The staff also compared the conditional probabilities of early containment failure in NUREG-1150 results with the  ; IPE results. The NUREG-ll50 results (mean values) fall within the range of the IPE results for each containment I type. NUREG-1150 identified that the conditional probability of early failure is significantly lower for PWRs with 4 large dry or subatmospheric containments than for other PWRs and BWRs with pressure suppression containments. This trend is not as apparent in the IPE results. However, the IPE results indicated that BWR containments generally have higher conditional probabilities for early containment failure than PWR plants. For those IPEs with extremely low or high early containment failure probabilities, the probabilities are mainly driven by modeling assumptions and plant-specific features. On the basis of absolute frequency, early containment failures for BWRs are similar to those for PWRs because the higher values for the conditional early containment failure probabilities for the BWR containments are compensated by the lower values for the BWR CDFs. 3 NUREG-1150 provides general perspectives for BWRs and PWRs based on the five plants analyzed. Generally,

the perspectives discussed in NUREG-IISO are consistent with the IPE results; however, there are some notable

exceptions. Table 7.1 summartzes each perspective discussed in NUREG-1150 with a comparison to the IPE-analyses.

4 s 1 1 I l l i 4 i I 79 NUREG-1560, Draft d

7. AdditionalIPE Perspectives Table 7.1 Comparison of NUREG-1150 perspectives with IPE results.

NUREG-1150 perspectives Comparison with IPE perspectives BWRs tend to have lower CDFs than PWRs This finding is less pronounced for the IPEs. LOCAs in BWRs are not as important as in PWRs because BWRs have more makeup systems than PWRs Support systems are crucial to the CDF This finding holds for IPEs. Support systems (electrical power; service water (SW); instrument air; and heating ventilating and air conditioning) failures reduce redundancy of front-line systems Operator recovery actions significantly reduce This finding holds for IPEs. Improvements in emergency operating the CDFs procedures have enhanced the effectiveness of operator recovery actions PropeJy designed crosstics between systems This finding holds for IPEs. Many plants can crosstie a few can substantially decrease the CDF important systems. Administrative control is important to prevent incorrect crosstie Station blackout is important at both PWRs This finding holds for IPEs. SBO contributes relatively more to the and BWRs CDF for BWRs than for PWRs. Ilowever, SBO tends to give a higher absolute frequency at PWRs than at BWRs, partly because of RCP seal LOCAs at PWRs Containment venting can reduce CDF at This finding holds for IPEs. Injection systems can fai! from high BWRs containment pressure, high suppression pool temperature, loss of net positive suction head, or harsh environment in the reactor building following containment failure. Venting can eliminate these failures at some plants Loss of SW or component cooling water can This finding holds for IPEs. Loss of component cooling water or be dominant at PWRs SW may lead to loss of high-pressure injection and RCP seal LOCA. RCP seal LOCA is more important at Westinghouse plants with old seal designs than at other PWR plants Feed-and-bleed is an important safety strategy This finding holds for IPEs. Feed-and-bleed requires power-operated at many PWRs relief valves (PORVs) to be unblocked at most plants. Ilowever, 7 many PWRs have PORVs blocked because of PORV leakage problems Switchover to recirculation is important to This finding holds for IPEs. Substantial variation exists among the l LOCA CDFs at PWRs PWR designs for recirculation switchover, Plants with manual switchover, a smaller refueling water storage tank, and a low containment spray setpoint tend to have higher LOCA CDFs Large dry and subatmospheric containments This finding holds for most IPEs, but with some notable exceptions. are high!y likely to maintain integrity dur5g a For some of these plarts, phenomena associated with high-pressure severe accident melt ejection were important causes of loss of integrity. Isolation i failures and bypass accidents were found to be important in other  ! plants. For a few fants, specific design features lead to unique and l significant failure modes The likelihood of early containment failure is This finding does not hold for IPEs. The opposite trend appears to higher for ice condenser designs than for large be driven by the modeling assumptions made in the five ice dry and subatmospheric designs condenser IPEs rather than any phenomenological or design-related reasons NUREG-1560, Draft 7-10

1 l i l l

7. AdditionalIPE Perspectiver I Table 7.1 Comparison of NUREG-1150 perspectives with IPE results.

J NUREG-1150 perspectives Comparison with IPE perspectives There is a substantial likelihood of early This failure mode was also found to be important in most of the IPEs failure in BWR Mark I containments as a for Mark I plants. GL 88-20 gave licensees the option whether to result of direct attack of the drywc!! shell by address this issue. Some licensees did not consider this issue and the molten core debris potential for early containment failure was found to be low. In other

' IPEs, the likelihood of early failure was high even if shell melt-through was neglected Venting can eliminate some sequences that Most IPE results for Mark I containments include late containment would otherwise result in gradual overpressure venting as a way to prevent late containment failure failure of Mark I containments

, Hydrogen deflagration is the principal The conditional probabilities of early failure in the IPEs were less i mechanism for early containment failure in than the NUREG-ll50 values because of modeling assumptions and BWR Mark III containments high reliability of the igniter system in the IPEs . If core damage is arrested invessel, the Not all IPEs considered this effect. For those that did, the impact on likelihood of containment failure is small for the progression results was significant all containment types Containment bypass events represent a large This finding holds for most of the IPEs and, in some cases, bypass fraction of high-consequence accidents for events dominated the frequency of high-consequence accidents PWR containments I l i i

                                                                                                                                     )

1 l l l 1 7-11 NUREG-1560, Draft

7. AdditionalIPE Perspectives REFERENCES FOR CHAPTER 7 7.1 USNRC, " Safety Goals for the Operation of Nuclear Power Plants: Policy Statement," Federal Register, Vol. 51, p. 30028, August 21,1986.

7.2 USNRC, SECY-89-102, " Implementation of Safety Goal Policy," March 30,1989. 7.3 USNRC, SECY-88-147, " Integration Plan for Closure of Severe Accident Issues," May 25,1988. l 7.4 USNRC, " Individual Plant Examination for Severe Accident Vulnerabilities-10 CFR$50.54(f)," Generic Letter 88-20, November 23,1988. 7.5 USN'RC, " Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants," NUREG-1150, December 1990. 7.6 USNRC, "less of All Alternating Power," Code of Federal Regulations, Title 10, Section 50.63, July 21, 1988. 7.7 USNRC, " Regulatory /Backfit Analysis for the Resolution of Unresolved Safety Issue A-44, Station Blackout Accident," NUREG-1109, June 1988. 7.8 USNRC, " Evaluation of Station Blackout Accidents at Nuclear Power Plants, Technical Findings Related to Unresolved Safety Issue A-44," NUREG-1032, June 1988. i l 9 l NUREG-1560, Draft 7-12

l

8. OVERALL CONCLUSIONS AND OBSERVATIONS In considering the perspectives summarized in Chapters 2 through 7 (and discussed in greater detail in Chapters 9 through 18), the staff drew certain conclusions and observations regarding the results reported in the Individual Plant Examinations (IPEs). These conclusions and observations address the following areas, as discussed below:

• Generic Letter (GL) 88-20 objective (including improvement of plant safety)
• regulatory follow-up activities plant safety enhancements containment performance improvements additional review of IPE/PRA plants with relatively high core damage frequency (CDF) or conditional containment failure probability (CCFP)
• safety issues unresolved safety issue (USI) A-45 other USIs and generic safety issues (GSis) potential GSis
• plant inspection activities e areas for research
• Commission's Safety Goals
• use of NUREG-1560 accident management maintenance rule risk-informed regulation miscellaneous issues
• probabilistic risk analysis (PRA)

In reading the following conclusions and observations, the reader should consider the scope and limitations of both the individual IPEs and the IPE Insights Program which are discussed in Section 1.3 of Chapter 1 of this report. 8.1 GL 88-20 Objective (Including Improvement of Plant Safety) GL 88-20 (Ref. 8.1) establishtd that " systematic examinations are beneficial in identifying plant-specific vulnerabilities to severe accidents that could befixed with low cost improvements. " To reallie this benefit, GL 88-20 requested that each licensee implement an IPE program to " perform a systematic examination to identify any plant-specific vulnerabilities to severe accidents." Further, GL 88-20 identified the following general purposes for performing an IPE: (1) Develop an appreciation of severe accident behavior. (2) Understand the most likely severe accident sequences that could occur at its plant. (3) Gain a more quantitative understanding of the overall probabilities of core damage and fission product releases. (4) If necessary, reduce the overall probabilities of core damage and fission product releases by modifying, where appropriate, hardware and procedures that would help prevent or mitigate severe accidents. 8-1 NUREG-1560, Draft 3

8. Conclusions and Observations in addition, GL 88-20 noted that "marimum benefitfrom the IPE would be reali:ed of the licensee's staff were involvedin all aspects of the examination to the degree that the knowledge gainedfrom the examination becomes an integral part ofplant procedures and training programs "

Overall, the licensees have met the intent of GL 88-20, conducting systematic examinations of 108 nuclear power plant units. Through these examinations, the licensees have identified existing " vulnerabilities"(or " weaknesses") and more than 500 plant improvements (including hardware modifications and procedural changes) that would potentially help to prevent or mitigate severe accidents. Each licensee elected to perform Level I and 2 PRAs for their !PE. Therefore, as part of their IPE, each licensee completed the following tasks:

• developed a model of the severe accident behavior of their plant
• identified the most likely severe accident sequences based on their PRA model
• estimated the CDF and radionuclide release frequencies based on their PRA model e identified the most likely features needed to prevent and mitigate core damage and radionuclide releases based on their PRA model in addition, almost every licensee performed the majority of the analysis associated with the IPE, relying on contractors primarily for those specialized, technical areas where licensees typically do not have in-house expertise.

In many cases, it appears that this technology was transferred from the contractors to the licensees. As a result of the IPE program, it is clear that licensees have generally developed in-house capability with an increased understanding of severe accidents and PRA. This increased understanding has indirectly increased plant safety. Further, while only a small fraction of licensees actually identified vulnerabilities, nearly all licensees identified areas warranting investigation for potential improvements. (As noted above, licensees collectively identified more than 500 potentialimprovements.) Although it is not possible to quantify the overall, industry-wide impact on plant safety that resulted from these improvements, CDF reductions as high as two orders of magnitude have been reported for certain improvements, in this regard, the IPE program has served as a catalyst to further improve the overall safety of nuclear power plants: therefore, the GL 88-20 initiative has clearly proved a success. 8.2 Regulatory Followup Activities The results of the IPE program, represented by the perspectives discussed in this report suggest the following areas and issues for which the U.S. Nuclear Regulatory Commission (NRC) staff plans to pursue some type of followup activities (as described below): I

• plant safety enhancements l
• containment performance improvements l
• additional review of IPEs/PRAs
• plants with relatively high CDF or CCFP NUREG-1560, Draft 8-2

8. Conclusions and Observations 8.2.1 Plant Safety Enhancements

                                                                                                                             +

Chapters 2 and 9 of this report identify the plant improvements planned or implemented by the licensees. Many of these improvements, although identified on a plant-specific basis, have the potential for generic applicability and, therefore, the potential to further increase reactor safety, as demonstrated by the following significant examples:

• Usingfirewater as an alternative injection sourcefor BWRs. Some licensees have implemented system and procedural modifications to permit use of the firewater system as a backup source oflow-pressure coolant injection (LPCI) to the reactor vessel. The system would be used in the event of long-term accident sequences, primarily aiding the plant during station blackout conditions.

Replacingthesealmaterialfor Westinghousereactorcoolantpumps (RCPs). Some Westinghouse licensees have replaced the o-rings in the RCPs with a more temperature-resistant design that is less susceptible to leakage when seal cooling is lost. This modification reduces the potential for seal-related loss of coolant accidents (LOCAs) sequences that can lead to core damage if inventory makeup is not available.

• Supplying the RCPs with alternative cooling. At some plants, licensees have added backup cooling for RCPs (e.g., by powering charging pumps off the technical support diesel generators). This additional capability reduces the likelihood of sequences without RCP cooling, thereby reducing the threat from RCP seal LOCAs.
• . Addingprocedures andportablefansfor alternative room cooling upon loss ofheating, ventilating, andair conditioning (HVAC). Some licensees have addressed a susceptibility to loss of HVAC by adding procedures such as opening doors to provide ventilation upon indication ofloss of HVAC. Similarly, some i licensees have added backup room cooling capabilities by making portable fans available.
• Revising containment spray initiation criteria in boiling water reactor (BWR) Mark iplants. Some BWR Mark I licensees have indicated that they are considering revised criteria that would permit earlier initiation of containment spray to increase the likelihood of having a flooded drywell floor and the benefits associated with that condition.

J e Revising procedures to preclude RCP restart in pressuri:ed water reactors (PWRs) under core damage conditions, thereby reducing the likelihoodofinducedsteam generator tube rupture (SGTR). Some PWR licensees have modified their emergency operating procedures to preclude RCP restart under conditions that could lead to an induced SGTR. The staff (Office of Nuclear Reactor Regulation) plans to conduct folicwup activities with each licensee to monitor the status of plant improvements. For those planned improvements not yet implemented, the specific actions undertaken by the staff will depend on the actual improvements and their potential impact on plant safety (while cor.sidering the backfit rule). 8.2.2 Containment Performance Improvements in SECY-87-297 (Ref. 8.2), the NRC staff presented its Containment Performance Improvement (CPI) Program as a plan for evaluating generic vulnerabilities related to severe accident containment. This was predicated on the conclusion that there are generic severe accident challenges to each light water reactor (LWR) containment 8-3 NUREG-1560, Draft

I

8. Conclusions and Observations type that should be assessed to determine the adequacy of existing Commission policy, and to ascertain whether

                                                                                                                    )

additional regulatory guidance or requirements are warranted with regard to containment features. The NRC's " Integration Plan for Closure of Severe Accident issues," SECY-88-147 (Ref. 8.3), refers to the close integration of the CPI Program, and the IPE Program. Specifically, SECY-88147 states that the CPI Program " focuses on resolving hardware andprocedural issues related to generic containment challenges, " while the IPE program, "will be examining plant-specific accident vulnerabilities which could threaten containment integrity. " SECY-88-147 further clarified that the NRC staff would first focus its efforts on the BWR Mark I containments. i Technicalinsights arising from the CPI program with regard to these containments were discussed in SECY-89-017,

" Mark 1 Containment Performance Improvement Program" (Ref. 8.4), and summarized in Supplement I to GL 88-20 (Ref. 8.5).

The enclosure to Supplement I stated that the Commission expects that licensees of BWR Mark I plants to seriously consider the following three improvements during their IPEs: (1) alternate water supply for drywell spray / vessel injection (2) enhanced reactor pressure vessel (RPV) depressurization system reliability (3) emergency procedures and training (implementation of Rev. 4 of the BWR Owner's Group Emergency Procedure Guidelines (BWROG EPGs)) Supplement I further stated that the staff planned to communicate directly with each Mark I licensee regarding the use of a hardened vent path. Specifically,the staff contended that licensees should consider the three improvements listed above, should be considered in addition to improvements stemming from the evaluation and implementation of the hardened vent. In Supplement 3 to GL 88-20 (Ref. 8.6), the staff announced the completion of the CPI Program and forwarded the resulting insights to licensees of BWR Mark 11 and Mark 111 containments, as well as PWR containments. Supplement 3 noted that the technical information conveyed might be useful as these licensees conducted their IPEs for severe accidents vulnerabilities. With regard to BWR Mark 11 containments, Supplement 3 stated that, for events where inadequate containment heat removal (C11R) could cause core degradation, licensees are expected to consider (as part of the IPE process) additional CHR capability using plant-specific hardware procedures. In addition, Mark Il licensees are expected to consider the applicability of the Mark I improvements reported in Supplement I to GL 88-20. Similarly, Supplement 3 stated that licensees with BWR Mark Ill containments are expected to evaluate (as part of the IPE) the vulnerability of other plants to interruption of power to the hydrogen igniters. In addition, Mark Ill licensees are expected to consider the applicability of the Mark I improvements reported in Supplement I to GL 88-20, as well as the additional CHR capabilities suggested for Mark Il containments. Further, Supplement 3 noted that the same situation could occur in PWR ice condenser containments as in Mark lli containments with regard to hydrogen detonations following restoration of power. Therefore, licensees with ice NUREG-1560, Draft 8-4 1

8. Conclusions and Observctions condenser containments are expected to evaluate (as part of the IPE) their plants' vulnerability to interruption of power to the hydrogen igniters.

For PWR dry containments, Supplement 3 stated that licensees' IPEs are expected to evaluate the need for improvements (including accident management procedures) related to containment and equipment vulnerabilities to localized hydrogen combustion. In NUREG-1335 (Ref. 8.7), the NRC requested that licensees use its IPE submittals) to " develop .. strategies to minimi:e the challenges and the consequences such severe accident phenomena may pose to the  ! containment integrity and to recogni:e the role of mitigation systems while awaiting their generic resolution. " 1 i in the IPEs, most licensees responded to the CPI Program recommendations related to their type of containment. 11owever, the licensees varied widely in their responses to the CPI recommendations. In several cases, the licensees indicated that they are considering the CPI recommendations, but did not identify them as commitments. In other cases, they are not addressed at all. Section 9.4 of this report provides an overview, grouped by containment type,

                                                                                                                           )

of how the licensees

• addressed the CPI concerns in their IPEs.  !

The CPI Program accomplished the objective of identifying generic issues for each containment type (briefly summarized above), and bringing those issues to the attention of the licensees. Many licensees examined their plants to assess the relevance of the generic issues in light of their plant's particular features and procedures. These  ! licensees then indicated in their IPE submittals either that they had adopted modifications to hardware and'or procedures, or reasons w hy changes were not necessary. For some issues, such as alternative water supplies in BWRs i or adoption of Revision 4 of the BWROG EPGs, many licensees indicated that they had already implemented the needed measures before conducting their IPEs. For other issues, such as enhanced RPV depressurization in BWRs  ; or alternative igniter power supplies in BWR Mark 111 containments or PWR ice condensers, most of the affected licensees stated that no modifications were needed. Ilowever, there were a number oflicensees that did not address some of the CPI items in their submittal. It is important to note that, in general, the IPE process did not identify any new generic containment issues (i.e., issues not previously identified in other safety assessments or the CPI Program). However, some plant-specific containment-related insights derived from the IPEs may be worth pursuing (under the backfit rule) for possible applicability to other plants. Examples include the failure modes related to core debris contact with the containment boundary (found in some IPEs for PWR plants) and the containment bypass caused by isolation condenser failure identified in one BWR IPE). The staff plans to conduct followup activities with each licensee on those CPI items not yet implemented and those not addressed in the IPE submittal. The specific actions undertaken by the staff will again depend on the actual CPI and its potential impact on plant safety. 8.2.3 Additional Review of IPEs/PRAs The staff reviewed each licensee's IPE submittal to determine if the submittal met the intent of GL 88-20. This review, tnerefore, focused on the objectives of the generic letter (whether the licensee's analysis was capable of identifying plant-specific vulnerabilities). The staff's review of the IPEs did not include identifying other potential uses and applications. Licensees elected to perform PRAs for their IPEs; however, only a small fraction of these analyses were provided to the staff in the licensees'submittals. Therefore, to determine whether each IPE/PRA was capable of identifying vulnerabilities, the staff focused its review on the following aspects: 8-5 NUREG-1560, Drail

1

8. Conclusions and Observations

• " completeness" of the PRA and all necessary elements (e.g., whether the licensee performed an initiating  ;

event analysis and addressed support system failure in identifying potential initiators) l I e " reasonableness"of the assumptions, boundary conditions, and data (as substantiated by supporting analyses j and calculations) I l l

• " reasonableness" of the results (given the design and operation of the plant) l The staffs review did not, however, include verifying or validating the licensees' analyses or the supponing calculations. For additional uses of the PRA, such verification and validation may be necessary for panicular i applications. Observations concerning the use of IPEs to support risk-informed regulatory changes and other applications are discussed in Section 8.2.1 of this repon. In addition, Chapter 14 of this report defines the attributes for a quality PRA and Chapter 15 compares the IPEs to those attributes. Particular areas where the IPEs appear to be weak are discussed at length in Chapter 15 and summarized in Chapter 6. Consequently, if an IPE is to be used to suppon risk-informed regulation, additional review may be needed in these areas, depending upon the application of the PRA.

8.2.4 Plants with Relatively High CDF or CCFP in reviewing the results reponed in the IPE submittals, the staff noted that about half of the plants had CDFs and/or CCFP that were relatively high. In all,15 PWR units have CDFs greater than IE-4/yr and 23 PWR units have CCFPs greater than 0.1. No BWR units have CDFs greater than IE-4/yr, but 26 BWR units have CCFPs greater than 0.1. For these plants, the staff is planning followup activities to determine whether additional regulatory actions are warranted. in deciding what actior,s to take, the staff will examine underlying causes of the high CDF and/or CCFP values; that is, the staff will determine the necessary regulatory actions on the basis of whether the value is high because of analysis assumptions or because of the design and operation of the plant. For example, the relatively high CCFP (approximately 0.3) for the Palisades plant (a PWR with a large-volume containment)is attributed to plant specific-features. By contrast, the high CCl'P reported for Waterford is driven largely by modeling assumptions. A high CCFP caused by plant- specific features may warrant attention, whereas a high CCFP driven by limiting or bounding modeling assumptions could require further evaluation regarding the ulidity of the assumptions. 8.3 Safety Issues in examining the IPEs, the staff gleaned perspectives regarding the following three categories of safety-related issues: j l (1) How did licensees address and resolve USI A-45, " Shutdown Decay Heat Removal (DHR)," (GL 88-20 l specifically requested that licensees address this issue). (2) Did licensees'IPE submittals propose resolution of any other USIs or GSis? If so, were those issues , effectively resolved? i (3) Have any new potential safety issues been identified as a result of the IPEs? These three categories are discussed in the following sections. NUREG-1560, Draft 86

8. Conclusions and Observations 8.3.1 Unresolved Safety Issue A-45 l GL 88-20 specificallyrequested that licenseesaddress USI A-45 to determine whetherthe DHR function at operating

plants is adequate, and whether cost-beneficialimprovements could be identified. In its evaluation of this issue, the staff concluded that a generic resolution (e.g., a dedicated DHR system) is not cost effective, and this issue could only be resolved on a plant-speci6c basis. Because the IPEs provide an examination of the DHR systems and their importance, as well as the importance of systems performing other functions, the staff concluded that USl A-45

should be subsumed in the IPE Program.

In NUREG-1289 (Ref. 8.8), the regulatory and backfit analysis of USI A-45, the staff defined the l components and systems related to the DHR function as those required to maintain primary and secondary coolant inventory control and to transfer heat from the reactor coolant system to the ultimate heat sink following reactor ! shutdown for transients (such as loss of feedwater, loss of offsite power, and small-break LOCAs. Support systems (such as standby service water and emergency AC power) required for various modes of DHR were also to be considered. The transition from reactor trip to hot shutdown (excluding the reflooding phase in a large LOCA), the transition from hot shutdown to cold shutdown, and the maintenance of cold shutdown conditions were considered part of the USl A-45 program. However,the USI A-45 program did not concernanticipatedtransients without scram (ATWS), interfacing system LOCAs (ISLOCAs), or large LOCAs. This definition of DHR sequences is an expanded j version of the functional definition used in the IPEs and in this report. By contrast, the IPEs typically defined the DHR function in as involving direct heat removal from the reactor coolant system (RCS) and removal of heat , transported to the containment. GL 88-20 directed licensees to pay particular attention to identifying DHR vulnerabilities as part of their IPEs. However, GL 88-20 did not provide any definition of a DHR vulnerability. Many of the licensees chose to use the same definition or criteria used to identify vulnerabilities associated with other functions modeled in the IPE. In j addition, many chose to use the interim quantitative design objectives provided in NUREG 1289, which stated that

             " limited- scope, plant-specupc PRA could demonstrate the adequacy ofthe existing decay heat removalfunction by documenting that its contribution to core damagefrequency was relativelylow, on the order ofIE-5 per reactoryear or less " Little, if any, cost-beneficialmodifications would be warranted if the core damage frequency was less than l

this value. On the basis of experience gained from applying PRA U.S. light water reactors for USI A-45 and other programs, the staffindicated in NUREG-1289 that the adequacy of the DHR function as calculated in the IPEs and in the IPEs of extemally initiated events (IPEEEs) will fall into three broad categories. As a basis for this categorization, the staff has used the quantitative values presented in Table 8.1. Table 8.1 DHR vulnerability classification eriteria. Category DilR vulnerability Criteria 1 The frequency of core damage due to failures of DilR function acceptably less than 3E-5 per reactor-small or reducible to an acceptable level by simple improvements year (ry) l 2 DHR performance characteristics intermediate between Categories 1 and 3 less than 3E-4/ry but greater than 3E-5/ry , 3 l'requency of core damage so large that prompt action to reduce the greater than 3E-4/ry

• probability of core damage related to DilR failure to an acceptable level is t necessary 8-7 NUREG-1560, Draft l_ _ _ _ _ _ ___

8. Conclusions and Observations In addition to reviewing the DHR vulnerability assessments provided in the IPEs, the staff has compared the IPE results to the criteria in Table 8.1 on the basis of the DHR definitions provided in NUREG-1289 and the IPEs. None of the BWRs fall into the Category 3; that is, no prompt action would be required to fix any identified vulnerabilities. This is true whether the CDF is assessed according to the expanded DHR definition used in the USI A-45 program or the traditional definition used in PRAs, or even if the total CDF is compared to the criteria in Table 8.1. In addition, all of the BWRs fall into Category I when the CDF is assessed according to the traditional definition. A few plants fall into Category 2 when the CDF is assessed according to the expanded DHR definition used in the USI A-45 program. These plants have evaluated improvements as discussed below. Thus, the DHR functions in BWRs are adequate according to the criteria in Table 8.1, regardless of which DHR definition is used.

The above conclusion agrees with the evaluations conducted by BWR licensees. Only two licensees' IPE submittal explicitly identified vulnerabilities associated with DHR systems. The Millstone i IPE reported a vulnerability associatedwith failure ofisolation condenser makeup that could apply to all BWRs in this plant group. The licensee proposed to resolve this vulnerability by procuring a portable diesel-fired pump and implementing proceduresto use that pump to supply water to the isolation condenser. The Fitzpatrick IPE identified a vulnerability (unique to that plant) where failure of either one of the 4.16 kV ac safety buses would result in loss of three of the four residual heat removal (RHR) loops directly or through loss of RHR service water (RHRSW). The licensee was considering installation of an RHRSW header cross-tie, as well as procedure modifications to allow alignment of firewater to the RHRSW system. Loss of DHR is a dominant accident sequence for most BWRs, primarily because such a loss can have a negative impact on continued operation of the coolant injection systems. For some plants, high suppression pool temperatures resulting from a loss of DHR will cause a loss of adequate emergency core cooling system (ECCS) pump, net positive suction head. Containment venting or failure can result in harsh environments in areas surrounding the containment; such environments, in turn, can result in failure of coolant injection systems or required support system components. The dominant contributor to these sequences involves loss of support systems that leads to failure of both DHR and coolant injection systems. In addition, the credit given for DHR systems and alternative injection systems that can function following a loss of DHR also impacts the contribution from loss of DHR sequences. Because of the importance of sequences involving a loss of DHR, many BWR licensees identified related plant improvements. DHR system improvements included hardware modifications to increase DHR system reliability, procedures and hardware to perform containment venting (credited in most IPEs), replacementof drywell spray valve motor operators with environmentally qualified operators, and additional guidance in emergency operating procedures for enhanced use of containment spray. Improvements to coolant injection systems were identified to ensure continued coolant injection following the loss of DHR. These improvements included establishing procedures for aligning LPCI or core spray pumps to the condensate storage tank (CST) and replenishing the CST to prevent high- , pressure coolant injection (HPCI) from switching suction to the suppression pool. Other improvements include  ; increasing the reactor core isolation cooling (RCIC) turbine exhaust pressure trip setpoint, and preventing HPCI l suction switchover to the suppression pool on a high torus level. ] l Many of the licensees also identified improvements related to support systems that impact the DHR function. These include procedures and hardware for aligning firewater for isolation condenser makeup, procedures for aligning alternative systems for cooling the RHR heat exchangers, revised isolation logic for plant service water and the instrument air system, procedures and hardware modifications for crossticing RHRS W trains, and revised procedures and training for losses of support systems. NUREG-1560, Draft 88

                                                                                      --e,

8. Conclusions and Observations As with BWRs (discussed above), none of the PWRs fall into Category 3 (see Table 8.1) when CDF is assessed according to the traditional PRA definition of DHR. Furthermore, only two units ~(Turkey Point 3&4) can be placed in Category 3 when CDF is assessed according to the expanded DHR definition used in the USI A-45 program. The high CDFs for these units primarily derive from RCP seal LOCAs rather than loss of the DHR systems. liowever, the licensee addressed the vulnerability at Turkey Point 3&4 and installed a hose connection between SW and component cooling water (CCW) to increase the reliability for RCP seal and charging pump cooling. This improvement reduced the estimated CDF to IE-4/ry. Although many of the PWRs fall into Category I when the core damage frequency obtained using either of the DHR definitions, the majority of PWRs fall into Category 2.

This suggests that immediate action is not required to reduce any DHR vulnerabilities in these PWRs. However, many of these plants did evaluate and implement improvements as discussed below. As with the BWR licensees, some PWR licensees explicitly reported vulnerabilities associated with the DHR i function. All of the plants reporting DHR vulnerabilities are Category 2 plants. Calvert Cliffs identified a plant-specific vulnerability of the turbine-driven auxiliary feedwater(AFW) pumps resulting from isolation of the steam supply to both pumps during maintenance. Manual isolation valves were added on both sides of the turbine-driven pump steam admission valves to allow for maintenance on one pump at a time. The DHR vulnerabilities reported by the remaining PWR licensees could potentially apply to other PWRs. The licensee for Kewauneeindicated that turbine-driven AFW pump reliability was a vulnerability that would be resolved by scheduled modifications. Similarly, Summer identified failure of turbine-driven AFW during a station blackout (SBO) as a vulnerability and indicated, that because of "conservatisms" in the IPE, the vulnerability would be considered in the development of the plant's Severe Accident Management Guidelines. Finally, Millstone 3 indicated that the failure of AFW and feed-and-bleed occurred in many imponant accident sequences and thus was a vulnerability. In response, the licensee prioritized operator training on the AFW system, recovery of main feedwater, and the primary feed-and-bleed procedure. Accident sequences involving loss of AFW and feed-and-bleed were important for many PWRs. Loss of CHR systems were generally not important in the PWR IPEs. The following primary factors contributed to the importance of DHR sequences in PWRs: a failure of support systems (e.g., service water, component cooling water, AC and DC power, instrument air, and HVAC) required for AFW or feed-and bleed operation failure to provide long-term makeup to AFW = failure of AFW and required feed-and-bleed components. The guidance in NUREG-1335 (Ref. 8.9) indicated that PWRs without feed-and-bleed capability should particularly address the capability of the plant to recover from events involving loss of all feedwater. For many of these plants, the IPEs modeled the depressurization of the steam generator secondaries using the steam dump valves to a pressure l where the condensate system could provide water for cooling. This action assumes that the condensate system is available for many loss of feedwaterevents. When modeled, this action reduced the impact from loss of DHR during all transients for plants with and without feed-and-bleed capability. Many of the PWR licensees identified plant improvements related to the DHR function. These improvements include use of firewater for steam generator cooling, use of alternative water supplies to AFW, changes to feed-and-bleed procedures, equipment modifications to improve AFW reliability, and addition of a new CST. 8-9 NUREG-1560, Draft

8. Conclusions and Observations In summary, the incorporation of the A-45 issue into the IPE program has provided a framework for resolution on a plant-specific basis. Each licensee chose to perform a PRA which by its nature provides a systematic evaluation of a plant's capability to cope with the requirement for decay heat removal. Thus, the IPEs provide the quantitative information necessary to categorize each plant in accordance with the criteria described in Table 8.1. In addition, the IPEs have identified plant-specific vulnerabilities and proposed plant improvements to address DHR and other vulnerabilities. The NRC staff has reviewed this information in the IPEs and havejudged the resolution of the A-45 l issue on a plant-specific basis in the individual staff evaluation reports.

8.3.2 Other Unresolved and Generic Safety Issues GL 88-20 states that "ifa utility (1) discovers a notable vulnerabilityduring its IPE that is topically associated with any other USl or GS1 and proposes measures to dispose of the specific safety issue or (2) concludes that no vulnerability exists at its plant that is topically associated with any USI or GSI, the staff will consider the USI or GSI resolvedfor a plant upon review and acceptance of the results of the IPE. " Furthermore, in NUREG-1335, the NRC specifically requested that licensees discuss the following aspects of the resolution of any other USl or GSI:

• ability of the proposed methodology to identify vulnerabilities associated the USl or GSI
• contribution of each USI or GSI to CDF or unusually poor containment performance (including sources of uncertainty) .

k

• technical bases for resolving the issue l Several licensees elected to use their IPEs to resolve other USIs and GSIs as summarized in Table 8.2.  ;

Table 8.2 Plant-specific summary of unresolved and generic  ; safety issues proposed for resolution.  ; Plant USI/GSI , ANO-1 GSI-23, RCP Seal LOCA GSI-105, ISLOCA , Catawba GSI-105, ISLOCA Davis Besse GSI-23, RCP Seal LOCA GSI-65, Core Melt caused by CCW Failures GSI-77, Flooding by Backflow through drain GSI-105, ISLOCA GSI-128, Electric Power Reliability GSI-143, HVAC Availability GSI-153, Loss of Essential Service Water (ESW) Fitzpatrick USI-A-47, Safety implications of Control System Failures i Hcpe Creek GSI-105, ISLOCA Indian Point 3 GSI-23, RCP Seal LOCA I NUREG-1560, Draft 8 10

l

8. Conclusions and Observations Table 8.2 Plant-specific summary of unresolved and generic safety issues proposed for resolution.

Plant USI/GSI McGuire 1&2 GSI-105, ISLOCA GSI 130, SW Pumps for Multi-Unit Sites Nine Mile 1&2 GSI-A-30, Adequacy of Safety Related DC Power Supply North Anna 1&2 GSI-23, RCP Seal LOCA Oconee 1,2, &3 GSI-23, RCP Seal LOCA GSI-105, ISLOCA GSI-153, Loss of ESW Oyster Creek GSI-101, BWR Water Level Redundancy GSI-105, ISLOCA Point Beach 1&2 GSI-23, RCP Seal LOCA River Bend GSI-23, Seal LOCA GSI-105, Interfacing System LOCA i San Onofre 2&3 USI-A-47, Safety implications of Control System Failures South Texas 1&2 GSI-15, Radiation Effects on RPV Supports GSI-23, RCP Seal LOCA GSI-24, Automatic ECCS GSI-83, Control Room Habitability Surry 1&2 GSI-23, RCP Seal LOCA TMl1 USI-A-49, Pressurized Thermal Shock GSI-23, RCP Seal LOCA i GSI-43, Failure of Instrumentation Air l GSI-65, Loss of CCW I GSI-76, Failures of instrumentation and control and Non-  ! g nuclear Instrumentation 1 l A few utilities have used the IPE process to provide a framework for resolution of safety issues on a plant-specific j basis. 'Ite IPEs have identified plant-specific vulnerabilities and proposed plant improvements associated with these issues. The NRC staff has reviewed this information in the IPEs and have judged the resolution of these issues on a plant-specific basis in the individual staff evaluation reports. Although most licensees chose not to use their IPEs to resolve any USIs or GSIs, among those who did, many selected GSis 23,105, and 130. The following paragraphs discuss the background of these three generic issues, as well as the approaches used by the licensees to resolve the l issues, and examples of the improvements proposed by the licensees on the basis of their findings. l 8-11 NUREG-1560, Draft

8. Conclusions and Observations GSI-23, " Reactor Coolant Pump Seal Failures"-

A LOCA can occur ifleakage through the RCP seals exceedsthe capacityof the normal makeup systems. RCP seals limit the leakage of reactor coolant along the pump shaft, directing the majority of this flow back to the chemical and volume control system (CVCS), with the remainder being directed to the reactor coolant drain tanks. The RCPs use a series of primary and secondary seals to limit the reactor coolant leakage to containment. Therefore, these seals are part of the RCS pressure boundary. Certain identified common mode vulnerabilities could result in an RCP seal LOCA, rendering the mitigating systems inoperable,thereby leading to core damage. One such scenario involves the complete loss of the CCW system, which  ! provides cooling water to the seal thermal barrier heat exchanger among other systems. In some plants, the CCW system also cools the reactor coolant makeup system pumps, CVCS charging pumps, or high-pressure safety injection (HPSI) pumps that supply RCP seal injection flow. Therefore, for those plants, complete loss of CCW could result in the equivalent of a small-break LOCA caused by seal degradation, with no HPSI pumps available for emergency core cooling. This sequence of events could lead to core damage and could be initiated by the loss of all AC power, as in a SBO. To resolve GSI-23, licensees performed analyses to ensure adequate core cooling during loss of seal cooling events, including SBO, loss of SW, and loss of CCW. Approaches examined by the licensees included use of a dedicated seal cooling system, alternative seal cooling, an alternative AC power source, and/or a core cooling capability using the fire water system. Some licensees also considered using the high-temperature o-rings recommended by Westinghouse. In the case of Surry, the licensee argued that GSI-23 should be considered resolved for Surry, because the plant's CDF associated with RCP seal failure SBO and non-SBO conditions are lower than the industry-average CDF identified in NUREG-1401 (Ref. 8.9). Virginia Power also asserted that planned improvements in Surry's ability to cope with an SBO would decrease the overall CDF associated with RCP seal failures. In addition, Virginia Power provided instrumentation and procedures to detect seal failures and mitigate their consequences. GSI-105, " Interfacing Systems LOCA in LWRs"- An interfacing systems ISLOCA is defined as a breach of the pressure boundary between the RCS and any one of several low-pressure systems. Breaching the pressure boundary consists of the failure or improper operation of two or more pressure-isolation valves (PlVs) that comprise the boundary. The PlVs are typically check valves and/or motor-operated valves. If high-pressure coolant enters the relatively low-pressure interfacing system, the possibility exists of overpressurizing and rupturing the interfacing system; such a rupture which usually extends outside containment. If the break is not isolated, core damage is likely, with the subsequent release of radioactive material bypassing containment. Several NRC-sponsored studies (Ref. 8.10) have analyzed PWR susceptibility to ISLOCA without revealing generic problems. The major insight fro n the latest studies is that ISLOCA problems, if they exist, are highly plant-specific. Because of that insight, and because the calculated risk is low at the plants analyzed, the Commission concluded (Ref. 8.11) that the most effective course of action for resolution of GI-105 involved plant-specific analyses at each PWR. To resolve GSI-105 within the scope of the IPEs, the licensees examined major systems of concem, using a screening l process to eliminate systems posing insignificant threat from ISLOCA. As a result, the licenseesidentified the valves I NUREG-1560, Draft 8-12 l l

8. Conclusions and Observations in the flowpaths that would pose a threat from ISLOCA and estimated the CDF for the plausible ISLOCA scenarios.

For example, the CDF at McGuire Nuclear Station has been demonstrated to be sufficiently low, on the basis of credible analyses, to consider GSI-105 resolved at McGuire. The low CDF was achieved through a combination of good practices and design features. These include independent verification of valve position, valve position alarms, double checks in procedures, and removal of power to motor-operated PlVs before power operation. GSI-130, " Essential Service Water System Failures at Multi-Unit Sites" GSI-130 concerns an increase in CDF caused by the unavailability of the ESW system at seven PWR sites. The objective of resolving of GSI-130 is to cost-efrectivelyreduce the potential risk of ESW system failures at multi-unit sites. In order to identify ESW system vulnerabilities, the licensees used event tree / fault tree methodology. Loss of the ESW system was treated as a distinct initiator, and the licensees examined each plant's responses and associated mitigating actions to the ESW system initiator. The licensees modeled support system dependencies that account for system inteniependencies of the ESW system. Licensees also considered plant-specific data regarding the reliability and availability (including common-mode failures) of the ESW system and its components. The licensees then compared the total CDF with the estimates CDF contribution resulting from the loss of ESW. The improvements proposed in the GSI-130 regulatory analysis (Ref. 8.12) and sequested by GL 91-13 (Ref. 8.13) included technical specification changes and revision of emergency procedures. In the case of McGuire, the licensee has developed an operational test for the ESW system crosstie valves. This test will be performed during each refueling outage. 833 Potential Generic Safety Issues This report identifies issues that play a key role in both prevention and mitigation of severe accidents. The following are some significant examples of generic issues resulting from the IPE reviews which are candidates for further investigation:

• For some PWRs, the IPEs indicated that transient sequences involving RCP seal LOCAs are the largest contributors to CDF. For other PWRs, the IPEs indicated that these sequences have a negligible contribution either because plant design characteristics minimize the potential for unmitigated RCP seal LOCAs, or because the IPE modeling of real LOCAs predicted lower probabilities of seal leaks or smaller leak rates. Thus, RCP seal LOCAs remain an issue for many, but not all, PWRs. This issue is currently under evaluation by the NRC's Office of Nuclear Regulatory Research. Resolution of this issue will involve careful evaluation ofinformation from the individual IPEs regarding the plants at which RCP seal LOCA is and is not a contributor, the reasons underlying that assessment, and the types ofimprovements proposed.
• Because of ATWS concerns, the most recent BWR emergency procedures direct the operators to inhibit the automatic depressurization system, with subsequent manual depressurization performed if required. Some licensees have indicated that this inhibition results in a higher estimated probability of the operator failing to depressurize the vessel, resulting in dominant accident sequences at high pressure. In addition, because of the consequence of failing to depressurize(although the operator may have a low probability of failure),

there are many BWRs still have a relatively high CDF contribution from transient sequences at high pressure. The issue of depressurization in BWRs may, therefore, be worthy of further investigation. 8-13 NUREG-1560, Draft I

8. Conclusions and Observations

• Some licensees indicated that accident environments for some sequences (e.g., those producing high containment pressure or temperature) can affect equipment operability in a manner that significantly increases the plant CDF. Such effects are plant specific, but it is not clear from the submittals whether all licensees have adequately addressed the effects of adverse conditions on equipment operability. Some licensees appearto have dismissed this issue without adequate evaluation, while others have included failures for cases that might be shown to be non-threatening with further analysis.
• Some BWR IPEs identified a potential con.ainment failure mechanism involving prolonged discharge through the safety relief valves into a hot suppression pool. However, the majority of the licensees did not

             < iscuss the possibility or implications of such a blowdown to a hot pool. While substantial information exists for design-basis accident hydrodynamic loads, there is considerable uncertainty regarding the - loads under severe accident conditions.

• Most PWR IPEs assigned a small probability to induced-SGTRs (ISGTRs). A few IPEs, however, considered ISGTR significant because RCP restart under degraded core conditions is considered possible and this would lead to a high probability of ISGTR. Most licensees did not consider the effect of RCP restart, or if they did, they still assigned a small probability to ISGTR on the basis of the expected limited duration of RCP operation. This variable treatment in the IPEs Mdicates the large uncertainty associated with the ISGTR issue. It should be noted that this issue is being addressed under the proposed rule making on s;eam generator tube integrity.

   -         vue BWR 2 Mark 1 IPE identified an issue involving containment bypass as a result of high-temperature creep rupture failure in the isolation condenser tubes. That particular IPE estimated that this failure mode has a relatively low frequency. Nevertheless, failure of the isolation condenser tubes could be a potential safety issue for several other early BWRs that are equipped with isolation condensers but failed to address this scenario in their IPEs.

• Drywell shell meit-through plays a significant role in the early failure probability reported in most Mark i IPEs. Although the reactor safety community appears to be approaching a consensus on when and under what conditions this failure mechanism is important, shell melt-through may still be a safety issue for some of these plants given their mix of accident sequences and containn. cat conditions (i.e., insufficient water on the drywell floor).

For some of these issues, the technical analysis (or phenomena) are generally understood L in general, there is ; agreement among the experts. In some cases, such as drywell shell melt-through in BWR Mark is and direct J containment heating in PWR containments, agreement in the expert community has only been recently reached,(i.e., l sin:e the completion of the IPE analysis). For other issues, the technical analyses may not be well understood even 1 now and there may be disagreement among the experts. For the type of issues discussed above, the NRC is planning followup activities to determine whether any actions (e.g., evaluate for continued or further research) are warranted. 8.4 Plant Inspection Activities This report provides a wealth of information that can be used to augment and support plant inspections. PRA perspectives can help to optimize and prioritize inspection resources by focusing on the high-risk aspects of a plant. Using the results from individual lPEs, the NRC, the industry, and individual licensees can identify the plant-specific NUREG-1560, D aft 8 14

8. Conclusions and Observationr systems and components and operator actions that have a significant impact on preventing or mitigating core damage. '

In addition, the IPE results make it possible to identify and understand the factors underlying the significance of those systems / components and operation actions. That is, it is important to known whether the system, component, or action is critical because its reliability is extremely poor, or because its failure (although rare) has severe consequences. Knowledge of these issues serves as an imponant aid in inspection planning. This report also provides information on those systems, components, and actions that are safety significant in preventing and mitigating core damage for the different reactor and containment classes. This information can be used 12 gam perspectives on important systems, components, and actions for a given plant. For example, SBO sequences are important at almost all of the plants. Systems, components, and human actions that are important in SBO sequences include the following examples:

• turbine-driven cooling systems, such as auxiliary feedwater systems in PWRs and RCIC systems in BWRs e diesel generators e operator actions to shed DC loads and extend battery life Chapters 3 through 5 summarize the important contributors to risk, while Chapters 10 through 13 provide related detail.

t in many cases, the information provided about sequences is straightforward to interpret and apply in an inspection situation. For the dominant accident sequences, inspectors seek to understand the accident process and the contributing systems, components, and operator activities. In addition, they subsequently consider operator training, l clarity of procedures, and other factors associated with the sequences of interest. For example, in looking at SBO for one licensee, the estimated SBO-related CDF is high (-6E-5/ry and which is above the SBO rule goal of IE-5/ry). The ability to shed the DC load and extend battery life is a critical aspect in coping with SBO at this plant. Consequently, the key issues to be investigated during inspection activities include how quickly and easily load  ! shedding can be performed, are procedures and training provided, how knowledgeable the operators are, and how accurate the technical analysis is in predicting the extended battery life. The use of front-line systems, as described in the Final Safety Analysis Results to mitigate accidents is clear and requires little attention other than to ensure that the systems function properly. However, the majority of the licensees credited the use of alternative systems and equipment beyond their original design function. These credits have generally included the following non-safety systems and/or non-technical specification systems:

  *            ,a-safety systems for coolant injection (such as firewater, control rod drive, service water crosstie)

• alternative AC or DC power sources (such as gas turbine generators, standby shutdown facility diesel generators, or portable power supplies to battery chargers)
• crosstic among systems and units (such as AC power, CCW, feedwater)
• room cooling (by opening doors and using portable fans)

I Whi?: such use is expected and even encouraged in order to achieve a realistic PRA, licensees' training and testing fct the systems / equipment associated with these " alternative" functions is sometimes questionable. In many cases, 8-15 NUREG-1560, Draft

8. Conclusions and Observations this credit has a significant impact on the results; that is, if the credit were removed, the estimated CDF would substantially increase and the dominant accident sequences and contributors would change.

In general, on the basis of the information presented in the submittals, it appears that the above systems can meet the functional requirements of the accident sequences. Ilowever, it is not clear that the licensees always performed all of the necessary " analyse:" to credit the use of these systems. For example, for firewater use, it is not clear that the licensees measured the length of the firewater hose to ensure that it has sufficient length to connect, that it has the proper connection, and that sufficient time is available to complete the connection. For use of alternative AC or DC power sources, it is not clear that the sources are always available (e.g., that a portable battery is available and reliable at any given time). For room cooling, it is not clear that a portable fan is necessarily available and functioning under all necessary conditions (e.g., SBO). Furthermore, it is not clear that the training provided for the use of these options ensures as high a degree of operator reliability as is reflected by the licensees. That is, it is not always clear that the operators have sufficient understanding of how to use these alternative systems in different accident situations. Chapter 5 and 13 discuss important operator actions identified in the IPEs. These actions can be considered during inspection activities related to training and procedures. For example, the operator action to manually depressurize the vessel given failure of high-pressure injection systems was identified as an important action in BWRs. The importance of this action is at least because of the fact that most emergency operating procedures direct operators to initially inhibit the automatic depressurization system, thus requiring the operators to manually depressurize when low-pressure systems are needed. 8.5 Areas for Research This report indicates numerous areas in which further research would be useful and should be considered regarding both severe accident behavior and analytical techniques. This need, combined with the number of affected plants and the impact of additional knowledge (or enhanced methodology) on improving the prediction of plant risk or core damage frequency and on reducing or more clearly defining the uncertaintics, will help to prioritize the research and allocate resources. It must be recognized that substantial advances in areas important for the risk analysis of nuclear power plants have been made in the time since the IPEs were completed. For example,in the area of severe accident phenomena, consensus is being achieved on dealing with drywell shell melt-through in BWR Mark is and with direct containment heating (DCll) in PWR containments. Such advances in the state-of-knowledy in this and other areas important for PRA analysis will be taken into account when looking to the IPEs as a source of information for identifying and prioritizing research. The following areas are examples of issues that should be considered for research:

• Human actions are important contributors to plant CDFs in the IPEs, with correct operator actions often significantly reducing the CDFs. However, there are considerable uncertainties associated with determining human error probabilities for operator actions. As a result improved modeling of human actions would significantly improve the understanding of the risk associated with operating nuclear power plants. The NRC's Office of Nuclear Regulatory Research is currently conducting a research program to develop an improved method to address human reliability analysis concerns. Perspectives from the IPEs are being incorporated into this human reliability analysis program.

NUREG-1560, Draft g.16

8. Conclusions and Observations Many of the IPEs included core damage prevedon strategies (e.g., RCS depressurization without high-pressure injection available during LOCAs .o that low-pressure injection can be used) that were not previously analyzed. These strategies could tave significant benefit at some plants, but further evaluation is needed to determine their generic applical,ility.

The IPEs estimated the CDFs from full power intemal events, but did not provide estimates for other operating modes (i.e., low power and shutdown). However, studies to date that have estimated the risk during low power / shutdown modes have required significant effort. Streamlined approaches that draw from the insights of the initial low power / shutdown studies would be useful as a tocl for performing a more comprehensive CDF estimate than that provided by the IPEs. While not required, such estimates may be needed for some aspects of risk-informed regulation. A number of issues related to containment venting and its variable treatment in the BWR IPEs may deserve funher evaluation. All BWR Mark I plants have installed, or have committed to install, a hardened vent; however, a number of IPEs from these plants stated that only negligible benefits retult from such a capability, while other Mark I IPEs ascribed substantial benefit to the ability to vent through a hardened path, in a few cases, the IPE submittals suggested that the basis for venting procedures should be changed to include containment temperature as well as the current sole reliance on containment pressure, since elevatedtemperaturescan seriot ./ degrade containment capability. In addition, several BWR IPEs called for reevaluation of the containment flooding contingency, found in current EPGs, which involves drywell venting and could lead to significant releases. Finally, one BWR 6 Mark 111 IPE idertified RCS venting through the main stream isolation valves as a very important early release mechanism, while no such venting is discussed in the other Mark 111 IPE submittals. The uniformly low early containment failure probabilities reported in the IPEs for plams with ice condenser containments is surprising, especially when compared with the results reponed for large dry containments. No single reason for the low failure probabilities is apparent from the IPE submittals; however, modeling assumptions clearly play a role. Further evaluation of the reasons for the low probabilities reported in these IPEs appears warranted. This includes evaluation of assumptions concerning ice condenser availability and its capability to absorb energy. A number of phenomenologicalissues are addressed with substantially different approaches in the IFEs of similar plants. For instance, some IPE submittals discussed exvessel fuel-coolant interaction (FCI) as insignificant for containment failure,while other submittals claim that FCI plays an important role. Debris bed coolability also received disparate treatment in the IPEs. Some submittals indicated that coolability is always assumed when water is present, while others used stricter criteria involving the depth of debris and the amount of water. These issues are already the subject of ongoing research at the NRC and elsewhere. 8.6 Commission's Safety Goals The NRC established two quantitative health objectives (QHOs) for the prompt fatality risk and cancer fatality risk to an individual near a nuclear power plant. In addition, the NRC proposed subsidiary objectives related to CDF and CCFP. The IPE results are directly compared against the subsidiary objectives in Section 7.1 and Chapter 16. However, most IPE results cannot directly be compared to the QHOs because licensees, in response to GL 88-20, were not requested to calculate offsite health effects. However, offsite health effects are reponed in some IPEs and for several plants in NUREG-ll50 (Ref. 8.14). Therefore, by ccmparing the frequencies of the containment failure modes that are dominant contributors to the QHOs as reported in the IPEs to those reported in 8-17 NUREG-1560, Draft

8. Conclusions and Observations NUREG-il50, it is possible to draw inferences as to how the IPE results might compare to the QHOs. The results of this extrapolation are summarized in Section 7.1 and described in detail in Chapter 16.

On the basis of this comparison, a fraction of the plants have the potential for early fatality risk levels that could approach the QHOs. This subset of plants was further examined using their reported source term frequencies (from the IPEs) contributing to early release and adjusted for population. On the basis of this further screening, two BWRs and 12 PWRs remain with the potential for early fatality risk levels that could approach the QHOs. 8.7 Use of NUREG-1560 This report provides information concerning the IPE results and perspectives that can be used by both industry NRC staff and the industry to help guide and focus a wide spectrum of activities. This section discusses the use of this information in a variety of activities such as accident management; maintenance rule; risk-informed regulation, and several miscellaneous activities including examination and prioritization of plant improvements, development of risk management programs, development of an enhanced understanding of plant performance, and evaluation of the effectiveness of regulatory activities. 8.7.1 Accident Management One element of the " Integration Plan for Closure of Severe Accident Issues" described in SECY-88-147 (see Reference 8.3) is accident management. SECY-88-147 broadly defines accident management as measures taken by the plant staff to (1) prevent core damage,(2) terminate the progress of core damage if it begins and maintain the core within the reactor vessel,(3) failing that, maintain containment integrity as long as possible, and finally (4) minimize the consequences of offsite releases. In additioc accident management includes certain measures taken before an event occurs (e.g., improved training for severe acddents, and hardware or procedural modifications) to facilitate implementation of accident management strategies. GL 88-20 emphasized that the results of licensees' IPEs are an essential ingredient in developing a severe accident management program for individual plants. This is because the conclusions drawn from "the IPEfor severeaccident vulnerabilities (1) will depend on the credit takenfor survivability of equipment in a severe accident environment, and (2) will either depend on operators taking beneficial actions during or prior to the onset of core damage or dependon the operators not taking specific actions that would have adverse efects. " GL 88-20 further states that licensees are not required to develop an accident management plan as an integrated part of their IPE (i.e., they can defer the development of such a comprehensive plan). Nonetheless, GL 88-20 clearly encourages licensees not to defer implementing operator or plant personnel actions, identified in the course of conducting the IPE, that can substantially reduce the risk from severe accidents and that they believe should immediately be implemented in the form of formal guidance. Furthermore, Supplement 2 to GL 88-20, " Accident Management Strategies for Consideration in the IPE Process" (Ref. 8.15), lists accident management strategies that have significant potential for recovering from a wide variety of accident scenarios. These strategies are grouped into three broad categories:

• conserving and/or replenishing limited resources during the course of an accident
• using plant systems and components for innovative applications during an accident
• defeating appropriate interlocks and overriding component protective trips in emergency situations NUREG-1560, Draft g.18

8. Conclusions and Observations The purpose of Supplement 2 is to " forward these strategies to industry so that licensees can evaluate these or similar strategiesfor applicability or effectiveness at each of their plants as part of conducting the individualplant examination. " Finally, in the "lPE Submittal Guidance"(Ref. 8.9), the NRC requested that utilities document r,ny worthwhile strategies that were developed as part of the IPE process to further prevent or mitigate the detrimental effects of severe accidents.

A review of the IPE submittals indicates that, in general, utilities have responded appropriately to the requests in GL 88-20 and NUREG 1335 related to accident management. The submittals indicated that, at most plants, many of the candidate accident management strategies from Supplement 2 to GL 88-20 already existed or were added to operator guidance during the conduct of the IPEs. Where additional strategies were found to be important on the basis of IPE results, licensees usually documented them in their list of improvements as having been implemented. In addition, in many IPE submittals, licensees indicated that they have identified issues involving potential further strategies that they will deal with in their accident management programs. Examples of these strategies include the possibility of ex-vessel flooding to cool core debris in-vessel in some PWRs, or the revision ofinitiation criteria for containment spray or containment venting in BWRs. l Clearly, licensees have recognized that their IPEs provide a framework for developing their comprehensive and structured accident management plans. That framework can be used to identify where strategies are most needed, as well as to evaluate the efficacy of particular strategies. Future updates with strategies from finalized accident management plans will further improve the quality of the IPEs (PRAs). For example, many PWR IPEs/PRAs use l somewhat unrealistic modeling because they fail to consider operator actions during accident progression, this inadequacy would be remedied by the eventual inclusion of the actions developed from the licensee's accident management program. 8.7.2 Maintenance Rule The IPEs/PRAs can be used (by both NRC and the licensees)to support implementation of the maintenance rule, l which requires that licensees establish performance goals commensurate with safety in the follovig areas: l

• determination of the risk significance for all plant rystems and functions l
• establishment of performance criteria to monitor d sdected systems e control and monitoring of the risk of simultaneous out-of-service equipment When explicitly modeled in the IPEs, it is possible to calculate the risk importance of systems, equipment, and l human actions for prevention and mitigation of specific core damage scenarios. IPEs have demonstrated that some nonsafety systems have the potential to significantly reduce CDF (e.g., CCW crosstie between units) as discussed in Section 8.1.4. Nonsafety systems are systematically modeled in IPEs and, therefore, are directly incorporated into I

the PRA calculations that can be used to support the determination of risk significant systems, equipment, and functions for the maintenance rule implementation. Plant-specific data used in the IPEs to calculate the unavailability and failure rate of a component provides a basis for establishing appropriate performance criteria. The component importance measures calculated on the basis of IPE models could provide the basis for determining the response time and calibration parameters for the statistical monitoring techniques that are required for this task. Some of the IPEs can be used to improve configuration management to calculate the CDF increase that results from , multiple equipment being taken out of service simultaneously. The combination of equipment that either causes the l 8-19 NUREG-1560, Draft . I

1

8. Conclusions and Observations plant to enter a limiting condition of operation, or could significantly affect the CDF could be identified and ivoided.

Control and monitoring of the out-of-service configuration risk relies heavily on the IPE models. 8.7.3 Risk-Inforrned Regulation This report provides a variety of information that can be used to support risk-informed regulation. As the IPEs represent a substantial investment by the licensees, the potential use of IPEs in risk-informed regulation is of considerable importance. Chapter 14 describes the attributes for a quality PRA; the staffis using this information as it develops guidance for the use of PRA in risk-informed regulation. Chapter 15 compares the IPE results to the attributes for a quality PRA defined in Chapter 14, discussing areas where the analysis is incomplete or inadequate, and areas where the analysis exhibits the strength of acceptablemethods and appropriate implementation. Licensees can use this information to identify areas that are potentially problematic. For example, this report identifies an IPE weakness in over-reliance on generic data. This area should, therefore, be examined in greater detail if an IPE/PRA were to be used for regulatory purposes other than GL 88-20. Chapters 3,4,11, and 12 of this report discuss the systems, components, and human actions that are important in preventing and mitigating core damage, on a reactor- and containment-type basis. This information can be used to support pilot applications and studies, providing perspectives as to where to focus concerns. The relative importance of systems, components, and human actions in the IPEs indicates areas in which plant changes can significantly reduce risk and areas where relaxations can be made without significantly increasing risk. This information can be used to support estimates of the change in plant risk associated with improvements or relaxations. For example, the South Texas Project IPE/PRA results were used as the basis for severallicensee requests for permanent technical specification relaxations. The discussions in Chapters 3,4,11, and 12 on key contributors to CDF and containment performance also provide information that is useful when IPEs/PRAs are used for risk-informed regulation. These chapters cover the key CDF and containment performance issues arising for the various plant groups. If the submittal results differ significantly from the perspectives provided in Chapters 3,4,11 or 12, specific plant features responsible for the deviations should be identified. For example,if the PRA results for a Westinghouse 4-loop plant indicate a small contribution from seal LOCAs, then it should be determined that there is adequate cause for the low contribution because of features such as backup cooling for the seals. 8.7.4 Miscellaneous Issues The information contained in this report can support other possible uses by both the NRC and the licensees. These uses include such items as examination and prioritization of plant improvements, development of risk management programs, development of enhanced understanding concerning plant performance,and evaluation of the effectiveness of regulatory activities. The following paragraphs discuss these uses in greater detail. During their IPEs, licensees identified a variety of plant enhancements to improve reactor safety. Many of these improvements are potentially applicable to other plants. For example, some licensees with BWRs made enhancements to improve the ability to use firewater as an alternative injection source. Other licensees with BWRs I might also realize significant improvements in plant safety with similar modifications. Section 8.2.1 discusses some other issues with possible generic applicability . Some licenseeshave developed risk management programs (e.g., configuration control) to assess and control a variety of risks, including but not necessarily limited to, severe accident risks. Information provided in :his report can be NUREG-1560, Draft 8-20

l a a ! 8. Conclusions and Observations . used to help licensees assess the completeness of their risk management programs with respect to severe accidents { that are within the scope of the IPE program. For example, licensees can assess whether any accident initiators and j sequences have been identified in other IPEs that may also apply to their plant. Further, many suggested plant  ; t improvements may be identified to help control the risks in areas where improvements may be warranted. For f example,if a licensee wishes to reduce the risks from SBO accidents,the licensees as a whole have identified many different alternatives for reducing such risks. ')  ! This report can also provide insights as to how plants may perform in accident situations. A wide range of outcomes is possible for some types of sequences,as discussed in this report. For example, during an ATWS event at a BWR, difTerent outcomes can result from different combinations of system pressure, standby liquid control injection timing, , and operator actions to control level and those outcomes involve uncertainties for many scenarios. The containment performance portion of this report, for example, discusses many different phenomena, such as hydrogen burns and DCH. By making operators aware of all of the various possibilities, this repon helps to ensure that they will be I better prepared to deal with real events that may occur. By looking at the results for specific classes of plants or the industry as a whole, insights can be gained regarding the effectiveness of certain regulations. For example, the impact of the SBO rule on plant safety can be inferred from the IPE results. Results reported for 15 plant units indicated an average reduction in CDF of 2E 5/ry for these units as a result of SBO rule modifications. Most of the plants that accounted for SBO rule changes now have SBO ( CDFs below the goal of IE-5/ry, but a few plants have SBO CDFs above the goal even after implementing the changes. Insights such as these can be obtained for other rules given further analysis of the results. , 8.8 Probabilistic Risk Analysis i P T6t is report identifies the dominant accident sequences, containment failure modes, plant features, and human actions  ; i that play a major role in preventing or contributing to core dama'e, containment, failure and radionuclide release (as reported in the IPEs/PRAs). The models used in the licee',ees' PRAs and the results of those analyses (as reported to the stafT) can be used to Ppport PRA activities. Hcwever, variability in the results are observed for plants with similar design. In addition, although much of the va.iability is expected (as a result of differences in the plant design and operation), some variability is not supponed by the differences in plant characteristics. Therefore,before these results can be used, it is essentialto develop aa understanding of the bases for this variability. The information presented in Chapters 3 through 5 and 10 through 13 indicates where much of the variability exists (e.g., contributors and core damage frequency) and what has caused the variability. Whether caused by plant differences or modeling assumptions the variability in the IPE results generally falls into one of the following categories:

• differences in definition of scope or boundary conditions (e.g., completeness of initiating events, or  !

accounting for support system dependencies such as instrument air or HVAC) l

• differences in plant (system / equipment) response to accident conditions (e.g., effect of containment i conditions on injection pumps, ability of power-operated relief valves to reclose, or potential for RCP seal LOCA if pumps continue to run without seal cooling) o e difference in definition of terms (e.g., differences in the definitions of accident sequences, differences in the criteria used to define the onset of core damage)

NUREG-1560, Draft 8-21 i

I

8. Conclusions and Observations Standardization of these items would ensure that the variability is driven by plant characteristics rather than "subjectivejudgements" that are not necessarily supported by plant-specific analyses. However, even allowing for the variability, the models and results presented in the IPEs can provide useful c:;pport for ongoing and future PRA activities:

The IPE results can be used to ensure completeness and consistency among PRAs. For example, new failure modes were reported in some IPEs, but not in other IPEs for plants with similar design features. This may indicate that the other PRA models may need to include these new failure modes. Some IPEs used new PRA models that have distinct advantages over previxsly available models. For example, it is now possible to directly couple the Level I and 2 ana!*iser, such that core damage accident sequences are directly allocated to containment failure modes. This ein tinates the need for binning into plant damage states, and the approximations that can accompany this prccess. 1 l 1 NUREG-1560, Draft 8-22

I

8. Conclusions and Observations R.EFERENCES FOR CHAPTER 8 8.1 USNRC, " Individual Plant Evaluation for Severe Accident Vulnerabilities - 10CFRl50.54(f), " Generic Letter 88-20, November 23,1988.

8.2 USNRC, " Mark I Containment Performance Program Plan," SECY-87-297, December 8,1987. 8.3 USNRC, " Integration Plan for Closure of Severe Accident issues," SECY-88-147, May 25,1988. 8.4 USNRC, " Mark 1 Containment Performance Improvement Program," SECY-89-017, January 23,1989. 8.5 USNRC, " Initiation of the Individual Plant Examination for Severe Accident Vulnerabilities," Generic Letter 88-20, Supplement 1, August 29,1989. 8.6 USNRC, " Completion of the Containment Performance improvement Program and Forwarding ofInsights for Use in the Individual Plant Examination for Severe Accident Vulnerabilities," Generic Letter 88-20, Supplement 3, July 6,1991. 8.7 USNRC, " Individual Plant Examination Submittal Guidance," NUREG-1335, August 1989. 8.8 USNRC, " Regulatory and Backfit Analysis: Unresolved Safety issue A-45, Shutdown Decay Heat Removal Requirements," NUREG-1289, November 1988. 8.9 S.K. Shaukat, J.E. Jackson, and D.F. Thatcher," Regulatory Analysis for GI-23: Reactor Coolant Pump Seal Failure," April 1991. 8.10 USNRC, " Interfacing Systems LOCA: Pressurized Water Reactors," NUREG/CR-5102, February 1989. USNRC, " Assessment of ISLOCA Risk - Methodology and Application to a Westinghouse Four-Loop Ice Condenser Plant," NUREG/CR-5744, April 1992. USNRC, " Assessment of ISLOCA Risk - Methodology and Application to a Combustion Engineering  ; Plant," NUREG/CR-5745, April 1992.  ! USNRC, " Assessment of ISLOCA Risk - Methodology and Application to a Babcock & Wilcox Nuclear l Power Plant," NUREG/CR-5604, April 1992. 1 l 8.1 i USNRC, " Regulatory Analysis for the Resolution of Generic Issue 105, ' Interfacing System Loss of Coolant Accident in Light-Water Reactors'," NUREG-1463, July 1993. 8.12 V. Leung, D. Basdekas,G. Mazetis," Regulatory Analysis for the Resolution of Generic issue 130: Essential ' l Service Water System Failures at Multi-Unit Sites," USNRC, NUREG-1421, June 1991. 8.13 USNRC, "The Resolution of Generic issue 130, ' Essential Service Water System Failures at Multi-Unit Sites'," Generic Letter 91 13, September 19,1991. 8.14 USNRC, " Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants," NUREG-il50, l December 1990. 8J5 USNRC, " Accident Management Strategies for Consideration in the Individual Plant Evaluation Process," Generic Letter 88-20, Supplement 2, April 4,1990. NUREG-1560, Draft l 8 23

GLOSSARY , t-Accident analysis - steps taken by a PRA analyst to model and quantify the frequency of core damage, containment response, and public risk attributable to a specific accident or class of accidents Accident class - a grouping of severe accidents with similar characteristics (such as, transients, loss of coolant accidents, station blackout accidents, and containment bypass) Accident conditions - environmental or operational conditions occurring during events that are not expected in the course of plant operation but are postulated for design or analysis purposes Accident initiators - initiating events that can challenge plant systems and components e

                       ~

Accident management - strategies and guidance developed for incorporation into the emergency response procedures of a plant to prevent or mitigate events during a severe accident Accident progression analysis - modeling of that part of the accident sequence which follows the onset of core 3

           -damage, including containment response to severe accident conditions, equipment availability, and operator performance (also referred to as a Level 2 PRA) 1 Accident sequence analysis - the process of determining the combinations of initiating events, safety functions,            .

, end system failures and successes that may lead to core damage (also referred to as a Level 1 PRA) l As-built, as-operated - a phrase used to refer to the conformity of the PRA to actual operational and design conditions at the nuclear plant l l ! Availability - the probability that a system or component will function satisfactorily when required to respond to l a randomly occurring initiating event or system / component challenge (unavailability is the complement of , availability)  ; I Back-end - the portion of the PRA dealing with the containment response to severe accident challenges and the associated radiological release to the environment (also referred to as a Level 2 PRA); can include consideration of consequence to both the public and environment (also referred to as a Level 3 PRA) l Best estimate - the point estimate of a parameter used in a computation which is not biased by conservatism or

optimism Boolean algebra - relating to, or being, a logical combinational system that represents symbolically relationships .

I (as those implied by logical operators AND, OR and NOT) between activities t E l l G-1 NUREG-1560, Draft l

1 l l Glossary l Burden - in human reliability analysis, any of the factors that affect operator performance including such items  ; as time constraints (short available time), diagnosis constraints (confusing indications), factors related to decision  ! making (competing resources), command and control impediments (remoteness between people who need to communicate), and physiological factors (hostile environment) i Common cause event - a subset of dependent events in which two or more component fault states exist at the same time, or within a short time interval, and are the direct result of a shared cause Common cause failure - a single event that adversely affects two or more components at the same time j Common mode failure - a single failure that affects two or more components at the same time Component - an element of plant hardware designed to provide a particular function (for system modeling purposes, a component is at the lowest level of detail in the representation of plant hardware in the models) Conditional contain ment failure probability- the likelihood, expressed as a probability, that the containment will fail, given that core damage has occurred Conditional probability- the conditional probability of event A occurring given that event B has already occurred is given as: P(A l B) = P(AnB)/P(B) Containment bypass - an event which opens a flow path that allows the release of radioactive material directly to the environment bypassing the containment atmosphere Containment class - a grouping of U.S. containments with similar characteristics (for BWRs, containment classes include Mark I, II, and III containments; for PWRs, containment classes include large dry, atmospheric and subatmospheric, and ice condenser containments) 1 Containment failure - loss of integrity of the containment pressure boundary (caused by severe accident conditions) which results in leak rates to the environment that exceed the design limits Containment failure mechanisms - accident conditions that can cause loss of containment integrity (examples for severe accidents include failures resulting from direct containment heating, steam explosions (in-vessel and ex-vessel), hydrogen combustion / detonation and shell melt-through) Containment failure modes - descriptions used to classify the type ofcontainment failure, such as isolation failure,  ! bypass failure, and early or late failure  ; Containment isolation failure - failure to isolate all lines that penetrate the containment (the frequency of containment isolation failure includes the frequency of pre-existing unisolable leaks) NUREG-1560, Draft G-2

     .     --            .     - . _~~ __- ._                       .-           -. -                      - - . . - -            _ -

t i l t l Glossary  : t i I Containment performance- a measure of the response ofnuclear plant containments to severe accident challenges  ; (containment performance is typically represented by the conditional containment failure probability) Core damage - uncovery and heatup of the reactor core as a result of a loss of core cooling to the point where i l prolonged clad oxidation and fuel damage is anticipated 1  : Core damage frequency- the frequency, per reactor year, of an accident leading to core damage Core-concreteinteraction - interaction of molten core material with concrete structures in the containment during i a severe accident in which the reactor pressure vessel fails I Core melt - severe damage to the reactor fuel and core internal structures following the onset of core damage, i including the melting and relocation of core materials I l t l Creep rupture - a mechanism of failure resulting from continuous deformation at constant stress; imponant for metal components at elevated temperatures, such as steam generator tubes or a steel containment boundary in contact with molten core material r I Cut set- minimum combination of a set of events (e.g., initiating event and component failures)that, if they occur, will result in the onset of core damage , Dependency- requirement external to an item and upon which its function depends j 2 Design-basis event - any of the events specified in the nuclear power plant's safety analysis that are used to {' establish acceptable performance for safety-related functions (events include anticipated transients, design-basis accidents, external events, and natural phenomena) l Diagnosis - examination and evaluation of data to determine either the condition of a structure, system, or component, or the causes of the condition Dominant contributor - an accident class that has a major impact on the total core damage frequency or a j containment failure mechanisms having a major impact on the total radionuclide release frequency Early containment failure - failure of the containment in a time frame considered short relative to the overall timing of the severe accident (typically, early containment failure is defined as containment failure before or within j a few hours of reactor vessel breach) l i Early release - a radioactive release from the containment that occurs early, (i.e., occurring within a few hours of vessel breach) and typically before effective implementation of the offsite emergency response and protective actions i . G-3 NUREG-1560, Draft ' l

- Glossary Equipment qualification - the generation and maintenance of data and documentation to ensure that the equipment will operate on demand to meet system performance requirements during design basis accidents Event tree- a quantifiable logical network that begins with an accident initiator or condition and progresses through a series of branches that represent possible system performance, human actions, or phenomena that yield either a safe, stable state or an undesirable one, such as core damage or containment failure Event tree top event - the conditions (system behavior or operability, human actions, or phenomenological events) that are considered at each branch point in an event tree External event - an event initiated outside the plant systems that can affect the operability of plant systems (examples include earthquakes; tornados; and floods and fires from sources outside the plant)

Failure- a state that renders a component incapable of performing its specified operation according to established ' success criteria (the component can fail ifit either functions when not required, or does not function when required) Failure analysis - the systematic process of determining and documenting the mode, mechanism, causes, and root cause of failure of a component or system Failure mechanism - any of the processes that result in failure, including chemical, electrical, mechanical, physical, thermal, and human factors Failure mode - manner or state in which a system or component fails (examples include stuck-open valves, motor-bearing seizure, excessive leakage, and failure to produce a signal that drops control rods) Failure rate - the number of failures of an item within the population per unit measure oflife in such terms as demand or time Fault tree - a graphical representation showing the logical relationships among faults; provides a concise and orderly description of the various combinations of possible fault events within a system which could result in some predefined, undesirable event for the system Fault tree analysis - analysis based on probabilities, and mathematicalmanipulation of those probabilities,(fault tree analysis begins with an undesired top event and attempts to identify the sub-events that are necessary to cause the top event; fault tree analysis contrasts with failure modes and effects analysis, which is a bottom-up approach) Freen date - the cut-off date for the plant model in an IPE; plant modifications after th! date are not included in the model Frequency- the number of occurrences of an event per unit time NUREG-1560, Draft o.4

l Glossary Front-end - the portion of the PRA dealing with the core damage frequency analysis (also referred to as a Level 1 PRA) l l Front line system - an engineered safety system used to provide core or containment cooling and to prevent core damage or containment failure (such as ECCS and containment spray systems) l Fuel-coolant interaction - the energetic interaction, by direct contact between water and molten core material, that may result in a steam explosion (fuel-coolant interactions may occur either in-vessel or ex-vessel) I Fussell-Vesely importance - the fractional decrease in total core damage frequency when the plant feature (e.g., l a component, train, or system) is assumed to be perfectly reliable (failure rate = 0.0) l Generic Letter 88 a generic letter issued by the U.S. Nuclear Regulatory Commission on November 23,1988, which requested that U.S. nuclear utilities submit an Individual Plant Examination for severe accident vulnerabilities for each licensed nuclear power plant Generic failure rate - failure rates that apply generically to a class of equipment rather than specifically to an l individual piece of equipment;(rates for equipment from a specific vendor or for a specific application may vary from generic values; generic failure rates, also called " handbook" failure rates, are useful in preliminary design analysis, predictions, and design planning to estimate inherent capability,but should not be preferred to more specific, actual component data, if available) liarsh environment - an environment expected as a result of the postulated accident conditions appropriate for the design basis or beyond-design basis accidents Iligh pressure melt ejection - a reactor vessel failure mode that occurs with the reactor coolant system at high pressure and results in rapid dispersal of molten core material, steam, and hydrogen into the containment, challenging it in two ways: (1) The high temperature core material may come in contact with the containment liner resulting in liner failure (2) The dispersal of core material and steam into the containment atmosphere may result in direct containment heating and, possibly, hydrogen combustion lluman error probability - a measure of the likelihood that the operator will fail to initiate the correct, required, or specified action or response needed to allow the continuous or correct function of an item of equipment Human reliability analysis - a structured approach used to identify potential human errors and to systematically estimate the probability of those errors using data, models, or expert judgement Initiating event - see accident initiators G-5 NUREG-1560, Draft

l Glossary Individual plant examination - Generic letter 88-20 requested U.S. nuclear utilities to perform an evaluation to identify any plant-specific vulnerabilities to severe accidents;in responding to GL 88-20 most utilities performed the equivalent of a Level 2 PRA, and considered accidents initiated by internal events during full power operation Internal events - accident initiators originating in a nuclear power plant and, in combination with safety system , failures and/or operator errors, leading to core damage accident sequences (see also external events) Knowledge-based operator action - The mode in which operators may have to act under accident conditions that occur during unfamiliar situations or in an environment for which no know-how or rules for control are available from previous encounters;(various models proposed in the literature emphasize two different aspects of the problem, specifically,the two classes distinguish time-oriented models that emphasize the time available for operator action, and rating-oriented models that rate human actions according to various characteristics,such as difficulty in diagnosis; error rates are developed from these ratings) Late containment failure - failure of the containment in a time considered long relative to the overall timing of the severe accident (typically, late containment failure is defined as containment failure occurring more than a few hours past reactor vessel breach) Late release - a radioactive release from the containment that occurs late (i.e., occurring more than a few hours past reactor vessel breach) and typically after effective implementation of the offsite emergency response and protective actions Level I analysis - an identification and quantification of the sequences of events leading to the onset of core damage Level 2 analysis - evaluation of containment response to severe accident challenges and quantification of the mechanisms, amounts, and probabilities of subsequent radioactive material releases from the containment Les el 3 analysis - evaluation and quantification of the resulting consequences to both the public and environment Level of detail - different levels of logic modeling used in a PRA; (a failure event in a fault tree analysis can address various levels of detail, depending on how much useful information is available concerning the contributors to the failure event) 1 Low contributor- an accident class that has a minor impact (on the order of a few percent) on the total core j damage frequency or a containment failure mechanism having a minor impact on the total radionuclide frequency l l Mission time - the time period that a system or component is required to be operable in order to carry out its mission; (for example, a mission time of 24 hours implies that containment sprays are required to be operable for 24 hours in order to prevent containment failure from occurring within that period) NUREG-1560, Draft G-6

I I Glossary Model- an approximate mathematical representation that simulates the behavior of a process, item, or concept (such as failure rate);(for exa.mple, the probability of a system failure is synthesized using models that relate system failures to component failures and human errors; the probability of system failure is then calculated from these more elementary and better understood failures; these models contain parameters,such as the rates of occurrence of various events, that are not known precisely) i < Modeling assumption - an assumption on which a model is based (such assumptions may not be valid or

universally accepted) 1 Performance shaping factor (PSF)- an influence on the performance of an operatcr;(underlying PSFs is the idea that the human error rates for a set of specified actions can be derived by investigad.ng how a small set of PSFs j influence the success or failure of the operators; PSFs include such considerations as training, experience, availability and quality of a procedure, stress, interdependence among operators, environment, and timing) 1 Plant - a general term used to refer to a nuclear power facility; (for example, plant could be used to refer to a i

single unit or a multi-unit site) I Pool scrubbing- the retention of some of the radioactive material from core debris released into the pool; (for < example, the suppression pool of the BWR Mark I containment may provide pool scrubbing for some accident

scenarios) a i Probabilistic Risk Assessment / Analysis - of a nuclear power plant, is an analytical process that quantifies the l potential risk associated with the design, operation and maintenance of a plant to the health and safety of the public; the risk evaluation involves three sequential parts or " Levels"(refer to Level I analysis, Level 2 analysis and Level 3 analysis)

Reactor class - a group of nuclear power plants of similar design with reactors manufactured by the same vendor; (for example, all Westinghouse 4-loop plants belong to the same reactor class) Reactor year - a period of the reactor operation that accounts for the downtime during a calendar year Recovery action - an operator action intended to bring failed equipment back to operable status Recovery factor - a correction factor that is applied either to sequence cut sets or an event tree; (for example, a sequence cut set may be modified by including a new basic event representing the probability of an operator's failure to perform a recovery action; if several cut sets are affected by the same dominant recovery action, it may be more useful to include the recovery action at a higher level in the logic model; for example, actions to recovery offsite power in response to a loss of offsite power initiating event are included in the event tree functions) Regression analysis - a statistical technique which hypothesizes a model relating a dependent variable to a set of independent variables;(the dependent variable is assumed random and its expected value is expressed as a function NUREG-1560, Draft G-7

Glossary of the independent variables with unknown coefficients; the coefficients are estimated based on the observed values of all the variables) Reliability - the probability that a component performs its specified function and does not fait under given operating conditions for a prescribed time Risk - typically, the expected value of the consequences per unit time (usually expressed as fatalities /yr or $/yr); defined more bmadly using the " set of triplets" { (si ,if, x;) ); (in the set of triplets, s; identifies one of several possible scenarios, f; is the frequency of that scenario, and x is the consequence of that scenario; the risk is the set of all possible scenarios, their frequencies, and their consequences; this definition distinguishes between low-frequency, high-consequence scenarios and high-frequency, low-consequence scenarios) Risk-informed regulation - a regulation whose decision making criteria integrate probabilistic and conventional deterministic evaluations Rule-based operator actions - a sequence of actions in which an operator follows remembered or written rules; (for example, performance of written post-diagnosis actions or calibrating an instrument or using a checklist to restore manual valves to their normal operating status after maintenance are classified as rule-based operator actions) Safety systems / components - those systems / components that are designed for design-basis accident;(technical specifications and administrative controls are required for safety systems / components) Scope - refers to the extent of initiating events considered in a PRA; a full-scope PRA usually includes accidents initiated by internal and external events during full-power and low power / shutdown conditions; the scope should be distinguished from the PRA Level, which defines the exter.t of the analysis (refer to Level I analysis, Level 2 analysis and Level 3 analysis) Sensitivity analysis - an analysis in which one or more input parameters to a model are varied in order to observe their efTects on the model predictions 1 Severe accident - an accident that goes beyond the design-basis of the plant and usually involves extensive core damage I l Skill-based operator action - the performance of more or less subconscious routines governed by stored patterns of behavior; (for example, the performance of memorized immediate emergency action following an accident initiator) State-of-the-art PRA - a PRA that reflects the latest improvements in PRA modeling and evaluation Station blackout - an accident sequence initiated by loss of all offsite power with failure of onsite emergency AC power (diesel generators), and failure of timely recovery of offsite power and onsite emergency AC power NUREG-1560, Draft G-8

  -  -     -          .--_            .        - - -        -     _     _-.             -. _       . - . . .. . _ = -

Glossary

    ' Success criteria- the systems / components and their combinations that are needed to carry out their mission given              ;

an accident initiator j l > l Support system - a system that provides a support function (e.g., electric power, control power, and cooling) for l another system; (for example, ilVAC is often considered as a support system) Uncertainty Analysis - the quantification ofinc imprecision in the PRA estimate that results from imprecisely l , formulated PRA models and imprecisely known input variables Unit - refers to a single nuclear power reactor with its associated systems and components; most nuclear power  ;

plant sites have either one or more units; at multi-unit sites, some supnon systems can be shared between units ,

l Vessel breach - refers to the failure of the reactor pressure vessel (RPV) beundary and a release of the radioactive material from the RPV I' Walk-through/ walk-down - inspection of local areas in a nuclear power plant where systems and components are l physically located in order to verify the location of the equipment, assess its operating status, and ascenain any environmental effects or system interaction effects on the equipment which could occur during accident conditions , 1 i l l i, i i n l 4 G.9 NUREG-1560, Draft ' l l _

INDEX Volume 1, Part 1 A Browns Ferry (1-8), (1-11), (3-17), (4-7), Anticipated transient without scram (4-10), (4-46) Babcock & Wilcox (3-43) Brunswick (18), (1-11), (3-17), (3-21), (3-23), (3-25), (4-7), (4-10), BWR 1/2/3 (3-12) BWR 3/4 (3-20) (4-45) BWR 1/2/3 BWR 5/6 (3-29) BWRs (3-8) defined (1-8) Combustion Engineering (3-50), human actions (5-3) perspectives (3-11) (3-53) containment failure (4-14), (4-24) transients (3-7) vulnerability (2-2) defined (1 10) B W R 3/4 human actions (5-4) importance to CDF (xix) defined (1-8) improvements (2-12) human actions (5-3) Perspectives (3-5), (3-24), (3-33), Perspectives (3-17) (3-46), (3-61), (3-69), transients (3-7) vulnerability (2-2) (3-76) B W R 5/6 PWRs (3 38) vulnerability (xvi), (2-8) defined (18) Westinghouse 2-loop (3-58) human actions (5-3) Westinghouse 3-loop (3-65) improvements (214) Westinghouse 4-loop (3-73) Perspectives (3-26) Arkansas (xxx), (4-29), (4-32), (4-34), (5 11), transients (3 7) vulnerability (2-2) (5-12) Byron (1-9), (1-12), (3-43), (3-45), (3-51), (3-69), (3-74), (4-29), R (4'3 ) Babcock & Wilcox defined (1-9) O human actions (5-8) perspectives (3-39) Callaway (1-9), (1-12), (3-69), (4-29) plant improvements (2-15) Calvert Cliffs (1-9), (1-12), (3-46), (3-48), (3-50), (3-51), (3-52), vulnerability (2-6) Beaver Valley (1-9), (1-12), (3-62), (3-67), (3-53), (3-54), (4-29), (3-69), (4-29), (4-33), (5-11),(5-13),(7-5),(8-9) (4-3 5), (4-37), (4-46), Catawba (1 9), (1-12), (3-69), (4-38), (4-40), (4-47), (5-11), (5-13), (7-5) (4-42), (4-43), (4-47), Big Rock (1-8), (1-12), (3-9), (3-12), (3-13), (8-10) (3-14), (3-15), (3-16), (4-4), Clinton (1 8), (1-11), (3-26), (3-30), (3-32), I (4-26), (4-29), (4 37), (3-34), (4-22), (4 24), (4-38), (5-6), (5-7), (5-16) (4-25), (4-26), (5-6), (5-7) Braidwood (1-9), (1-12), (3-69), (374), Comanche Peak (1-9), (1-12), (3-69), (4 29) (4-29), (4-37) Combustion Engineering defined (19) l g-1 NUREG-1560, Draft

 . _ _ _ _ . . _ _ . . _ _ _ _ _ _ _ . _ _ . _ _ _ _ . - . _ .                                         .-_-_._.-m_._,_..__

i Index, Vol.1, Part 1 l l human actions (5-8) - Containment failure mode j improvements (2-15) defined (1 11) . j perspectives (3-46) ' perspectives (7-2)

                              . vulnerability (2-6)                       Containment isolation failures Conditional containment failure probability                           BWRs (4-9), (4-14), (4-21), (4-26)           i defined (4-1)                                       PWRs (4-37), (4-43)                           l impact of high values (8-6)                Containment late failures                              I variability (4-1), (4-4), (4-16),                   basemat melt-through (4-35)                .]

(4-25), (4 28), (4-34), BWRs (4-6) i (4-36), (4-40), (4-43) defined (1-11) Containment analysis methods hydrogen combustion (4-25)  ; i

                             ' MAAP (4-42)                                         ice condenser (4-40)

Containment bypass large dry (4-31) j BWRs (4-6) Mark I (4-8) .  ! defined (1-11) Mark II (416)  ! ice condenser (4-40) Mark 111 (4-23) l ISLOCA (4-9), (4-21) overpressurization (4-11), (4-19), _l large dry (4-31) - (4-35), (4-43) j Mark I (4-8), (4-13) perspectives (xxii), (4-3) ) Mark II (4-16) PWRs (4-28) -i Mark 111 (4 23) vulnerability (2-9)  ! perspectives (xxii), (3-5), (4-3), Containment performance ] (4-26) ' BWRs (4-4) _ _ j PWRs (4-28) compared to NUREG-1150 (7-4) - , steam generator tube rupture (4-36) improvements (2-13), (2-15), (4-10) . -l Containment classes MAAP code (6-17) , BWR defined (1-11) perspectives (xx), (4-1)  ; PWR defined (1-12)- PWRs (4-26)  ; Containment early failures - Containment Performance improvement j BWRs (4-6) Program (4-19) l defined (1 11) defined (8-3)  ! direct - containment heating (4-33), ' ice condenser (8-4) i (4-41), (4-42), (7 5) large dry (4-31), (8-5).  ! high pressure melt ejection (4-31), Mark I (8-4) , (4-40), (4-41) Mark II (8-4) I hydrogen combustion (4-24), (4-40), Mark Ill (8-4) l (443) Containment:' ice condenser  ; ice condenser (4-39) defined (1-12)- l large dry (4 30), (4-34) improvements (2-16) _~ Mark I (4 8) perspectives (4-38) Mark 11 (416) Containment: large dry Mark Ill (4-23) defined (1-12) i overpressurization ; (4-10), (4-18), perspectives (4-29)-

                                                                                                                                )

(4-33) . Containment: MattI j perspectives (xxi), (4-3) defined (1-1I) l PWRs (4-28) . fatality risk (7 5) shell melt-through (xvi), (4-9), (7-5) improvements (2-15), (2-16) NUREG-1560, DraR I.2

l l Index, Vol.1, Part I Containment: Mark 11 Diablo Canyon (1-9), (1-12), (3-69), (4-29),

def'med (1-11) (4-37) l improvements (2-16) Dresden (1-3), (1-8), (1 11), (3-9), (3-13),-

                   ' perspectives (4-15),(4-21)                                             (3-14), (3-15), (3-16), (4-7),

l Containment: Mark 111 (5-16),(5-17) defined (1-1l) Duane Arnold (1-8). (1-1!), (2-16), (3-17), improvements (2-16) (4-7), (4-10), (5-17) Containment: subatmospheric , l defined (1 12) F fatality risk (7-5) Farley (1 9), (1-12), (3-62), (3-68), (4-29) fatality r k -5)

                                                                            *          *

• I' O' I' ( ~ I' improvements (2-16)

                                                                                                   '            '(    I' (   I' Cook (19), (1-12), Q-69), (3           ), (4-38),             F       id 0-8                        .m @m                                     [

(3-24), (3-25), (4-7), (4-46), ,

          ' Cooper (1-8), (1-11), ( l , (3-22), (3-23),                   Fort Calhoun (1-9), (1-12) (3 6), (4 29) l            Core damage accident classes O

defined (1-10) Core damage frequency Generic Letter 88-20 compared to subsidiary objective improvements (2-15) , (7-3) limitations (1-3)- ' objectives (xvi), (1 1), (8-1) defined (3-1) gains from plant improvements (2-1) risk-informed regulation (6-1) impact of high value (8-6) vulnerability (21) Generic safety issues Perspectives (xvii), (1 2), (3 1), (7-2) variability (3-5), (3-35), (3-44), Potential (8-13) ' (3-48), (3-60), (3-64), resolution with IPE (8-10) Ginna (19), (1 12), (3-54), (3-58), (3-59), (3-72) Crystal River (1-9), (1 12), (3-39), (4-29), (3-60), (3-61), (4-29), (511),(5-12),(5-13) (4-37), (4-46), (7-5) Grand Gulf (1-8), (1-11), (3-26), (3-30), , (3-32), (3-33), (4-22), D , ), (4-26), (6-2) Davis Besse (19), (1-12), (3-39), (4-29), , (4-34), (8-10) Decay heat removal H Haddam Neck (1-9), (1 12), (3-69), (3-74), l BWR 1/2/3 (3-12) (4-29), (4-35), (5-12), (7-5) BWR 3/4 (3 20) Harris (1-9), (1-12), (3-62), (3-66), (3-68), BWR 5/6 (3 29) ' (4-29), (4-36) BWRs (3-8), (8-8) ' Hatch (I-8), (1-11), (3-17), (3-24), (4 7) , human actions (5-5) ' improvements (2-12) Hope Creek (18), (1-!!), (3-17), (3-21), (4-7), (8-10) Perspectives (3-14), (3-23), (3 33) Human actions , PWRs (8-9) ) BWRs (51), (5-6) , USI A-45 (8-6) comparing BWRs and PWRs (5-18) 1-3 NUREG-1560, Draft .

l Index, Vol.1, Part 1 perspectives (xxii), (1-2) BWR 3/4 (3-21) pre-initiator (5-5) BWR 5/6 (3-30)  : . PWRs (5-8), (5-1l) BWRs (3-8) recovery (4-26) Combustion Engineering (3-50) variability (5-1), (5-13), (5-16) defined (1-10) Human reliability analysis . importance to CDF (xix) EPRI cause-based decision tree improvements (2-13) method (5-14) perspectives (3-4), (3-25), (3-34), Human Cognitive Reliability (HCR) - (3-46), (3 53), (3-61), I method (5-14) (3-68), (3-75)  ! Individual Plant Examination PWRs (3 38) Partnership (IPEP) method vulnerability (xvii), (2-7), (2-10) l (5-15) Westinghouse 2-loop (3-58) operator reliability characterization Westinghouse 3-loop (3-65) and assessment method Westinghouse 4-loop (3-73) (5-14) IPE Insights Program perspectives (5-13) limitations (1-2) quality (6-5) objectives (1 1) SLIM (5-14) THERP (515) g_L Kewaunee (1-9), (1-12), (3-54), (3-59), l I-l (3-61), (4-29), (5-12), Indian Point (1-9), (1-12), (3-69), (3-76), (5-13),(8-9) (4-29), (8-10) LaSalle (1-8), (1-11), (2-16), (3-26), (3-31), Interfacing system LOCA (4-15), (4-17), (4-18), Babcock & Wilcox (3-43), (3-46) (4 20), (4-46) BWR 1/2/3 (3-12), (3-17) Limerick (I-8), (1 11), (2-16), (3-17), (4-15), BWR 3/4 (3-21) (4-17), (418), (4-19), BWR 5/6 (3-30) (4-20), (4-46), (5-16), BWRs (3-8) (5-17) f Combustion Engineering (3-50) Loss of coolant accidents l contribution to containment bypass Babcock & Wilcox (3-42) > (4-44) BWR 1/2/3 (3-12)- defined (1-10) BWR 3/4 (3 21) , importance to CDF (xx) BWR 5/6 (3-29) improvements (2-6), (2-13) BWRs (3-8) perspectives (3-25), (3-35), (3-54), Combustion Engineering (3-49) (3-62), (3-69), (3-76) defined (1 10) PWRs (3-38) importance to CDF (xix) vulnerability (2-3), (2-10) perspectives (3-4), (3-15), (3-25), Westinghouse 2-loop (3-58) (3 34), (3 44), (3-52), , Westinghouse 3-loop (3-66) (3-59), (3-67), (3-74)  ! Westinghouse 4-loop (3-73) PWRs (3-37)  ! Internal flood vulnerability (2-8) analysis quality (6-6) Westinghouse 2-loop (3-57) Babcock & Wilcox (3-43) Westinghouse 3-loop (3-65) BWR 1/2/3 (3-12) Westinghouse 4-loop (3-72) ) NUREG-1560, Draft I-4

Index, Vol.1, Part 1 Af Oyster Creek (1-8), (1-11), (3-9), (314), , Maine Yankee (1-9), (1-12), (3-46), (3-50), (3-16), (4-7), (4-9), (8-11) ' (3-51), (3-52), (4-29), Palisades (1 9), (1 12), (3-46), (3-51), (3-53), i (4-33),(5-12),(5-13) (4-29), (4 34), (7-5), (8-6) l Maintenance Rule Palo Verde (1-9), (1-12), (3-46), (3-51),  ! (3-52), (4-29), (4-33), (7-5) l use of IPEs (8-19) McGuire (1-9), (1-12), (3-69), (4-38), (4-40). Peach Bottom (1-8), (1-11), (3-17), (4-7), (4-42), (4-43), (4-44), (4-10), (5-16), (6-2) (4-47), (8-1 l), (8-13) Perry (1-8), (1 11), (3-26), (3-31), (3-32), Millsione (1-8), (1-9), (1-1l), (1-12), (3-9), (3-33), (3-34), (4-22), (3-13), (3-15), (3-46), (4-26), (4-46), (5-7) (3-69), (4-7), (4-29), (4-32), Pilgrim (1-8), (1 11), (3-17), (3-21), (3-25), (4-35), (5-6), (5-7), (8-8), (4-7),(5-6),(5-7) Plant classes (8-9) Monticello (1-8), (1-11), (3-17), (3-22), BWR (18) (3-23), (3 24), (4-7), (4-9), PWR (1-9) (4-10),(4-12),(5-6) Plant improvements BWRs (3-5), (3-14), (3-15), (3-22), i f (3-23), (3-24), (3-31), N (3-32), (3-33), (8-3) , Nine Mile (xxxi), (1-8), (1-11), (3-9), (3-14), from IPE (xvii), (2-11) I (3-15), (3-16), (3 26), PWRs (3-37), (3-44), (3-46), (3-51), (3-30), (3-32), (4-7), (4-10), (3-53), (3-59), (3-60), (4-13), (4-14), (4-15), (3-61), (3-67), (3-68), (4-17), (418), (4-19), (3-74), (3-75), (8-3) (4-20), (4-21), (5-6), (5-7), Point Beach (1-9), (1-12), (3-54), (3-58), (5-16), (5-17), (8-1 l) (3-60), (4-29), (3-11) North Anna (19), (1-12), (3-62), (3-66), Prairie Island (1-9), (1-12), (3 54), (3-58), (3-68), (4-29), (4-36), (3-59), (3-60), (4-29), (5-12), (8-11) (4-36),(4-37) NRC Safety Goals Probabilistic risk assessment defined (7-1) attributes (6-9), (8-21) Perspectives (1-2) elements of (6-2), (6-4), (6-7), (6-10) use of IPE (xxiv), (7-1), (8-17) individual plant examination vs. NUREG-1150 quality PRA (6-12) IPE perspectives, compared with peer review (6-11) (1-2),(7-9) research (8-16) IPE results compared to (4-42), (7-3) use in extrapolating offsite health efrects (7-3) Q-R Quad Cities (1-8), (1-11), (3-17), (3-23), NUREG-1335 (4-7),(5-7) vulnerability (2-1) Radionuclide release early release (4-46) 0-P MAAP code (6-15) Oconee (19), (1-12), (3 39), (3-41), (3-44), perspectives (4-44) (3-45), (3-46), (4-29), variability (4-45) (8-11) Reactor coolant pump seal LOCA I-5 NUREG-1560, Draft i

I Index, Vol.1, Part i Babcock & Wilcox (3-43), (3-45) (3-45), (3-52), Combustion Engineering (3-51) (3-60), (3-68), improvements (2-6), (2-13), (8-3) (3-75), (7-10) perspectives (3 38) PWRs (3-37) vulnerability (xvi) variability of core damage frequency Westinghouse 2-loop (3-59) (7-6) i Westinghouse 3-loop (3-66) vulnerability (2-10) Westinghouse 4-loop (3-73) Westinghouse 2-loop (3-57) l Risk-informed regulation Westinghouse 3-loop (3-65) inspections (8-14) Westinghouse 4-loop (3-72) 1 I perspectives (12), (8-20) Steam generator tube rupture role of IPE (xxiii), (6-1), (6-15), Babcock & Wilcox (3-43) (8-6) Combustion Engineering (3-50) River Bend (18), (1-11), (3-26), (3-30), contribution to containment bypass (3 31), (3 33), (4-22), (4-44) (4-25), (4-26), (4-46), (5-7), defined (1-10) (8-11) importance to CDF (xx) Robinson (1 -9), (1-12), (3-62), (3-66), (3-67), perspectives (3-38), (3-46), (3 54), (4-29), (4-37) (3-61), (3-69), (3-76) plant improvements (2-13), (S-3) S vulnerability (2-6) Salem (1-9), (1-12), (3-69), (4-29) Westinghouse 2-loop (3-58) San Onofre (1-9), (1-12), (3-46), (3-51), Westinghouse 3-loop (3-66) (3-52), (4-29), (8-11) Westinghouse 4-loop (3-73) Sequoyah (1-9), (1-12), (3-69), (4-38), (4-40), Summer (1-9), (l-12), (3-62), (4-29), (5 12), (4 41), (4-42), (4-47), (8-9) (5-12),(6-2),(7-3) Support system: AC power Severe accident management improvements (2-12) perspectives (3-52), (3-60), (3-68) use of IPEs (8-18) Severe Accident Policy Statement (1-1) Support system: cooling water South Texas (1-9), (1-12), (3-69), (4 29), Babcock & Wilcox (3-44) (4-37), (8 11), (8-20) human actions (5-5) St. Lucie (1-9), (1-12), (3-46), (4-29), (4-46) vulnerability (2-10) Station blackout Westinghouse 2-loop (3-58) Westinghouse 3-loop (3-66) Babcock & Wilcox (3-42) Westinghouse 4-loop (3-73) BWR 1/2/3 (3-11) Support system: DC power BWR 3/4 (3-20) improvements (2-12) BWR 5/6 (3-28) BWRs (3-7) station blackout (3-13) Combustion Engineering (3-49) Support system: HVAC plant improvements (8-3) defined (1-10) impact of Station Blackout Rule quality of model (6-13) (12),(75) vulnerability (xvii), (2-6), (2-8) importance to CDF (xix) Westinghouse 3-loop (3-67) i perspectives (3-4), (3-5), (313), Suppon system: instmment air (3-21), (3-30), vulnerability (xvii), (2-7) l Westinghouse 2-loop (3-59) i l NUREG-1560, Draft 1-6 l

Index, Vol.1, Part 1 Support systems Vulnerability as initiators (3-15), (3-32), (3-50) BWRs (xvi), (2-2) improvements (2-12) defined (xvi), (2-1), (2-2) IPE perspectives (710) PWRs (xvi), (2-4) Surry (1-9), (1 12), (3-62), (3-67), (3-68), (4-29), (6-2), (7-3), (7-5), W.2 (8-11),(8-12) Washington Nuclear (18), (1-11), (3-26), Susquehanna (1-8), (1-11), (3-17), (3-21), (4-15),(4-17) (3-23), (3-25), (4-15), Waterford (1-9), (1-12), (3-46), (3-53), (4-17), (4-18), (4-20), (4-29), (4-33), (4-34), (8-6) (5-17) Watts Bar (1-9), (1-12), (3-69), (4-38), (4-40), (4-41), (4-42), I (4-43), (4-47) TMI (xxxii), (19), (1-12), (3-39), (3-44), Westinghouse (3-4 5), (4-29), (5-12), defined (1-9) (8-11) human actions (5-8) Transients improvements (2-15) Babcock & Wilcox (3-42) vulnerability (2-7) BWR 1/2/3 (3-12) Westinghouse 2-loop BWR 3/4 (3-20) perspectives (3-54) BWR 5/6 (3-29) Westinghouse 3-loop BWRS (3-7) perspectives (3-62) Combustion Engineering (3-49) Westinghouse 4-loop defined (1-10) perspectives (3-69) importance to CDF (xix) Wolf Creek (1-9), (1-12), (3-69), (4-29), perspectives (3-2), (3-4), (3-22), (4-46) (3 31), (3-43), (3-50), Zion (1-9), (1-12), (3-69), (4-24), (4-29), l (3-58), (3-66), (3-73) (4-37), (4-46), (6-2), (7-3) PWRs (3-37) Westinghouse 2-loop (3-57) Westinghouse 3-loop (3-65) l Westinghouse 4-loop (3-72) l Turkey Point (1-9), (1-12), (3-62), (3-67), (3-68), (4-29), (8 9) U-V Unresolved safety issues resolution with IPE (8-10) preventing containment failure (4-13), (4-20), (4-24), (4-25) preventing core damage (3-24) Vermont Yankee (1-8), (1-11), (3-17), (3-21), (3-23),(4-7),(5-17) Vogtle (1-9), (1-12), (3-69), (3-75), (4-29) 1-7 NUREG-1560, Draft

. . _ . ~ NRC FORM sSS u.s. NUCLEAR REGULATORY Commission 1. REPORT NUMBER QM (Amelgned by NRC, Add Vol, Supp., Rev.,

 "5"3E 3                                   BIBLIOGRAPHIC DATA SHEET                                                           '""'""""'""*""'"d
                                                                                                         .                         NUREG-1560

2. EE AND SUBME Volume 1, Part 1 individual Plant Examination Program:

Perspectives on Reactor Safety and Plant Performance 3- DATE REPORT PUBUSHED MONTH YEAR l Summary Report October 1996 Draft Report for Comment

4. FIN OR GRANT NUMBER

5. AUTHOR (S) 6. TYPE OF REPORT DRAFT

7. PERIOD COVERED (inctume oefes)

8. PERFORMING ORGAN 1ZATION - NAME AND ADDRESS (r Anc, panse Dvisen, omee or Regen, u s. Nuclear Ragusanry commessen, and merhap address. #contecer, provute nome end methng edtWess)

Division of Systems Technology Offica of Nuclear Regulatory Research US Nuclear Regulatory Commission Washington, DC 20555-0001

9. SPONSORING ORGANIZATION - NAME AND ADDRESS (a Nac, type 'seme w above; acontecer. panse NRC ovvisen, omco ar Regen, u s NucAser Regutekry commesomri.

end markng eddress) S:m) as above

10. SUPPLEMENTARY NOTES

11. ABSTRACT (200 worss or has)

Th5 report provides perspectives gained by reviewing 75 Indtvidual Plant Examination (IPE) submittals pertaining to 108 nuclear power plant units. IPEs are probabilistic analysis that estimate the core damage frequency (CDF) and containment performance for tecidents initiated by internal events (including internal flooding, but excluding internal fire). The IPE submittals were reviewed to gain perspectives in three major areas: (1) improvements made to individual plants as a result of their IPEs and the collective result of the IPE program, (2) plant-specific design and operational features and modeling assumptions that significantly affect the estimates of CDF and containment performance, and (3) the quality of the IPEs with respect to their potential role in risk-informed r:gulation. These perspectives were gained by assessing the core damage and containment performance results, including overall CDF, accident sequences, dominant contributions to component failure and human error, and containment failure modes. These results were assessed in relation to the design and operational characteristics of the various reactor and containment types, and by comparing the IPEs to attributes of a quality probabilistic risk assessment. Methods data, boundary conditions, and assumptions used in the IPEs were considered in understanding the differences and similarities observed among the various types of plants. j i i l i

12. KEY WORDS/DESCRIPTORS (bst words or pAresse met we essisf resserchers in bestrno me report) 13 AVAILAsstrrY ST ATEMENT Probabilistic Risk Assessment unlimited Individual Plant Examination 14 SECURITY CLASSIFICATION Severe Accident (Th,s pege; unclassified (Thss Repary unclassified

15. NUMBER OF PAGES ,

16. PRICE NRC FORM 335 Q-60) The fann was electromcelly peduced by Ekte Federal Forms. Inc.

l 4 l i 1 l l i  ! l l l 4 I

                                                               \

l i Printed on recycled paper Federal Recycling Program

lj1 i $ 1lI '1 1 D I A m. L P 7 WS A EE 43 S S F fg AD g LN 7 C TE A "Yg SG g RA p FI ST O P 5 5 S 5 C 6 V 0

                              '       S e        C C'

N C

 ^

O C I T I . c I 7 L g p go 1 g - 2yRUN 7T N r 3j 1 EG 5C 5f p n6N I 5'! .f;H 0 ySFS. t 7 yPV,U 1 T N O I S 1 S I 0 0 MM5 M 3 S O5 SS E E C 05 S E U TY 2 N TE AR' I SA TOC UN S T D BR D EI A.N, LP A I R TUO I CO NE GGT mFY U RNI O LT A RHS N A E E LWA P C U N

                                                       ,     f1,Illll!i}}