' the associated PORV is Inking,  !

14 ,

i f

. = - . = - - . . .- . - - . . . . - . - - . - - - - - .-

i

,u i

.j 4

In case of an 580, the ac power must be restored wkhin 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> if the DDAFW purnp is not operating, and 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> otherwise. De two40er non-recovery probability is given a value of 0.136, or about half ,

of the NSAC 147 value. De 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> non-recovery probability is given as 1.16E 2, which seems  !

remmamhte. Offshe power is recovwed only in case of an 580, i.e., no credit is given for offsite poww  !

_ recovery of a dead bus whh success of one diesel generator.

De RCP seal LOCA model is taken from WCAP 10541. Rev. 2. t For transients, credk is given for opermor action to restore main feedwww la case of failure of auxiliary feedwater. Credit is also given for depressurising and opersing only with the condensate punps. j s

Some event tres models contain illogical paths. De IPE submittal implies the these are resolved at the j fauk tres level, ,

- h abould be noted that in the IPE submittal explanation of the modeling of accident sequences, and the j

- ranonale thereof is very poorly documented (there is just a summary section on PRTs and success  :

crheria). On the other har,d, the modified IPE discussion of the SAM sequences expansion and the  :

LOCA success criteria is vwy comprehensive.  !

5 Overall, Byron success crkeria and event tree modeling seem to be reasonable and in line with most other l IPEs or PRAs for similar plants.  ;

i 2.1.1.3 Systems Analysis ,

i A total of 10 systems / functions are described in Section 4.2 of the Submittal included are descriptions  :

4 of the following systems: component cooling water, auxiliary feedwater, RCFCs, essential service water, containment spray, ECCS (including safety ledecsion, RHR, CVCS and accumulators), reactor protection, j elomric power, containment isolation and miscellaneous systems (including RWST refill, main feedwater, condensate / condensate booster, instrument air, nonessential service water s turbine stop and governor i valves, steans dumps, steam generator PORVs, MSIVs, FWlVs and pressurist PORVs. In addition, RAI responses discuss the HVAC system.

De system descriptions in the submittal are oAen not vwy clear, which makes it hard to understand all )

aspects of system modeling and plant features. For example, answers to questions arising from the lack l of description of event tres modeling (see above) could not be found hwe, either. De role of the fire  :

protoaion system in the plant and in the model was not discussed. On the other hand, the RAI responsas' i

. discussion of the HVAC is very detailed and thorough, as is the discussion about the Hyron de system. ,

De results session lucidly discusses unique plant features and plant specific irights, and the dependency matrices and associated footnotes are.very expansive and well documented.

Alao included for some important systems are simplined schemadcs that show major equipment items and -

important flow and configuration information.  ;

Section 1.2 provides a discussion of systems and system arrangements which have a signincent hapact i on the level I analysis.-

i 4

15 i

i

.__.4-,....-, . -..-.,#.. -

.. _ . . . . . . . _ . - 2.__.-._. .

f

. _ . . - - . - - ~ - - .. - . - - . - - - - - - - - - - .

~* l Note that the major diffwence between the Byron and Braidwood designs is the source of water for the j essential service water system. Dere are also some minor dlNorences in dependencia, as explained .j below.  :

De systenu notebook approach was used for systems analysis. }

}

2.2.1.4 System P7

De IPE addressed and considwed the following types of dependencies: shared component, instr =maneariaa and control, isolation, motive power, direm equipment cooling, areas requiring HVAC, .

opermor waions and environmental eNeas. HVAC is not an imponant system at this plant, as only a few 1 systems require it within the mission time (see section 1.2 for the list of HVAC dependent systems). 1 Derefore HVAC is not modeled as an initiating event but is modeled as a subsequent failure in the fault {

tross of systems affected by HVAC failure. l

. De RCFCs are needed to control the containment M=+nre within the PORY qualification limits. i Similady, the pressuriser spray valves will be affected by small LOCA environments in the containment, i auch that the maximum flow rate will decrease. ' Howevw, the IPE calculations show that the flow rate ,

,would still be suffic ient.  ;

Seywal Table in volume 2 show various 'dapendency matrices. It should be noted that Byron's-dependency matrices are of poorer quality than Braidwood's. Dere are several inconsistencies between .,

various dependency matrices in the Byron IPE. For example, some matrices imply that EDGs do not  ;

4epend on essential service water or de power, or do not show complete dependence of main feedwater  :

on either de bus.

Dare seem to be minor diffwences between Byron and Braidwood dependency matrices. For example, f

. at Braldwood, a reactor trip closes the main feedwater valves, and the pressurizer PORVs also depend ,

on 120V ac instrument power (in addition to de and compressed air) for operation of a relay. Dese ,.

dependencies do not exist at Dyron. Dere are differences in logic for operating RCFCs in a slow speed mode (during normal plant operation they are operated at normal speed): at Byron, the safegueds or the  :

safe shutdcwn sequencers do the speed switching, whwoes at Brandwood this is the responsibility of the ESFAS system. Another difference in dependency matrices stene from seemingly different piggyback  :

arrangements for high pressure recirculation at the two plants: at Byron, RHR pump A feeds either of the two centrifugal charging pumps, whereas RHR pump B feeds either of the two Si pumps, with valves betwoon the SI and the CCP pumps in place to alter that arrangement. At Braidwood, it seems that RHR -

. pump A feeds either CCP A or $1 A, and likewise for RHR pump B.

i 2.2.2 Quantitative Process 1.1.1.1 Quantification of Aeddent Sequence Frequends l

De IPE used a large event tres/small fault tree approach with a suppon state model to quantify core

- damage sequences. De event trees are systemic.

q De system and event tree models were quantified using the WESQT software, a

16 m- _ _ _ _ _ _ , _ _ _ . . . . , _ _ . . . . . _ _ . _ _ _ . . _ . . . _ , _ _ . . . _ . _ , _ , . _ , , . . - ~ . _ . . , - _ _ , _ - , _

f De systemic sequences which resuhed from the analysis had a truncation limb of 5.E-10/yr. De  !

residual was 3.E-7/yr (0.80% of the CDF). De IPE took credit for various recovery activkles,  ;

including the recovery of offsite poww and repair of eq11pment. l f

De IPE data used for non-recovery of offsite power are lower (by a factor of 2) than the avwage

, industry data ched in an Electric Poww Research lastitute (EPRI)-oponsored study (NSAC 147).

2.1.2.2 Palet Esthmetas and Unsertainty/ Sensitivity Analyses l

Mean values were used for the point estimate of the data input. No uncertainty analysis was performed.

Linked sensitivity analyses were shown. Top event imponance analysis results were also shown. l 2.1.2.3 Use of Plant Spedric Data

. Plant specific data were collected from October 1,1986 through March 31, 1992 for Unit I and r September 1,1988 through March 31,1992 for Unit 2. - Dis 9.1 year data collection period at Byron  ;

represents all of the p; ant's operating experience, except for the first year ' break in' period for each unit.

Component history from both units was combined to arrive at the raw data used to derive the plant specific data used in the IPE. De licensee stated that there is no statistical difference in data between j the two units.

De following sources were utilized to arrive at the plant specific data: (leviation reports, licensee event  !'

repons (LERs), nuclear plant reliability data system (NPRDS), master out of service card log and mode change logs. ,

De licermee focused hs data gathering effort for plant specific data on relatively few types of components i deemed important by the licensee; the other components were assigned generic data from a variety of sources. De components which were assigned plant specific data were the diesel generators, the pumps  :

and the motor operated valves (MOVs), the RCFCs and the essential service water fans. De pump and  ;

the MOV data were gathered for each individual system, i.e., essential service water pumps were distinguished from the Si pumps, etc. His is a positive feature of the analysis, imwever offset by the relative paucity of plant specific types of components considered.

De plant specific data wwe calculated by dividing the number of failures by the number of demands or  !

hours of tunning time, if zero failures occuned a value of 1/2 was used for the number of failures. No Bayesian updating was used.

De treatment of the MDAFW and DDAFW pumps is not consistent with that of the other pumps. De licensee used generic data for failure to run, due to a limited exposure time and no failures experienced.

1-In response to the RAI about the treatment of the AFW pump data, the licenses reported the results of ,

a limited sensitivity analysis on Byron DDAFW pump data. De plant specific data of zero (i.e., !/2)'

failures in 191 hours0.00221 days <br />0.0531 hours <br />3.158069e-4 weeks <br />7.26755e-5 months <br /> (yleiding a run failure rate of 2.62E 3/ht) was input into the model and the analysis  ;

e rerun. De results showed a modest increase of 35 in the CDF. In addition, if both the DDAFW and .  !

. the MDAFW pumps are treated similarly to other pumpe, the CDF lacrease would be 85.

)

-17 .

l. i o  ;

L  !

-. - .- -_.--.- ---_._-_- - - - . . = . - - . . . -

Table 2 of thl review compares the failure das for selecsed components from the IPE to valum typically used in PRA and IPE studies, using the NUREG/CR 4550 data for comparison [NUREG/CR 4550, i Methodology). Note that the table contains both plant specific and generic (denoted by GNR) data that t the licensee used. ,

I

- Most data are in range of the NUREGICR 4550 data. Some pumps in the Table have a plant specific  :

run failure rate which is significandy higher than the NUREG/CR 4550 data. His is due to treatment  ;

of sero failures and limited number of demands or exposure time. 'the important components with significantly lower failure rates than the NUREG/CR 4550 data are some MOVs and the diesel driven  !

AFW pump failure to start, in response to an RAI the licensee did include the check valve failure to  ;

close in the modified IPE which had little e#ect on the CDF, but the units in which the data was -

presented appear to be incorrect. [

In addklon, the failure rate for the de (drawer two) circuit breaker spurious opening uses a value from 4 i

IEES-Std 500 whidi seems to be at abe low and of the range of data (3.E-8/hr was the value used). His may significantly impact the initiating event frequency for a loss of a de bus. .

De failure rate for the reactor protection system (leading to an ATWS) seems to be low compared to most other IPE: (2.8E4/ demand vs. about 3.E-5/ demand).

In conclusion, the licensee collected plant specific data for only a limited subset of components. The licensee distinguished between various types of pumps and MOVs in its plant specific data. As pointed ,

out above, a limited subset of failure data seems to have significantly lower values than expected, q Table 2 Comparison of Failure Data Component ByS 4550 DDAFW pump fall to start 5 lE 3 3.0E 2 .

fall to run (GNR) 8.0E-4 8.0E-4

MDAFW pump fall to start 1.8E-3 3.0E 3 fall to run (GNR) 1.0E-4 3.0E 5 Motor Driven Pump fall to start 1.E 3 to IE 2 3.0E 3

• i fall to run 6E4 to 2E-3 3.0E 5 Air Compressor (GNR) fall to start not shown 8,0E 2 -

fall to run 5.0E-5 2.0E 1 l

Battery Charger Failure during operation (GNR) 6.0E-7 1.0E4 l

l8 4 l

• j Component ByS 4550 Battery failure (GNR) l' fall on danand not shown -

fait during op. 2.0E4 1.E4 Circuit Breaker (> =480V)(GNR)

- fall to ranain closed spur open 1.0E4 1.0E4 l fall to transfer 3.0E 3 3.0E 3 l

AC Bus Fault (GNR) 3.0E-8 1.0E 7 during operation  ;

1 Check Valve (GNR) fall to open not shown 1.0E 4 fall to close 1.0E-3 1.0E 3 MOV Fall on Danand 1.5E-4 to 4.0E-3 3.0E-3 Pressurizer PORY GNR fall to open 2.0E-3 2.0E 3 fail to close 2.0E 3 2.0E 3 Fan (essential cooling water) fall te start 1.4E 3 3.0E-4' t fall to run 1.0E 5 1.0E 5' '

Emergency Diesel Generator i fall to start 9. lE-3 3.0E 2 fall to run 3.0E-3 2.0E 3 Notest (1) 45W are mean values taken from NULEG/CP 4550, i.e. from the NUREG Il50 study of five U.S. auclear power plants. ,

(2) Demand failures are probabilities per demand. Failures to run or operate are frequencies expressed in number of failures per hour.

ONR scaeric data used for this component.

HVAC fan failure rates shown 2 2 2.4 Use of Generic Datn

'Ihe sources for the generic data were NUREG/CR 2815, and NUREG/CR 4550, for the most part.

'Ihese were supplemented by IEEE Std 5001984, WCAP 10271 (a proprietary Westinghouse report on survell!ance frequencies and out of service times for the reactor protection lastrumentation system),

NUREG/CR 2728 (the IREP procedures guide) and WASH 1400.

I Section 2.2.2.3 above discusses the use of generic data for important components.

l

-19 i - - . _. - . . . - . ;.. = - _ - _ - - . -. . - -

1 3.1.2.3 C m- Cause Quantifiention Most types of redundant components generally associated with common cause failures were examined to address potential common cause failures. De approach used was the multiple greek laster approach ,

(MOL). De # and (if applicable) the y and the 4 factors are reponed in the submittal. De methodology I followed that described in NUREG/CR 4780 (' Procedure for Treating Common Cause Failures in Safety and Reliability Studia'). i l

De categories of components included in the conunon cause analysis are: large ac circok breakws, i reactor trip breakers, diesel generators, containment spray pumps, residual heat removal pump, othw r pumps, check valves, MOVs, HVAC chillers, HVAC fans and the 'aywage" category. De ' average' category includes: air compressors, AOVs, HOVs and manually operated valves, electrical / electronic ,

components (e.g., comparators, lead / lag amplifiers, battery chargws, limit switches, laveners, relays, i swisses, maalmi cam timers, power transionnors, circuit breakers (other than large ac breakers), fan  !

. coolers, best endangers, strainer filters. -

l De list is fairly complete. Dere seem to be no common cause failures modeled for batteries, and l between the DDAFW and MDAFW pumps, or between the PORY valves.

De licensee tailored the generic common cause data to its plant specific conditions, disallowing failure i mesanisms based on maintenance practices and hardware fixes. Dis tends to mask the uncertainty in  :

the state of knowledge of these failures. For example, there could be as yet undiscovered failure i mechanisms, or unintended new failure mechanisms introduced by the maintenance procedures. 7 De modified IPE has different # factors than the original IPE: the # factors which were below 0.01 were l increased to 0.01, thus establishing a floor for # factors. The licensee also did some sensitivity analyses:

establishing the floor on the $ facsors had a negligible impact on the CDF (1 %). Increasing all # factors .

In the modified IPE by a factor of 10 raised the total CDF by a factor of 1.7 (from 4.0E 5/yr to 6.9E-5/yr), w

- A comparison of # factors for 2 out of 2 systems in the submittal vs. those suggested in NUREG/CR-4550 or the ALWR requirements document (number in parentheses), to which the licensee compared their }

data values in the submittal, i.e., ' reference # factor" la presented in Table 3.

• Table 3 shows that the CCF factors used in the IPE are generally lower, and in some cases much lower (order of magnitude) than the ones recommended in NUREG/CR 4550 or the EPRI ALWR requirements ,

document. However, they are generally wkhin range, the licerisee studied common cause failures at their l plant and developed a rationale for these values, and they have also performed a sensitivity analysis. '

Derefore, the conclusion is that the licensee has complied to a limited extent with the accepted way of modeling these types of failures, i u

i 5

20 s

f-+. . [E~, , .,.[,,;.m_mm_,,-_,

i

'. l i-Table 3 Comparison of Common-Cause Failure Factors i

Reference # ,

Camponent Bys Ji facter factor  ;

NRC (EPRI)  !

Large ac breaker 0.039 (0.10)

Reactor trip breaker 0.041 (0.10)

HVAC fans 0.01 (0.10) [

CS pumps 0.062 0.11 (0.067)

RH pumps 0.01 0.15 (0.14) other pumps 0.01 .03 4.21 .

(0.14) ,

MOV 0.011 0.088 (0.05) ,

check valves 0.01 (0.18)

Average 0.011 (0.10)

Dimel Generator 0.01 0.038 (0.073) 2.2.2.6 Imidating Event Fr:;M=

A mixture of pneric data, plant specific data and plant specific analyses was used to derive the initiating event frequencies.

The frequency of general transients is derived from Byron experience within the data window for collection of plant specific data.

De frequencies for single and dual unit loss of essential service water, loss of CCW, loss of de bus 111, losses of ac buses 141 and 142, ISLOCA and flooding initiators were determined based on plant specific analysm, including fault tree analyses.

- For calculation of frequency of losses of component coollrig water and dual unit losses of essential service water, the licenses considered ploing ruptures as a contributing (and the dominant) cause of the initiator.

De licensee used and adapted the piping rupture data from EPRI TR-102266 for the 'PWR Other Systems' category based on the pipe size groups. His was done as part of the analysis for the modified IPE. ,

• ~

Ruptures in the essential service water system effectively make such failures dual unit initiators from the standpoint of the aNacted unit, as no cross connection would be attempted in such a condition due to the diversion through the break, Credit is given for the operators to isolate the break, with a median time 21 L

i L

L

of isolation given as 30 minutes in ordw to calculate the HEPs. However, for break slees needing isolmion in las than 30 minutes, no credit is given (HEPal.0). Two new dual imit initiators of signl6 cant impam were uncovwed by this pipe rupture analysls in the modified IPE: one was a flooding event of all 4 SX pump rooms, the otner a draindown of the cooling tower basins. Neither of these two initiators is shown in Table 4 below. More discussion of the SX mptures is offered in the flooding susion of this TER (2.2.4).- ,

l De following initiators had frequencia developed based on generic data: De loss of lastrument air I frequency was determined by a review of ladustry operating experience. De SGTR frequency was developed from U.S. and international Westinghouse PWR experience. De fregnancy of secondary side ,

breaks was calculated based upon opersing expulence at W=*1=peWigned PWRs. De generic j data bases were consulted for the period January 1,1984 through Marc 6 31,1992.

For losses of offske power (dual and single unit), methodology and site-specific data NUREG 1032 l r

were used for grid relmed, weather relmed and extrane weather reized losses of offsite power. De plant centered losses were calculated from genwie data presental in NSAC-147,166 and 182 for loss of .

offsite poww at dual unit sites.

I De large and medium LOCA frequencies were taken from WASH 1400. De small LOCA frequency includes small pipe breaks, reseming failures of pressurizer PORVs or SRVs and RCP seal failures. De i small pipe break frequency is taken from WASH 1400. De pressurizer PORV and SPV challenge  !'

probabilities were calculated based upon the challenge rate for these components for anticipated transient t

casesories developed for Westinghouse nuclear steam supply systun plants in response to NUREG 0737 and Byron specific anticipatal transient NUREG categories. De reactor coolant pump seal fe"ure frequency was based on data for U.S. Westinghouse PWRs. j De initiating event frequencies used in the IPE are shown in Table 4 -

De initiating event treguencies seem reasor:ble and are comparable to other PRA studies, with possible  ;

exceptions in the case of loss of instrument air, loss of a de bus (see section 2.2.2.3), and small LOCAs.

h is not expected that this will have a large effect on the resu!ts, but in case of some initiators the effect may be measurable (i.e., a 10-20% effect on the CDF).

2.2.3 Interface lasues 2.2.3.1 Front.End and Back-End laserfaces  ;

Failure of core cooling recirculation due to failure of containment heat removal is not modeled. De licanam used probabilistic arguments to remove this issue from consideration. Dere'is ample diversity and redundancy in the containment heat removal systems (2 CS pumps, 4 RCFC units). De dominant failure mode of the RCFCs is a loss of the essential service water (SX) according to the liraata*. His would also disable the core cooling recirmistion, as the RHR heat exchangers are cooled by CCW, which

• ls in turn cooled by SX Dis type of argument still does not totally address the issue, and the licensee  :

~ "

seems to have missed the opportunity to obtain insight on the impact of this failure.

- De RCFCs are needed to control the containment atmosphere within the PORV qualification limits.

4

'1 22

~E...... --.-m.w. _...,m, -, .. . ...,,,,__..r.~, .__.%, ,,___m_.s..-, -..r, , , _ , -- E-e , m--,.-.r..,e

RCFCs are credited with providing cool recirculation water, in addition to providing containment heat i

• l removal, i.e., successful operation of this system obviates the need to align the RHR heat exchangers for CCW cooling. The RCFCs promote mixing of the containment atmosphere, as well as condensing the steam, such that the sump water is maintained at a reasonable temperature.

Further insights into the Level 2 analysis, are presented in Section 2.4 2.2.3.2 Human Factors Interfaces insights into the buman reliability modeling are presented in Section 2.3. l l

Table 4 Initiating Event Frequendes for Byron IPE I Initiating Evat Frequmcy (/yr)

Large LOCA 3.00E-4 Med!um LOCA 8.00E-4 Small LOCA 6.10E-3 SGTR 1.10E 2 ISLOCA 1.01E 7 General transient 2.20 Steamline breaks upstream of MSIVs or feedline breaks downstream of 3.60E 3 FWIVs Steamline breaks downstream of the MSIVs or feedline breaks upstream of 3.60E 3 FWlVs ,

single unit LOOP 3.22E 2 dual unit LOOP 1.21E 2 singe unit loss of essential service water 4.64E 4 dual unit loss of essential servlee water 9.59E-6 loss of CCW 5.62E 5 loss of 125V de bus til 5.05E-4 ,

loss of instrument air 4.30E-4 loss of 4kV ac bus 141 3.55E 4 loss of 4kV ac bus 142 3.55E-4 flood in zone 8.31 1.30E-4 flood in zone 11.60 1.89E-5 23

2.2,4 laterisal Flooding 2.2.4.I lasermal modise Mesteddesy ne snethodology used to perform the flooding analysis consisted of four major steps:

1) Collection of pertinent information; 4

2) Plant wdkdown; .

i

3) - Qualitative analysis to eliminate flood areas;

4) Quantification ofimportant flood scenarios. J Y

De four steps follow the standard flooding analysis methodology. j Flooding scenarios v.hich require a manual abutdown after a time period longer thAn two hour ,

considered controlled shutdowns and wwe screened from the analysis, i ne flooding scenario frequency incl)ded considersion of detection and isolation of the flood, but few

details wwe provided.  ;

At least one senario was screened because the flooding would not damage the critical equipment for at  :

l

leam 30 minutes, implying the there is a low probability of operator failure to detect and isolate ti e flood '

within that time pwlod. However, in response to an RAI, it is stated that ' operator amion to mitigate the impact of a flood is incorporated in several procedures (e.g., B/BwOA PRl4), but was conservatively i nor credited in the initial analysis *, which seems to contradict the above in the IPE modification '

modeling SX piping ruptures, a lognormal distribution for the isolation HEP is developed. His l' distribution has a median isolation tirne of 30 minutes, and a cutoff of 30 minutes (i.e., no isolation is a allowed in less than 30 minutes). .

1-From the information received it appears that the other HEPs, associated with the general transient PRT used for quantification of the flooding scenarios, were not modified to account for flood specific concerns.

Spraying and flooding were both considered as mechanisms for equipment damage, any mitigating measures were also considered (e.g., equipment raised off the floor, anti-spray shields). De doors were assumed to be in their normal position. Flood propagation is considered, including back propagation through drains, ventilation ducts, etc. Based on the information teceived it seems that leakage through doors and drain blockage was not considered, though a statement is made that most general operating >

f!oors of the various buildings have open stairwells and large floor openings and/or gridworks to permit equipment transfer between levels. In the detailed analysis, minimum water levels to a rAuce equipment damage were considered in the flood propagation mones. As a general guideline, watw apray from a pipe -

was annumed to affiam components v%in a 10 foot radius and in line of sight from the pipe. Engineering judgement was used when appropr*mte to extend this range of effect due to other factors such as higher pressure systems, elevated spray sources that could aplash, and cable trays or other items that could redirect the water flow and/or cause waterfall effects at extended distances from the break; a

Credit is given to rigid and durable insulation around some pipes in the plant, it is assumed this insulation would contain the spray from a pipe break, such that only flooding and dripping from the .;

24 ir

,,, . . . ~ _ , , ~ + + . . . _ . . . , . . . _ - . _ _ . _ -..m, _ . . ._ , . _, ... ,m .,,..e, . . . . _ . , ,,,,,..mm._,___ . . _ , , - ~ - . ..m.,, .._m

i seems was considered. Pipes whid are normally free of liquid during normal operation (e.g., uncharged Are lines) were not considwed credible water sources, j Fire protection system piping ruptures, as well as the SX and CCW piping ruptures were considered in i

the modified IPE. A flooding scenario was discovwed related to SX pipe ruptures which would disable all 4 SX pumps by water propagation through a ventilation duct, leading to a dual unit loss of service i water and (according to the snodel) directly to dual unit core damage. Dis scenario has a frequency of about 1.2E 5/yr. A hardware modification prevening overflow of the ,malliary building Soor drain sump  ;

into the SX rooms is currently being considered by the licensee but details wwe not provided, (the modification has not been implemented as of the date of the modified IPE). De modified IPE takes credit for this improvement, thus eliminating this scenario frcm the list of surviving flooding scenarios.

Another 'Gooding* scenario related to SX pipe ruptures would also have a subanaaetal CDP impact, and was also eliminated by crediting a not yet implemented modification. His is really a diversion of water  :

from the coods toww basins, in escens of the makeup capability, again causing a dual unit loss of ,

essential serv!4 watw and dual unit core damage. Procedural changes are being considered, such as ciosing the cross connect valves, stopping the SX pumps, extending the draindown time, etc. Assuming ,

a screening probability of failure of 0.1 of such modifications to stem the loss of SX inventory, and assuming the other flood proofing modification (for the SX pump rooms, discussed above) already in place, lowns the initiating event frequency, and the core damage frequency, byg .5E 5/yr. ,

With these two modifications assumed in place, the residual frequency for dual unit loss of essential service water is reported in Table 4.

Dere is not much discussion about pipe whip and steam impingement, other than a statement that  ;

impingement from pipe breaks was considwed. In response to an RA1, the licensee stated that maintenance induced floods were not judged to be a concern after reviewing the data base of maintenance events for the modified HRA (which does not seem to answer the question about the maintenance induced floods).

Surviving flood scenarios were quantified using internal events event trees (or plant response trees).

Only two flood scenarios survived the screening procus.

In conclusion, it seems the flooding analysis was a credible effort, with some simplifying assumptions and some questions as to the modeling of operator actions.

2.2.4.2 Intemal meding Resuhs De total CDF from flooding is calculated to be 3.5E-9/yr. - His includes the two unscreened scenarios, and not the two scenarios which are currently undwgoing consideration for a fix, ne two unscreened '

Aooding scenarios result from pipe breaks spraying water on equipment which is not qualified for spray operation and is not shielded.

De scenario in zone 3.31, grade level of turbine building would disable two of the three lastrument air couipressors, with a frequency of 1.30E 4/yr, leading to a core damage frequency of 1.5E-9/yr.

P 25

,-ns-,rr-1-,+w-w--r-em-w+ ,e e -"6e , .~nr e erw--%- o,. m,-r m o w w r-.,- m-,-,-ww.r--ee.,,., wwe.,- e,--- , w,-- -,

, ,-. . %,+ a -

-l De scenario in mone i1.64, elevadon 426' in the ausiliary building, would lead to a loss of MCCs 131, l 112 and 134, wkh a frequency of 1.89E 5/yr and s core damage frequency of 2.0E 9/yr.  !

l No estimate of the residual from the e eened scenarios is given.

i 2.2.5 Core Dominge Sequemee Remsks j 2.2.5.1 h=1===# core Dunese 8 t-De f gults of the IPE analysis are in the form of systemic sequences, therefore NUREG 1335 screening 'f

- critee.a fr.r reporting of such seguences are used. De laternal core damage frequencyhas a po int endow f 4.0E-5/yr. Accident types and initiating events that contributed most, to the CDF, and their percent tuntribution, are listed in Tables 5 and 6. .

De submies: lists 100 dorninsa sequences, wkh almost no discussion. De 10 most important sequency [

are sununarised below in Table 7 ,

De loss of offsite power contributes 19% or 7.6E4/yr to the total CDF. His is mostly due to the 580  !

i conditions (16% of the total CDF). De RCP seal LOCA cr,atribution is 2.3E 5/yr or 68%, from all inklators. De ATWS contribution is 0.5%, or 8.9E-7/yr. His is lower than at most PWRs due to a I now probability of RPS failure and ATWS sucosas wineria. De SG11t contribution is 5%. De 15LOCA  :

i contrRation is 0.2%. De flooding does not centribute significantly due to credited plant improvements

~which are under considwation. ]

E 4 De dual loss of service water is a dominant initiator due to the SX dependency of RCP seals, as well as a dependency of all the high pressure pumps. De loss of CCW initiator has a very high conditional core damage probshility, due to an assumed failure of the operator to switch the operating charging pump to a cool water source (necessary possibly due to a loss of letdown heat removal). His leads to an RCP seal LOCA with guaranteed failure of one train of HPl/HPR (no credit given to SI pumps for this .

function in non-LOCA ini'inted events). l De SGilt contribution of 5.4% involves a fair amount of credited ucident management strategies. For example, as seen in the dominant SGTR sequence, operators are credited with correcting an initial operator error. RWST refill also helps reduce this contribution. An example of credit for a SAM aequence can be seen in the second LOCA sequence in Table 7 (8th sequence from the top). Hwe, the

- operator is given about an 84% chance of recovering or repairing failed egulpment, due to long time scales, i

~ ..

Except for the high contribution of the SX losses, the risk profile is not atypical of a PWR.

De following are CDF contribudons (Fussell Weely) of the most importar.t systems (and do not include .;

high level operator actions associated with such systems): i

- essential service water,- 55%;

. - centrifugal charging pumps,14%; 9

- equipment for SX crons41e,14%;  !

- auxiliary foodwater,11%

t 26

- , ' - - _ _-.,' ..i,.,nw~ ,. ..._-_.-.n.s ... . ..~ ___ _ _.-a., - , , , , , . . , , n .,l l'..-.,.nn__,..- . , . , , . . - - a,-- -,,, ni

_ _ - _ _ . . . . . . _ _ , _ _ . . _ . _ _ . _ - ....__.___m__.__..___._. _ _ _

)

)

1

$ - 4160V bus 142,11 %;- '

- 4160V bus 141,:10%; =

- RCFCs, 9% *

- LPI, 851

]

De rist ymfile and risk contributor at Byron are somewhat different than those at Brr.'lwood. a Dis  ;

seems to be due to difference in dva, particularly initiating ovent frequencies, plant specific failure rates .

and operator errors.

Por sunple. the dual unit loss of service water due to pipe ruptures has a significantly higher frequincy  !

of occurrence at Byron.-

Sin 0larly, the single unit loss of essential service water plays a much more prominent role at Byron than I at Braidwood. Als is due to an order of magnitude higher failure probability of event SXX (aanantial '

servios water cross <:ennect hardware), at Byron.- A review of plant specific MOV data for the masametal

, service water system at the two plants reveals a failure to open rate of 4.0E-3/ demand for Byron and i

3.2E 4/ demand for Braidwood, De operator failure rato to cross connect is also higher at Byron (1.3E-3 vs. 5.0E-4).

As another example, the 4 kV buses are significantly more important at Braidwood, partly because the plant specific EDG failure rates are higher.

Table 5 Accident Types and Their Contribution to the CDF"

, initiating Event Group Contribution to CDF (/yr)  %-

less of support system 1.88E-5 47

+

LOCA 1.07E 5 26 IAss of offsite power 7.57E-6 19 SGTR 2.16E-6 5.4 General transient 7.41E-7 1.8 Secondary side breaks 3.78E-7 1.0 ,

laternal flood '3.5E-9 0.01 (Station blackout) (6.32E 6) (16)-

. (A*IWS)1 (1.9E-7) (0.5)

- (ISLOCA) (1.01E-7) (0.2)

TOTAL CDF : - 4.00E-5 100.0

' " Categories in parentheses (e.g., station blackout) are not separate initiator types but are included in other c.tegories (e.g., SBO is included under LOOP and transient).

27 r

...2.4.

Table 6 Initiating Events and Thdr Contribution to the CDF I'""*7 " " I""  %

Initiating Event to CDF (/yr)

(/yr)

Dual unit loss of essential service water 9.59E4 9.59E4 23.73 Single unit loss of essential service water 4.64E 4 6.08E4 15.05 Small LO',A 6.10E-3 5.13E4 12.69 Singir unit loss of offslie power 3.22E 2 4.09E4 10.12 Dual unit loss of offsite power 1.21E-2 3.48E4 8.62 Large LOCA 3.00E-4 2.74E4 6.78 Medium LOCA E.00E-4 2.70E4 6.69 SGTR 1.10E 2 2.16E4 5.35 Loss of CCW 5.62E-5 1.74E4 4.30 A

Loss of 125V de bus til 5.05E-4 1.40E4 3.47 General transient 2.20 7.41E-7 1.83 Feedline break inside containment 1.80E-3 1.36E-7 0.34 ISLOCA 1.01E-7 1.01E-7 0.25 Feedline break outside containment 1.80E-3 1.00E-7 0.25 Steamline break .'nside containment 1.80E 3 7.13E-8 0.18 Steamline break outside containment 1.80E-3 7.12E-8 0.18 l Loss of a single ac bus 141 3.55E-4 4.08E-8 0.10 l Loss of a single ac bus 142 3.55E-4 2,36E-8 0.06 Loss of instrument alt 4.30E-4 5.14E-9 0.01 Internal flooding, zone 11.6-0 1.89E-5 2.32E-9 0.01 Internal flooding, zone 8.3-1 1.30E-4 1.81E-9 0.00 '

4 l

28 l

Table 7 Dominant Core Damage Sequences Dominant Subsequent Failurm in  % of Initiating Event Sequence CDF Dual unit loss of essential service water all the injection systems fall; RCP seal 18.9 LOCA Single unit loss of essentia! service SX cross-connect falls due to hardware 10.7 water failure; all injection systems fall; RCP seal LOCA Large LOCA _ failure of accumulator injection 5.7 Medium LOCA failure to cooldown'depreseurize with 4.3 steam genera *. ors; operator error in establishing high pressure reeltculation Loss of CCW guararse.xl operator failure to align 4.0 charging pump to RWST; failure of charging pump due to high temperature; independent failure of the other charging pump or associated RHR in recirculation Small LOCA failure of LPI in recirculation 3.9 same as sequence I, except have a large 3.5 l Dual unit loss of essential service water consequential small LOCA (> 21 i gpm/RCP)

Small LOCA failure of normal RHR, failure of 3.5 switchover to LPR (given failure of equipment used for normal RHR), failure of recovery of equipment lingle unit LOOP independent failure of essential service 2.8 water causing EDG failure and SBO as ,

well as a seal LOCA SGTR failure of cooldown/depressurization; 2.5 operator fails to discover failure of cooldown/depressurization 29 j l

. 2.3 Human Reliability Analysis Technical Review 2,3.1 Pte-Initiator Human Actions .

Errors in the performance of pre-initiator human actions (such as failure to restore or properly align equipment aAer testing or maintenance, or miscalibration of system logic instrumentation), may cause j components, trains, or entire systems to be unavailable on demand during an initiating event. De review  ;

of the human reliability analysis (HRA) portion of the IPE examines the licensee's HRA process to determine the extent to which pre-initiator human events.were considered, how' potential events were identified, the effectiveness of any quantitative and/or qualitative screening processes used, and the- a processes used to account for plant-specific performance shaping factors (PSPs), recovery factors, and 1 dependencies among multiple actions. i a  :

2.3.1.1 Types of Pre-Initiator Henan Actions Consideswd -

The Byron /Braidwood modified IPE considered both of the traditional types of pre-initiator human actions: failures to restore systems aAer test, maintenance, or sutveillance activities and instrument miscalibrations. However, only four restoration events and no miscalibration events were actually ,

modeled in the modified IPE. All other pre-initiators were screened (not modeled in the fault or event trees) on the basis of either a qualitative or quantitative analysis. Desails of the screening process are described below in sections 2.3.1.2 and 2.3.1.3.

2.3.1.2 Proesas for Identification and Selection of Pre-Initiator Hunan Actions he general approach W in the Byron /Braidwood modified IPE to address pre-initiator events was to perform a search of plant records to identify potential pre-initiator vulnerabilities. Records from 1992 - ,

1995 were reviewed to identify events involving personnel error, out-of-service (OOS) error

. (maintenance), testing error, or miscalibration error. De review in:luded licensee event reports (LERs),

nuclear operations notifications (NONs), which are Comed's mechanism for promptly reporting events ,

at one station that may have applicability at other stations, and problem identification forms (PIFs), which is Comed's method for documenting any discrepancy. One goal of the review was to identify any patterns in the different types of possible errors, e.g., OOS errors, or to identify specific errors with systems modeled in the modified IPE, in addition, procedures related to the different types of errors were examined to determine whether adequate independent verification, checking, testing, and/or control room indication of system misalignment existed. Dus, reviews of actual plant events and plant proadures were used to identify potential pre-initiator events, in addition, instrumentation used to initiate automatic actions and instruments used by operators in responding to initiating events were reviewed. De basis for the selection and inclusion of pre-initiator events in the modified IPE models is addressed in the

- next section. ,

l 2.3.1.3 Scrwening Process for PreInitiator Hunan Actions

- The Byron /Braidwood modified IPE documents and dic== error related events that were identified and also discusses the procedures related to performing maintenance, testing, and miscalibrations. The general .

conclusion of the analysis was that while errors do occur, they are rare, no " patterns were identified," ,

and "no vulnerabilities existed." For restorations aAer testing or maint_enance, it was argued that " many of the hundreds of surveillance procedures do not affect systems modeled in a PRA..., many tests _

i 30 1

. 1 l

. performed 'during refooling outages or other shutdown periods cannot cause m-power misalignments because other surveillances are required to prove system operabi'ity before returning to power operation:

. ..., some only invive visual inspection.... and others are performed without any re-alignment of system components fmm their at-power configuration." For the remaining (with only a few exceptions), it was rgued that " component misalignmeat would be indicated or annunciated in the control room..._or independent verificmion of component position ...is required by procedure." Events meeting these criteria ,

were screened out and therefore only a few restoration events were modeled in the modified IPE. ,

De above approach for qualitatively screening restoration events is commendable in one sense because of the level of analysis involved in examining plant specific informaion. Moreover, the screening criteria used are not unreasonable and are consistent with approaches taken by some other licensees. However, other licensees have modeled restoration faults that require independent verificat ion and because of other shortcomings in the restorsion process, some of these events have turned out to be rciatively impor: ant.

Dus, the failure to include such events must be considered a weakness of the Byron /Braidwood modified IPE, Two of the events that were modeled were associated with restoring the containment spray pumps and the other two were for reopening the "RH heat exchanger inlet isoladon valve" after testing. De associated procedures apparently did not have the adequate check-offs or the independent verification needed to be screened out. While several other events were actually quantified "using the current procedures," the resulting HEPs ranged from 1.4E 5 to 5.5E-8 and were considered negligible compared to the failure to start or run data. Events not modeled due to negligible failure contributions included ESFAS slave relay restoration for containment spray and safety injection and restoration of the charging pump manual discharge valve.

Assuming the events that were screened out due to negligible failure contributhns were quantified appropriately, the screening approach is not unreasonable. Moreover, the HEPs for the four restoration events that were modeled appeared reasonable (5.lE 3 to 1.8E-3) given the absence of appropriate check-offs. However, it was impossible to clearly assess the adequacy of the quantification technique used to quantify these events (and those dismissed as having negligible contributions) because the quantification process was not explained in either the original or modified Byron IPE. In response to an NRC RAI, the licensee indicated that THERP was used to quantify the pre initiators. Nevertheless, while the values

> are not obviously unreasonable and the licensee appears to have considered relevant factors, the lack of a clear description of the quantification technique b t weakness of t% modified IPE.

hrning to pre initiator miscalibration events, the hcensee made several arguments that served as the basis for not modeling any miscalibration events in their modified IPE. First, it was argued that "the potential for instrument miscalibration at Byron anx! Braidwood is minimized by the practice that multiple channels of plant instrumentation measuring a para.uer are not worked on in the same day by the same instrument

! technician using the same test equipment." In addition, " calibration results are reviewed to compare the

! recorded "as found" value with the "as left"_ valoe to identify discrepancies, and for parameters with

- more than one channel, miscalibration would be identified at the end of the calibration activity by a simple " channel check - comparing the meter reading of the just calibrated channel to an adjacent meter indicating the same parameter." Furthermore, it was argued that indications used by operators are nonnally "available from multiple channels and/or diverse instrumentation or alarms which are normally active and in constant use_such that a miscalibrated instrument would be readily identified and/or compensated for by a diverse indication."

31

L L ,,

4

- While the above arguments are not unreasonable, as noted regarding the restoration faults, other licensees 1- . have modeled such events and in some instances found thera to be important. Moreover, while failures la these types of actions may be rare, the step by step examination of procedures required during J quantification may have identified some shortcomings. hus, while it may or may not be true_that _

operators would be able to cope with discrepancies between lastruments, the identification of some potentially imponant pre-initiator events may have been precluded. Dus,_the licensee's approach to ,

~

miscalibration events is considered a minor weakness of the modified IPE.

The licensee did anempt to determine "whether miscalibration might have a noticeable effect on the fault tree failure probabilities." Dey noted that "in general, the instrumentation basic events were either not -

found in any of the fault tree cutsats above the cutoff of IE-12, or were in only a few cutsets that did not contribute significantly to the fault tree failure probability. It is not clear, however, how this review -

accounts for the potential impact of miscalibrations. It remains possible that such cutsats might have ,

become important if miscalibration errors (panicularly common cause) had been included.

2.3.1.4 Quantification of Pre-laitiator Human Actions As discussed above, while some pre-Initiator restoration faults were quantified and some of those were

~ included in the modified IPE rrodels, a description of the quantification approach was not provided.

2.3.2 Post-Initiator Human Actions Post-initiator human actions are those required in response to initiating events or related system failures.

. Although differen' labels are often applied, there are two important types of post-initiator human actions that are usually andressed in PRAs: response actions and recovery actions. Response actions are generally distinguished from recovery actions in that response actions are usually explicitly directed by emergency operating procedures (EOPs). Alternatively, recovery actions are usually performed in order to recover a speelfic system in time to prevent undesired consequences. Recovery actions may entail going beyond

- EOP directives and using systems in relatively unusual ways. Credit for recovery actions is normally not taken unless at least some procedural guidance is available.

De review of the human reliability analysis (HRA) portion of the modified IPE determines the types of post initiator human actions considered by the licensee and evaluates the processes used to identify and select, screen, and quantify the post-initiator actions. He licensees treatment of operator action timing, dependencies among human actions, consideration of accident context, and consideration of plant-specific PSFs is also examined.

2.3.2.1 Types of Post Initiator Human Actions Considend De Byron /Braidwood modified IPE addressed both response and recovery type post-initiator hunca actions. De revised submittal and the licensee's response to the NRC's RAI provided a definition of J tmponse type human actions (referred to as type CP actions) that was generally consistert with that-described above. One slight difference was that the Byron /Braidwood function restoratica procedures (FRPs) direct recovery of lost functions and this may include attempting to align alternate systems. Rese _

recoveries are obviously proceduralized and were reasonably treated as response actions in the IPE. In addition, at least one nontroceduralized action was modeled as a response type action (stopping the residual heat removal pumps in degraded power non-LOCA events). A description of the quartification of this event (OSP-2). provided a reasonable explanation.

32

1 he recovery type actions modeled in tia Byron /Braidwood modified IPE included recoveries of failed

. equipment and five events involving crew discovery of previously failed human actions, such as discovery: .

of failure to feed and blood. Dese actions were developed for the modified IPEs as part of the Success '

L wkh Accident Management (SAM) endstate elimination analysis, ne goal was to use plant- procedure-based recoveries to lead SAM sequences with high frequencies of occurrenct to core success, Two other recovery amions modeled the lealatian of the ruptured service water ($X) pipe in "DLSX" sequences and included (applied to Byron only) isolating Train A of SX from Train B SX in "DLSX" sequences to s maintain one recoverable train before the SX cooling tower basins drain through the pipe rupture. i Recovery actions are discussed in more detail below in section 2.3.2.3.

De modified submittal signified that response type actions appeared in the plant response troer (PRTs) r and in the fault troer. Dus, they could occur at the event or fault tree level. Locovery actions were aot t included in the logic models and as noted above were applied in special analyses, e.g., the SAM endstate eliminaion process and the isolation of component cooling weer and service weer pipe break analyses.

2.3.2.2 Proass for Identification and Sal-*h of Post Initiator Human Actions De licensee's response to the RAI indicates that the important operator actions (OAs) had been identified and defined previously (in the original IPE) by the systems analysts in the development of the fault trees and PRTs. Procedural reviews were an important source of information for the identification of response type operator actions. Procedures reviewed included emergency response procedures (EOPs), 'lystem operating procedures, abnormal operating procedures, function restoration procedures, and emergency contingency actions, in addition, opera *.or talk-throughs (including the use of checklists) were used to

• review the solu:ted critical subtasks and to gather plant-specific factors for consideration 6 the HRA quantification." Most recovery actions were identified during the elimination of sequences with SAM g'

endstates. The others were identified by the systems analysts after initial quantification in order to recover component cooling weer and service water pipe breaks by isolating the break. Sequence timing, time available for the operator actions, and success criteria were considered in determining which actions ,

1 to include.-

2.3.2.3 Screening Process for Post Initiator Response Actions

- A screening analysis was not performed for response type post Initiator human actions modeled in the Byron IPE. In the original IPE, all OAs in the event and fault trees were given detailed analysis with I the goal of obtaining a realistic HRA. As is discussed below, the modified IF r.x;uantified important human actioas from the original HRA. '

i However, the recovery acsions modeled in the SAM endstate eliminar analysis involving new discovery  !

of previously failed human actions were assigned screening values of 0.1. In addition, the action (applied i I

to Byron only) to isolate Train A of SX from Train B SX in "DLSX" sequences to maintain one recoverable train before the SX cooling tower basins drain through a pipe rupture was also assigned a I

screening value of 0.1. Neither the basis for the assignment of *his value not a discussion of any revisions to the screening values were provided. - Apparently no revisions to the screening values were made.

2.3.2.4 C E "= of Phot Initiator Human Actions )

For the modified IPE, the PRT and fault tree post-initiator response type human actions with a risk  ;

achievement worth ((RAW), "using the original IPE model, enhanced quantification") greater than 2.5 - )

1 33 i

l l

I

and "those added as a result of danges to the PRTs and fault trees,* received a complete re-evaluation."-

la addition, PRTs that " contributed significantly to CDF in the orig

• mal IPE were identified" and the "OAs in thee trees, including the conditional probabilities, were evaluated on a sequence-specific basis . t to identify conditions of stress, dependency,; and availability of recovery opportunities and were j roquantified when necessary." Remaining HEPs were reviewed for reasonableness and "for selection of the appropriate'value for and brand of the PRTs." he PRT OAs "were also reviewed to identify those }'

actions which might be described as timecritical." Dat is, "those for which the estimated time to accomplish the action was greater than 25% of the estimated time available before some undesirable state was reached."

As described by the licensee, a thorough search was performed to identify human actions for re-L a quantification. Dirty-five human acsions were requantified for both Byron and Braidwood, with different

~

values obtained for the different plants in some lastances, in the original IPE the licensee argued that wkh only one exception (Byron's service water cooling tower) the two plants and.theiFprocedures were identical. - However, in the modified IPE, they noted that since 1994 some differences have developed and a few operator actions were requantified specific to the plant. -De modified submittal and the response to the RAI provide descriptions of HRA related differences and similarities between the plant, 4 e.g., procedures, shift staffing, control rooms, and procedure use.

L Most of the actions identified in the review were requantified using the EPRI Cause Based Decision Tree Methodology (CBDTM) from EPRI TR-100259, "An- Approach to the Analysis of Operator Actions in PRAs," June 1992 (a few special cases were quantified with the THERP Annunciator Response Model, NUREGICR-1278). The CBDTM uses a set of decision trees to model errors in the cognitive element of each action and recommends use of the THERP method to model tha failures to perform the task-execution portion of the action. The failure probability for the action is calculated as the sum of the cognitive and task-execution portions of the action, d

Dis method estimates failure probabilities for the cognitive elements based on an assessment of factors I such as data availability, attention failure, miscommunication and misreading of data, misleading E information, missing or misreading procedural steps, misinterpretation of instructions or decision logic, c and deliberate violations. Recovery factors, such as reviews by other crew members, including the shift te&nical advisor (STA), are allowed to reduce the error probabilities calcuented from the decision trees if there is sufficient time. De criterion of " sufficient time" depends on the particular recovery factor-for example, credit for review by the STA is not permitted unless there is at least 15 minutes from the initiating cues for the operator actions to be completed. In addition, in the modified IPE, credit for an emergency response facility (ERF) was not taken unless the OA took place greater than one hour into the sequence or the time available for the OA was greater than one hour. In contrast to the other EPRI HRA

, me: hods, the CBDTM does not otherwise directly incorporate measures of time in quantifying human error probabilities.

De likelihoods of failures in task execution were quantified using the THERP method, described in NUREG/CR-1278. De essence of the recovery approach for both phases of the action is that additional e

time allows additional control room cues or cues from reviewing procedures to become available, which in turn facilitates self-review and review by other crew members and technical advisors.

Compared with the method used in the original Byron IPE submittal, the combination of the CBDTM and THERP appears to provide a more realistic basis for assessing post-inHator human actions. At a i

l

1 .

y. . L minimum, the diagnosis phase is explicitly modeled (except for the events modeled with the THERP <l Annunciator Response Model that are discussed below) and relevant PSFs are considered. -

However, as noted in NRC Technical Evaluation Reports (TERs) for other IPEs, the CBDTM does not,-

-in itself, have a unique approach for analyzing time-critical l actions. Dat is, those actions where the ,

difference between the time available and the time required to perform the actions is short and the '

possbility exists for the operators to fall to accomplish the actions in time, are not evaluated directly as a ihnetion of time. Derefore, even widi the CBDTM, the pcwential exists for undereshhg HEPs for ,

- short-time frame events.- De licensee did indicate tha '.me pressure w;.s taken into account by lacreasing the stress factor (addrused within 'nlERP) in the evaluation of the basic HEP. De licensee's consideration and treatment of operator response time is discussed in more detail in the next section.

i Before proceeding, however, it was noted above that for a few events, the licensse argued that the "EPRI-CBDTM was inappropriate for estimating p ," (the diagnosis phase). De licensee noted that the operator response to loss of component cooling water and loss of service water are initiated by control board ,

p alarms, rather than reactor trip, and that operator actions are guided by alarm response procedures. For these cases the diagnosis phase of the action was quantified with the THERP Annunciator Response  :

Model, One of the events quantified in this way was the operator action to start the standby service water pump and open the se:vice water crosstle valves (OSX 1, crosstie Unit I to Unit 2 SX). De quantificsion of this event was provided in the response to the RAI and the resulting HEP for Byron was ,

1.3E-3 and for Braidwood was 5.0E 4, Assuming adequate time is available (and this event was not  :

Indicated as being time critical in the reponse to the RAI), the values are not obviously unreasonable and the method appeared to be applied .pywydetely, Fumly why the CBDTM was considered inappropriate for these events was not explained. The four other specific events quantified with this method were not mentioned, but were said to be related to loss of component cooling water and loss of service water sequences.

. 2.3.2.4.1 Estimates and Consideration of Operator iterponse ilme

. In the licensee's response to the RAI, a discussion was provided of events that might be considered time '

critical. Available time and estimated ~ performance times were presented for these events and the i- discussion focused on the promiural guidance provided for these actions. De apparent goal was to illustrate a reasonable expectation of operator success given the time available and procedural guidance.

A review of these actions, their timing, and the associated HEPs suggest that the assigned HEPs were 4 not obviously unreasonable. In the same licensee response to the RAI, differences in timing for similar i events as a function of context was also addressed. De tpparent goal was to illustrate that the differences in timing were not important for the identified events because of the relatively large amounts of time available. In any case, while the CBDTM is not ideal in its treatment of short-time frame events,

it appears that the licensee made a reasonable effort to try to ensure that potentially time critical events were not inappropriatdy quantified, i.e. a " sanity check" was apparently performed, m

he modified IPE and the response to the RAI note that opportunities for recovery are largely a function of time. Decefore, before applying the various recovery failure probabilities 8 ted above, the modified IPE states that sequence timing, time available for the OA, and performance time - were considered. His information was indicated as being documented in the IPE Plant Response Tree and Success Criteria Notebooks and was based on MAAP computer runs and operator and simulator personnel estimates.

[ .

When time was available, recovery credit for failure to diagnose (p.) was given for extra crew, shift .

change and ERF review,; with recovery values of 0.5,0.1 and 0.1, respectively. Credit (0.5) was also li 35 L

. given for recovery immediate action steps" (those performed from memory), when required procedure reading wow we as a check. In addition, if a procedure step involved a system or function '

-that was shared by the tw units, a recovery of 0.5 was applied due to the presence of the other unit's crew.

i Credit for recovery of response execution (p,) could be given for similar reasons, but was based on va lues from THERP. Recovery credit for actions outside the control room was considered only if lack of completion produced a compelling signal in the control room. While the approach used allows substantial credit for recovery, reviews of example calculations for important actions suggests that recovery credit was applied reasonably (particularly given the detailed application of THERP to the step by step ~

performance of procedurally driven actions).

2.3.2.4.2 Other Performance Shpping Faaors Considered Operator action interviews were conducted and checklists were used to assess critical aspects of the diagnosis and execution of an action. Factors evaluated included training on the simulator, adequacy of procedures, need for local actions, time available for local actions, feedback to the control room for local actions, stress level, potential non-recoverable actions, etc. Per the guidance provided in the CBDTM and in 'IHERP, the level of stress in given situanons was objectively factored into determining the HEPs.

Moreover, both errors of omission and errors of commission were modeled for response execution errors as diressed by THERP. De overall consideration of PSPs in the modified IPE represented an adequate consideration of plant-specific influences on human reliability. .

2.3.2.4.3 Consideration ofDependencies As discussed above, dependencies related to the impact of time on within crew performance was .

addressed in determining recovery credit for initially failed actions. Opportunities for recovery will l clearly be dependent on the amount of time remaining. In general, time dependence focuses on the fact I' that the time available for diagnosis is dependent on the total time available and the time needed to L

perform the action. While time dependencies for short4ime frame events are not explicitly addressed with

! the CBDTM, the licensee examined time critical events to assess the reasonableness of the HEPs given the available time, in addition, the licensee indi:sted that sequence related timing (the impact of available

time across a sequence) was considered in determining the time available for specific events (see item e below). Rus, time dependence appeared to be satisfactorily considered in the m3dified IPE.

Another type of dependence concerns the extent to which the failure probabilities of multiple human actions within a sequence are related. Dere are clearly cases where the context of the accident and the pattern of successes and failure can influence the probability of human error. Dus, in many cases it i

would clearly be inappropriate to assume that multiple human actions in a sequence or cut set would be independent. Furthermore, context effects should be examined even for single actions in a cut set. While the same basic action can be asked in a number of different sequences, different contexts can obviously '

lead to different likelihoods of success, Dependence among multiple human actions were tuoughtfully and thoroughly handled in the Byron IPE through use of the following guidelines: .

a. Two operator action failures separated in time by an essentially successful action were regarded as independent.

1 36 l

l

- . - - . - , - .~ . - . - - - - - . _ - . . . - . - - . . . _- .---. . _

b. 1The time available for _most operator actions varied from minutes _to hours. he degree of dependence between OAs varied according to the time between events. Events separated by less than 15 minutes were assumed'to be have high dependence, nose separated by less than 30 _

minutes but more than 15 were assumed moderately dependent and those separated by less than

~ 60' minutes but more than 30 were assumed to have low dependence. Events separated by more -

than an hour were assumed to be independent.

- c. Events initiated by the same cue and on a parallel success path were treated as having a common diagnosis element (p,).

d. Responses to memorized "immediate action" steps were assumed independent of actions later in the procedure and immediate action steps were assumed independent if performed by different crew members,

e. For cases where an OA failure significantly reduced the time window for a subsequent OA, high dependence would be assessed on the second OA.

f. For cases where an OA failure guaranteed failure of a subsequent OA, complete cependence would be assessed.

Once a judgment about the degree of dependence between events was made, the dependency formulae from NUREG/CR-1278 were used to determine the HEP value for a dependent event. De IPE also noted -

that the lower bound for single human actions was set at 1.0E-4.

Potential dependencies between events in the fault trees were also given a qualitative assessment and l documented in the response to the RAI. It was stated tLat no dependencies were identified.

The modified IPE submittal and the response to the RAI also indicated that context effects on single human actions were addressed. Different HEP values were calculated for similar events in different contexts.

2.3.2.4.4 Quantification ofRecomy Type Aalons As discussed above, the method used to quantify the recovery type actions was different from that used for the response type actions, Screening values were assigned to the recovery of previously failed actions and apparently were not revised. While the 0.1 value assigned was not unreasonable given the apparent long-time frame scenarios in which they ware applied, a discussion of the basis for the HEP would have been nelpful. Recoveries of failed equipment were based on mean time to repair values from WASH-1400 and obtained values were reasonable.

2.3.2,4.3 Hanan Aaions in the Flooding Analysis la the Byron IPE, the flooding scenarios examined apparently used whatever human actions were already contained in the models for transients and there was no evidence that the values were adjusted for the flooding context. .In addition, the licensees's response to the RAI indicated that operator actions to mitigate a flood were not credited.

l 37 l

l 1

l

.. _, . - - . . ~ _ . . . . . _ _ . - , . . _ e _ _ ,

- 2.3.2.4.6 Human Actions in she iswl 2 Analysis -

Operator actions were not modeled in the Level 2 analysis, d

2.3.2.5 haportant Hisman Actions The styron response to the NRC's RAI presents a list of the important " operator action nodes" as a function of their contribution to CDF. De top eight operator action top events for Byron in terms of their conenbution to CDF are presented in Table 8 along with the percent contribution to' CDF. %e licensee

" noted, however, that "in these lists all cases of each operator action are combined." For example, the OSX event includes OSX-1 [ HEP Byron = 1.3E-3] for LSX sequences as well as OSX-4 [ HEP = 1.0]

for DSLX sequences. As stated by the licensee, "thus, the operator action importance can be misleading since it includes cases of denned failure [ HEP = 1.0]." In addition, the top event report does not include '

events in the fault trees. _

Table 8 Byron Operator Action Top Events

" I*

Event Name Event i escription CDF OSX Restore SX Via Unit Crosstie 25.22 %

ODS RCS Cooldown/Depressurization 8.37 %

ORC Establish ECCS Recirculation 5.81 %

OAC Establish Cool Suction Source for Charging Pump 4.30 % ,

ORT Establish RWST Refill 3.95 %

ODS2 Recover ODS 2.54 % .

-OSP. l:e RH Pumps 2.21%

ORE Restore Essential Equipment 1.12 %

2.4 Back End Technical Review -

2.4.1 Containment Analysis / Characterization 2.4.1.1 Fmni end Back-end Pg '---12: -

Containment event trees (CETs), which are used in most of the IPEs for Level 2 analysis, are not developed in the Byron IPE. De tradition 4 core damage anslysis (i.e., Level 1) and containment. analysis (i.e., Level 2) portions of the Probabilistic Risk Assessment (PRA) are integrated through. the use of

~

" plant response trees" (PRTs) that depict the combinations of events that model the plant behavior from the initiating event to .n end state characterized by retention of fission products within the Totainment boundary or release of fission products to the environnent.

e 38

1 Since a single event tree (i.e., the PRT) is used for both Level 1 and Level 2, the development of plant damage _ states (PDSs) as interface for the Level 1 and Level 2 ans;yses_is not needed in the IPE. ,

However, grouping of core damage sequences to PDSs is performed.it is used to consolidate the large number of accident sequences into a small number of damage states such that all sequences within a particular damage state can be treated as a group for assessic; :,ccident progression, containment

- response, and fission product release.

Sequence groniping is discussed in Section 4.1.3.3 of the iPE submittal. De parameters used in the IPE '

for sequence grouping include:

1.- Accident initiator, .

2. Core melt uming, 3.- Functional failure,_

4 Containment status and fission product release. '

Accident initiators include transient,_ loss _of support functions (e.g., loss of amamatial service water, component cooling water or de power), loss of offsite power, loss of all ac power (station blackout,-

SBO), LOCAs, SGTR, ISLOCA, and secondary side breaks. De timing of core melt can be early (within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> of accident initiation), intermediate (2 to 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />), or late (6 to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />).

One parameter, the RCS pressure, which is considered in most other IPEs for PDS definition is not considered here. RCS pressure is not an important parameter in the Byron IPE because all containment challenga mechanisms associated with high pressure melt ejection (HPME), such as direct containment heating (DCH), are dismissed in the IPE as "unlikely" to cause containment failure.

Contributions to the total CDF from the PDSs with various accident initiators are: 39% from PDSs with sequences initiated by loss of essential ser" Ice water (ESW),15% from SBO sequences,13% from small LOCA sequences,7% from large LOCA sequenem,7% from medium LOCA sequences,5% from SGTR sequences, and 0.2% from ISLOCA sequences. We most probable PDS is XL6K (31% _ total CDF), a

- PDS of loss of ESW sequences with late core melt, loss of all ECCS injection, and a late containment failure with up to 0.1% of the volatiles released. His is followed by SX9S" (10% of total CDF), a PDS of small LOCA sequences, with failure of recirculation injection, and no containment failure; BL4A, a PDS of SBO sequences, with late core melt, high pressure injection failure, and no containment failure -

within the 48 hour5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> mission time used for Level 2 andysis; ar.d AE6S, a PDS of large LOCA sequences,

. with early core melt, loss of all ECCS injection, and no containment failure.

2.4.1.2 Contalament Event Tree Development

= As discussed above, a single PRT is used in the Byron IPE for both the Level 1 and Iavel 2 analyses.

De PRT, which is an event tree, is dcd,p.d and quantified for each initiating event. De PRT explicitly includes the analysis of containment systems normally assessed in the Level 2 analysis, and the enntainment condition is addressed in the PRT by the availability of these systems described in the success crkeria for containment integray. According to the success criteria, integrity is maintained if containment "De second character of this PDS designator, X, which indicates the core damage timing, is not defined in the IPE submittal (Table 4.1.3-2).

39

de pressure is less than 98 psig, the median failure pressure for the Byron containment. Based on plant- [

t specific MAAP analyses, containment integrity can be maintained by the operation of one of four RCFCs or one RHR hest exchanger (with associated recirculation train).

De quantification of the containment failure probabilities for Byron is based on plant-specifk MAAP analyses and phenomenological evaluations of the various failure modes, or mechanisms, identified in NUREG-1335. De evaluations are preented in Phr Agical Evaluation Summaries (PESs) which -  :

are not included in the IPE submittal". However, brief discussions of the evaluations and the results

'obtained from them are provided in the subicittal. l The containment failure modes that are addressed in the PESs include those associated with hydrogen m combustion, direct containment heating (DCH), steam explosions, molten core-concrete lateraction (MCCI), vessel blowdown, thermal loading on penetrations, containment isolation failure, containment bypass, and containment overpressurization by noncondensible gas generation, steam generation, or

-. hydrogen burn. According to the submittal, modeling and bounding calculations, based on extensively compiled experimental data, phenomanological uncertainties, and complemented with MAAP calculations in some cases, comprise the general approach taken in these esaluations. Based on these evaluations, all of the above containment failure modes, except for containment overpressure by steaming and/or noncondensible gas generation, containment isolation failure, and containment bypass, are considered as - >

"unlikely" failure modes and thus not included in failure quantification. De lack of consideration of these failure mechanisam in a structured way, such as can be provided by a CET, precludes a systematic twans to examine the relative (quantitative) importance of these failure modes (with the consideration of uncertainties) and the effeus of some romvery actions (e.g., depressurization) en these failure modes.

' Some of the items of interest ar3 the following:

Unlikely Ce%2nt Failure Modes d C* ament failure modes are discussed in Section 4.3.3 of the submittal. Although all important severe accident containment failure modes that are discussed in NUREG 1335 are addressed in the IPE J submittal, most of them are ignored and not evaluated in mntainment failure quantification. Dese include those associated with the following phenomena:

'l. Hydrogen combustion,-

2. Direct containment heating (DCH),

3. Steam explosions,

4. Molten core concrete interaction (MCCI),

5. Thermal attack of containment penetrations, and

. 6. Vessel thrust force.

Phenomenological evaluations were performed in the IPE for the above : phenomena. De Phenomenological Evaluation Summaries (PESs) investigated both the likelihood of occurrence and the probable consequences of these accident phenomena. De PESs were based on available experimental information from the open literature, as well as information developed using the Fauske & Associates,.

Inc. (FAI) experimental facilities.

' "Some are provided in the licensee's response to the RAI.

43 i

~

e,

< For the first two ' phenomena, hydrogen combustion and DCH, conservative estimate of containment presures were obtained and compared _with containment pressure capability to determine their effect on -

containment failure probability, he assessment of hydrogen deflagration assumed in-core hydrogen production imm 100 percent oxidulaa of all Zirconium and metallic constituents of the lower core plates, and burning of all_ available hydrogen inventory in the containment with no energy absorption by -

anmalannent equipment or structures. According to the response to the RAI, this resulted in a containment pressure rise of 62 psi from hydrogen combustion, and a total containment press are less than the median containment failure pressure". For DCH, the containment pressure estimated in the PES is 81 psia if-it is combined with a hydrogen burn, and 52 psia if there is no hydrogen burn. De DCH modeling methodology used in the PES included consideration of the debris mass that could pan ==lally be b particulated in the reactor cavity and the instrumental tunnel, and the fraction of entrained (particulate) debris that couhl escape the reactor cavity and disperse to the containment atmosphere. According to the PES only 15% of entrained core debris was expected to be dispersed to the lower compartment of the containment.

The potential of deflagration-to detonation transition (DDT) was also evaluated in the PES. De DDT potential wm estimated using an empirical technique that involves estimating detonation cell size for some

bourding containment conditions. According to the results, DDT in highly unlikely (to impossible) for any compartment within the Byron containment. For ex-vessel steam explosion, the potential for comalament ovespressurization due to both rapid steam generation or shock wavas were investigated and found unlikely to cause containment failure.

All of the above containment phenomena cause matainment pressure loads, and the dismissal of these phenomena is based primarily on a comparison of the containment pressure loads to the containment pressure capability, which is taken to be the median containment failure pressure (i.e.,50% containment failure probability). Even though the pressure load is less than the median failure pressure, there exists a finite, although small, failure probability if the containment fragility curve (as that presented in the IPE submittal) is considered. Dis issue is discussed in the licensee's response to the RAI (Level 2 Question 5). De licensee's response indicates that the conditional containment failure prob 6bility due to the above mechanisms (i.e., steam explosions, DCH, hydrogen deflagration, and hydrogen detonation) could be about 1% if the containment fragility curve, instead of the median containment failure pressure, is used in the comparison. This probability, according to the licensee, is based on bounding estimates of the effects of the above loading mechanisms on containment failure. Failure from these mechanisms could cause an early release of up to 10% of the volatiles released (According to the result of a MAAP calculation performed for a the sensitivity study).

Although the assessment of hydrogen combustion and DCH in the IPE seems reason 61e, and the estimated containment pressures obtained i>r these phenomena are described in the submittal as conservative (or bounding), they are less than that estimated for the worst case in NUREG 1150 for Zion.

For example, for the worst case, the pressure rise in the containment due to HPME for Zion has a mean "According to the PES attached with the licensee's response to the Level 2 RAI, the post-burn containment pressure based on adiabatic isochoric complete combustion (AICC) is 109 psia for the SBO sequence. His is less than, but very close to, the median containment failure pressure of 112.7 psia (9g psig), and, according to the fragility curve for Unit 2 (Figure c. 3-4), results in over 20%

- probability of containment failure (i.e., conditional failure probability).

41

.~

value of 105 psi, much higher than that obt ined in the PESs for Byron. His indicates the significant uncertainties associated with these phenomena.

Of the containment failure modes dismissed in the Byron IPE, MCCI may cause late containment failure.

Ex vessel debris coolability is not discussed as an issue in containment failure quantification. Rather, MCCI is evaluated in the PESs by a simple bounding analysis using empirical parameters determinod _

from esperimental data.- According to the PES, results of the bounding analysis indicate that molt-through of the containment basemat will not occur within the mission time of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />. .

Questkins were raised in the kAl regarding the depth of the core debris in the cavity and the effect of- a nonamiform spread of debris on debris coolability. According to the response, the depth of the debris in 4be reactor cavity is 25 cm if the entire initial core mass, the Zlicalloy mass, the lower core support plate, and 10% of the lower head mass were retained in the cavity and its sump. His depth of corium is treated in the IPE as coolable if there is an overlying water pool. According to the response, this assumption is based on experimental results which demonstrate the ability of water to rapidly quench molten debris and ingress into debris beds to maintain them coolable indefinitely. -

Dere is a sump in the Byron cavity which represents a particular case of non-uniform spread within the '_

cavity. According to the response to the RAI the " PES would provide a basis for assessing that non-uniform coricn spreading corresponding to the cavity sump configura:on would be coolable." However, "At some degree of non-aniformity of debris spread... core debris coolability would be diminished and localized concrete erosion would be expected to occur," but "No method was provided in the PES to dowmine how long such concrete erosion might be expected to occur before terminating due to dilution ,

of the corium with the eroded concrete." Although the sump area is more tusceptible to corium attack and is more likely to be penetrated by erosion from CCI, it does not seem to present a significant problem because of the small releases associated with melt-through.

IJkely Contatnment Failure Modes The following containment failure modes are considered in the IPE as likely failure modes and are included in containment failure quantification:

1. Containrnent overpressure,

2. Containment isolation failure, and

3. Containment bypass.

Containment overpressure failure is primarily due to containment pressurization from the generation of steam and non-condensable gases when containment baat removal is not anilable".

"Although the containment integrin success criteria require CHR for success, containment failure is not assured in the larA 2 analysis if CHR is not available. For example, CHR may not be available for the PDSs that are assigned in the IPE to Release Category A, a release category that has no containment failure within the 48 hour5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> mission time, but failure may occur without further mitigating action. .

42

l

'* si L # , '.

Tempermure-induced steam genermor creep rupture, which is considered in other IPEs,- is not considered j L

in the Byron PRTs or addressed in th6 PESs. However, it is discussed in the licensee's response to the RAI (I.evel 2 Question 1). According to the response, ISGTR is not addressed because it is believed that J"

. the primary system loop seals will not clear and the hot leg and pressurizer surge line, which are expected -

to fall before the steam generator tubes, are not likely to reach the temperature levels required for rapid  ;

aosp rupture following core damage. Although temperature-induced hot leg failure is not considered in

the IPE base case, k is investigated in the sensitivity study. On the other hand, induced EGTR is not .  ;

included in the sensitivity study. -

It is also stated in the response that, if the loop seals had cleared, for example by the restart of the RCPs

' per the EOPs, a higher gas temperature throughout the primary system would occur and temperature-

. Weced fauuru of a steam genermor tube would become likely (although the hot leg and pressurizer surge -

noe would remain more likely to fau ikst). Although no detailed probabuistic treatment of this issue was -  ;

L performed during the preparation of the IPE,'an event tree structure was developed in th licensee's

. response to the RAI to estimate the probabilities of temperature induced RCS fauure. De event tree attempted to decompose the p r-- m-iogical issues important to temperature-induced failures. Using .

subjective probabuky values for the issues, the probability of high-temperature induced hot leg or surge line fauure was estimated to be 35% and the probability of induced SGTR was estimated to te; 18%. They were 40% and 24%, respectivaly, if the toerator restarts the RCPs. Dese numbers are based on the assignment of the probability values for the various issues based on an analyst's judgment which are more pessimistic than those used in NUREG-il50 for Zion. De probability ofISGTR used in the NUREG- 4 1150 analysis for Zion has a mean value of 1.8% for RCS at setpoint pressure.- Although the high probability values obtained from the event tree analysis provided in the RAI response lo not seem to justify the omission of this failure mode from IPE _quantification, further discussion is not provided in_

the response. Despite that these ptobability values are obtained based on an analyst's judgment and may

, be overly conservative, the licensee could have benefited from an examination of their implication for IPE quantification.

Containment Failure Modesfrom IPE Results In the Byron IPE, containment bypass is due to SGTR or ISLOCA. Induced SGTR is not included in the quantification. De only failure mode considered for early containment failure is containment isolation fauure, and the only Ime containment failure mode considered is that from containment overpressurization in cases when containment heat removal is not available. A 48-hour mission time is used in the Level 2 ,

analysis. Sequences that involve core damage within the first 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> (the mission time for Level 1),

but no containment failure until after 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />, are assigned a CAM release class (containment success with accidut management).

2.4.1J Containment Failure Mode and Timlag De Byion containment ultimate strength evaluation is described in Section 4.3.3.1 of the IPE submittal.

f'amminenam failure pressures were obtained by a review of the byron /Braidwood FSAR and a Sargent

& Lundy calculation. Of the several likely containment failure locations identified in the review, the Bunker Ramo electrical penetrations, which are used only in Unit 2, were found to have the lowest mean fauure pressure (108 psig). De connainmad fragility curve used in the IPE was based upon the failure pressures at the limiting failure locations and their associated uncertainties (with an assumed 7%

coefficient of variation). The median containment failure pressure of the fragility curves are 125 psig for 4 . Unit 1 and 98 psig for _ Unit 2.

c

De containment failure pressures and their distributions seem to be consistent with those obtained in other IPEs.

'2.4.1.4 Contalssnent Isolation Failure - ,

Containment isolation status is one of the PRT top events. It is also indicated by the founh digit in the 4<ligk PDS designator. De identincmion of the imponant containment penetrations is d'scussed in some  ;

detail in Section 4.2.1.10 of the IPE submittal. Additional discussion is provided in the licensee's- .

reponse to the RAI (Level 2 Question 2). With few exceptions, only pipes with diameters greater than 2 laches are evaluated". Results show that the frequency of containment isolation failure for Byron is y about 4.lE 7 (Table 3-8 of the Modified IPE Results submitted with the response to the RAI).

Containment isolation failure sequences are dominated by the RWST suction valves to the containment spray pump failing to close, the operator falling to manually initiate phase A containment isolation, and the lastrument bus invener falling to provide power to the slave relays. According to the descriptions provided in the IPE submittal and the licensee's response to the RAI, all five areas identified in the Generic Letter regarding the evaluation of containment isolation failure are addressed in the IPE.

2.4.1.5 System / Human P ;: - -

- De availability of the systems that are imponant to Level 2 accident progression is determined in he PRT and their status is described in the PDS defm' ition.

2.4.1.6 Radionuclide IMa= Characteriantion Since the Byron containment event trees have been incorporated into the PRTs, the PRT end states define the radionuclide release characteristics. As di-~I above in Section 2.4.1.1 of this report, the PRT end y states (or accident sequences) are grouped to a se of PDSs, and each PDS includes sequences with similar damage states in terms of the initiating event, expected timing of core damage, status of the ECCS and containment heat removal systems, and the state of the containment and fission product release. Each PDS .

thus defines a set of faulted functions that summarizes by function a set of system faults that would result in similar radiological consequences. To reduce the number of sequences to be analyzed for source term definition, the PDSs from the top 100 sequences were funher grouped to 12 PDS groups. De highest frequency sequence from the representative PDS in each PDS group was selected and used as a basis for estimating each group's source term characteristics. De CECO-specific version of the MAAP code was used to simulate the 12 sequences of events for source term definition. De sequences were analyzed for the 48 hour5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> mission time used for Level 2 analysis.

De fourth character of the PDS designator, which characterizes containment status and fission product release, is used for release category (RC) definition to summarize the Level 2 results. Among the sixteen RCs defined, eight have non-zero frequencies. ney are (Table 3.8 of the Byron Modified Results):

1. ha. Category S - No containment failure; leakage only, (44.8% total CDF)

"A penetration with diameter equal to 2 inches is retained if it is served as a containment sump line.

De only penetration of diameter equal to 2 inches retained for futuier evaluation is that for containment floor drain sump pump to the Auxiliary Building Drain Tank.

44

--v.-a,- % , - , - ,,,n- n-. ~ v r

I-2, ah Category A - No containment failure within 48-hour mission time; failure could occur

- aAer 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> without accident management; less than 0.1% volatiles released. (13.7% total C DF),-

3. Aelease Category K - Late containment failure; less than 0.1 % volatiles released (containment failure 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> or longer aAer vessel failure, 32.4% total CDF) 4.. .

nata == Category L -late containment failure; up to 1% volatiles released (containment failure 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> or longer aher vessel failure, l.2% total CDF) 1- Reiemme Category M - Late containment failure; less than 10% volatiles released (containment failure 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> or longer aAer vessel failure,1.9% total CDF)

6. Release Category E - Containment isolation impaired; less than 0.1% of volatiles released (0.6% total CDF).

7. Release Category F - Containment isolation impaired; less than 1 % of volatiles released (0.4%

total CDF).

8. blan= Category C - Containment bypassed; up to 1% of volatiles released, (5.0% total CDF),

he release categories are defined to provide a general characterization of the release profile. Although the classification of the accident sequences to the various release categories is in general adequate, the assignment of SGTR sequences to Release Category C is questionable. According to Table 3.6 of the Modified Results, the release fraction of volatile fission products for the SGTR sequence selected to represent this category (RL7C) is 27%, much greater than the limit of 1% of volatiles released used for the C category, it is thus more appropriate to use Release Category T, which according to Table 4.1.3-2 of the submittal, involves releases of volatile fission products of up to 50%, to characterize the release of the SGTR sequences.

De licensee agreed in a telephone conference call (involving NRC, BNL and Comed personnel) that, based on the information presented in the IPE submittal (including the RAI response) Category T is the wrrect release category for SGTR sequences. De assignment of all SGTR sequences to the T Category, ,

although conservative, is acceptable. With this change, the conditional probability of significant ently release (i.e., for volatiles release greater than 10%) for Byron is 5%, an average value in IPEs with large dry containments 2.4.2 Accident Progression and Containment Performance Analysis 2.4.2.1 Severe Accident Progression Sequence selection for fission product release characterization is discussed in Section 4.5.5 of the submittal. Sequences with no containment failure were not evaluated for fission product telease. For the -

remaining sequences in the top 100 sequences, there are 21 different PDSs. Drough combination of PDS: with similar release characteristics,12 PDS groups were selected in the IPE for source term analysir.. De sequence with the highest frequency in the representative PDS in each PDS group was-analysed by a CECO 1pecific version of the MAAP code for the determination of the release fractions for the group. De sequences soleded for source term calculations include one SGTR sequence, 3 SBO sequences,3 small LOCA sequences,3 loss of assential service water sequences, and two steam line break sequences.

We sequences relected for source term analysis seem adequate. However, the grouping of some PDSs and the selection of the sequence for source term analysis in these PDS groups may not be adequate and 45

. . . .- - --. - - - - . - - . . - ~ _ . - . . - - - - - - - - _ .

),. ,

need further discussion. For example, the most probable PDS, XLI>K with 31% total CDF, is grouped l to a much less likely PDS, X14K with only 0.4% total CDF, and XI4K is selected as the representative

' PDS. De selection of a low frequency seguence (Sequence 37,1.42E-7) to represent all the sequences 7 in this PDS group (which includes the number I and number 2 sequences with frequencies of 7.6E4 and g 4.3E4, respectively) should have been justified with further discussion". Even if the saurce terms for -

Sequence 37 (0.35% of total CDF) can bound those for Sequences I and 2", the sequences with the most 1 dominant CDF contributions (19% of total CDF for Sequence l'and 115 for Sequence 2) should be analyasd (or esamined in more detail) to provide data for IPE quantification and source term definition.

i Besides PDS X14K,-the grouping of PDS R14K and VX9K to PDS XI4K would also benefit from 4 additional discussion. PDS RI4K lavolves SGTR initiated sequences and PDS VX9K involves ISLOCA laitiated sequences. Although both have low frequencies (0.3% of CDF for RL9K and 0.24% of CDF for VX9K), the grouping of these bypass sequences to a late failure PDS with less than 0.1% volatiles released would also benefit from discussion.

Despite the above deficiencies, the MAAP calculations performed in the IPE pro ided a reasonable -

coverage of the sequences that could occur at Byron to allow a quantitative understanding of accident progression and fission product releases for Byron.

- 2.4.2.2 Dcaniennt Contributors: l' 3 with IPE Insights

< Level 2 results on radionuclide release character!zation (or containment failure mode definition) are discussed in Section 4.5.5 and summarized in Sectica 7.1 of the submittal. Table 9, below, shows a cow.priison of the conditional probabilities for the various containment failure modes obtained from the Byron IPE with those obtained from the Surry and Zion NUREG-il50 analyses. Results from both the original and the Modified IPEs are presented in Table 9.

As shown in Table 9, the conditional probability of containment bypass for Byron is 5.0% of total CDF (Discussions are based on modified IPE results.). All of it is from steam generator tube rupture as an initiating event. Induced SGIR is not considered as a credible failure mode. ISLOCA initiated sequences

. (in PDS VX9K) have a frequency of about 0.2% of total CDF but are grouped to a late failure PDS (PDS X14K). A small fraction of SGIR initiated sequences (in PDS RL9K,0.3% of total CDF) is also grouped to late failure PDS X14K.

h

'%e selection is appropriate in the original IPE submittal because the contribution from XI4K is

. negligible. XII>K is the dominant contributor only in the modified IPE results, not in the original IPE results. According to a telephone conference call with the licensee (involving NRC,'BNL, and Cond:4 personnel on June 27,1997) although new sequences with dominating CDF contributions were identified in the modified IPE, additional MAAP calculations were not performed for the modified IPE. De source terms of these new sequences were defined by the MAAP calculations for

~

the sequences selected in the original IPE based on an analyst's engineering judgement.

'%e difference batween PDS X14K and PDS X14K are that the former involves late core melt and u

. the loss of all ECCS injection and the latter involves intermediate core melt and the loss of high pressure ECCS injection.

46 L

L

O

,o Since all phenomena that may cause an early containment failure are considered in the IPE as "unlikely" to cause failure and are thus not included in failure quantifict . 'he conditional probability of early containment failure for Byron is zero. De probability of contalnu.. Isolation failure is 1.0%. Most of.

It is from sequences initiated by loss of ESW (24% of isolation failure), small LOCA (21%), and steam / feed line break (19%).

Table 9 Containment Failure as a Percentage of Total CDF Containment Failure Original Byron Modified Byron gg Zion Mode IPE+ IPE+ + NUREG-1150 H50 Early Failure Negligible + + + Negligible + + + 0.7 1.4 Late Failure 8.1 35.5 5.9 24.0 Bypass 0.04 5.0 12/2 0.7 Isolation Fauure 0.7 1.0 Intact 91.2 * " 58.5 "

• 81.2 73.0 CDF (1/ry) 3.lE-5 4.0E-5 4.0E-5 3.4E-4

+ The data pmsented for Byron are b.t. sed on Table 7.13 of the IPE subnutta modified by the license's response to RAI Level 2 Question 11.

++ The data presented in this column are based on Table 3-8 of Enclosure 3

• Byron Modified IPE results" of the licensee's response to RAI.

+ + + The phenomena that may cause early contamment failure are not considered in containment failure quantification based on phenomenological evaluation summaries prepared by FAI.

• Included in Early Failure, approximately 0.02% *

" included in Early Failure. approximately 0.5%

• • • 'Ihe probability of " Intact" containment include that from "no containment failure within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />, but failure could eventually occur without further mitigatirg action" (3.0%

CDF in the original IPE submittal and 13.7 % in the modified IPE results).

De conditional probability of late containment failure for Byron is 35.5% of total CDF. It is primarily from containmen' overpressure failure due to loss of containment heat removal. Because of the long time it takes to melt through the containment basemat, late failure by basemat melt-through is not considered as a credible failure mode even if the debris is not coolable. Based on the results presented in the Modified IPE results, the primary contributors to late containment failure ne loss of ESW sequences (90% of late failure) and SBO sequences (6% of late failure). De individual contribution to late failure from other initiators is less than 1%. For the various initiating events, 84% of loss of ESW sequences, 37% of steam (or feed) line break sequences and 14% of SBO sequences result in late failure. De conditional probability of late failure for LOCA sequences is small, less than 2%.

l Comparison of the results from the modified IPE and the original IPE (see Tabie 9) shows a significant l increase in containment bypass and late comainment failure probabilities for the modified IPE. De )

increase in containment bypass release probability (from 0.04% to 5%) is primarily due to the change 1 in the treatment of the SGTR initiated evenu in the IPE. While most of the SGTR initiated events were considered in the original IPE to lead to a " Success with Accident Management (SAM)" end state (and j 47 l

l

.-. - .- - _ - - - ~ - - - - - - . - . - - -.-. . - - ..-

thus were not considered for Level 2 source term analysis), some of these sequences, with additional evaluation, were considered as core damage sequences and grouped to the containment bypass release group in the modified IPE. De increase in late containment failure probability (from 8.1% to 35.5%)

is primarily due to the significant increase in the probability ofloss of ESW sequences in the modified IPE (about 3% in the original IPE and almost 40% in the modified IPE). ESW sequences are more likely to lead to late containment failure than other sequences because of the loss of cooling to the frontline systems. For example, Level 2 results indicate that while over 80% of ESW sequences and with late containment failure, less than-15% of SBO sequences end with late containment failure.

2.4.2.3 Characterization of C '- M Performance ,

As shown in Table 9, the core damage frequency (CDF) for Byron is lower than that obtained in NUREG il50 for Zion but similar to that obtained in NUREG-il50 for Surry. De conditional probability of containment bypass obtained in the Byron IPE is less than that obtained in NUREG-ll50 for Surry, but greater than that obtained in NUREG il50 for Zion. Induced SGTR, which is considered in the NUREG IISO study, is not considered in the Byron IPE.

Another feature of the Byron IPE is the lack of consideration of any early failure modes in containment

' failure quantification. De early containment failure modes that contribute to NUREG-il50 analyses for Surry and Zion include those from steam explosion and containment pressure load associated with HPME.

Should the data used in the NUREG-1150 analyses for in-vessel steam explosion (0.8% and 0.08% for low pressure and high pressure sequences, respectively) and HPME (higher estimated pressure in NUREG ll50 than in Byron IPE) be used in the Byron IPE, the conditional probability of early containment failure could be comparable to, or greater than, those obtained in NUREG-il50 (because of the smaller containment failure pressure for Byron).

i 2.4.2.4 Impact on Equipment Behavior Equipment important for prevention of core damage anJ/or containment failure was evaluated for -

survivability for a range of accident conditions postulated. To accomplish this task, the By an equipment survivability study was divided into three phases, and the Phase !! study covers the IPE conditions.

According to the licensee's response to the RAI (Level 2 Question 10), the Phase 11 equipment survivability study was limited in scope to a review of the conditions encountered during a successful recovery from a a of the initiating event. He equipment was thus assessed only for the conditions prior to core damage. For example, as part of the Phase II assessment, the Reactor Containment Fan coolers (RCFCs) were considered in the IPE to face their harshest environmental challenge following a Large LOCA initiator. The challenges to the equipment by the harsh environmental conditions following core damage, such as that from aerosol plugging, were considered to be beyond the scope of the IPE.

According to the response to the RAI, the effects of aerosol plugging of RCFC cooling coils are considered in the Severe Accident Management Guidance provided by the Westinghouse Owners Group for members to use in developing Severe Accident Response procedures.

2.4.2.5 Unces1ainties and Sesuiitivity Analysis Sensitivity studies were performed in the IPE to evaluate the effects of uncertainties of in-vessel and ex-vessel phenomena on containment failure timing and related source term release. Uncertainties were addressed by performing MAAP sensitivity studies. His was accomplished by varying certain MAAP model parameters in selected base-case sequences. He ranges of MAAP model parameter variation for 48 I

1 senskivky analyses were based on the recomrnendations provided in EPRI documentation. De parameters l Investigated in the Byron sensitivity studies (for source terms) include: j

- 1. - RPV failure timing -De sensitivity study includes the evaluation of the influence of core melt progression model (e.g., the MAAP core blockage model), induced hot leg rupture, and primary system loop seal clearing on timing of RPV failure.

2. Containment failure timing - De sensitivity study includes the evaluation of the influence of the core melt progression model, ex vessel core debris coolability, external vessel cooling, containment failure pressure, increased fragmentation of core debris expelled at vessel failure, delayed vessel failure, and induced hot leg rupture on containment failure timing.

3. Fission product release - De sensitivity study includes the evaluation of ti:e influence of containment failure timing and size on fission product release.

One sensitivity analysis that is of panicular interest is the one that involves external vessel cooling. De external cooling model used in the CECO-specific version of the MAAP code basically prevents reactor vessel failure as long as the lower head is submerged by water. As a result, reactor vessel failure was effectively prevented during sequence calculation for these sensitivity cases. Because of external cooling, containment failure time was delayed (by about 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />) but the release of volatile fission product releases significantly increased (by about 40 times) relative to the base case which assumed vessel failure one minute after corium relocation to the lower head. In addition to the above effects, the high I'.CS temperatures that result from preventing vessel failure by successful external vessel cooling may increase the likelihood of creep rupture of the RCS (in the hot leg, surge line, and in steam generator tubes) and result in higher fission product release. De licensee's response to the RAI (Level 2 Questions 7 and 8) provide

• some discussion on these issues.

De sensitivity studies reported in the submittal investigated the effects of uncenalnties of some parameter values used in the MAAP code on calculation results. De effect of uncertainties of accident phenomena on containment failure probability are not included in the sensitivity studies of the IPE submittal but are dismctM in the Phenomenological Evaluation Summaries prepared by the licensee in support of the IPE and in the licensee's response to the RAl. De probabilities of induced SGTR and early containment failure due to energetic events such as those from hydrogen combustion or those associated with HPME are discussed in the response to the RAl.

15 Evaluation of Decay Heat Removal and Other Safety Issues and CPI 2.5.1 Evaluation of Decay Heat Removal 2.5.1.1 Examination of DHR De IPE addresses decay heat removal (DHR). De decay heat removal is accomplished by the following Byron features:

1) During small LOCAs and transient events, decay heat is removed via the auxiliary feedwater system or via alternate feedwater (malr. feedwater, startup feedwater or condensate / condensate booster pumps with depressurization) through the secondary side. If secondary side cooling is 49

not available, feed and bleed operations are needed on the primary side. He feed and bleed requires high pressure injection systems, the pressurizer PORVs and the associated operator actions;

2) During medium and large LOCAs, decay heat is removed by the break flow and the ECCS. This includes the Si system, the RHR (or LPI) injection and recirculation subsystems, the charging system and the associated operator actions. These systems are backed up by the containment fan coolers and the shotdown cooling mode of the RHR.

The IPE describes in detail each system, associated operator actions and hardware and HRA unavailabilities, along with any simplifying assumptions in modelhg the sy-tem. For example, alternate sources of auxiliary feedwater (from the other unit CST and from the SX system) were not modeled. For non-LOCA cases, only the charging system was modeled for success of feed and bleed cooling. De RWST refill is credited, as is the operation of the RCFCs for the decay heat removal. 'It should be noted that the RCFCs have a very low unavailability due to the success criteria used (one~out of 4).

he licensee notes that a review of NUMARC closure guidelines for the Byron sequence quantification indicates that over 50% of the core damage sequences (in the original IPE) involve a loss of primary and secondary heat removal in the recirculation phase, while 30% (in the original IPE) involves a loss of both primary and secondary heat removal in the injection phase, De licensee then notes that one of the causes of failure in the sequences in question is a degraded state of the 4kV system, with one bus failed. His has led to the revision of the procedures to effect the cross-tie even if one bus is energized (previously the cross-tic was effected only in an SBO). This improvement reduces the CDF by 62% and reduces the contribution of AFW and ECCS recirculation failures by approximately 20% each, relative to the original IPE.

The modified IPE has many modifications (e.g., in the area of HRA, SAM states resolution, CCF modeling) so that a direct comparison of the impact of these changes was not made (the sensitivities above are not a comparison between the original and the modified IPE). For example, the AFW failure contribution to the CDF sequences was about 82% in the original IPE, but only about 11% in the modified IPE.

Two sensitivity studies were completed relative to decay heat removal, in the first study, an SX pump was modeled as providing sufficient AFW flow through an idle AFW pump (after depressurization) to remove the decay heat. This led to a 67% reduction in the total core damage frequency. In the second study, local action to start the train A AFW pump was considered following a loss of de bus 111. He CDF reduction due to credit for this action was about 5%. Both of these actions were already proceduralized, but they were not credited in the base model.

Note that the numerical data in this section comes from the original IPE, as the modified IPE did not include this section.

He licensee appears to have fulfilled the request of the generic letter with respect to this issue. No DHR vulnerabilities were identified and the licensee considers the DHR issue resolved.

2.5.1.2 Diverse Means of DHR he IPE evaluated the diverse means for DHR, as described In the section above.

50

a

2.5.1.3 Unique Features of DHR he unique features at Byron that direedy impact the ability to provide DHR are described in Section 1.2

(* Key Features").

2.5.2 - Other GSis/USIs Addressed in the Submittal No GSis or US!s, other than USl A 45 (DHR Evaluation) are addressed in the submittal.

2.5.3 Response to CPI Program Recommendations De CPI recommendation for PWRs with a dry containment 1.: the evaluation of containment and equipment vulnerabilities to localized hydrogen combustion and the need for improvements. Although the effects of hydrogen combustion on containment integrity and equipment are discussed in the submittal, the CPI issue is not specifically addressed. More detailed information on this issue is provided in the licensee's response to the RAI (Level 2 Question 12). According to the response, hydrogen combustion 11 sues are addressed in the PESs, which conclude that hydrogen deflagration and detonation are an un!!kely containment failure mode.10 addition to the PESs, plant walkdowns were performed at Byron as part of the containment performance evaluation conducted for the Byron and Braidwood IPEs. De walkdown team identified the likely hydrogen release points into the containment from the primary system and a couple oflocations which had a potential for hydrogen pocketing (i.e., the seal table room and the space between the primary shield wall and the secondary shield wall). Subsequent investigation showed that the Byron containment has a very low likelihood of localized detonation and the accompanying potential for missile generation.

Severe accident management procedures are currently being prepared for Byron and Braidwood Stations.

This guidance is based on the WOG Severe Accident Management Guidelines (SAMGs). He SAMGs include SAM strategies fdr controlling containment hydrogen concentrations to preclude hydrogen burns and/or detonation.

2.6 Vulnerabilities and Plant Improvements 2.6.1 Vulnerability The licensee stated that a potential vulnerability exists with respect to flooding. This potential vulnerability is addressed in improvements #2 and #3 in section 2.6.2 below, in addition, the licensee used the NUMARC severe accident issue closure guidelines to assess if any improvements are necessary.

he NUMARC guidelines group sequences in the categories defined in Table 10, with instructions as to what action is needed if a category CDF exceeds a certain threshold value. De Table also shows contributions of the NUMARC category to the CDF at Byron. His table is taken from Table 3-4 of Enclosure 3 of the RAI Responses.

De licensee states "For mast bins, adequate treatment is to ensure such sequences are covered in severe l accident management guidance. For some bins, no action is necessary. Bins IIA and VB require consideration of procedure changes, minor modifications, or treatment in severe accident management guidance For IIA, it is believed that the quantification is conservatively high, and that investigation and 51 l

i reAnement of the loss of SX-related procedure changes, discussed above, will result, ultimately, in CDF

' lower thu that shown. For VB, Comed's conclusion is that there is not cost effemive procedure or hardware changes to reduce the risk. Derefore, in response to this analysis of the response to the NUMARC Closure Guidelines, Comed's Byron Station will " flood proof" the SX pump rooms, and develop procedure changes to respond to.an SX pipe break large enough to threaten drainage of the SX -

cooling tower basins."-

As indicated above, the licensee does commit in this secslon to " flood proof" the SX pump rooms, and develop procedures for deallag with the loss of cooling tower basin event in response to the NUMARC closure guidelines. De sequences in question are discussed in the flooding section, and result in a dual unit loss of service water, have a dual unit core damage frequency of close to 1.0E-4/yr, and are not

included in Table 10, or any other results. Dat sequences are similar to sequence 1 in Table 7, and

- would fall into category IIA in Table 10.

Also, the licensee did implement or consider several other improvements, as a result of the IPE (but not as a result of NUMARC guidelines), which are discussed in the next section. .

- Vulnerability is not defined in the IPE subminal for Level 2, and no vulnerabilities were identified in the

' IPE process.

2.6.2 Proposed Improve nents and Modifications Wree Level 1 improvements have resulted from the IPE process, ne IPE takes credit for all three, in addition, the submittal states that the CECO's insights process identified numerous insights for procedure enhancements to improve operator response, both before and after core damage, as well as strategies and features to be included in Severe Accident Management Guidance. it is stated in the submittal that much of the generic Fuldance in the Westinghouse Owners Group Severe Accident Management Guidelines is based on the insights from the Zion and Byron IPEs.

De following three i.evel 1 improvements are discussed: ,

1) .Crosstying emergency ac buses. His insight was identified in the original IPE. Emergency procedures developed as a result of the blackcut rule directed use of this crosstle in the event of an SBO. The principal insight from the original IPE was that there were other situations for which the cross-tie is valuable, i.e., one bus deenergized and equipment on the other bus failed.

Crosstying when only one bus is deenergized had therefore been implemented in the procedures, even prior to the IPE submittal (but was not credited in the original IPE).-De CDF change (relative to the original IPE) is a reduction of 1.9E-5/yr (fmm 3.lE-5/yr, a 62% reduction),

while the SBO CDF was reduced from 4.5E4/yr to 3.6E4/yr, a 21% reduction, ne modi 6ed IPE credits crosstying of enher or both 4 kV buses (141 and 142) to the other unit.-

. De original and the enhanced IPE (prior to the modified IPEj just credited crosstying of the bus 141..- Crediting both crosstics, (on top of allowing crossties in case of one bus energized),

reduced the Byron enhanced IPE CDF a further 11% (the SBO CDF was reduced a further.28%). '

52 d

.A .

l i

Note that the enhanced IPE apparently differed from the originalIPE in allowing the cross-tie with one bus (re) energized.  !

Table 10 NUMARC Categoria and 3yS Resolution EyS NUMARC Action Required "III"

Category CDF / r) II '" I')

IA loss of primary and secondary heat 1.iE4 108 - 104, SAMC removal in injection phase IB loss of primary and secondary heat 1.5E4 10 104, SAMG removal in recirculation phase IIA induced (seal) LOCA with loss of 2.0E-5 104 - 108, consider injection procedural, minor hardware modifications or SAMG IIB induced (seal) LOCA with loss of 2.2E4 10 104, SAMG recirculation Illa small LOCA with loss of injection 1.5E-7 < 104, do nothing IllB small LOCA with loss of 4.5E4 10 10*, S AMG recirculation lilC large/ medium LOCA with loss of 2.4E4 10 104, SAMG injection IllD large/ medium LOCA with loss of 2.7E4 108 - 104, SAMG recirculation IV accident sequences invoH ig failure 1.7E-7 < 104, do nothing of reactivity control VA interfacing system LOCA 7.6E-8 < Itt', do nothing VB steam generator tube rupture 1.8E4 108 - 104, consider accidents procedural, minor hardware modification, SAMG 1

2) Scaling SX pump room ventilation duct. This arose out of consideration of pipe rupture events in the SX system some of which may lead to a loss of SX or flooding events. The ventilation duct in question would allow piopagation of flooding from such an event from a sump room to all SX pump rooms, leading to a dual unit loss of essential service water event (discussed in the 53 i

flooding section) with a high frequency. A modification is being developed to prevent the flooding, although installation dates have not yet been established. The IPE model assumes that this modification perfectly removes this scenario from consideration.

The sensitivity for this modification is discussed after modification 3, as both would be implemented together.

3) Develo ing procedure for coolir.g tower basin loss due to $X ruptures. If the pipe size exceeds certain limit, the flow out of the break will exceed the cooling tower basin makeup capacity, and a loss of all SX will result. Operator procedures are being investigated which would minimize the frequency of such an event (e.g., closing the cross-tie valves, stopping the SX pumps, etc.).

The modified IPE results for the dual unit loss of essential service water contain the assumed residual from such actions, where a 10% failure probability to prevent loss of the basins' inventory was assumed.

If the credit for modi 0 cations 2 and 3 is removed, the resulting core damage frequency will rise by approximately 1.0E-4/yr.

The SBO rule changes are also discussed in the RAI responses. De crosstying of the emergency ac buses in case of an SBO was the modification implemented for the SBO rule. No sensitivity was available for this modification as this procedure change is already embedded in the original IPE.

De plant enhancement resulted from the Level 2 analysis in Braidwood, i.e., the installation of an opening in the reactor cavity cover plate, is not needed for Byron. The cover plate for Byron is not leak tight and thus allows water to Dow from the containment basement to the wor cavity.

54

1

.e

3. - CONTRACTOR OBSERVATIONS AND CONCLUSIONS  ;

i i

De arengths of the level 1 !PE analysis are:

1) De treatment of plant specific initiating events is comprenensive; I

2) Common cause analysis is applied to most types of components;

3) De plant speenfic data which was collemed for the pumps and the MOVs discriminated based on i

- the system ($1 pumps versus CCW pumps, etc.)

'l

~

De subminal contains a good discussion of insights on plant featu os as well as a comparison of  !

4) l

. deste differences wkh anoeber CECO plant (Zion) and their impact on the diffwences in results.

5) De decay best removal discussion is relui/ely comprehensive; i l

6) - De RAI resoonses wwe generally very detailed and thorough; ,

1

7) The discussion of IPE modifications was also very compime, with generally credible analyses  !

- justifying the modifications.  ;

l De weaknesses of the levd I analysis are:

1) Dere are some questions about data, for example the lack of plant sralfic data (which was collec;rd only for the dimel generatars, the pumps, the MOVs, the RCFCs and the essential cooline water fans). l

2) ' Some of the common cause factors used are still low, even with establishment of the floor for such values in the modified IPE (this is somewhm olhet by performance of a sensitivity analysis).

3) De documentation for certain aspects of the analysis is not very clear, making it vwy hard to understand the analysis or some of the results. For example, there is no description of modeling 1 of accident sequences for specific plant respoase trees (i.e., the PRT logic), nor is there a ,

thorough discussion of the top sequences in the results sation. V' *muld not find a complete discussion of the RCP seal LOCA model utillred, offsite power ravwy model or anodeling of containment failure feedback to the status of ECCS oporte. ion. De syman section was also not very helpfbl in answering these questions. Dere was no discussion of success crkeria where they deviated froen the established PWR practice. Subsequent conversations with the licensw led to 1 a satisfactory resolution of these issues. l De HRA avview of the Byron modified IPE :did not idendfy any significant problems or errors. A viable .;

o approach was used in performing the HRA and nothing in the licensees submittal indicated that, based  ;

on the HRA, it failed to mwt the objectives of Generic latter 88 20. Important elements (including weaknesses) pertinent to thP .stenninstion include the following:

4 55 -

s F

__.2.. a _. _ x._ - ,u __._a__._._.._,. . _

.. i

1) De modified IPE indicates that utility personnel were involved in the HRA and that the procedure reviews, plant examinations, and opermor acslon interviews represented a viable  !

process for conArming the the HRA portions of the IPE tcpresent the as built as operated plant.  ;

1 i

2) De analysis of pre initiator human actions included both miscalibrations and restoration faults, Howevw, while a thorough analysis and evaluation of plant apacific data relating to pre-laitiators  !

was performed, only four restoration faults were actually included in the PRA mudels. All l others wwe dismissed on the basis of qualitative (and in a few cases quantitative) screening 1  ;~

~

critula. While the appreadi was not without merit, the lack of a full modeling of pre-laitiator

• events (and the lack of a clear explanation of the pre laitiator quantification technique) must be ,

considered a wannaan of the modified IPE. 1

3) De combination of the EPRI Cause Based Decision Tree Methodology (CBDTM) and T}lERP ' l (NUREO/CR 1278) prvvided a raamanaMe basis for assessing post initiator response type human actions. The CBDTM as applied in the Byron modified IPE does a good job of assessing the l diagnosis portion of operator actions. In addition, the impact of plant specific performance t shaping factors was adequately addressed. One limitation of the CBDTM is that it does not, in knolf, have a unique appronJi for analyzing time-critical actions. Dat is, those actions where the ,

difference between the time available and the time required to perform the actions is short and ,

the possibility exists for the operators to fall to accomplish the actions in time, are not evaluated I directly as a function of time. Therefore, even with the CBDTM, the potential exists for l underestimating HEPs for shortalme frame events. However, the licensee performed an ,

acceptable evaluation to ensure that short time frame events were not inappropriately quantified.

4) A thorough tientment of dependencies between post initiator operator actions was conducted for  ;

the modified IPE.

t i

5) The Byron modified IPE presents a list of the important " operator action nodes" as a function of their contribution to CDF. The licensee noted, however, that "in these lists all cases of each operator action are combined." For example, the OSX event includes OSX 1 [ HEP Byron =

1.3E 3) for LSX sequences as well as OSX-4 [ HEP = 1.0} for DSLX sequences. As stated by .

the licensen, "thus, the operator action importance can be misleading since it includes cases of defined failure (HEP = 1.0]." In addition, the top event report does not include events in tht  ;

fault trees. Dus, the analysis of important human actions could have been done in a more useful  ;

manner.

l \

De strengths of the Level 2 analyses are the in<lepth examination and plant specific evaluation of l l

-important containment phenomena in the Phenomenological Evaluation Summaries (PESs), and the estensive MAAP calculations performed for source term dormition and sensitivity analyses. It seerns that the lloonsee has developed an overall appreciation of severe accident behavior and a quantitative understanding of the overall probability of core damage and radioactive material releases. De licensee

- has also addressed the recommendations of the CPI program. '

l Dare are some weaknesses in the Level 2 IPE' '

I i

~

1) : De most significant weakness is the lack of ocasideration of some of the containment phenomena

• In the IPE quanthication model. Except for containment overpressure failure, isolation failure, i

. f se l

l s  :

i and bypass, all other containment failure modes are considwed'as "unlikely" to cause l

4 containment failure.md deus not included in containment failure quantification. Done include all  :

W shat snav cause early anntainmem failure (steam es;,sosion, bjdrogen combustion, and l

DCH), and sons phenomena the may cause late ccatainmem failure (molten core debris  :

lateraction and thermal attack of containment penetrations). Because of the uncertainties j associated wkh these & r and containment pressure capability, their contributions to early  !

'

• containmem failure may not be negligible. De problem is more significam for Unit 2 because  !

of its.relatively low namaalamane failure pressure. Although a rough estimate provided in the reposse to an RAI indicates that the contributions to containmem failure probabilky fhun these j "unlikely failure modes" are small (about 15 of total CDF) and their exclusion from containment  ;

dallure quantification may be justified, the lack of consideration of these failure modes in the IPE in a struaured way, audi as can be provided by a CET, precludes a systematic means to examine  !

tha relative importance of these failure modes and the effems of some recovery actions on these .;

failure modes.  !

2) De assignment of SGTR sequences to Release Category C is another problem. Release Category l C, according to the IPE subminal, involves accident sequences that have up to 1 % of the volatiles -

1

, released. However, the predicted release fraction of voimile fission products for the sequence ,

solemed to represent the SGTR sequences is 27%, much greater than the limit of 1% of volatiles i for Category C. It is thus more appropriate to use Release Category T (instead of C) to [

characterine the release of the SGTR saquences. Release Category T is defined as containment  !

bypass with up to 50% of the volatiles released.  !

De licensee agreed in a telephone conference call (involving NRC, BNL and Comed personnel) I that, based on the i ' ' ~lon presented in the IPE submittal (including the RAI response)  !

Category T is the ao . .. lease category for SGTR sequences. De assignment of all SGTR

[

sequences to the T Category, although conservative, is acceptable. With this change, the conditional probability of significant early release (i.e., for volatiles release greater than 10%)

for Byron is 5%, an average value in IPEs with large dry containments Although the MAAP calculation performed in the IPE for the SGTR case may be conservative .  ;

because the relief valves on the secondary side were assumed to fell open (e.g., due to excessive 1

cycling) in the calculation, there is no basis in the IPE submittal and the RAI rerponse to assign l

the SGTR sequences to the C Category. Any future effort (e.g., additional MAAP calculation) ,

to justify the assignment of the JGTR sequences to Category C needs to address the probability of SG valve failure due to adverse operating conditions in severe accidents.

l

3) Equipment survivability study in the IPE is limited in scope to a review of the conditions encountered during's successful recovery from each of the initiating events. De equipment is  :

thus assessed only' for the conditions prior to core damage. For example, the Reactor  ;

, Containment Fan Coolers (RCFCs) are considered as facing their harshest environmental challenge followig a large LOCA laitiator, ne challenges to the'equipmem by t ie harsh

- environmental coaditions followleg core damage, such as aerosol plugging, were considered to be beyond the scope of the IPE According to the response to an RAI question, the effects of aerosol plugging of RCFC cooling coils are considered in the Severe Accident Management Guidance provided by the Westinghouse Owners Group for members to use in developing Severe Accident Response procedures.

~

$7 l t

I s i Dis is not a signlAcant deficiency, howevw, because containment failure due to equipment  ;

failure under harsh environmental conditions would be ime and most likely with low fission -  ;

product releases. De effect on the overall fission product release profile for Byron should not j be significant because of the already relaively high contribution from late containment failure for i

Byron (35.5 %). j

4) The treatmern of induced steam generator tube rupture (SGTR) is not well treated in the  !

submittal, induced SGTR is not included in the PRT model or addressed in the PESs. Rough , ,

estimates of the probabilities of hot leg fauure and induced SGTR by creep rupture using a - l decomposkion event tres structure are presented in the licensee's response to the RAI. It shows

{

an overall probability of induced SGTR of 185. De probability is increased to 24% if the RCPs  ;

are restarted by the operator. Although these high probabuity values do not seem to justify the q omittirig of this failure mode in IPE quantification, Auther discussion is not provided in the RAI  :

response, h is noted, however, that these probability values are obtained based on na analyst's  ;

judgement and may be overly conservative. (ne probability of laduced SGTR obtained in the  :

RAI response is much higher than that obtained in NUREG il50.) Since o>ntal.unent bypass j

hom SGTR initiated sequences is the dominant failure mode in the IPE, additional contribution to containment bypass from induced SG1R may not change significantly the release profile of the j plant. However, this issue needs to be re-examined if contribution from the SGTR initiated sequences to the total CDF is significantly reduced in a future IPE update. j 5)- A' augh the sequences selected for source term definition seem adequate, the selection of a [

sequence with ury low frequency to represent a PDS group that includes the most likely  !

seguence, and the lack of sufficiert discussion on the selection, is a weakness. Even if the source l I

terms defined by the MAAP calculation for the selected sequence can bound ce are representative of all the sequences in the PDS group, the most likely sequence with significant CDF contribution (

should be analyzed (or examined in more detail) to provide data for IPE quantification and source term definition.

On the other hand, the MAAP cWculations performed in the IPE provided a reasonable coverage of the sequences that could occur at Byron to allow a quantithtive understanding of se:ident  :

progression and fission product releases for Byron.  !

i It appears that the licensee has met the objectives of Generic Letter 88 20. Some strengths and several  ;

weaknesses of the Level I, HRA, and Level 2 analyses have been identified above.  ;

q t

~

58 4

• (

I

4. REFERENCES llPE) Hyron Nuclear Power Station Individual Plant Examination, Commonwealth .

Edison Company, April,1994. l lRAI Responses) Response to NRC Requestfor Additional ligformation and Modyled IndMdual Plant Examination, Byron /Braidwood Nuclear Power Station IPE," >

Commonwealth Edison Company, March,1997.

(EPRI TR LOO 259) G. W, Parry, et al. An Approach to the Analysis of Operator Actions in PRA, l

- Electric Power Research Institute Report, EPRI TR 100259 Palo Alto, CA,  !

June,1992, j (NUREGICR 1278) A. D. Swnin and H, E. Guttman, flandbook ofHuman Reliability Analysis strh l Emphasis on Nuclear Powr Applications : Technique for Human Error Rate 1 Prediction, NUREG/CR 1278, U.S. Nuclear Regulatory Commission,  ;

Washington D.C.,1983.

i F

59 I

_ _ _ . ._. ,. _ __ , _ _ _ _ . ,