Text

Staff Evaluation Rept Concluding That Licensee IPE Complete Wrt Info Requested by GL 88-20 & Process Meets Intent of Subj GL
	ML20198R306
Person / Time
Site:	Braidwood
Issue date:	10/27/1997
From:	; NRC (Affiliation Not Assigned)
To:	;
Shared Package
ML20198R299	List: ML20198R297; ML20198R306;
References
	GL-88-20, NUDOCS 9711130231
	Download: ML20198R306 (8)
	v • d • e

. . ... - . . . . . . . . . _ . -- . . . . - . - -... _ . - .

1 L

s :

i i

e BRAIDWOOD NUCLEAR GENERATING STATION UNITS 1 AND 2 INDMDUAL PLANT EXAMINATION ,

4 STAFF EVALUATION REPORT

.t n.

D

+

b

v. . ece a

* * - - - + - , ,..:,, , _ _ . . ,

, J

. i. msonucnow 7

1 On June 30,1994, the Commonwealth Edison Co. (Comed) submitted the Individual Plant Examination (IPE) for Braidwood Nuclear Generating Station (BNGS) Units 1 and 2 l (the base IPE) in response to Generic Letter (GL) 88 20 and associated supplements. On l January 26,1996, the staff sent a request for additional information (RAI) to the :

' licensee identifying concems about the IPE that were similar to those raised previously by the staff for the Zion, Dresden and Quad Cities IPEs. The licensee responded by letter '

on March 27,1997, forwarding " Responses to NRC Requests for Additional Information and !

Modified Byron and Braidwood IPEs" which addressed the concems. The modified analysis also included the revised sequences and the impact on core damage frequency (CDF) as a result of these modifications. Subsequent to the staff review of the modifications to the IPE -

i and the responses to the RAls, teleconferences were held during June 1997 between the _

licensee, the staff, and its consultant Brookhaven National Laboratory for clarification.

A "Stop 1" review of the BNGS base IPE submittal and modifications was . ;rformed and involved the effbrts of Brookhaven National Laboratory in the frontend and the back end analyses, and Sandia National Laboratory in the human reliability analysis (HRA). The Step 1 review focused on whether the licensee's method was capable of identifying vulnerabilities. Therefore, the review considered (1) the completeness of the information and (2) the reasonableness of the results given the BNGS design, operation, and history. A more detailed review, e " Step 2" review, was not performed for this IPE submittal. Details of the contractor's findings are in the attached technical avaiustion report (Appendix A) of this staff evaluation report (SER).

In accordance with GL 80 20, BNGS proposed to resolve Unremved Safety issue (USI)

A-45," Shutdown Decay Heat Removal Requirements." No other specific USis or generic ,

~

safety issues were proposed for resolution at, part of the BNGS IPE.

ll, EVALUATION in the RAls sent to the licensee on January 26,1996, the staff expressed concems regarding several areas of the IPE including: a human reliability analysis that did not incorporate importar.; aspects of operator performance and did not appropriately treat human 6 performance under accident conditions; use and application of an optimistic quantification =

process, including comn .n cause failure (CC. ); use of the MAAP code to deterr..ine cor,.

cooling success enteria under conditions where it has not been benchmarked, arriving at combinations of equipment of lesser capacity to achieve success; use of " success with accident management"(SAM) end-states without significant margin beyond the cutoff criteria a

(24 hr.) for these sequences. The licensee explicitly addressed the staffs concems in the modified IPE submittal.

4 Each of the two BNGS units is a Westinghouse 4 loop pressurized water reactor (PWR) with a large dry containment. in the base IPE submittal the licensee estimated the total CDF for each unit as 3 E 5/ reactor-year (ry) for intemally initiated events, including intamal flooding.

Loss of offsite power (LOOP) contributes 88% (single unit 56%, dual unit 32%), loss of coolant accidents (LOCA) 4% (small 2%, large and medium 1.%), transients 7% (loss of support systems 4%, others 3%), steam generator tube rupture (SGTR), anticipated i

1

~ , , . - - - . , _ . , , , . , - . . . _ . _ . ..,.... _ -.

3 transients without scram (ATWS), interfacing systems LOCA (ISLOCA) and intemal flooding "1%. As an accident type station blackout contributes about 23%. In its modified IPE submittal the licensee estimated the total CDF for each unit also as 3E 5/ry for intemally initiated events, including intemal flooding. LOOP contributes 31% (dual unit 18%, single unit 13%), transients 33% (loss of support systems 30%, others 3%), LOCA 27% (large, medium and small all 9%), SGTR 9%, ATWS, ISLOCA and intemal flooding <1%. Loss of support systems is dominated by dual unit loss of essential service water (ESW) 20%, single unit loss of ESW 4% and loss of component cooling water (LOCCW) 4%. As an accident type station blackout contributes about 28%.

While the total CDF has not changed, the contributors to CDF have char,ged. Most notable is the inclusion of pipe breaks (not previously considered) in the ESW v/hich resulted in a dual unit loss of ESW (5.6E-6/ty). The inclusion of pipe breaks resulted in the identification and subsequent elimination of a " potential vulnerability" wherein both EGW pump rooms are flooded (see enhancements, below). In addition, the licensee has taken credit for cross-tie of either or both of ti. 4KV buses (141 to 241,142 to 242) on loss of power to these buses.

Further, in the snodified IPE, sequences leading to single or dual LOOP previously identified as success with accident management (SAM), were expanded. The licensee originally defined SAM sequences as "no core damage at 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , and for which accident management actions are required after 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months ..." The licensee analyzed these sequences further and expanded them to either success or core damage. These sequences now contribute a total of about 1E-5/yr to the total CDF.

In addition to the above, the increase in contribution from Large LOCA was due to the change in success criteria to more typical criteria for PWRs. The medium LOCA contribution increase was due to increases in human error probabilities (establish high pressure recirculation from 0.05 to 0.5), as a result of the modification to the HRA and changes to the emergency core cooling flow requirements which had an impact on refueling water storage tank efill success.

Regarding the use of low CCFs, the licensee established a threshold value of 0.01 for systems with a two-of-two train configuration. This resulted in an automatic increase of those factors that were previously below 0.01. With this approach, the licensee addressed the staff's concems about very low CCFs, but in a limited way. The values for CCF factors remained lower than generic values and the ((censee did not provide a strong supoort for ,

their applicability at BNGS. The 'icensee indicated that the sensitivity study performed for the CCF (increasing the beta factor by a factor of ten; which, for a nurnber of components brought the beta factor value up to the values identified in NUREG/CR 4550), showed that the total CDF increased by a relatively small factor (a factor of 2 to 6E-6), and that therefore the IPE results are relatively insensitive to the common cause factors in the range of the values under discussion. However, the staff believes that the resultant increase in the CDF contribution for certain individual events, not displayed or discussed in the modified IPE, may show some sensitivity to common cause failure, irrespective of the impact on the total CDF.

Because of this the staff considers the licensee's analysis to be limited due to the uncertain character of CCF analysis as expressed above. Even so the staff believes that it is unlikely that this limitation has affected the licensee's overall conclusions from the IPE and its capability to identify vulnerabilities. It may, however, have limited the licensee's ability to gain insights and identify improvements.

2

l The licensee performed an HRA to document and quantify potential failures in human system interactions, in the HRA for the modified IPE the licensee searched for pre-initiator human events and in particular for events related to re-alignment of manual valves after test or maintenance and to miscalibration. After examining BNGS procedures and operational history, the licensee identited at least four events that were pre initiator misalignment events (none of which were miscalibration). However, the licensee qualitatively screened the majonty of pre-initiators on the basis of procedural check offs, independent verification and indications in the control room. The licensee's conclusion was that while errors do occur, they are rare. *no pattems were identified" and "no vulnerabilities existed." The staff finds the licensee's quahtative examination for pre-initiating events in the revised IPE sufficient for identifying a vulneraklity at BNGS; however, the staff, does not believe that the elimination of the majority of pre-initiator events from quantitative assessment on the above basis is completely justified. Very often in a PRA low probability events such as pre-initiators, because of their common-cause potential, are proven to be important contributors to risk.

In the modified IPE the licensee completely revised the post-initiator human event analysis.

The licensee phmarily used the " Electric Power Research Institute (EPRI) Cause Based Decision Tree Methodology (CBDTM)" described in EPRI TR 100259, while the Technique for Human Error Rate Prediction (THERP), described in NUREG/CR-1278, was used in the base IPE, The CBDTM was used to quantify the likelihood of enots in detection, diagnosis, and decis!on making, and THERP was used to quantify errors associated with task execution.

Compared with the method used in the base IPE for BNGS, the combination of the CBDT and THERP methods provide a more realistic basis for assessing post initiator human actions. Therefore, most of staff's concems associated with the way THERP had been applied in the original IPE are not applicable for the modified IPE In order to address these concems, the licensee rea.ialyzed approximately 35 "important" post-initiater human actions

- (importance was based mainly on risk achievement worth values) and new actions added as a result of changes to the fault or plant response t'ees. The staff finds that the licensee adequately addressed dependencies between human enors, performance shaping factors and with the use of CBDTM, the licensee better incorporated diagnosis errors and actual plant design and operating characteristics.

Regarding the treatment of time, unlike other EPRI methods, the CBDT method incorporates time implicitly. Therefore, for those situations where the time available versus the time a required 'c perform the aJon is short, the likelihood of the operator failing may be in~ eased due to the short (or perhaps insufficient) time frama since time is not explicitly treated.

Consequently, with the CBDT method, the potential exists for underestimating HEPs for events with short timeframes. However, the licensee did state that time pressure was taken into account by increasing the stress factor (addressed within THERP) in the eveluation of the basic HEPs. A review of these actions, their timing, and the associated HEPs suggests that the revised HEPs are not unreasonable.

Based on the licensee's IPE process used to search for decay heat removal (DHR) and intemal flooding vulnerabilities, and review of BNGS plant specific features, the stati finds the licensee's DHR evaluation consistent with the intent of the USI A-45 (Decay Heat Removal Reliability) resolution. No other specific unresolved safety issues (USis) or generic safety issues (GSis) were proposed for resolution as part of the BNGS IPE.

3

The licensee evaluated and quantified the results of the severe accident progression through the use of BNGS plant specific phenomenological evaluation summaries. The licensee's back end ac alysis has considered important severe accident phenomena. Among the BNGS conditional containment failure probabilities the licensee reported that early containment failure is 0%; late containment failure is 30% with overpressurithiion (due to steam generation or accumulation of non-condensible gases) being the primary contributor, bypass is 7% with SGTR sequences being the primary contributor, containment isolation failure is

<1% and the containment remains intact 63% of the time. The values for bypass and late containment failure increased from those in the base IPE to those in the modified IPE. The increase in the containment bypass release probability (from 0.04% to 7%)is primarily due to the addition of the SGTR sequences stemming from the change in the treatment of the SAM sequences as discussed above. The late containment failure probal?;ity increase (from 8%

to 30%)is a result of additionalloss of ESW sequences as a result of the inclusion of the pipe breaks in the ESW system, as discussed previously.

The s'aff's overall assessment of the back end analysis is that the licensee has made reasonable use of back-end techniques in performing a back-end analysis and that they considered severe accident phenomena, it must be noted, however, that in the quantification model the BNGS IPE back-end analysis did not include important containment phenomena (i.e., steam explosion, hydrogen combustion and direct containment heating) that may cause ,

early containment failure. Although in response to an RAI the licensee provided a rough estimate of 1% from these unlikely failure modes, lack of consideration of these failure modes in the IPE in a structured way such as provided by a containment event tree precludes a systematic means to examine the relative importance of these failure modes and possible recovery actions for these moties. The licensee's response to containment performance improvement program recommendations is consistent with the intent of GL 88-20 and the

- associated Supplement 3.

Some insights and plant specific safety features identified at BNGS by the licensee are:

1. Ability to perform bleed and feed cooling.

, 2. Each plant has a large condensate storage tank (400,000 gal.) and has an attemv.e.

auxiWary feedwater supply from the ESW system cooling pond.

l s. m =

3. Two auxiliary feedwater pumps; one motor driven and one diesel driven.

4. Eight hour battery capacity without load shedding, j 5. There are two ESW pumps per unit, with a cross-connection capability between the units. One pump per unit is sufficient for shutdown.

6. There are five component cooling water pumps, two dedicated to each unit and one swing pump which can be aligned to each unit.

7. There are four reactor containment fan coolers, only one of which is required for containment cooling.

4 l

-- ==~ _ -.- ,

I %

8. Establishment of high pressure recirculation from the sump requires manual actions of the operators to align the discharge of the RHR pumps to the suction of the safety injection or charging pumps.

g. Two diesel generators per unit. The emerg9ncy buses can be cross connected, and each diesel generator has the capacity to to power one emergency bus at both units at the same time, in Enclosure 4 (Braidwood Modifed IPE Results) of the modified IPE submittal, the !!censee indicated that the resuhs of the BNGS PRA were evaluated against the NUMARC Severe Accident Closure Guidelines (NUMARC g1-04). The licensee did not define a vulnerability, ;

but they did identify plant modifications or enhancements as discussed below: 1

1. In their letter transmitting the modified IPE, the licensee indicated that their analysis did disclose a " potential vulnerability", and indicated that ".. a modification is being considered.... which will mitigate this potential vulnerability." This pa*ential vulnerability involved a dual unit loss of ESW from flooding. Water from a p8pe break in the ESW system can flow through a common duct resulting in flooding of both ESW pump rooms. The licensee did not identify specifics but, in the section of the modified IPE submittal addressing the " Revised Initiating Event Frequencies for Loss of Service Water," the licensee indicated that a modification to the vent duct on the 330 ft. level of the auxiliary building, is being addressed. According to the licensee, this modification will prevent water from the auxiliary building floor drain sump room from overflowing into the ESW pump rooms. Giving credit for this modification in the modified IPE, the CDF contribution for dual loss of ESW due to pipe breaks decrease from about 4E 5/yr to about 6E-6/ry.

2. In the modified IPE, the licensee indicated that procedures were available and credit was given for crosstieing either or both 4KV ESF buses (141 to 241,142 to 242) to the other unit on loss of power to the buses on the other unit. Credit for this procedural enhancement reduced the contribution from dual and single loss of power from about 2E 5/ry to about SE 6/ry.

3. The BNGS has a cavity deslJn that does not allow water to flow from the containment b..ement to the reactor cavit)hby way of the cavity instrument tunnel. As a plant .

enhancement ret iting from the Level 2 analysis, an opening has been pmvided I-the access plate to the instrument tunnelin Unit 1, and a similar one is planned for Unit 2 for the "next" refueling outage.

Ill. CONCLUSIONS On the basis of these findings from the review of the modified IPE submittal, the staff finds that the licensee's IPE is complete with regard to the information requested by GL 88 20 (and associated guidance, NUREG 1335) and concludes that the licensee's IPE process meets the intent of GL 88 20.

It should be noted that the staff's review primarily focused on the licensee's ability to examine

, the Braidwood Units 1 and 2 for severe accident vulnerabilities. Although certain aspects of 5

. e emer.amm deWe * * * =mutuss eve =.M w e w =w. stamue < en, .ese m .

the IPE were explored in more detail than others, the review is not intended to validate the accuracy of the licensee's detailed findings (or quantification estimates) that stemmed ,

from the examination. Therefore, this SER does not constitute NRC approval o.- !

endorsement of any IPE material for purposes other tha. those associated with meeting the intent of GL 88 20. >

(

O e

l l

l s a ,

i i

l +

6 t

L

i * *- *N e4 h ee w mw.e-.., , , , , , ,

-- , _ - - r, . . - . , - .-o-w- e-,<-- ,-----r -- --,,n<, --,-e- , ,-- ,--,-g-- - -

,,-,r- ,.,g,-p-- . - - -m-w.,--\.q- o-

. . ._ . . . . ._ . _ _ - . - . . . . - . . ~

. . .-. - - - .. . - . . . . . - . = _ . . = - . _ = . = . .

A e

1

+, ,

I i

i i

1 i

t I

f APPENDlX A i

BRAIDWOOD NUCLEAR GENERATING STATION

' INDIVIDUAL PLANT EXAMINATION TECHNICAL EVALUATION REPORT k

a f;. A I

I

{

t>

.,.l

+

.f- - {. . s

,1 .u. no w. .n+ n- .

TECHNICAL REPORT FIN W4449 07/30/97 l

TECHNICAL EVALUATION REPORT OF THE IPE SUBMITTAL AND ,

RAI RESPONSES FOR THE '

BRAIDWOOD STATION

! Zoran Yusicki l

t John Forester' I C. C. Lin '

i i

Department of Advanced Technology Brookhaven National Laboratory l

Upton, New York 11973

e. w =

l 1

l i

Propered for ww U.S. Nucteer Regdstory Commmemn E Ofnce of Nw:iear RegJetory Research

Coreact No. DE-AC02-76CH00016 l

' San 6 National Laboratories

}.]h$$b

-=- - - - - - . - . . . - , .. _~. - . . - - - - - . . - .

i CONTENTS :

i

Page p EXECUTIVE S U MM ARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v ;

NOMENCLATURE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxill i

1. INTRODU CTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.1 Review Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I ,

1.2 Plant Characterization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 ,

2. TECH NICAL REVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 '

2.1 Lloensee's IPE Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 -

2,1.1 Completeness and Methodology . . . . . . . . . . . . . . . . . . . . . . . . .7 2.1.2 Multi Unit Effects and As-Built, As-Operated Status . . . . . . . . . . . . . . 9 2.1.3 Licenses Participation and Peer Review . . . . . . . . . . . . . . . . . . . . . 10 10 2.2 Front End Technical Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Accident Sequence Delineation and System Analysis . . . . . . . . . . . . . 10 2.2.1 16 2.2.2 Quantitative Process . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . 22 2.2.3 Interface lssues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 2.2.4 Internal Flooding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

2.2.5 Core Damage Sequence Results . . . . . . . . . . . . . . . . . . . . . . . . . . 25 28 2.3 Human Rel: ability Analysis Technical Review . . . . . . . . . . . . . . . . . . . . . .

28 2.3.1 Pre-Initiator Human Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . '

31 2.3.2 Post-Initiator Human Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . '

2.4 Back End Technical Review . . . . .............................37 37 2.4.1 Containment Analysis / Characterization . . . . . . . . . . . . . . . . . . . . . .

2.4.2 Accident Progression and Containment Performance Analysis . . . . . . . 44 ,

2.5 Evaluation of Decay Heat Removal and Other Safety issues and CPI . , . . . . . . 48 2.5.1 Evaluation of Decay Heat Removal . . . . . . . . . . . . . . . . . . . . . . . . 48 L 2.5.2 Other GSis/USls Addressed in the Submittal . . . . . . . . . . . . . . . . . . 50 L' 2.5.3 Response to CPI Program Recommendations . . . . . . . . . . . . . . . . . . 50 l

2.6 Vulnerabilities and Plantitnproveraents . . . . . . . . . . . . . . . . . . . . . . . . . . 50 =

I Vu erability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 2.6.1 '

l 2.6.2 Proposed improvements and Modifications . . . . . . . . . . . . . . . . . . . 52 55 ,

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS . . . . . . . . . . . . . . . . . .

4. REFEREN CES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

.a.

til f

3 8' N#* + -e.+**M We+m -a -,w .

% -y--yr,---- -e- ew,+--e a-,,w-w,<

+ww.,----i -n-w -a+-+-r,-=v=-g -w w-= +4ws- -

-+WT---w-

l , ,

l \

l TABLES l

Page E-1 Plant and Containment Characteristics for Braidwood Nuclear Power Station . . . . . . . . . vil E-2 Accident Types and Delt Contribution to the CDF . . . . . . . . . . . . . . . . . . . . . . . . . x E-3 Initiating Events and Delt Contribution to the CDF , . . . . . . . . . . . . . . . . . . . . . . . xi

-E4 Containment Failure as a Percentage of Total CDF . . . . . . . . . . . . . . . . . . . . . . . . . xv 1 Plant and Containment Characteristics for Braidwood Nuclear Power Station . . . . . . . . . 5 18 2 Comparison of Failure Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Comparison of Common Cause Failure Factors . . . . . . . . .= . . . . . . . . . . . . . . . . . 20 3

laitiating Event Frequencies for Braidwood IPE , . . . . . . . . . . . . . . . . . . . . . . . . . 21 4

Accident Types and Deir Contribution to the CDF . . . . . . . . . . . . . . . . . . . . . . . 26 5

laitiating tvents and Deir Contribution to the CDF . . . . . . . . . . . . . . . . . . . . . . . 26 6

7 Dominant Core Damage Sequences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 8 Braidwood Operator Action Top Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . _37 9 Containment Failure as a Percentage of Total CDF . . . . . . . . . . . . . . . . . . . . . . . . 46 10 NUhtARC' Categories and BwS Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 e '

'I N g 4

E t

t iV 1

1

i b t l

. EXECUTIVE

SUMMARY

- Dis Technical Evaluation Report (TER) documents the Arviings inom a review of the Individual Plant Fnaminarian (IPE) for the Braidwood Nuclear Power Station. His technical evaluation report adopts the l

NRC review objectives, which include the following:

- To determine if the IPE ' submittal provides the level of detail requested in the " Submittal Guidance Docuansat," NUREG 1335, and To assess if the IPE submittal meets the intent of Generic 14tter 88-20.

As stated in Generic Iatter (GL) 88-20, the purpose of the IPE program is for the licensee to: ~

1. Develop an appreciation of severe accident behavior. ,

-2. .

Understand the most likely severe accident sequences that could occur at the plant.

3. . Gain a enore quantitative understanding of the overall probabilities of core damage and Assloc product releases.

- 4.- - If necessary, reduce the overall probabilities of core damage and fission product releases by modifying, where appropriate, hardware and procedures that would help prevent or mitigate severe accidents.

His review addresses the reasonableness of the overall IPE approach with regard to its ability to mnit the incensee to meet the:;e goals of Generic latter 88 20. De review utilized both the information provided in the IPE submittal and additional information (RAI Responses) including an improved IPE analysis provided by the licensee, the Commonwealth Edison Company (Comed), in the response to a request for additional information (RAI) by the NRC. .

E.1 Plant Charaderization De Braidwood Station (BwS) is a two4mit nuclear power plant. Each unit is a Wetafam 4 loop pressurized water reactor (PWR) with an electrical power rating of 1120 MWe. BwS is operated by the ,

Commonwealth Edison Company. Unit I started commercial operation in July 1988, while the Unit 2 s stant date was October 1988.

A numbar of daign features at Braidwood impaa the core damage frequency. Dese are (a more detailed discussion can be found in Section 1.2 of this report):

- De plant has a food and bleed capability. De submittal indicates the block valves are normally open.

' - There are three mala feedwater (MFW) pumps, one motor driven (normally in standby) and two turbine driven (normally operating). - In addition, there is also one motor driven startup feedwater putr,1. Dere are 4 condensate / condensate booster pumps.

- Dare is one motor driven auxiliary feedwater (MDA W) and one dicsci driven auxiliary feedwater (DDAFW) pump. De diesel driven pump has its own suppott system, making it partially - <

independent of the plant's 125 V de system.

v .

1 M

e .,s-.- -..y%,w~..~. ,w.. , ,- - - . -re..,,-,, g , , . . . -m, , , ,%.~ ...y ..-_.., ,,.om.~

I

. 7 .De condensate storage tank (CST) is relatively large and there are effectively un!!mited alternate

, suction sources.

' De reactor coolant pumps (RCPs) employ Westinghouse seals with charging pump injection and !

component cooling weer cooling of the thsmal barriers. De seals use the high temperature O rings.

- De high head injecsion can be provided by skher of the two safety injection (SI) pumps, or by eithw of the two centrifugal charging pumps (CCPs), thus providing a high level of redundancy. Bis applies to the recirculation phase as well. De CCPs an.d the Si pumps are physically separated, a De high pressure recirculation is provided by a piggy back arrangement off the two ruidual heat removal (RHR) pumps. De switchover to low pressure recirculation is autommic, but if high pressure circulation is needed, the opwator must align the high pressure pumps to the discharge of the RHR pumps.

De refueling, water storage tank (RWST) is relatively large (415,000 gal) and can be refilled.

- - De HVAC system is a distributed systoni.

Dere is a strong dependence of the RCP seals, the diesel generators (DGs) and all high pressure pumps on the essential service water system, however there are two pumps per unit with cross-connection capability and a very large source of water from the essential service water pond.

- Dare are five CCW pumps, two dedicated to each unit, and one swing pump which can be aligned l

to either unit, with one pump / unit required for su; cess.

- Only one out of four reactor containment fan coolers (RCFCs) is sufficient to prevent containment overpressurization by steam production. In a&an, there are two containment spray trains. De RCFCs can also be used for decay beat removal, in case of failure of RHR heat removal in the recirculation phase.

Dare are two 125V DC buses per unit, and whh an associated bauery, and a charger. De batteries "

have an 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months capacity at the maximum current (without load shedding). Tie lines are provided for cross-tying ter.pective de buses from the two units.

- Dere are 2 diesel generators per unit, cooled by essential service wata and provided with r air own startup air. De diesel generators depend on station batteries. De emergency buses :.an be cross connected, and end diesel genermor has sufficient capacity to power one emergency bus at both units

- at the same time.

' Due are provisions in place to feed some non essent i st loads as well from diesel generators, such

, as the air compresors, primary water pumps and nonessential savice water pumps (cooling for the air compresors).

- Dere are 6 offsite transmission line feeding into the switchyard, thus providing a reliable offsite

. power supply, 2

l-

. l

\

J he Braidwood Nuclear Power Station utilizes a large dry containment design. De containment structure is a prestressed concrete shell made up of a cylinder with a shallow dome roof and fit:t foundation stab. I Some of the plant characteristics important to the back-end analysis are summarized in Table E-1 below and compared to those of two typical large dry containments.

Table E 1 Plant and Containment Characteristics for Braidwood Nuclear Power Station Characteristic Braldeood Zion Surry Dermal Power, MW(t) 3411 3236 2441 Containment Free volume, ft' 2,800,000 2,860,000 1,800,000 204,000 216,000 175,000 Mass of Fuel, Ibm 43,400 44,500 36,200 Mass of Zircalloy, Ibm Containment Design Pressure, psig 50 47 45 Median Containment Failure Pressure, psig 98+ 135 126 Containment Volume / Power, ft'/MW(t) 821 884 737-Zr Mass / Containment Volume, Ibm /ft' O.015 0.016 0.020 O.073 0.076 0.097 Fuel Mass / Containment Volume 71bm/ft'

+ The median contauuneet failure pressure is 125 psig for Unit I and 98 psig for Unit 2. The

lower failure pressure for Unit 2 is due to its use of the Bunker Ramo electrical penetrations which was stated in the IPE submittal to have a lower failure g>ressure.

I l

De plant characteristics imrottant to the back-end analysis are:

- 'A cavity design which does not allow water to flow from the containment basement to the reactor t

cavity via Qe cavity insuument tunnel. De removable hatch cover located at the top of the instrument i

tunnel is leak-tight for Braidwood. As a plant enhancement resulting from the Level 2 analysis, an l opening has been provided in the access 4te in Unit I which allows water to flow to the cavity.

Installation of such an opening for Unit 2 a planned for the next refueling outage.

- The large containment volume, high containment pressure capability, and the open design and significant venting areas for the subcompartments within the Braldwood containment which he!p

=

ensure a well-mixed atmosphere (a feRure which inhibits combustible gas pocking).

i

- A relatively low containment failure pressure of 98 psig for Unit 2 because of the use of Bunker l

Ramo electrical penarations. De containment failure pressure is 125 psig for Unit I which does not use Bunker Ramo penetrations.

- Two separate systems for containment atmosphere cooling and pressure suppression: the Reactor l Containment Fan Coolers (RCFCs) and the Containment Spray system. According to the IPE submittal, one of fouc RCFCs or one RHR heat exchanger (with associated recirculation train) can

. provide sufficient cottainment cooling to prevent containment overpressure failure from steam vii l

l t- wt - - -

I S

[

. production'. De RCFC is designed to remove heat from the containment as requhed following a .

design basis LOCA and, consequently, is decigned to operate in a pressure environment up to 50 psig.

- De containment spray pumps can be aligned to take suction from the RWST, or from the containment recirculation sump and one or mort RHR pumps anJ associated heat exchangers. De operation of containment spray reduces Assion product releases.

E.2 Licensee's IPE Process no licensee initiated work on a probabilistic risk assessment (PRA) for Braidwood in response to Generic Letter g3-20. De freeze data for the analysis was Daca=her 1992.

. De IPE was based on the Byron IPE, as Byron (another CECO plant) is almost identical to Braidwood.

De CECO staff did the analysis, with help from consultants (NUS, Duke Engineering Services) in specialised areas. (The Byron IPE was i=rivi-M by consultants with a review and involvement by the Commonwealth Edimn Company staff and the consultants. De CECO staff also performed some specialized facegof that analysis.)

i CBCo staff managed the IPE, provided insights to the senior management and haplemented the

. In(Iroyamash, '

n To support the IPE process, the licensee reviewed several PRA studies: WASH 1400, NUREG l!50, the IDCOR study for Zion, the Zion IPE and the Byron IPE. As noted above, this IPE relied heavily on the experience and analyses of the Byron IPE, as Byron is an almost identical CECO plant.

Utilky personnel were involved in the HRA. Procedure reviews, examinations of control room staffing ,

i l l , and layout, examinations of the " Detailed Control Room Design Reviews and over 40 operator act on '

interviews with operators helped assure that the IPE HRA represented the as built, as operated plant.

l Checklists were filled out during the interviews to docament critical plant and scenario specific aspects j

of the diagnosis and execution of an action. Factors evaluated included training on the simulator, adequacy of proesdures, need for local actions, time available for local actions, feedback to the control room for local actions, stress level, potential non-recoverable actions, etc. Other plant specific factors were addressed through the application of the EPRI Cause Based Decision Tree Methodology (CBDTM) j_

imm EPRI'llt 100259, "An Approach to the Analysis of Operator Actions in PRAs," June 1992. Both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions =

(performed as part of *he response to an accident)%ere addressed in the IPE. Important h man actions are identified and at least one proc dural change related to cross-ticing power was implemented.

De analysis was reviewed as the work was progressing as part of normal quality assutance (QA), by both the CECO personnel (including personnel from other CECO plants) and the consultants. De high level review was also performed by CECO management and management from the consultants team L (Westinghouse, TENERA and Fauske). However, the degree to which the Byron /Braidwood modified l - IPE was independently reviewed was not addressed.

1

'De residual Heat Removal-(RHR) system for decay beat removal from the RCS, although not a ,

, containment system. also provides a means of long4erm containment heat removal.

i._

3

'*^ WM

..__.-_..~_._, --m __, ,

~

De subminal indicmes the irot to maintain a 'living PRA.*.

E.3 IPE Analysis l Front-End Analysis E.3.1 4 ;

De malablogy chosen for the front end analysis was a imel 1 PRAI the large event tree-small fault tree wkh support state event tree was used. De computer code used for quantification was WESQT. i

- De IPE quantlSed the follawing initiating event categories: 4 loss of coolant ac:idents (LOCAs)

(including one interfac6ng systems LOCA (ISLOCA) caegory broken ciown into 4 pathways),5 transients '

(one general transient including several traditional categories, two lor.n of offsite power and two types of secondary breaks), one steam generator tube rupture (SGUt), 7 suport system laitiators and one - ,

flooding category (with two domlamm scenarios shown in the initising wents (IE) section). De IPE l developed 15 plant response trees and two support state event trees. A flooding analysis was also Performed. . .

Sucoms crkeria were based on best estimate plant response veri 6ed by MAAP runs and thermal hydraulle ,

analyses. ;

Small and large LOCA success criteria were changed in the modified IPE to reflect the classical success i crkeria, according to the documentation provided. Employment of the condensate pumps (with secondary l

L depressurization) upon failure of AFW and MFW is credited.

Reactos concalament fan cooler units are given credit for decay heat removal. Credit is also given to l

RWST refill, as well as xcident management strategies, including equipment repair.

i Ce==~ heat removal systems are not considered for success in the level I analysis.

I De RCP seal cooling model assumes that both thermal barrier cooling (CCW) and seal injection must fall in order for the seals to fail. His element of the success criteria is consistent with other PWR PRA studies. De seal LOCA model is taken from WCAP40541, Rev. 2.

Pisa specific data was collected only for pumps, motor operated valves (MOVs) and diesel generators.

f' De data f: pur ps and MO vs distinguishes between the systems where the component is emr'ayed.

1

%e data used ibt some components is significantly lower than expected. On the other hand, some pump failure data are significantly birher than expected. De use of generic data for the two AFW pumps failure to run is p.;;o i.Me, since plant specific data exist which show a much higher failure re. De licenses did perform a seashivity analysis using plant specific data, which increased the CDF by 200%.

. The multiple greek letter (MGL) approach.was used to characterize common cause failures. Most L important # facsors seem now, even though CECO established a floor of 0.01 for such values. De floor was established in response to an RAI questioning low # values for some components in the original submittal. De positive feature of the licensee's common cause analysis is that most categories of osmporants commonly associated with common cause failures are modeled to exhibit such failures.

ix .

,w + m.,--,,n -- m a s n --w. .v-. - - - ov - - -. - - w r-n- - r- - ~~-w - ~-- -, e,- -- - ~ ~ - -~- - - - - - - - - - -- - - -

The internal core damage frequency (CDF) is 2.82E 5/yr. De internal accident types and initiating events that contribute rnost to the CDF and their percent contributions are listed below in Tables E-2 and E-3:

Table E 2 Accident Types and Their Contribudon to tk CDF8 Initiating Event Group Contribution to CDF (/yr) %

less of offsite power 8.77E4 31 Imss of support system 8.39E4 30 LOCA 7.70E4 27 SGTR 2.44E4 8.6 General transibt 6.43E-7 2.3 Secondary side breaks 3.36E-7 1.2 Internal flood 3.5E-9 0.02

~

(Station blackout) (7.87E4) (28)

(ATWS) (2.2E-7) (0.8)

(ISLOCA) (1.01E-7) (0.4)

TOTAL CDF 2.82E-5 100.0 j

33 w =

Categories in parentheses (e.g., station blackout) are not separate initiator types but are included in other categories (e.g., SBO is included under LOOP and transient).

x l

L

Tab!c E 3 initiating Events and Their Contribution to the CDF Initiating Event freq y , [DF %

(lyr) _

Dual unit loss of essential service water 5.58E4 5.58E-6 19.72 Dual unit loss of offsite power 1.32E-2 5.16E-6 18.22 Single unit loss of offsite power 3.22E-2 3.62E-6 12.79 Large LOCA 3.00E-4 2.59E4 9.15 Small LOCA 6.30E-3 2.57E4 9.09 8.00E-4 2.44E4 8.64 Medium LOCA 1.10E-2 2.44E4 8.63 SG7R less of CCW 5.91E-5 1.13E4 4.00 Single unit loss of essential service water 5.65E 4 1.03E4 3.63 General transient 3.00 6.43E-7 2.27 5.05E-4 5.97E-7 2.11 Loss of 125V dc bus 111 l

1.80E-3 1.25E-7 0.44 Feedline break inside containment ISLOCA 1.01E-7 1.01E-7 0.36 1.80E 3 8.94E 8 0.32 f Feedline break outside containment 1.80E-3 6.07E-8 0.21 Siemmline break inside containment 1.80E-3 6.03E-8 0.21 Steamilne break outside containment >

Loss of 2 ingle ac bus 142 , 3.55E-4 157E-8 0.09 ,

. l.oss of a single ac bus 1 3.55E-4 2.47E-8 0.09 I

less of instrument air 4.30E-4 4.15E-9 0.01 Internal flooding, zone 11.6-0 1.89E-5 2.03E-9 0.01 Internal flooding, zone 8.3-1 1.30E-4 1.50E-9 0.01 l .-

i E.3.2 Human Reliability Analysis

Ihe HRA proess for the Byron /Braidwood modified IPE addressed both pre-initiator tetions,(performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response to an accident).1he analysis of pre-initiator actions included both miscalibrations and restoration faults.

xi 4

i

. However, while a thorough analysis and evaluation of plant specific data relating to pre-initiators was j

performed, only four restoration faults were actually included in the PRA models. All others were dismissed on the basis of qualitative (and in a few cases quantitative) screening criteria. ,

Post-initiator human actions modeled included bo6, response-type and recovery type actions. A post-Initiator screening analysis was not conducted. All human actions included in the logic anodels were given detailed quantification analysis in the original IP3. For the modified IPE, the PRT and fault tree t post Initiator response type human actions with a risk achievement worth ((RAW), "using the original IPE model, enhanced quantification") greater than 2.5 and ."those added as a result of changes to the PRTs and fault trees," received a complete reevaluation. In addition, PRTs that " contributed eW.W,My to CDF in the original IPE were identified" and "the operator actions (OAs) in these trees, ,

including the conditiond probabilities, were evaluated on a sequence specific basis to identify conditions of stress, dependency, and availabilhy of recovery opportunities and were requantified when necessary." .

Remaining HEPs were reviewed for reasonableness and "for selection of the appropriate value for each branch of the PRTs." ne PRT OAs "were also reviewed to identify those actions which might be described as time-criucal." Dat is, "those for which the estimated time to accomplish the mion was greater than 25fof the estimated time available before some undesirable state was reached."

As noted above, post-ir tor response type human actions were quantified using the EPRI CBDTM, which has been referred to as a cause-based approach. Recovery of failed equipment was quantified on the basis of mear time to repair data from WASH.1400. Other recovery type actions modeled were i assigned a screening value'of 0.1. Cince all of the recovery related sequences were *long-term," an HEP of 0.1 is not unreasonable. Human errors were identified as important contributors in accident sequences leading to core damage.

E.3.3 Back-End Analysis t

He methodology employed in the Braidwood IPE for tte back-end evaluaten is clearly described in the submittal. Unlike most other IPEs, which develop and use containment event trees (CETs) for Level 2 analyses, a single event tree, the plant response tree (PRT), is used in the Braidwood IPE for both Level l

1 and Level 2 analyses. De PRT developed in the Braidwood IPE explicitly includes the analysis of contakunent systems normally assessed in the Level 2 analysis. De containment condition is addressed in the PRT by the development of success criteria for containment integrity, detennined by deterministic analyses of containment performance using a failure pressure of 98 psig. MAAP analyses are used to m,

deterir-ine the containmant hest removal requirements-to prevent containment failure tollowi g any event in which ma and energy rae releas d to the containment.

! Besides =**1a==* bypass and =*=1==* Isolation failures, only late containment overpressure failure due to loss of =*=1=ent heat removal is considered in IPE quantification. All other containment failu:e madae identified in NUREG-1335 are addressed in the IPE by Phenomenological Evaluation Summaries (PESs, prepared in support of the IPE, but not included in the IPE submittal) and, based on the results

! aheninad from the PEss, dismissed as "unlikely failure modes" and not included in matninmaat failure l quantification.

l 1 - Since the containment failure pressure used in the PESs for the determination of the "unlikely failure anodes" (98 psig) is the median failure pressure, a small, but finite, containment failure probability may xii

./

.I .l_._..__. _E_._.m.,_...~ ._.. ., _

L.

L l

be obtained if the containment fragility curve, instead of its median value, was used in the PESs' Using the loads estimated in t@ PESs and the containment fragility curve, the licensee obtained a conditional containment failure probability of about 1% for the containment pressurization mechanisms not included I

in IPE quantification (i.e., steam explosions,' DCH, hydrogen deflagration, and hydrogen detonation).

Although the estimated contributions to containment failure probability from these "unlikely failure modes" are smali arc cheir exclus;on from containment failure quantification may be justified, the lack i- of consideration of these failure modes in the IPE in a structured way, such as that can be provided by s CET, precludes a systematic means to examine the relative (quantitative) impv&rs.4 of these failure '

modes (with the consideration of uncertainties)* and the effects of some recovery actions (e.g.,

depressprization) on these failure modes.

> Tempersure-induced steam generator tube rupture, which is considered in some IPEs for high-pressure

=1==, is not addressed in the Braidwood IPE. It is neither includei in the PRT nor addressed in the PESs. In response to an RAI, the licensee developed a decomposition eveut tree to evaluate the probabilities of temperature in<luced RCS creep rupture (including hot leg or surge line failure as well as induced SGTRJ. De parmatars (or top events) considered in the event tree include the probability

of RCP restart and the probability of loop seal clearing. Quantificttion results indicate an overall probability of induced SGTR of 18%. The probability S increased to 24% if the RCPs are rastarted by the operator. Although these high probability values do not seem to justify the omission of this failure mode from IPE quantification, further discussion is not provided in the response, it is noted, however, that these probability values are obtained based on an analyst's judgement and may be overly conservative. (The probability of induced SCTR obtained in the RAI response is much higher than that obtained in NUREG-Il50.) Since containment bypass from SGTR initiated sequences is the dominant failure mode in the IPE, additional contribution to conta'mment bypus from induced SGTR may not l

change significantly the release profile of"the plant. However, this issue needs to be reexamined if

, contribution frorn the SGTR initiated sequences to the total CDF is si;,nificantly reduced in a future IPE update. i Results of the PRT analysis for Level 2 are grouped to plant damage states (PDSs). Release fractions are :

I determined by the analyses of 12 representative sequences using the MAAP cornpcer codes. Based on containment failure timing, containment failure mode, and the fractional relerse of fission products, the PDSs are further grouped to eight release categories.

Since a single event tree, the PRT, is used for both Level 1 and Level 2 analyses, the grouping of Level I results :o pla-t damage shtcs (PDSs) is not ne::essary in the Braidwood IPE. However, r,quece grouping is used in the Braidwood IPE to consolidate the large number of accident sequences obtained from the PRT analysis into a small number of damage states (or plant damage states, PDSs). De intent

Ibe conditional containment failure probability can be almost 50% for a conMa==* pressure load close to, but less than,98 psig

'lhe mean pressure load used in NUREG-1150 for Zion is higher than that obtained in the PESs. De conditional containment failure probability from the energetic events associated with IIPME could be much higher because of the relatively bw containment failure pressure for Braidwood.

xiii -

I

. __~ -

~z T . _ _ -

1 .

of this grouping is that all sequences within a particular damage state can be treated as a group for assessing accident progression, containment response, and fission product release.

Contributiom to the tetal CDF from the PDSs with various accident initiators are: 28% from SBO mm,23% from PDSs with sequences initiated by loss of essential service water (ESW),9% from small LOCA sequences,9% from large LOCA sequences,9% from medium LOCA sequences,8% from SGTR sequences, and 0.4% from ISLOCA sequences. The most probable PDS is XL6K (19% total CDF), a PDS of loss of ESW sequences with late core melt, lors of all ECCS injection, and a late containment failure wi^ up to 0.1% of the volatiles released.

Ibis is followed by BI4S (12% total CDF),

a PDS of SBO sequences with intermediate core damage timing, failure of high presure ECCS injection, ard no containm:nt failure; AE6S (9% of CDF), a PDS oflarge LOCA soo;2ences, with early core melt, the failure of all ECCS injection, and no containment failure; SX9S8 (7% CDF), a PDS of small LOCA sequences, with recirculat!on failure, and no containment failure; and MX^S, a PDS of medium LOCA sequences, with recirculation failure, and no containment failure.

i Table E-4 shows a comparison of the conditional probabilities of the various containment failure modes obtained from the Braidwood IPE with those obtained from the Surry and Zion NUREG-1150 analyses.

Results from both the original and the Modified IPE' are presented in Table E-4.

As shown in Table E-4 , the conditional probability of containment bypass for Braidwood is 6.8% of total CDF, all of which is from steam generator tube rupture as an imtlating event. As discussed above, induced SGTR is not addressed in the IPE. Inclusion of inducej SGTR will increase the total contribution frcm centainment bypass, but is not capected to change significantly the release profile of the plant because of the already significant contribution from SGTR to early bypass releases.

, Since all phenomena that may cause an early containment failure are considered in the IPE as unlikely" to cause containment failure and not incbded in containment failure quantification, the conditional probability of early containment failure for Braidwood is zero. The probability of containment isolation failure is 0.8%, and the major contributors to isolation failure are small LOCA, loss of de power, SBO, and loss of ESW sequences, s s .

Ibe second character of this PDS designator, X, which indicates core damage timing, is not dermed in the IPE submittal (Table 4.1.3-2).

' Modified IPE results are provided in Enclosure 3 of the response to the RAI.

xiv

- . . - . , . - - - - .- - - - . _ . .- -. .- - -.- -..._- -.~ ._ -. -

7 p1.;

W ..

- Table E 4 Containment Failure as a Percentage of Total CDF .

=

. Original - Modified Zion '

~ I'"I NUREG-1150 NUREG-1150 .

Failure Mode IPE E Negligible + + + Negligible + + + 0.7 1.4 Early Failure Late Failure 8.4 29.6 5.9-0.04- 6.8 12.2 0.7 Bypass ,

i '

Isolation F !!ure 0.2 0.8 l 91.4*" 62.8"* - T' , 73.0 latact - ~ t 2.7E-5 2.8E-5 4.0' . i t 4E 4 CDF (1/ty) .

+ 'Ibe data pressoled for Braadwood are hosed on Table 1.13 of the 3 Nt7 lihed by es liosasse's r==ra=== to RAI 1.mvel 2 Queshoe 3.12.

++ 'Ihe data presamled in this coluaan are based on Table 4-8 of Encl os % s. mod Modified IPE results" of the hosesee's response to RAI. J

+++ The phenomsma that may coupe early containment failure a:3 not oc:esaered in '

-'cominia===t failure quantifimhan based on Phenomenological Evaluation Summaries prepared by FAl.

Included b Early Failure, approximately 0.02%

4

'- ,- Included in Early Failure, approximately 0.5%

- - The probabdity of "latact" anasala==as for Braidwood include that from "no aa=*=i=====*

Silure within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months , but failure could eventually occur without further mitigatag action" (2.8% CDF in the original IPE submittal and 9.3% in the modified IPE results).

De conditional probability of late containment failure for Braidwood is 29.6% of total CDF. It is n

primarily from' containment overpressure failure due to loss of containment heat removal. Because of the !

long time it takes to penetrate the containment basemat, late containment failure by basemat melt-through is not considered a a credible Wa==* failure mode in the IPE even if the debris is not coolable. The prima contributors to late containment failure are loss of ESW sequences (66% of late failure) and SBO sequences (23% of late failure). For individual initiating events, 84% of loss of ESW sequences,44%

of steam (or feed) line break sequences,24% of SBO sequences, and 21% of SGTR sequences result in t.

late failus.. The conditional probaMlity g late failure for LOCA sequences is small, less than 2%. ,

Comparison of the tcsults imm the modified IPE and the original IPE (see Table E-4) shows a signiticant increase in contahunent bypass and late containment failure probabilities for the modified IPE. He .

increase in containment bypass release probability (from 0.04% to 6.8%) is primarily due to the change in the treatment of the SGTR initiated events in the IPE. While most of the SGTR initiated events were considered in the original IPE to lead to a

Success with Accident Management (SAM)" end state (and thus were not considered for Level 2 soutce term analysis), some of these sequences, with additional evaluation, were considered as core damage sequences and grouped to the contakunent bypass release group in the modified IPE. De increase in late containment failure probability (from 8.4% to 29.6%)

. is primarily due to the significant increase in the probability of loss of ESW sequences in the modified

IPE (less than 1% in the of.ginal IPE and 23.3% in the modified IPE). ESW secuences are more likely to lead to late containment failure than other sequences because of the loss of cooling to the frontline XV s%ewwvv w - - - ~ w - - r- + r- aw-* f e.-e-a w , -e + s- - - , =r- --" - - - - + - ,- r-+ -

i i

, j .

systems. For example, level 2 results indicate that while over 80% of ESW sequences end with late containment failure, less than 25% of SBO sequences end with late containment failure. _

Source terms obtained from MAAP code calculation res0lts 'are provided in the submittal for 10 sequences.' De sequences selected for source term calculations include one SGTR sequence,2 SBO seguances,3 small LOCA seguences, I loss of ESW sequence,1 loss of offsite sequence, and two steam line bnnk sequences. Sequence selecsion is based on the frequency of the sequences in the representative PDS in a PDS group, which may include a few PDSs and is used to reduce the number of MAAP l

. calalations for source term characterization. Although sequence selection and the assignment of release frsctions for source term definition seem adequate, there are some questions. For example, the most probable PDS, X14K with 19% total CDF, is grouped to a much less likely PDS, Li4K with only 0.2% J total CDF and LI4K is selected as the representative PDS. De selection of a low frequency sequence (Sequence 86,2.67E-8) to represent all the sequences in this PDS group (which includes the number 1 sequence with frequency of 4.5E-6) should have been justified by further discussion'. Even if the source terms for Spence 86 (0.1% of total CDF) can bound those for Sequence 1, the sequence with the most

. dominant CDF contnoution (16% of total CDF for Sequence 1) should be analyzed (or exambed in more detail) to provide Bata for IPE quantification and source term definition. On the other hand, the MAAP

- calculations performed in the IPE provided a reasonable coverage of the sequences that could occur at

- Braidwood to allow a quantitative understanding of fission product releases of Braidwood.

Another question related to source term characterization is the assignment of Release Category C for SG'IR sequences. According to the IPE submittal, Release Category C has a release fraction of volatile fission products of up to 0.01. Since the MAAP calculated release fraction of volatile fission products for the SGTR sequence is 0.27, the assignment of SGTR sequences to Release Category C is not appropriate. The correct assignment should be Release Category T (up to 50% volatiles released).

De licensee agreed in a telephone conference call (involving NRC, BNL and Comed personnel) that, based on ti e information presented in the IPE submitte (including the RAI response) Category T is the mrrect release category for SG'IR sequences. De assignment of all SGTR sequences to the T Category, although conservative, is acceptable. -With this change, the conditional probability of significant early release (i.e., for volatiles release greater than 10%) for Bralds ood is 6.8%, an average value in IPEs for PWR plants with large dry containments, l

Al&ough the MAAP calculation performed in the IPE for the SGTR case may be conservative because the relief valves on the secondary side were assumed to fail open (e.g., due to excessive acting) in the o calculation, .here is no basb in the 'PE subminal and the RAI responses to assign the SGTR sequences to the C Category. Any future effort (e.g., additional MAAP calculation) to justify the assignment of

~

i the SGTR sequences to. Category C needs to address the probability of SG valve failure due to adverse -

operating conditions in severe accidents.

% selection is appropriatt., in the original IPE submittal because the contribution from XI4K is l

negligible XIEK is the dominant contributor only in the modified IPE results, not in the original IPE D results.

L i

L xyj L

c

, . . _ . - . - ._m.. . . .

, t

+

De sensitivity studies performed in the Braidwood IPE involve varying certain MAAP model parameters in MAAP calculations for selected base <:ase sequences. De ranges of MAAP model parameter variation for IPE sensitivity analyses are based on the recommendations provided in EPRI documentation. De parameters investigated inct*le those associated with RPV failure timing, containment failure timing, and fission product releases. De effects of containment phenomena (e.g., DCH) on containment failure probabilities are not evaluated in the IPE because most containment failure modes are considered as "unlikely" to cause containment failure and thus not included in the quantification. However, they are discussed in the PESs, and rough estimates of the effects of some of the phenomena are discussed in the response to the RAI.

E.4 Generic Issues and Containment Performance Improvements De IPE addresses decay beat removal (DHR).

Different methods of decay her removal are addressed for different types of accidents. Availabilities of these systems dueto hardware failures and operator errors are disessM. Contribution of DHR to core damage is discussed (over 80% in the original IPE, about 60% in the modified IPE), along with insights as to the contributing factors. it is stated that failure in the 4kV ac system plays a major role, and it is shown how utilizing the inter unit crosstie helps reduce this contribution substantially (from the original IPE value).

No DHR vulnerabilities are found and the licensee considers the DHR issue resolved.

No additional generic issues are discussed in the submittal.

E.5 Vulnerabilities and Plant Improvements De licensee states 'here is a potential vulnerability related to flooding and remedied by improvement 2 below.

Two Level 1 improvements have resulted from the IPE process. De IPE takes credit for both. In addition, the submittal states that the CECO's insights process identified numerous insights for procedure A=ments to improve operator response, both before and after core damage, as well as strategies and features to be included in Severe Accident Management Guidance it is stated in the submittal that much

.s of the gen-ric guidance in thf Westinghouse Owners Group Severe Accideat Management Guideling is based on the insights from the Zion and Byron (i.e., Braldwood) IPEs.

He following two Level 1 improvements are discussed:

1) Cross-tying emergency ac buses. His insight was identified in the orig'maLIPE. Emergency procedures developed as a result of the blackout rule directed use of this cross'ie in the event of an SBO. De principal insight from the original IPE was that there were other situations for which the cross-tie is valuable, i.e., one bus deenergized and equipment on the other bus failed.

His procedural improvement has been implemented.

2) Scaling the essential service water pump room ventilation duct. His would prevent a dual unit flooding initiating event which would disable all four essential service water pumps. A Xvii -

, y w--. e-,- a =tm.i,c w.

- p 4 -

-.,m-.mn, e -- p

2

?;

-* modification is' being developed to prevent the flooding, although installation dates have not yet

. been established. l Both of these improvements have a significant impact on the core damage frequency.

De plant enhancement resulting from the Level 2 IPE acalysis is the installation of an opening in the reactor cavity cover plate. His opening permits adequate flow of water to the reactor cavity from the -

containment basement to immerse the vessel lower head. While the benefit of such an opening was not quantified in the IPE, the licensee clearly felt that water in the reactor cavity is beneficial. According to licensee's response to the RAI, an opening has been provided in the access plate in Unit 1. Installation - '

of such an opening for Unit 2 is planned for the next refueling outage.

~

E.6 Observations -

De licensee appears to have analyzed the design and operations of Braidwood to discover la=*=a= of ,

particular vulnesability to core damage. It also appears that the licensee has: developed an overall appreciation of severe accident behavior; gained an understanding of the most likely severe accidents at

- Braidwood; gained a quantitative understanding of. the overall frequency of core damage; and implemented changes to the plant to help prevent and mitigate severe accidents.

The strengths of the level 1 IPE analysis are: comprehe isive treatment of plant specific initiating events; ,

applying the mmmon cause analysis to most types of components; the plant specific data which was collecsed for several systems (such as specific data for pumps and MOVs); derivation of insights; decay heat removal discussion; RAI responses were generally very detailed and thorough; and the discussion of IPE modifications was also very-comple% with genetally a credible analysis behind such-

, modifications, ne weaknesses of the Level 1 analysis are:

1) Dere are questions about some of the data used, for exampic employment of generic data for the MDAFW and DDAFW pumps when plant specific data indicated much higher failure rates.

2) In general, there is a lack of plant specific data (which was collected only for the diesci

. generators, the pumps and th MOVs).

4 , ,

3) -

Some of the common cause tactors used are still low, even with establishment of the floor for such values in the modified IPE (this is somewhat offset by performance of a sensitivity analysis).

De HRA review of the Byron /Braidwood modified IPE did not identify any significant problems or e.rors. A viable approach was used in performing the HRA and nothing in de licensees submittal indicated that, based on the HRA. It failed to meet the objectives of Generic 1.mtter 88-20. Important elements (including weaknesses) pert

ment to this det:rmination include the following:

'1)i - De modified IPE indicates that utility personnel were involved in the HRA and that the procedure

- reviews, plant examinations, and operator action interviews represented a viable procc 4 for e confirming that the HRA portions of the IPE represent the as-built-as operated plant.

xviii '

- .,w-,em*.-e< m +g,e

m~, ~ -

t

2) De analysis of pre-initiator human actions included both miscalibrations and restoration faults.

However, while a thorough analysis and evaluation of plant-specific data relating to pre-initiators was performed, only four restoration faults were actually included in the PRA models. All others were dismissed on the basis of qualitative (and in a few cases quantitative) screening criteria.

While the approach was not without merit, the lack of a full nodeling of prednitiator events (and the lack of a clear explanation of the pre-initiator quantification technique) must be considered a minor weakness of the modified IPE.

3) The combination of the EPRI Cause Based Decision Tree Methodology (CBDn') and THERP (NUREG/CR 1278) provided a reasonable basis for assessing post initiator response type human actions. The CBDTM as applied in the Byron /Braidwood modified IPE does a good job of assessing the diagnosis portion of operator actions. In addition, the impact of plant-specific performance shaping factors was adequately addressed. One limitation of the CBDTM is that it does not, in itself, have a unique approach for analyzing time-critical actions. That is, those actions where the difference between the time available and the time required to perform the actions is port and the possibility exists for the opiars to fail to accomplis' *.he actions in time, are not evaluated directly as a function of time. Therefore, even with the CBDTM, the potential exists for underestimating HEPs for short time frame events. However, the licensee performed an acceptable evaluation to ensure that short-time frame evetrts were not inappropriately quantified.

- 4) A thorough treatment of dependencies between post-initiator operator actions was conducted for the modified IPE.

5) De Byron /Braidwood modified IPE presents a list of the important " operator action nodes" as a function of their contributian to CDP. 'Ihc licensee noted, however, that "in these lists all cases of each operator action are combLed." For example, the OSX event includes OSX-I [ HEP Byron

= 1.33-3, Braidwood = 4.0E-4] for LSX sociuences as well as OSX-4 [ HEP = 1.0] for DSLX sequences. As stated by the licensee, "thus, the operator action importance can be misicading since it includes cases of defined failure [ HEP = 1.0]." In addition, the top event report does not include events in the fault trees. Dus, the' list does not p ovide useful information about important human actions.

The strengths of the Level 2 analyses are the in-depth examination and plant specific evaluation of f

i

" important containment phenomena in tife Phenomenological Evaluation Summaries (PESs), and the =

extensive MAAP calcularb performed for source term definition and sensitivity analyse:. It see:r that the licensee has developed an overall appreciation of severe accident behavior and a quantitative understanding of the overall probability of core damage and radioactive ma:erial releases. De licensee has also addressed the recommendations of the CPI program.

j Dere are some weaknesses in the Level 2 IPE.

i l I) "Ibe most significant weakness is the lack of consideration of some of the conta'mment phenomena 1 in the IPE quantification model. Except for containment overpressure failure, isolation failure, and bypass, all other containment failure modes are considered as "unlikely" to cause conta'mment failure and thus not included in containment failure quantification. Wese include all phenomena that ir.ay cause early containment failure (steam explosion, hydrogen combustion, and DCH), and l

XiX l

=

-. some phenomena _that may cause late containment failure (molten core debris interaction and

thermal attack of containment p.m.iions). Because of the uncertainties associated with these phenomena and containment pressure capability, their contributions to early containment failure may not be negligible. De problem is more significant for Unit 2 because of its relatively low l containment failure pressure. Although a rough estimate provided in the response to an RAI indicates that the contributions to contairanent failure probability from these fuelikely failure modes";are small (about 1% of total CDF) and their eaclusion from conulament failure quantification may be justified, the lack of consideration of these failure modes in the IPE in a structured way, such as can be provided by a CET, precludes a systematic means to =amina the-relative krportance of these failure modes and the effects of some recovery actions on these failure modes.

2) De assignment of SGTR sequences to Release Category C is another problem. Release Category ,

, C, according to the IPE submittal, involves accident sequences that have up to 1% of the volailes released. However, the predicted release fraction of volatile fission products for the sequence selected to,repreene the SG'IR sequences is 275, much grener than the limit of 1% 't volatiles for Category C. It is thus more appropriate to use Release Category T (instead of C) to- -

characterize the release of the SGTR sequences. Release Category T is defined as containment bypass with up to 50% of the volatiles released, i ne licenser agreed in a telephone conference call (involving NRC, BNL and Comed personnel)

F that, based on the information presented in the IPE submittal (including the RAI response)

Category T is the correct release category for SGTR sequences. The assignment of all SGTR sequences to the T Category, although conservative, is is.wgeble. With this change, the conditional probability of significant early release (i.e., for volatiles release greater than 10%) for Braidwood is 6.8%, about the average value in IPEs for PWR plants with large dry containments.

Although the MAAP calculation performed in the IPE for the SGTR case may be conservative because the relief valves on the secondary side were assumed to fail open (e.g., due to excessive cycling) in the calculation, there is no basis in the IPE submittal and the RAI responses to assign L the SGTR sequences to the C Category. Any future effort (e.g., additional MAAP calculation) to justify the assignment of the SGTR sequences to Category C needs to address the probability of SG valve failure due to adverse operating conditions in severe accidents.

J Equipment survivability study in the IPE=is limited in scope to a review of t'.2 conditions =

3) encowtered during a successi i recovery from each of the initiating events. De equipment is thus au=M only for the conditions prior to core damage. For example, the Reactor Containment Fan

- Coolers (RCFCs) are considered as facing their harshest environmental challenge following a

-Large LOCA initiator. The challenges to the equipment by the harsh environmental conditions following core damage, such as aerosol plugging, were considered to be beyond the scope of the

, - - IPE. According to the response to an RAI question, the effects of aerosol plugging of RCFC cooling coils are considered in the Severe Accident Management Guidance provided by the nWestinghouse Owners Group for members to use in developing Severe Accident Response

' procedures.

Dis is not a significant deficiency, however, because contaire.ent failure due to equipment failure

. under harsh environmental conditions would be late and most likely with low fission product 4

4

__ _ _ _ _ _-- ._ _ _ . - .. , 1 n . . _ _._ _ , - _ . _ __1- . . _ _ . . , ___- _ . _

_r V releases. De effect on the overall fission product release profile for Braidwood should not be significant because of the already relatively high contribution from late containment failure for Braidwood (29.6%).

4) % treatment of induced steam generator tube nr.ture (SGTR) is not well treated in the submittal.'

indaced SGTR is not included in the PRT model or addressed in the PESs. Rough estimatas of

~

the probabilities of hot leg failure and induced SGTR by creep' rupture using a decomposition event tree structure are presented in the licensee's response to the RAI. It shows an overall probability of induced SGTR of 180 Tbc probability is increased to 24% if the RCPs are .

restarted by the operator. Although these high probability values do not seem to justify the omitting of this failure mode in IPE quantification, further discussion is not provided in the .RAI response. It is noted, however, that these probability values are obtained based _on an analyst's judgement and may be overly conservative. (The probability of induced SGTR obtained in the RAI response is much higher than that obtained in NUREG-1150.) Since containment bypass from SGTR initiated sequences is the dominant failure mode in the IPE, additional contribution to coneniamant bypass from induced SGTR may not change significantly the release profile of the plant._ Ho* wever, this issue needs to be re-examined if contribution from the SGTR initiated sequences to the total CDF is significantly reduced in a future IPE update.

5) Although the sequences selected for source term definition seem adequate, the selection of a sequence with very low frequency to represent a PDS group that includes the most likely sequence, and the lack of sufficient discussion on the selection, is a weakness, Even if the source

. terms defined by the MAAP calculation for the selected sequence can bound or are representative of all the spences in the PDS group, the most likely sequence with significant CDF contribution

should be analyzed (or examined in more detail) to provide data for IPE quantification and source term definition. On the other hand, the MAAP calculations performed in the IPE provided a reasonable coverage of the sequences that could occur at Braidwood to allow a quantitative understanding of c: cident progression and fission product releases for Braldwood.

De licensee appears to have fulfilled the objectives of Generic Letter 88-20. Some strength and several weaknesses of the Level 1, HRA and Level 2 analyses are identified above l' . c a 1-I l- !

I l

xxi .

l' I

i I ..

l , . - ~ T:~r~:r:m- 2: .. - - . ..

4 i

4 8

i g

+

r

\. .

/

1 O

+

O 4

h $U b d

R et

f. - -

4

/' NOMENCLATURE AC, ac e ' Alternating Current -

1AFW Auxiliary Feedwater

' ATWS ' - Anticipated Transient Without Scram BNL ': Brookhaven National Laboratory BwS- Braidwood Station ,

ByS Byron Station CBDTM Cause Based Decision Tree Methodology I

j CCF Conunon Cause Failure CCI Core Concrete lateraction CCP Centrifugal Charging Pump i

CCW Component Cooling Water -

CDF , Core Damage Frequency CET Contain= ant Event Tree

~7 Comed, CECO ' Conunonwealth Edison Company

- CPI . Containment Performance Improvement CST Condensate Storage Tank CVCS Chemical and Volume Control System DC,dc Direct Current ,

DCH4 Direct Containment Heating J DDAFW Diesel Driven Auxiliary Feedwater DDT Deflagration to Detonation Transition DG Diesel Generator

~ DHR Decay Heat Removal -

-ECCS Emergency Core Cooling System EOP Emergency Operating Procedures EPRI Electric Power Research Institute h' ESW- Essential Service Water FAI Fauske & Associates,Inc.

! GL Generic Letter GSI Generic Safety issue

" Human Error Prdbebility =

HEP l- HPME- Hit Pressure Melt Ejectic,n L HRA Human Reliability Analysh i HVAC Heating, Ventilating and Air Conditioning IDCOR Industry Degraded Core Rulemaking IPE Individual Plant Evaluation l- ISLOCA Interfacing Systems Loss of Coolant Accident i LOCA- Loss of Coolant Accident

-LOOP Loss of Offsite Power MAAP . Modular Accident Analysis Program MCC Motor Control Center

! MDAFW' Motor Driven Auxiliary Feedwater MFW Main Feedwater

,i JOClii l

^Y' l s 1

I

. _ . _ . _ _ _ _ . T Z l-~":TJ:T- __7" _ _ .

s x ,

NOMENCLATURE (Cont'd)

- MGL Multiple Greek Letter MOV Motor Operated Valves MWe- Megawatt Electric M wth Megawatt Dennal NRC Nuclear Regulatory Commission OA Operator Action PDS - Plant Danage State PES - Phenomenological Evaluation' Summaries

- PORY, T Power Operated Relief Valve PRA Probabilistic Risk Assessment

.- PRT Plant Response Tree

PSF . Performance Shaping Factor PWR Pressurized Water Reactor QA Quality Assurance RAI Request for AdditionalInformation RAW Risk Achievement Worth

-RCFC' Recirculating Containment Fan Cooler RCP Reactor Coolant Pump ,

RCS Reactor Cooling System RHR Residual Heat Removal -

RPS Reactor Protection System-RWST Refueling Water Storage Tank SAM Severe Accident Management SBO Station Blackout -

t SG- Steam Generator -

SGTR Steam Generator Tube Rupture SI Safety Injection TER Technical Evaluation Report THERP Technique for Human Error Rate Prediction USI Unresolved Safety Issue :

=- .

4 T

XXIV l

k 1)

__~ _ .. _ _ . . _ _ _ _ __ __.

e 1. INTRODUCTION 1.1= Review Process )

~

His technical evaluation report (TER) documer's the results of the BNL review of the Braidwood ,

Nuclear Power Staion Individual Plant Examinaion (IPE) submktal [IPE, RAI Responses). His technical evaluation report adopts the NRC review objectives, which include the following:

i . To determine if the IPE subalual provides the level of detail requested in the "Subminal Guidance Document," NUREG-1335, and To assess if the IPE submittal meets the latent of Generic Letter 88-20.

De NRC issuedtseneric Letter (GL) 88-20, regaesting that dl licensees perform an IPE "to identify :

, plant 4pecific vulnerabilities to severe accidents and report the results to the Commission" according to

the format and content guidelines oudined in NUREG-1335. As stated in the GL, the purpose of the IPE program is for the licensee to:

1. Develop.an appreciation of severe accident behavior.

. 4

2. Understand the most likely severe accident sequances that could occur at the plant.

3. Gain a more quantitative understanding of the overall probabilities of core damage and fission

, . product releases.

4.- . If necessary, reduce the cverall probabilities of coro damage and fission product releases by awdifying, where .wivysiete, hardware and procedura that would help prevent or mitigate severe .

accidents.

His review addresses the reasonableness of the overall IPE approach with regard to its ability to permit :

. the licensee to meet these goals of Generic Letter 88-20.

A Request af Additionalinformation (RA1),1which resulted from a p~liminary review of thcMPE submittal, was prepared by BNL and discussed with the NRC on Ommer 2,1995. Based on th'.s dimmian, the NRC staff submined an RAI to the Commonwealth Edison Company (CECO) on January 26,1996. (% wealth Edir- Company responded to the RAI in a document dated March 27,1996 which was a submittal for a Modified IPE His document discusses joint Byron /Braidwood issues, as the plants are very sirnilar and the RAls were identied for Level 1.'In addition to responding to the RAI,

- this document pnsents modifications to the model and the results due to the issues raised in the RAls and the previous NRC-raised issues for the other CECO IPEs (Zion, Dresden,' Quad Cities). His 'IER is based on the original submittal, modifications to the IPE (modified IPE) and its results and the responses to the RAI (EAl Responses). He submittal (and this TER) also refer to an " enhanced IPE"which was l- = an upgrade to the original IPE but did not include the modifications documented in the modified IPE.

g

. 1 .

1, 4

1 4

f

** *. - *46

1.2 Plant Characterization M

De Braidwood Station (BwS) is a two-Unit nuclear power plant. Each Unit is a Westinghouse 4 loop presurized water reamor (PWR) wkh an electrical power ratiq of 1120 MWe. BwS h operated by the Commonwealth Edison Company. Unit I started commercial operation in July 1980, while the Unit 2 start date was October 1988.

A number of design features at Braidwood impact the core damage frequency. A mere detailed

- discussion is provided in the body of this rgort Dese are:

De plant has a feed ud blead capability. De power operated relief valves (PORV) block valves are normally open, however they are conservatively modeled as closed. One PORV is enough for succes of the feed and bleed operation. De PORVs are powered from either the instrument air system or the dedicated in-containment accumulators. De feed and bleed operation can be - -

accomplished w5 t h okbar one of the two centrifugal charging pumps, or, at a lower pressure, one of the two. safety injection (SI) (or high pressure injection (HPI)) pumps.

Dere are three main feedwater (MFW) pumps, one motor driven (normally in standby) and two turbine driven (normally operating). In addition, there is also one motor driven startup feedwater pump. Dere are 4 condensate / condensate booster pumps.

Dere is one motor driven auxiliary feedwater (MDAFW) and one diesel driven feedwater (DDAFW) pump. He diesel driven pump has its own dedicated set of two redundant 24 V batteries, making it partially indgendent of the plant's 125 V de system. However, auto start and remote manual start (from the control room) of the DDAFW pump does depend on the 125 V system. %e IPE conservatively does not credit local manual start of the DDAFW pump, making this pump de dependent in the model (however, it seems that battery depletion is not a problem once the pump has been started).

He condensate storage tank (CST) is relatively large [ good for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months in a station blackout (SBO)), maintained at 400,000 gal. De alternate suction so see for the auxiliary feedwater (AFW) system is the essential service water system (SX), a very large source of water, as described below.

^

De reactor coolant pumps (RdPs) employ Westinghouse seals with charging pump injection ahd component cooling weer cooling of the thermal buriers. He seals use high temperature O-rings (except one of the four pumps at unit 2, RCP 2C, which was scheduled to have the O-rings replaced "during a future outage

at the time of the IPE, December 1992). Note that a loss of the essential service water system (SX) will eventually result in a loss of all seal cooling, as SX is used to cool both the centrifugal charging pumps and their pump room , a well as to cool the component cooling water (CCW) beat exchangers.

Here are three charghg pumps. Two are centrifugal, with SX cooled bearings, and one is a positive displacement type whose bearings are cooled by CCW. Any one of the three pumps can '

be used for normal charging (which includes RCP seal injection), or emergency bora' ion (taking i

suction from the boric acid transfer pumps), but only the centrifugal charging pumps (CCPs) are used for injection following a safety signal.

2' ki

. , ^ _ , - - , - -- , -

4

De high head injection can be provided by either of the two Si pumps, or by either of the two ;

CCPs, thus providing a high level of redundancy. ;This applies to the recirculation phase as well.

+

- De CCPs and the Si pumps are physically separated.

De high pressure recirculmion is provided by a piggy-back arrangement off the two RHR pumps. '

De switchover to low pressure rockculation is automatic, but the high pressure recirculation requires operator action to align high pressure pumps to the discharge of the RHR pumps.

The refueling water storage tank (RWST) normally holds 415,000 gal (good for 20 hours2.314815e-4 days 0.00556 hours 3.306878e-5 weeks 7.61e-6 months in a steam generator tube rupture (SGTR)] and is designed with a proceduralized refill capability.

There is a very large source of water for the SX system - the amantial service water cooling pond. ,

There seems to be a weak dependence on instrument air. Valves in the residual beat removal (RHR) hyt exchangers and the AFW system would fall open, not affectir , operation of these systema, wheroes the chemical volume and control system (CVCS) valves would fall as is, again not affecting operation of the system. De steam generator level control could be accomplished by valves not dependent on instrument air, ne MSIVs would fall *as is'. De pressurizer s

PORVs would be affected, but have accumulators with enough capacity for 50 openings. He normal pressurizer spray valve would close. Dere would 'be a partial eNect on the CCW system and a delayed effect (via HVAC loss) on electrical switchgear, the RHR pumps, and the charging pump:;. De main effect seems to be failure of the main feedwater and the condensate systems, as well as the steam dump capability and the RWST refill capability. However, there are only three instrument air compressors between the twa units, two normally operating, and one standby,

- common to both units.

There is a relatively weak dependence on the HVAC system, ne HVAC system is distributed (each component room has a dedicated unit, plus a common ventilation system in the auxiliary building which supplements the individual HVAC units). The only components afected, over

-' ' many hours, would be the charging pumps, the RHR pumps and the electrical switchgear, ne l

DDAFW pump, however, would suffer failure within 2 minutes, due to bearing failure. On the other hand, the main components of its HVAC (the SX booster pump and the room ventilation fan) are powered off the engine shaft and are integral components of the pump itscif.

54 gn 6

ne essential servi . water system (SX) is used to cool the diesel generators, ths CCPs, Qe SI pumps, the CCW, the reactor containment fan coolers (RCFCs) and various HVAC units in the auxiliary building and the control room. De flow from this system is DQt required for proper cooling of the DDAPW purnp bearings (including room cooling), due to existence of the integral SX booster pump (see above).

Dere are four SX pumps, two per unit, with a cmss-connection capability between the units. One SX pump per mit is sufficient for heat removal. .

The CCW is used to' cool the RCP seal thermal barriers, the RCP upper and lower oil coolers, the positive displacement charging pump (PDP) oil cooler, the normal and excess letdown, and the RHR heat exchangers and the RHR pump seals.

l 3

__ _ _ _ . -_ _ _ __ ""~" T 7-- n . - _ ,

~

Dere are five CCW pumps, two dedicated to each unit, and one twing pump which can be

. aligned to either unit.

Here is only one PORV per steam generator (SG) (4 steam generators),~ however there are

- provisions for manual opening of SG PORVs. Dere are also 12 steam dump valves, sufficient for a 50% load rejection.

- BwS has an AMSAC system, which, in case of an anticipated transient without scram (ATWS),

automatically trips the turbine and starts the AFW system.

, Only one out of four RCFCs is required to prevent containment overpressurization by steam production. In addition, there are two containment spray trainc. De RCFCs can also be used for docay best removal, in case of failure of RHR heat removal in the recirculation phase.

- There are two 125V DC buses per unit, each with an associated battery, and a charger. De batteries have a 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months capacity at the maximum current (without load shedding); however it does -

not appeaMhese batteries are needed for the DDAFW pumps once these pumps are .arted. ; Tie lines are pmvided for cross-tying respective de buses from the two units (apparently not credited in the analysis). l Dere are 2 diesel generators per unit, cooled by essential service water and provided witn their own startup air. De emergency buses can be cross connected, and each diesel generator has sufficient capxity to power one emergency bus at both units at the same time.

Dere are provisions in place to feed some non-essential loads as well from diesel generators, such as the air compressors, primary water pumps and nonessential service water pungs (cooling for

. the air compressors).

I There are 6 offsite transmission lines feeding into the switchyard.

- De Braidwood Nuclear Power Station utilizes a large dry containment design. De containment stnitture is a prestressed concrete shell made op of a cylinder with a shallow dome roof and flat foundation slab. .i Some of the plant characteristics important to the back-end analysis are summarized in Table I below and compared to those of two other typical large dry containments.

As shown in Table 4, the parameter values for%raidwood are close to those of Zion. De lower j l

containment failure pressure for Brauwood is due to the use of the Bunker Ramo electrical penetrat')ns (used in Unit 2 only). De parameters presented in the above table provide rough indications of the containment's capability to meet severe accident challenges, but both the containment strength and the j challenges associated with the severe accident involve f.ignificant uncertainties.

er 4

1

- - .-. .a_,.. . __

0 o

t.

I o . Table 1 Plant and Containment Characteristics for Braldwood Nuclear Power Station Characteristic Braidwood Zion Surry Hermal Power, MW(t) 34II 3236 244i Containment Frce volume, ft* 2,800,000 2,860,000 1,800,000 Mass of Fuel, Ibm 204,000 216,000 175,000 Mass of Zircalloy, Ibm 43,400 44,500 36,200 Containment Design Pressure, psig 50 47 45 Median Com inment Failure Pressure, psig 98+ 135 126

~

Containment Volume / Power, ft*/MW(t) 821 884 737 Zr Mass / Containment Volume, Ibm / ft' O.015 0.016 0.020 Fuel Mass / Containment Volume, Ibm / ft' O.073 0.076 0.097

+ De median coomnmant failure pressure is 125 psig for Unit I and 98 psig Ior Unit 2.

T11e lower failure pressure for Unit 2 is due to its use of the Bunker Ramo electrical penetrations which was stated in the IPE submittal to have a lower failure pressure.

The plant characteristics important to the back-end analysis are:

A cavity design which does not allow water to flow from the containment basement to the reactor l

cavity via the cavity instrument tunnel De removable hatch cover located at the top of the l

instrument tunnel is leak-tight for Braldwood. As a plant enhancement resulting from the Level 2 analysis, an opening has been provided in the access plate in Unit I which allovm water to flow

- to the cavity. Installation of such an opening for Unit 2 is planned for the next refueling octage.

! The large containmen: volume, high containment pressure capability, and the open design and l significant venting areas for the subcompartments within the Braidwood containment hdp ensure a well-mixed atmosphere (a feature which inhibits combustible gas pocking).

A relatively low containment failure pressure of 98 psig for Unit 2 because of the use of the Bunker Ramo electrical penetrations and a relatively high containment failure pressure of 125 psig for Unit I which does not use these kind of penetrations. ,

Two separate systems for containment atmosphere cooling and pressure suppression: the kcac. tor Containment Fan Coolers (RCFCs) and the Containment Spray system. According to the IPE submittal, one of four PFCs or one RHR heat exchanger (with associated recircelation train) can provide sufficient containment cooling to prevent containment overptc3ure failure from steam production'. The RCFC is designed to remove heat from the containment as required following a design basis LOCA and, consequently, is designed to operate in pressures tip to 50 psig. The containment spray pumps can be aligned to take suction from the RWST, or from the contamment

%e residual Heat Removal (RHR) system for decay I removal from the RCS, although not a

( containment system, also provides a means _of long-tern, containment heat removal.

5 .

3, ,

I

,' . . j

. r;airculation sump and one or more RHR pumps and associated heat exchangers. The operation of containment spray reduces fission product releases.-

2 e

i l

v

\

sp 8 s

t a

?

9 f

E

./

? 6

't a

4. f ..

/ E, g-

e z .? ,

l 2. TECHNICAL REVIEWz 2.1 Licensee's IPE Process

._2.1.1 Comd2x: and Methodology-De licensee ha provided the type of information requested by Generic IAtter 88-20 and NUREG 1335.

De front end portion of the IPE is a Level 1 PRA. . De specific technique used for the level ! PRA is a support sine model using the large' event tree /small fault tree technique, and k was clearly described in the submittal.- .

Event trees were developed for all classes of initiating events considered. A system importance analysis t has been performed.' A limited sensitivhy analysis is shown. No uncertainty analpis was performed.

To support the IPE process, the llemaam rwiewed several PRA studies: WASH-1400, NUREG-1150, the

~ IDCOR study for Zion, the Zion IPE and the Byron IPE. De Braidwood IPE relied heavily on the esperience and analyses of the Byron IPE, as Byron is an almost identical CECO plant.

De modified Byron /Braidwood IPE, in conjunction with the licensee's response to the NRCs RAI, was generally complete in scope regarding the HRA process. The HRA process for the Byron /Braidwood mcdified IPE addressed both pre-inklator actions (performed during maintenance, test, surveillance, etc.)

and post-initiator actions (performed as part of the response to an accident). De analysis of pre-initiator

~

u - actions included both miscalibrations and restoration faults. However, while a thorough analysis and .

l evaluation of plant 4pecific data relating to pre-initiator was p.is,ed, only four restoration faults were acsually included in the PRA models.- All others were dismissed on the basis of qualitative (and in a few cases quantitative) screening criteria.

Post inklator human actions modeled included both response-type and recovery-type actions. A post-initiator screening analysis was not conducted. All human actions included in the logic models were given detailed quantification analysis in the original IPE. For the modified IPE, the PRT and fault tree

,s post-initiat reponse type human actiorg,with a risk achievement worth ((RAW), "using the original ,

IPE model, enhanced que*'fication") greater than 2.5 and "those added as a result of changes to the PRTs and fault trees," n elred a complete re-evaluation." In addition, PRTs that " contributed significantly to CDF in the original IPE were klentified" and "the operator actions (OAs) in these trees, faciuding the conditional probabilities, were evaluated on a sequence-specific basis to identify conditions

. of stress, dependency, and availability of recovery opportunities and were requantified when necessary."

0 Renamiairig HEPs were reviewed for reasonableness and "for selection of the apptopriate value for each branch of the PRTs.1 %e FRT OAs "were also reviewed to identify those actions which might be described _ as time critical." Dat is, "those for which the estimated time to accomplish the action was

. greater than 25% of the^ estimated time available before some undesirable state was reached."

Post-initiator response type human actions were quantified using the EPRI Cause Based Decision Tree L Methodology (CBDTM), which has been referred to as a cause-based approach. Rerovery of failed equipment was quantified on the basis of mean time to repair data from WASH-1400. Other recovery 7

Y

+,-o,l , . . , . + ,-, . , . , ~ - . , ..,m. , ,- = - - ,- ,N;

- . - . . - . - ~< . .- - _ , - . - - .. . -

.. l i

l

_j type actions modeled were assigned a screening value of 0.1. Since all of the recovery related ser aces were "long-term," an HEP _ of 0.1 is not unreasonable. Plant-specific performance shaping fact ,and dependencies (such as those among multiple actions la a sequence) were thoroughly considered fs both response and recovery actions. Human errors were identified as important contributors in ac.. dent sequences leading to core damage.

The Braidwood Nuclear Power Station-h.dividual Plant Examination (IPE) back-end submittal is essentially consistent with respect to the level of detail requested in NUREG-1335. However, a CET is not developed sp.dncally for Level 2. A single event tree, the plant response tree (PRT), is used for both '

the Level 1 and IJvel 2 analyses. Since most of the phenomena that may challenge containment integrity are dis:nissed in the IPE as "unlikely" to cause containment failure (based on the Phenomenological .

EvaluatiottSmumaries prepared by FAI), quantification of containment failure is greatly simplified.

Quantification is primarily based on the availability of containment heat removal addressed in the PRT.

Since a single event tree is used for both L.evel 1 and Level 2 analyses, grouping of core damage sequences to plant dat 4e stata (PDSs) is not :-uary in the IPE. However, sequence grouning is used

. to consolidate the large number of accident sequences obtained from the PRT analysis into a small L ~ number of damage stata (called core damage sequence designators or plant damage states, PDSs, in the IPE submittal) such that all sequences within a particular damage state can be treated as a group for assessing accident progression, containment response, and fission product release.

~

The PRT developed in the Braidwood IPE explicitly includes the analysis of containment systems normally assessed in the Level 2 analysis. ' Die containment condition is addressed in the PRT by the development of success criteria for containment integrity, and, according to the IPE submittal, integrity i is ==ia*=hi if the containment is isolated and containment heat removal (CHR) is available. Succer.sful containment heat removal, based on plant-specific MAAP analyses and containment pressure capability

- (98-psig), can be provided by one of four RCFCs or one RHR heat exchanger (with associated recirculatio train). ,

Besides containment overpressure failure due to the loss of CHR, only conta'mment bypass and containment isolation failure are included in IPE quantification. All'other containment failure modes identified in NUREG-1335 are addressed in the Phenomenological Evaluation Summaries (prepared in support of the IPE, but not included in the IPE submittal') and dismissed as "unlikely" and thus not included in the failure quantification. Although the contributions to containment failure probability from these "unlikely" failure modes are expected to be small, and their exclusion from fcilure cuantification ,

may be justi6ed, the lack of consid< ration of these failure modes in a structured way, such as can be

'Part of the PESs are provided in the licensee's response to the RAI.

, '%e licensee's response to the RAI indicates that the conditional containment failure probability due

. to the containment pressurization mechanisms not included in the IPE quantification (i.e., steam emplosions, DCH, hydrogen deflagration, and hydrogen detonation) could be about 1%. This number, according to the licensee, is based on bounding estimates of the effects of the above loading mechanisms on containment failure probability.

8 ,

-.--_.-s -_ . . _ ___. . _ . _ _ e-,. . , .

~e l

L. : provided by a CET, precludes a systematic means to examine the relative (quantitative) importance of q

J these modes and the effects of some recovery actions (e.g., depressurization) on them.

Results of the PRT analysis are grouped to plant' damage states (PDSs). Release fractions are determined =

by the analyses of 10 representative sequences using the MAAP computer code. Based on containment failure timing, containment failure mode,' and the fractional release of fission prnducts, the PDSs are further grouped to seven release categories.'

2.1.2 Multi Unit Effects and As-Built, As Operated Status Cross connection capability exists between the units for the service water (SX) pumps, emergency ac and de buses and the condensate storage tanks (CSTs). De CCW and instrument air (IA) systems have '

standby swing trains which can be connected to either unit. . De control room, the switchyard, the station -

cooling pond, the non-*= mist service water (used to cool the compressors, the condensate and the MFW pumps) and the SX cooling pond are shared. 4 De two units at this site are effectively identical, hence the model or the results are not unit specific, De effect of shutdown of the other unit was not explicitly modeled. However, independent failures in j" -

the other unit are accounted for. He techrdcal specifications limit the degradation of important systems in the shutdown unit (i.e., caly one train at a time can be undergoing maintenance). His applies to the SX, CCW, ac and de power, IA.

Dual unit initiators were modeled (e.g., dual unit loss of offsite power, or dual unit loss of service water).

A Wule variety of the most recent versions of information sources were used to develop the IPE: system

. descriptions, Byron /Braidwood updated FSAR, units 1&2 general arrangement drawings, piping and instrumentation diagrams, piping phys! cal drawings, electrical drawings, structural drawings, technical specifications, abnormal operating procedures, emergency procedures, surveillance procedures, Braidwood licensee event reports, deviation reports, plant operating history, ma'mtenance records,

' Braidwood NPRDS information, mode change logs, master out of service logs, general operating procedures, system procedures, Braidwood/ Byron system comparisons and plant pump head cerves for key pumps. De freeze date of the analysis was December 1992 for Braidwood.

a r- a l At least one plant walkdown (for flooding) was explicitly referenced. Other walkdowns are impl!xt, as when the IPE discusses resolution of differences between the information contained in the above >

documents and the actual systems and layout.

Procedure reviews, examinations of control room staffmg and layout, examinations of the " Detailed Contml Room Design Reviews and over 40 operator action *mterviews with operators helped assure that the IPE HRA represented the as-built, angerated plant. Checklists were filled out during the interviews 4 to document critical plant and scenario-specific aspects of the diagnosis and execution of an action.

Facsors evaluated included training on the simulator, adequacy of procedures, need for local actions, time available for local actions, feedback to the control room for local actions, stress level; potential non-recoverable actions, etc.

{-

9 i-_

_. . - . - .- 1 ~ '~ T~ ~~ ~ L - . ~ ~ ~ . - . J._~~... : - - - . -

1 4'

.: he submittal states the licensee intends to maintain a "living" PRA. ]

l 2.1.3 Licensee Participation and Peer Review Licensee personnel were involved in all aspects of the analysis. CECO staff performad most of the work.

he Braidwood IPE is based on the Bymn IPE, as Bymn is a very similar (almost identical) CECO plant.

%erdone, k was decided to take the Byron IPE and modify it to account for plant and data differences, t*ing CECO staff as much as possibic. (De Bymn IPE was performed by consultants from Westinghouse, )

1ENERA and Fauske (the IPEP team) with involvemov, review and help in certain areas of the analysis l by the CECO team). Consultants imm NUS corporadon and Duke Engineering & Services were engaged to assist the Braidwood effort in the areas of data collection, initiating event frequency determination,

system comparisons (Byron vs. Braidwood) and procedure reviews (ccmponent demnd data and emergency procedure comparisons). De program was managed by the CECO person in charge of the company's overall IPE/ accident managanent (AM) effort (i.e., all 6 CECO plants).

De IPE was subjected to a multle review process. First, the contractor personnel would review their analysis. His wa*s then reviewed by the appropriate licensee personnel and any com nents resolved. A final review of the IPE study was conducted by CECO senior management (and in case of the Byron IPE, the IPEP senior management). Decisions concerning IPE and/or AM recommendations were made as part of the CECO mant4gement review. Dere was no outside review and the licensee states the internal review was very thorough such that outside review was not deemed necessary, it should be noted that Byron and Braidwood IPE review personnel consisted of people from both plants as well as personnel i familiar with 'other CECO plants, such that uniformity of modeling across the licercee's plants was a goal of the licensee.

Dore are no examples of review comments provided in the submittal.

From the description provided in the IPE submittal it seems that the request of Generic Letter 88-20 regarding licensee participation and peer review is satisfied.

2.2 Front End Technical Review 2.2.1 Accident Sequence De!ineation and System Analysis

6 m 2.2.1.1 Inidating Events he IPE initiating events were developed by considering, events which would result in a ractor trip on a relatively short time scale, i.e., controlled manual shutdown would not qualify. ,

Generic Westinghouse PWR experience wn consulted for types of events to consider, as well as plant specific events which have occurred at Braidwood. De Braidwood design and abactmal operating pmcedurm were reviewed to determine whether plant conditions that may result in addition or deletion of accident initiators were considered. Le previous and on-going analyses of similar plants were .

reviewed and their applicability to Braidwood assessed. Finally, the results of plant systems analyses were utilized to identify potential initiating ever.ts.

Dere were 19 initiating event categories, as follows:

10

~

7 S

? -

. Loss of Coolant Accidents (LOCAs):'

- large LOCA (> 5.2"); '

medium LOCA (> 1.7" and < mS.2"); . _

W small LOCA (> 0.86" and ' < = 1.7');

SGTR; -

' ISLOCA (several pathways):

' -lines through CCPs;

-safety injection pump discharge lines;

-RH discharge lines;;

.-RH suction lines; Transients:

general transient:.-

-reactor trip; '

turbine trip;-

-loss of main feedwater;

-18ss of condenser; g

W excursions;

-etc.;.

Wary side breaks qstream of the main steam isolation valves (MSIVs) or downstream of the main feedwater isolation valves (FWIVs);

. secondary side breaks downstream of the MSIVs or upstream of the FWIVs; single unit loss of offsite power (LOOP);

dual unit LOOP;

. Support system ink ts:

single unit loss of essential service water; dual ur.it loss of essential service water; loss of component cooling water; loss of 125V de bus 111; loss ofinstrument air; loss of 4kV ac bus 141; loss of 4kV.ac bys 142; l ..

L .. Flooding udtlators: : .

i- flood in zone 8.31 urbine building grade level);

flood in zone 11.6 0 (auxiliary building elevation 426').

i .

o Ibe initiating event analysis is fairly comprehensive and encompasses most commonly encountered iniGating events. Furthermore, it was based on plant specific analyses,

(.

p . : No reactor vessel rupture initiator is included, however the RAI responses state that, based on the l WASH 1400 frequency of 1.E-7/yr, this initiator was neglected.

r HVAC systems were considered for inkisting events. However, bared on distributed system design (each major safety component has its own room dedicated HVAC), dw slow bestup rates or lack of a plant trip, l

b I1

w. . . . . . - . - - - . . - - . - , . - .- .. . , - - . . . . - , . . ,. ,

J as well as the proceduralized operator mitigating actions, HVAC failures were eliminated as initiating -

events. :

^

--2.2.1.2 Event Trees The IPE developal 2 support system event trees and 15 plant response trees (PRTs).

De support system event trees deveinped combiamiana of successes and failurts of the following support systems: 4 kV emergency.ac buses 141 and 142,480V emergency ac buses 131X and 132X, de buses 111 and 112, ESFAS channels A and B, essential service water and component coollag waer. _ One of the support systems event trees was for the case when offsite power was available at unit 1, while the other was for the case of loss of offsite power at unit 1.

The reason for exclusion of lastrument air status from the support system event tree is that loss of this system only mildly affects important systems (as discussed ic section 1.2), hence its status is includ .

individual systems' f~:lt trees, as there are only a few valves affected.

De reason for exclusion of HVAC status imm the support system event tree is because of the distributed '

nature of the HVAC system, and only reistively few important rooms need HVAC within the mission time. Barefore this system, too, is modeled, if needed, in the individual systems' fault trees.

Each of the 15 plad response trees (PRTs) is composed of several subtrees, modeling various phases or aspecss of the particular type of

or modeling various types of initiators within the category (e.g.,

steamline breaks inside and outside the containment). Thus there are literally hundreds of event trees in the submittal. He 15 PRTs are for: large LOCA, medium LOCA, small LOCA, SGUt, ISLOCA, transient, LOOP, SBO, ATWS, loss of CCW, loss of a de bus, consequential small LOCA, secondary

, feed and steamline breaks, loss of essential service water and loss of instrument air %e flooding

! laitiators and the losses of ac buses 141 and 142 are analyzed by employing the transient PRT.

i

%e event trees are systemic. De mission time used in the core damage analysis was 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

De PRTs model both Level 1 and I4 vel 2 concerns.

De event tree end states, other than transfers to other event trees), are divided into the two possible core conditions: success or damaged (further subdivided into plant damage states). A successful core status a is defined to include. a) the hot standby where rib further operator actions or system saivations are required to mitigate the effects of .he initiating event and the operators can proceed to either p'ut

. cocidown or return to power operation; or b) at 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , the core is suberitical and being cooled. Any l_

operator actions or system activations required to maintain that configuration beyond 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months are not required to be successfully accomplished until a time significantly beyond 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

1 L The original IPE also had the " SAM

end states (meaning success with accident management). Dese l are long term sequences, which would need additional actions in order to keep the core in a stable state l past the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months mission time. He SAM endstates have been expanded, in the modified IPE, to either success or core damage, with explanations pmvided about the actions needed and the failure probabilities used. De SAM erwkmat contnbuted a substantial amount to the modified IPE's core damage frequency

- the 50 top SAM sequences contributed a CDF of 1.05E-5/yr or 37.4% of the total CDF in the modified

IPE.i 12 l a i

L . . _ _ __ _ _ _ . _ . _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

De expansion of the SAM endstates seems reasonable. Credit is given for component repair on a long time scale.

Core damage means exceedance of a critical peak cladding temperature for a certain time period. No core damage is postulated to occur if the hottest core temperature does not exceed 160(PF and if the time above 140(PF is limited to less than 30 min.

Success criteria were based on a best estimate plant response; when necessary, MAAP runs or thermal-hydraulle analyses wcze used to validate the success criteria.

The original IPE had some success criteria for the large LOCA and the small LOCA which were questioned in the RAls. Dese questionable success criteria were removed, leaving the more typical success criteria in the modified IPE and resulting in a 9% CDF increase due to large LOCA success crheria changes (and one new dominant sequence) and no change due to the small LOCA succese criteria changes.

De success critada for the large LOCA which were deleted was the use of two HPI pumps, or one HPI pump and one au:umulator, if the low pressure injection (LPI) pumps were unavailable. In addition, the original IPE did not require accumulators to inject Or a large LOCA; the modified IPE requires 3 out of 3 accumulators injecting into the intact loops.

De success criteria for a small LOCA which were deleted called for the use of an LPI pump in i

conjunction with secondary cooldown and depressurization; the new success criteria also call for opening of pressurizer PORVs if HPI pumps are used without any secondary cooling.

l In case of a high power (>40%) ATWS with no main feedwater, one of the success criteria in the submhtal allows for failure of cantml rod Insertion, failure of emergency boration, and failure of turbine trip, as long as both AFW pumps operate together with succerr, of 4 out of 5 steam generator (SG) safeof valves on each SG and one HPI is successful. It is implied that a small LOCA would ensve, and no primsy pressure relief is necessary. However a subsequent conversation with the licensee revealed that this success path would be invalid due to damage assumed to be sustalacd by the HPI system, which was considered failed under these conditions in the event trees.

The ATWS success criteria take credit for independent operation of the control bsnks (as opposed to shutdown bnks) of the contral rod syst:m, which would be automatically inserted to maintain the ECS T., within limits. In a conversation with the licensee, the following was learned about the operation and modeling of this system, as well as about the ATWS success criteria (which are not well described in the submittal):

he control banks' movement is controlled by a different system than the shutdown banks. As the control banks rods are driven in while engaged, by the control rod drive motors, the mechanical b'mding of breakers would not be a consideratica. However, it is one possible failure mechanism for the shutdown banks (i.e., for ATWS initir. tion). De shutdown banks are designed to be disengaged from the drives by opening of the breakers and to drop into the core by gravity in case of a reactor trip. Other failure L'=him for the insertion of the shutdown banks are in reactor trip signal generation and the reactor protection system. Since the contrc,i banks rely on differeat sensors and use a different controlling 13

- . -- . . -. . - . . - - - . .-. -- - . . ~ .. -- . -. - - .- - -. -- -

b

, system l they are not susceptible to such fritures. De licensee states that mechanical binding of sufficient number of control rods is improbabee, therefore the two types of control rods are deemed independent.

) De movement pf the control bania would provide enough power reduction in the early stages of an -

- AWS, ruch that the primary presure relief criteria would be ameliorated. For example, without taking ineD account this feature, no amount of primary pressure relief would be adequate 18% of the time (i.e..

that is the fraction of time. In the fuel cycle in-which ~ the moderator temperature coefficient is unfavorable). During about another 12% of the time, both PORVs and all three SRVs are needed for pressure relief; this success criterion would also direcdy lead to core damage in the model, as it is assumed that one PORV is blocked for ANS analysis (in other types of events, both PORVs are assumed blocked). Herefore, without taking into account the control banks insertion, an ATWS wuld directly lead to core damage in 18% to 30% of the cases. Due to credit for this system, the primary pressure relief failure does not appear in dominant sequences; instead, failure of the operators to close -

the MSIVs (which is needed in addition to the AMSAC me turbine trip) and failures of the AFW system do.

Containment hast

removal is not discussed in the submittal, however, it is a low probability concern due

so the diwrsity and redundancy in the containment heat removal systems and since the dominant failure

- mode d se RCFCs (loss of SX) alw disables the core cooling recirculation function.

%e feed and bleed success criteria (including the case of small LOCA, among others) call for opening of one pressu.icre PORV if a chargieg pump is used (CCP) or two pressurizer PORVs if an SI pump is ,

used.

Both pressurizer PORV block valves are assumed closed, contrary to technical specifications. Dis provides for conservative modeling, as in reality they are open most of the time, and closed only when the associated PORV is leaking.

L i

In case of an SBO, the ac power must be restored within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months if the DDAFW pump is not operating, l and 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months otherwise. De two-bour non-recovery probability is given a value of 0.136, or about half I of the NSAC-147 value. De 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months non-recovery probability is given as 1.16E-2, which seems reasonable. Offsite power is recovered only in case of an SBO, i.e., no credit is given for offsite power recovery of a dead bus with success of one diesel generator.

Tne RCP seal LOCA model is takendsom WCAP-10541, Rev. 2. c, .

For transients, credit is given for o'perator action to restors main feedwater in case of failure of auxiliary feedwater. Credit is also given for depressurizing and operating only with the condensate pumps. ,

Some event tree models contain litogical paths. De IPE submittal implies that these are resolved at the fault tree level.

It should be noted that in the IPE submittal explanation of the modeling of accidet segaeaces, and the rationale thereof is very poorly documented (there is just a summary section on PRTs and success criteria). On the other hand, the modified IPE discussion of the SAM sequences expans*mn and the LOCA success criteria is very comprehensive. '

l 14 -

__ _A._--- m as.--- m -- ,.__ -- .- -- _ - , , , _-sw-.swewr se etM , er w w-- -T--e--e-m-e nato Tv- - - - - --r- v e- , _--+vgs---n e -t - y

.- Overall,'Braidwood success enteria and event tree modeling se'em to be reasonable and in line with most other IPEs or PRAs for similar plantsi ,

2.2.1.3 Systans Analysis A total of 10 systems / functions are described in Section 4.2 of the Submittal. Included are descriptions of the following systems: component cooling water, auxiliary feedwater, RCFCs, essential servics water, Mm-it spray, ECCS (including safety injection, RHR, CVCS and acommutators), reactor protection,

. elomric power, containment isolation and =WI=== systems (including RWST refill, inain feedwater, condensate /cor>densate booster, instrument air, nonessential service water, turNne stop and governor valves,' steam dumps, steam generator PORVs, MSIVs, FWIVs and pressurizar PORVs). In addition, RAI responses discuss the HVAC system. ,

he system descriptions in the submittal are often ant very clear, which makes k hard to understand all aspects of systen modeling and plant features. For example, answers to goestions arising from the lack of description of event tree tnodeling (see above) could not be found here, either. He role of the fire system in the plint and in the model was not discussed. On the other hand, the RAI responses' discuasion of the HVAC is very detailed and thorough, as is the discussion about the Braidwood de system. De results section lucidly discusses unique plant features and plant specific insights, and the dependency matrices and associated footnotes are very expansive end well documento;1.

Also included for some kopvi- systems are simplified schematics that show major equip:nent items and important flow and configuration information.

Section 1.2 provides a discussion of systems and system arrangements which have a significant impact on the Level 1 analysis.

l 2.2.1.4 Systar Dependencies i

%e IPE addressed and considered the following types of dependencies: shared component, instrumentation and control, isolation, motive power, dirent equipment cooling, areas requiring HVAC, operator actions and environmental effects. HVAC is not an important system at this plant, as only a few

. systems require it within the mission time (see Section 1.2 for the list of HVAC dependent systems).

' %erefore, HVAC is not modeled as an initiating event iv. 's modeled as a subsequent failure in the fault trees of s) .:ms affected by HVAC failurg - ,

The RCFCs are neeJed to watrol the containment atmosphere within the PORV qualification limits.

l Similarly, the pressunzer spray valves will be affected by small LOCA environrnents in the conta'udnent,

!.udi that the maximum flow rate will decrease. However, the IPE calculations show that the flow rate would still be sufficient.

I Several Tables in volume 2 show various dependency matrices.

15 .s

.r s.0" .m - . .-; .

?

'l

.- _2.2.2_ Quantitative Process 2.2.2.1- Quantifiention of Accident Sequence Freguancies .

De IPE used a large event tree /small fault tree approach with a support state model to quantify core damage sequences. De event trees are systemic.

J De system and event tree models were quantified using the WESQT software.

De systemic sequences which resulted from the analysis had a truncation limit of 5 E-10/yr. De

' residual was 3.E-7 (1% of the CDF). De IPE took credit for various recovery activities, including the recovery of offsite power and repair of equipment.

De IPE data used for non-recovery of offsite power are lower (by a factor of 2) than the average industry data cited in an Electric Power Research Institute (EPRI)-sponsored study (NSAC 147).

2.2.2.2 hing Fatinates and Uncertainty / Sensitivity Analyses

' Mean values were usod for the point estimate initiator frequencies. No uncertainty analysis was performed. Limited sensitivity analyses were shown. Top event import 2.nce analysis results were also shown.

- 2.2.2.3 Use et Plant Spe:ific Data f Plant specific data were collected from July 1,1989 through December 31,1992 for Unit I and W 1,1989 through December 31,1992 for Unit 2. Dis 6.75 plant year data collection period at Braidwood 7@ resents all of the plant's operating experience, except for the first year " break-in" period for each unit.

Component history from both units was combined to arrive at the raw data used to derive the plant specific data used in the IPE De licensee stated that there is no statistical difference in data betweee the two units.

' De following sources were utilized to arrive at the plant specific data: deviation reports, licensee event reports (LERs), nuclear plant reliability data system (NPRDS), master out of service card log and mode l- change logs. , ,,

3 De licensee focused its daa gathering effort for plant specific data on relatively few types of componeuts deemed important by the licensee; the other components were assigned generic data from a variety of sourta De components which were assigned plant specific data were the diesel generators, the pumps l acd the motor operated valves (MOVs). De pump and the MOV data were gathered for each individual system, IA., =wntW service water pumps were distinguished from the Si pumps, etc. This is a positive feature of the analysis, however offset by the relative paucity of plant specific types of components considered.

De plant specific dan were calculated by dividing the number of failures by the number of demands or hours of running time. If zero failures occurred a value of 1/2 was used for the number of failures. No Bayesian updating was used.

16 i

',- - -, . - T

3 J

De treatment of 6e MDAFW and DDAFW pumps is not consistent with that of the other pumps, he i m

licensee used generic data for failure to run, even though plant specific failures occurred in both types of p mps, yleidirig a much higher plant specific run failure rate than that in the generic database (at least '

one order of magnitude). De MDAFW pumps experienced 4 failures la 100 hours0.00116 days 0.0278 hours 1.653439e-4 weeks 3.805e-5 months , whereas the DDAFW pump experienced I failure in 100 hours0.00116 days 0.0278 hours 1.653439e-4 weeks 3.805e-5 months . De licenses explains that the exposure time of these ,

pumps was very limked, thus generic data should be used. De same argument was not applied to other pumps with limited exposure time. l In a subsequent conversation with the licensee, it was stated that some of the failures recorded for the '

MDAFW pump may not be valid, e.g., one failure may have been double counted and two failures were

- related to infant mortality (low suntion trips), experienced when the plant was still very now. A ,

sensitivity analysis whh all these failure counted and employing the plant specific data for both the l MDAFW and the DDAFW pumps yloided a substantial increase in the CDF of 2005.

Table 2 of this review compares the failure data for selected components from the IPE to values typically I used in PRA and IPE studies, using the NUREG/CR 4550 data for comparison (NUREG/C'3 4550, Methodology). Note that the table contains both plant specific and generic (denoted by GNR) data that the licensee used.

Most data are in range of the NUREGICR 4550 data, with the cavest about the DDAFW and MDAFW l failure to run data. Some pumps in the Table have a plant specific run failure rate which is significantly higher than the NUREG/CR 4550 data. he important components with significantly lower failure rates than the NUREG/CR 4550 data are the MOVs and the diesel driven AFW pump failure to start. In response to an RAI the licenme included the check valve failure to close in the modified IPE with little effect on the CDF, but the units in which the data was presented appeared to be incorrect.

. In addition, the failure rate for the de (drawer type) circuit breaker spurious openings based on a value from IEEE Std 500 which seems to be at the low end of the range of data, This may significantly impact the initiating event frequency for a loss of a de bu:.

De failure rate for the reactor protection system (iending to an ATWS) seems to be low compared to moct other IPEs (2.8E4/ demand vs. about 3 E-5/ demand).

De failure tlata for the RCFC units was taken from the Byron plant specific dua, as lasufficient plant specific data existed at Braidwood. $ =

In conclusion, the licensee collected plant specific data for only a limited subset of ec-W '. He licensee distinguished between various types of pumps and MOVs in its plant specific data. De use of generic data for DDAFW and *"1AFW pumps is questionabic, which may have a significant effect on the results. As pointed out abovs, a limhed subset of failure data seems to have significantly lower values than expected.

P F

4 17 L ,

I n__-_-,___ . .,- , _

C.1_,.~_-.._,_,f_,__._._._._...___._,_,.._,,.,-...--_-_,,-.,_

Tchte 2 Comparison of Failure Data Component Bws 4550 DDAFW pump 2.6E-3 3.0E-2

. fall to start 8.0E-4 (0.01) 8.0E-4 fall to run

MDAFW pump 3.0E 3 3.0E-3 fail to start 1.0E-4 (0.02) 3.0E-5 fall to run

Motor Driven Pump 8E-4 to 6E-3 3.0E 3 fall to start 8E-6 to 4E-3 3.0E 5 fall to run Air Compressor (GNR) not shown 8.0E 2 fall to start 5.0E 5 2.0E-4 fall to run ,

Battery Charger Failure during operation (GNR) 6.0E-7 1.0E-6 Battery failure (GNR) fall on demand not showe fall during op. 2.0E4 1.E4 -

Circuit Breaker (> =480V) (GNR) fail to remain closed-spur open 1.0E4 1.0E4 3.0E-3 3.0E 3 fall to transfer AC Bus Fault (GNR) during operation 3.0E-8 1.0E-7 Check Valve (GNR) fail to open not shown 1.0E-4 fall to close not shown 1.0E-3 MOV Fall on Demand 1.lE 4 to 5.4E-4 3.0E-3 Pressurizer PORV fail to open 2.0E-3 2.0E .$

fall to close 2.0E-3 2.0E 3 Emergency Diesel Generator fall to start 1.3E-2 3.0E-2 fall to run 6.7E-3 2.0E-3 Notes: (1) 4550 are mean valaes takes from NUREG/CR-4550, i.e. from the NUREG !!50 study of five U.S. nuclear power plants.

(2) Denand failures are probabilities per demand. Failurm to run or operate are inequencies expressed in number of failures per hour.

GNR generic data used for this comptaet.

+ generic data used for the DDAFW and MDAFW putops failure to run; the number in partethesis shows the plant specific failure rate based on the algorithm used for other plant specific components.

!8

. + i f

. 1.2.1A Use of Generic Data he sources for the generic data were NUREG/CR.2815, and NUREG/CR.4550, for the most part. ;

Dese were supplemented by IEEE Std 500-1984, WCAP 10271 (a proprimary Westinghouse report on surveillance frequencies and out of service times for the reactor proteesion instrumentation system),

NUREG/CR.2728 (the IREP procedures guide) and WASH-1400.

Section 2.2.2.3 above discusses the use of generic data for important components, 1.2.2.5 Comann Cause Quantimation Most types of redundant M+i-m3 generaJy associated whh common cause failures were examined to address potential common <ause failures. De approach tued.was the multiple greek letter approach i

(MGL). he # and (if applicable) the y and the o factors are reported in the submittal. De methodology 20tiowed the described in NUREG/CR 4780 (*Pmcedure for Treating Common Cause Failures in Safety j and Reliability Studies *).

De categories of components included in the common cause analysis are: large ac circuit breakers, ructor trip breakers, diesel generators, containment spray pumps, residual heat removal pumps, other pumps, check valves, MOVs, HVAC chillers, HVAC fans and the ' average" category. De

average" ,

category includes: air compressors, AOVs, HOVs and manually operated valves, electrical / electronic i components (e.g., comparators, lead / lag amplifiers, battery chargers, limit switches, inverters, relays, swh&es, mechanical cam timers, power transformers, circuit breakers other than large ac breakers), fan '

coolers, heat enchangers, strainer filters.

De list is fairly complete. Here seem to be no common cause failures modeled for batteries, and

-

between the DDAFW and MDAFW pumps (evon though the pumps are similar), or between the PORV valves. ,

%c licensee tailored the generic common cause data to its plant specific conditions, disallowing failure mechanisms based on malatenance practices and hardware fixes. D'.s tends to mask the uncertainty in the state of knowladge of these failures. For example, there cocid be as yet undiscovered failure mechanisms, or unintended new failure mechanisms introduced by the maintenance procedures. ,

. He modifb: IPE has diffe ent # factors then the original IPE: the # factors which were below 0.01 were ,

increased to 0.01, thus estab" hing a floor for # factors. De licaa=* also did some sensitivity analysas:

establishing the floor on tue # factors had a negligible impact on the CDF (< !%). Increasing all #

factors in the modified IPE by a factor of 10 raised the total CDF by a factor of 2.0 (from 2.gE-5/yr to -

3.5E-5/yr).

A comparison of $ factors for 2 out of 2 systems in the submittal vs. those suggested in NUREG/CR-4550 or the ALWR requirements document (number in parentheses) to which the licensee compared their

' data values in their IPE submittal, i.e., " reference # factor

is presented in Table 3.

19

_ . _ _ _JZ L.iE: ~:~ r iz1;_ n r_.__ _ _.- .__

. Table 3 Comparison of Common-Cause Failure Factors Component BwS # factor l.arge ac breaker 0.039 (0.10)

Reactor trip breaker 0.041 (0.10)

HVAC fans 0.01 (0.10)

CS pumps 0.062 0.11 (0.067)

Rii pumps 0.01 0.15 (0.14) other pumps 0.01 .03-0.21 (0.14)

MOV - 0.011 0.088 (0.05) check valses 0.01 (0.18)

" Average" component 0.011 (0.10)

Diesel Generator 0.01 0.038 (0.075)

Table 3 shows that the CCF factors used in the IPE are generally lower, and in some cases much lower (order of magnitude) than the ones recommended in NUREG/CR-4550 or the EPRI ALWR requirements

' document. Ho vever, they are generally within range, tne licensee studied conunon cause failures at their plant and developed a rationale for these values, and they ' ave also performed a sensitivity analysis, herefore, the conclusion is that the licensee has complied to a limited extent with the accepted way of modeling these types of failures.

2.2.2.6 initiating Event Frequencies A mixture of generic caw, plant specific data and plant specific analyses was used to derive the initiating event frequencies, o u De frequency of general transients is derived from Braidwood experience within the data window sor collection of plant specific data, i De frequenries for single and dual unit loss of essential service water, loss of CCW, loss of de bus !!!,

losses of ac buses 141 and 14;, ISLOCA and flooding initiators were determined based on plant specific

- analyses, including fault tree analyses.

For calculation of fmquency of losses of component cooling water and dual unit losses of essential service water, the licensee considered piping ruptures as a contributing (and the dominant) cause of the initiator.

l

- De licensee used and adapted the piping rupture data from EPRI TR 102266 for the 'PWR Other L Systems' category based on the pipe size groups.

l L 20 l

~ . . _ . . _ . . . _ _ ,

(:

I Ruptures in the essential service water system effectively make such failures dual unit initiators from th standpoint of the affected unit, as no cross connection would be attempted in such a condition due to t diversion through the break. Credit is given for the operators to isolate the break, with a median time of isolation given as 30 minutes in order to calculate the HEPs. However, for break sizes needing isolation in less than 30 minutes, no credit is given (HEP = 1.0). More discussion of the SX ruptures is offered in the flooding section of this TER (2.2.4).

De following initiators had frequencies developed t.ased on generic data: De loss of instrument air i frequency was determined by a review of industry operating experience. De SGTR frequency was !

deve40 ped from U.S. and international Westinghouse PWR experience. De frequency of secon) breaks was calculated based upon operating experience at Westinghousedesigned PWRs. De generic data bases were consulted for the period January 1,1984 through March 31,1992.

For lossa of offsite power (dual and single unit), methodology and site-specific data from NUREG 10 were used for grid related, weatha related and extreme weather related losses of offsite power. De plant centered losses were calcul.cd from generic data presented in NSAC-147,166 and 182 offsite power at deal-unit sites.

De large and medium LOCA frequencies were taken from WASH 1400. De small LOCA frequency includes small pipe breaks, rescating failures of pressurizer PORVs or SRVs and RCP seal failures, n small pipe break frequency is taken from WASH 1400. De pressurizer PORV and SRV challenge probabilities were calculated based upon the challenge rate for these components for anticipate categories developed for Westinghouse nuclear steam supply system plants in response to NUR and Braldwood-specific anticipated transient NUREG categories. De reactor coolant pump seal failur frequency was based on data for U.S. Westinghouse PWRs.

ne initiating event frequencies used in the IPE are shown in Table 4.

De initiating event frequencies seem reasonabl . and are comparable to other PRA studies, with poss exceptions in the case of loss of instrument alt, loss of a de bus (see section 2.2.2.3), and small LO It is not expected that this will have a large effect on the results, but in case of some initiators the e may be measurable (i.e., a 10-20% effect on the CDF).

Table 4 Initiating Event Frequencies for . caldwood IPE Initiating Event Frequency (lyr)

Large LOCA 3.00E-4 8.00E-4 Medium LOCA 6.30E 3 Small LOCA 1.10E-2 SGTR 1.01E-7 ISLOCA 3.00 General transient 21

, - , , , - - - - , v- ,

Steamline breaks upstream of MSIVs or 3.60E 3 feedline bre4k s downstream of FWlVs i

Steamline breaks downstream of the MSIVs or 3.60E-3 feedline bre2ks upstream of FWIVs single unit LOOP 3.22E 2 dual unit LOOP 1.32E-2 singe unit loss of essential service water 5.65E 4 dual unit loss of essential service water 5.58E 6 I

loss of CCW 5.91E-5 loss of 125V de bus 111 5.05E 4 lots of instrument air 4.30E-4 loss of 4kV ac bus 141 3.55E-4 loss of 4kV ac bus 142 3.55E-4 flood in zone 8.3-1 1.30E-4 i

flood in zone 11.64 1.89E 5

~2.2.3 Interface Issues 2.2.3.1 Front End ana Back End Intesfaces Failure of core cooling recirculation due to failure of containment heat removal is not modeled. De licensee used probabilistic arguments to remove this issue from consideration. Here is ample diversity and redundancy in the containment heat removal systems (2 CS pumps,4 RCFC units). De dominant failure mode of the PCFCs is a loss of the essential service water (SX) according to the licensee. %Is would also disable the mre cooling recyculation, as the RHR heat exchangers are cooled by CCW, which ,

is in tum nooled by SX. Dis type of argument still does not totally address the issue, and the 'icensee appears to have missed the opportunity to obtain insight on the impact of this failure.

De RCFCs are needed to control the cor..alament atmosphere within the PORV qualification limits.

RCFCs are credited with providing mot recirculation water, in addition to providing containment beat renroval, i.e., successful operation of this system obviates the need to align the RHR heat exchangers for CCW cooling. De RCFCs promote mixing of the containment atmosphere, as well as condensing the l

steam, such that the sump water is maintained at a reasonable temperature.

Further insights into the Level 2 analysis, are presented in Section 2.4.

22

l l

I

.- 2.2.3.2 Husman Feders losesfeces i

insights Imo the human reliability modeling are preswded in Section 2.3. ;

i 2.2.4 Internal Flooding

?

2.2.4.I Imeernal Fleedias Methodelegy

- De methodology used to perform the flooding analysis consisted of four major steps: l

1) Collection of pertinent information; 3

2) Plant walkdown; -

i

. 3) Qualitative analysis to eliminate nood areas; 4)- Quantification of important nood scenarios.

4 De four steps follow the standard flooding analysis methodology. 7 Flooding scenarios which require a manual shutdown after a time period longer than two hours were considered controlled shutdowns and were screened from the analysis.

De Gooding wonario frequency included consideration of detection and isolation of the Good, but few details were provided. '

At least one scenario was screened because the floodirig would not damage the critical equipment for at '

! least 30 minutes, implying that there is a low probability of opwator failure to detect snd isolate the flood I within that time period. However, in response to an RAI, it is stated that ' operator action to mitigate ,

- the impaa of a nood is incorporated in several procedures (e.g., B/BwOA PRl4), but was conservatively

not credited in the initial analysis", which seems to contradict the above. In the IPE modification modeling SX piping ruptures, a lognormal distribution for the isolation HEP is developed. Dis distribution has a median laolation time of 30 minutes, and a cutoff of 30 minutes (i.e., no laolation is i

allowed in less than 30 minutes).

Prom the information recolved it appears that the other HEPs associated with the general transient PRT used for quantification of the flooding scenarios, wwe not modified to account for flood specific

=, coacerns. ,, ,

l Spraying and floodlag we,o both considered as mechanisms for equipment damage, any mitigating

! measures were also considered (e.g., equipment raised off the floor, anti spray shields). De doors were hasuined to be la their nonnat positior. Plood propagation is considwed, including back prop;,gation through drains, ventilation duas, etc. Based on the information received it seems that leair. age through

' doors and drain blockage was not considered, though a statement is made that most general operating ,

Soors of the various buildings have open stairwells and large floor openings and/or gridworks to permit equipment transfer between levels. - la the detailed analysis, minimum water levels to induce equipuient damese were considered in the Scod ptopagation sonas.: As a general guideline, water spray from 1i pipe was =====I so affect components within a 10 lbot radius and in line of sight from the pipe. Engineering judgement was used when appropriate to extend this range of effect due to other factors such as higher l pressure systems, elevated spray sources that could splash, and cable trays or other items that could redirect the water flow and/or cause waterfall effects at extended distanas from the break. '

23- ,

e 5, e- e- ,-4-,----,.bmmr ,

.-,~-4 . - , - , ---m- E- .,- .n9-,,w,2,r,,-,-----,-w w-w..--w---wh, 1- w .-c....w--- - w., .-w-,,,-wn, .um--- ,. w--w w-- ,n

l

. l l

Credit is given to rigid and durable insulation around some pipes in the plant. It is assumed this

insulation would contain the spray from a pipe break, such that only flooding and dripping from the seems was considered. Pipes whidi are normally free of liquid during normal operation (e.g., uncharged fire lines) were not considered credible water sources.

Fire protonion system piping ruptures, as well as the SX and CCW piping ruptures were considered in abe anodified IPE. A flooding scenario was escovered related to SX pipe ruptures which would disable all 4 SX pumps by water propagation through a ventilation duct, leading to a dual unit loss of service water and (acmrding to the model) directly to dual unit core damage. his scenario has a frequency of '

i about 3.2E-5/yr, and would therefore double the core damage frequency and be the leading core damage seguence. A hardware modification preven:ing overflow of the auxiliary building floor drain aump into the SX rooms. is currently being considered by the licensee but details _ were not provided, (the '

modincasion has not been implemented as of the date of the modified IPE). De modified IPE does take credit for this improvement, thus eliminating this scenario from the list of surviving flooding scourios.

Dere is not mu,cb discussion about pipe whip and steam impingement, other than a sta"nent that impingement from pipe breaks was considered. in .esponse to an RAI, the licensee stated that spalasanance induced floods were not judged to be a concern after reviewing the data base of malatenance events for the modified HRA (which does not seem to answer the question about the maintenance induced floods). ,

Surviving flood scenarios were quantified using internal events event trees (or plant response trees).

Only two fiv>d scenarios survived the screening process.

In conclusion, it seems the flooding analysis was a credible effort, with some simplifying assumptions and'anme questions as to the modeling of operator actions. More discussion on the effectiveness of the proposed improvement in flood proofing the essential smice water pump rooms would be appropriate.

2.2.4.2 Internal Mooding Results De total CDF from flooding is calculated to be 3.5E-9/yr. His includes the two unscreened scenarios, and not the scenario which is currently undergoing consideration for a fix. De two flooding scenarios result from pipe breaks spraying water on equipment which is not qualified for spray operation and is not ablelded.

De scenario in zone 3,3-1, grade level of turbine building would disable two of the three lastrument air l

compressors, with a frequency of 1.30E 4/yr, leading to a core damage frequency of 1.5E 9/yr.

%c scenario in zone 11.64, elevation 426' in the auxiliary building, would lead to a loss of MCCs 131, 132 and 134, with a frequency of 1.39E-5/yr and a core damage frequency of 2.0E 9/yr.

No settmate of the residual from the screened scenarios is given.

/

L 1

l 24 v+ - - - + - -p -

er e gy- --p,-my y -hept 9vv- --+y- '4vess--- -+ -* g- - -ww- --1,,io-- c --

y

2.2.5 Core Damage Sequence Results

' 1.2J.1 Dominant Core Dansee Sequences r

. De tmsults of the IPE analysis are in the form of systemic sequences, therefore NUREG-1335 screening criteria for reporting of auch seguances are used. De internal core damage frequency has a point l h of 2.8E-5/yr. Accident types and initising events that contributed most to the CDF, and their percent contribution, are listed in Tables 5 and 6.

De submittal lists 100 dominant sagaeness, with almost no discussion. De 10 most important sequences are sunnarized below in Table 7. ,

De loss of offsite power contributes 31% or 8.8E 6/yr to the total CDF. His is mostly due to the SBO -

. conditions (28% of the total CDF). De RCP seal LOCA contribution is 1.5E-5/yr or 54%, from all initiators. De A'!WS contribution is 0.8%, or 2.2E-7/yr. His is lower than at most PWRs due to a *

. Iow probability of RPS failure and the ATWS success criteria. He SGTR contribution is 9%. De

. lSLOCA contribution is 0.4%. De flooding does not contribute significantly due to a credited plant ,

improvanent which is under consideration.

De dual loss of service water is a dominant initiator due to the SX dependency of RCP seals, as well ;

as a dependency of all the high pressure pumps. De loss of CCW initiator has a very Ligh conditional core damage probability, due to an assumed failure of the operator to switch the operating charging pump ^

to a cool water source (necessary possibly due to a lou of letdown beat removal). His leads to an RCP seal LOCA with guaranteed failure of one tral.: of HPl/HPR (no credit given to SI pumps for this funcsion in non LOCA initiated events).

.nsSGTR contribution of 8.6% involves a fair amount of credited accident maragement strategies. For example, as seen in the dominant SGTR sequence, operators are credited with correcting an initial operator error. RWST refill also helps reduce this contribution.

Except for 'Le high contribution of the SX losses, the risk profile is not atypical of a PWR.-

De following are CDF contributions (Fussell-Vesely) of the most important systems (and do not include

+

high level operator actions associated with such systems):

- eun.tla* service waier,51%;

- 4160V bus 142,285;

- 4160V bus 141,25%;

- centrifugal charging pi" s,13%;

- auxillary feedwater,10%

t - high pressure recirculation,9%;

- accumulators, 8%

i 25 h

i

. . . . . _ , . . . , . . , . . . . .s.. ~ , . * , , ~ . . . _

. .% , _, ., .,.s, -..w.. .,,,,n.-,-.,__ + ,

Table 5 Accidet Types and Their Contribution to the CDF" Inhiating Estat Group Contribution to CDF (/yr) %

Loss of offsite power 8.77E4 31 less of support system 8.39E-6 30 LOCA 7.70E4 27 SGTR 2.44E-6 8.6 General transient 6.43E-7 2.3 Secondary side breaks 3.36E-7 1.2 Internal flood 3.5E-9 0.02 (Station blackout) U 87E4) (28)

(ATWS) (2.2E-7) ,

(0.8)

(ISLOCA) (1.01E-7) (0.4)

TOTAL CDF 2.82E-5 100.0 Table 6 Initiating Events and Their Contribution to the CDF

~

IE frequmey Contribution %

Initiating Event (/yr) to CDF (lyr)

Dual unit loss of essential service water 5.58E-6 5.58E-6 19.72 Dual unit loss of offsite power 1.32E-2 5.16E-6 18.22 Single unit loss of offsite power 3.22E-2 3.62E-6 12.79 Large LOCA e. 3.00E-4 2.59E-6 9.15 m.

Small LOCA 6.30F-3 2.57E-6 0.09 Medium LOCA 8.00E-4 2.44E-6 8.64 EGTR 1.10E-2 2,44E-6 8.63 less of CCW 5.91E 5 1.13E-6 4.00 Single unit loss of essential serdce water 5.65E-4 1.03E-6 3.63

" Categories in parentheses (e.g., station blackout) are not separate initiator types but are included in other categories (e.g., SBO is included under LOOP and transient).

26

e 3.00 6.43E-7 2.27 General transient i 5.05E-4 5.97E-7 ?.11 1 Loss of 125V de bus 111 1.80E 3 1.25E-7 0.44 Feedline break inside containment J 1.01 E.7 1.01E-7 0.36 !

ISLOCA ,

1.80E-3 8.94E-8 0.32 Feedline break outside containment

! .80E-3 6.07E-8 0.21 .

Stammline break inside containment 1.80E-3 6.03E-8 0.21 St**mline break outside containment 3.55E-4 2.57E-8 0.09 Loss of a single ac bus 142 3.55E-4 2.47E-8 0.09 Loss of a single ac bus 141 4.30E-4 4.15E-9 0.01 less of instrurflent air 1.89E-5 2.03E-9 0.01 Internal flooding, zone 11.6-0 1.30E 4 1.50E-9 0.01 Internal flooding, zone 8.31 Table 7 Dominant Core Damage Sequences initiating Event Dominant Subsequent Failures in Sequence p all the injection systems fail; RCP seal LOCA 15.9 Dual unit loss of essentid service water at least one accumulator on intact icops fe.lls 8.2 Large LOCA failure of operator depressurization; operator 6.4 Medium LOCA failure to estsblish high pressure reche'lation both emergency buses failure (including diesel 3.7 I Dual unit LOOP

and other failures) with cross tie, (SBO cor.ditions), resulting in essential service e ater failure. seal LOCA with mre uncovery prior tc 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months -

LPI pumps fail in recirculation 3.6 Smal! LOCA assumed failure of operators to switch 3.6 Iess of CCW charging pump suction to a cool source of water, failure of charging pump and thermal barrier cooling, RCP seal fr.ilure, cne i

remaining train of high pressure injection falls I

in recirculation l

27 l

l

Initiating Evat Dominant Subsequmt Failures in Sequece D RCS cooldown/depressurization fails and 3.6 SGIR operator fails to discover failure of cooldown/depressurization all injection equipment fails; consequential 3.0 Dual unit loss of essential service water small LOCA > 21 gpm both ac buses fall (including EDG failure) 2.4 Single unit LOOP with cross-tie to other unit, resulting in essential service water failure and SBO

conditions with core uncovery prior to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months due to a seal LOCA ac bus 142 failure with cross-tie, independe" 2.3 Dual unit LOOR failure of trata A of essential service water, which results in failure of the associated diesel generator, SBO conditions, presume do not credit start of DDAFW pump at this point due to bauery deplalon 2.3 Human Reliability Analysis Technical Review

- 2.3.1 Pre-Initiator Human Actions Errors in the performance of pre-initiator human acuons (such as failure to restore or properly align equipment after testing or maintenance, or miscalibration of system logic instrumentation), may cause components, trains, or entire systems to be unavailable on demand during an initiating event. De review of the human reliability analysis (HRA) portion of the IPE examines the licensee's HRA process to determine the extent to which pre-initiator human events were considered, how potendal events were identified, the effectiveness of any quantitative and/or qualitative screening processes used, and the prc, cesses used to r.ccount for plant-specific performance shaping factors (PSPs), recovery factors, and ,

dependenci" among multiple actioas.

2.3.1.1 Types of Pre Initiator Human Actions Considered

. De Byron /Braidwood modified IPE considered both of the traditional types of pre-initiator human actbas: failures to restore systems after test, maintenance, or surveillance activities and instrument f miscalibrations. However, only four restoration events and no miscalibration events were actually modeled in the modified IPE. All other pre-initiators were screened (not modeled in the fault or evet.t

! trees) on the basis of either a qualitative or quantitative analysis. Details of the screening process are

! described below in sections 2.3.1.2 and 2.3.1.3.

28

l

1.3.1.2 Proesus for Identification and Soledian of Pre Inidater Hunnan Adiens De general approach used in the Byron /Braidwood modified IPE to address pre-initiator ceents was to perform a search of plant records to identify potential pre-initiator vulnerabilities. Records from 1992 -

1995 were reviewed to identify events involving personnel. error, out of service (OOS) error 1

- (maintenance), testing error, or miscalibration error. De review includal licensee event reports (LERs),

nuclear opersions notifications (NONs), which are Comed's mechanism for promptly reporting events '

a one sesion the may have applicebuity a other marinna, and problem identification forms (PIFs), which is Comed's method for documenting any discrepancy. One goal of the review was to identify any l patterns in the different types of possible errors, e.g., OOS errors, or to identify specific errors with systems modeled in the modified IPE. In addition, procedures related to the differsat types of arors were examined to detennine whether adepunte independent verification, checking, testing, and/or control

- room indication of systan misalignment existed. Dus, reviews of actual plant events and plant procedures were used to identify potential pre-initimor events, in addition, instrumentation used to laitiate suu made actions and instrumenes used by operwors in reponding to laitiadng events were reviewed. De basis for the selectian and inclusion of pre-initiator events in the modified IPE models is addressed in the

- next section.

2.3.1.3 Screening Process for Pre Inidator Hunian Actions De Byron /Braidwood modified IPE documents and discusses error related events that were identified and also discusses the procedures related to performing maintanaree, testing, and miscalibrations. De general '.

conclusion of the analysis war that while errors do occur, they are rare, no patterna were identified,"

and "no vulnerabilities existed." For restorations after testing or maintenance, it was argued that "many of the hundreds of surveillance procedures do not affect systems modeled in a PRA..., many tests performed during refueling outages or other shutdown periods cannot cause at power misalignments

- because other surveillances are required to prove system operability before returning to power operation

..., some only invelve visual inspection..., and others are performed without any re-alignment of system components from their m-power configuration." For the remah.ing (with only a few exceptions), it was argued that " component misalignment would be indicated or annunciated in the control room... or independent verificmion of component position ...is required by procedure." Events mesdag these criteria were scrooned out and therefore only a few restoration events were modeled in the modified IPE.

i De above approach for qualitatively screening restoration events is commendable in one sense because l of the level of analysis involyed in examining plant specific information. Moreover, the screening cr}t,eria used are not uruensonable and are consistent with approaches taken by some other licensees.- dowever, other licanoes have modeled restoratior, faults that require independent verification and hac== of other shortcomings in the restoradon proces, some of these events have turned out to be relatively important.

Dus, the failure to include suc'. ..ents must be cornidered a weakness of the Byron /Brandwood modified l IPE.

L Two of the events that were modeled were associated with restoring the containment spray pumps and i the other two were for reopening the "RH heat exchanger inlet isolation valve" after tasting. De associated procedures apparently did not have the adequate check offs or the independent verification

- needed to be screened out. While several other events were actually quantified "using the current '

procedures," the resulting HEPs ranged fmm 1.4E 5 to 5.5E-8 and were considered negligible compared to the failure to start or run data. Eveats not modeled due to negligible failure contributions included l 29 .

p

---...-y.,m.-

. , . - . . - - . .w, m r-. , ,-,.-m~.e c.,,.-# - ~ , . . . .r-- ,,_.. , e , .w,.,- - .-,,w.. , , - . -- , - - * - . , - ,e--.----e

I

< ESFAS slave relay restoration for containment spray and safety injection and restoration of the charging l pump manual discharge valve. j Assuming the events that were screened.out due to negligible failure contributions were quantified i

] appropriately, the screening approach is not unreasonable. Moreover, the HEPs for the four restoration events that were modeled appeared reasonable (5.lE 3 to 1.gE 3) given the absence of appropriate deck- l offs. However, it was impossible to clearly assess the adequacy of the quantification technique used to J quantify these events (and those dismissed as having negligible contributions) because the quantification process was not explained in either the original or modified Byron /Braidwood IPE, la response to an NRC RAI, the licensee indicated that 'DIERP was used to quantify the pre laitiators. Nevertheless, while the values are not obviously unreasonable and the licensee appears to leave considered relevant factors, the lack of a clear description of the quantification technique is a weakness of the modified IPE.

hrning to pre-initiator miscalibration events, the licenses made several arguments that served as the basis

. for not inodeling any miscalibration events in their modified IPE. First, it was argued that "the potential for instrument miscalibration at Byron and Braidwood is minimized by the practice that multiple channels of plan' irutrumedstion measuring a pararreter are not worked on in the same day by the same lastrument assnician using the same test equipment." In addition, " calibration results are reviewed to compare the recorded "as found" value with the "as left" value to identify discrepancies, and for parameters with more than one channel, miscalibration would be identified at the end of the calibration activity _ by a simple

channel deck - comparing the meter reading of the just calibrated channel to an adjacent meter indicating the same parameter." Furthermore, it was argued that indications used by operators are '

normally *available from multiple channels and/or diverse instrumentation or alarias which are normally

- active and in constant use such that a miscalibrated instrument would be readily identified and/or compensmed for by a diverse indication."

l !

While the above arguments are not unreasonable, as noted regarding the restoration faults, other licensees l

have modeled such events and in some instances found them to be important. Moreover, while failures l

In these types of actions may be rare, the step by step examination of procedures required during '

l quantification may have identified some shortcomings nus, while it may or may not be true that

(

L operators wouid be able to cope with discrepancies between instruments, the identification of some potentially important pre initiator events inay have been precluded. Hus, the licensee's approach to miscalibration events ir considered a minor weakness of the modified IPE.

De licensee did attempt to determine!whether miscalibration might have a noticeable effect on the fault ,

tree failure probabilities." Dey noted that "in general, the instrumer.tation basic events werr !ther not found in any of the fault tree cutsets above the cutoff of IE-12, or were in only a few cutsett that did not coatribute significantly to the fault tree failure probability. It is not clear, however,' bow this review accounts for the potential impact of mL:alibrations, it remains possible that such cutsets might have become important if miscalibration errors (particularly common cause) had been included. [

2.3.1.4 Quantifiestion of PreInitiater Henan Actions As discussed above, while some pre-laitiator restoration faults were quantified and some of those were included in the modified IPE models, a description of the quantifiestion approach was not provided. ,

30

__ 1 . ._ _ _ . _ _ _ _ _ _ _ _ _ _ _ _ ._ . . _ _ _ . _ _ _ _ __

, t 1

2.3.2 Post Initiator Huanan Actions j Post initiator human actions are those required in response to initiating events or related system failures.

Although different labels are often applied, there are two important types of post-initiator human actions that are usually addressa in PRAs: reponne amions and recovery actions. Response actions aro generally i distinguished from recovery azions in that response actions are usually explicitly directed by emergency .

operating procedures (EOPs). Alternatively, recovery actions are usually performed in order to recover l a specific systeen in time to prevent undesired consequences. Recovery acsions may entall solog beyond EOP directives and using systems in relaively unusual ways, Credit for recovery actions is normally not ,

taken unless at least some procedural guidance is available.

j De review on the human reliability analysis (HRA) portion of the modified IPE determines the types of '

post-initiator human actions considered by the licensee and evaluates the processes used to identify and sele:t, aasen, and quantify the post-initiator actions. %e licensees treatment of operator acsion timing, dependencies among human amions, manieration of accident context, and consideration of plant specific t

PSFs is also exargined.

5.3.2.1 Types of Peet taltiater Human Acsiens Considered g De Byron /Braidwood modified IPE addressed both response and recovery type post-initiator human actions. De revised submittal and the licensee's response to the NRC's RAI provided a definition of response type human actions (referred to as type CP actions) that was generally consistent with that described above. One slight difference was that the Byron /Braidwood function restoration procedures (FRPs) direct isvery of lost funcsions and this may include attempting to align alternate systems. Dese recoveries are obviously proceduralized and were reasonably treated as response actions in the IPE. In addition, r least one non proceduralized action was modcled as a response type action (stopping the

' residual heat removal pumps in degraded power non-LOCA events). A description of the quantification of this event (OSP-2), provided a reasonable explanation.

De recovery type actions modeled in the Byron /Braidwood modified IPE included recoveries of failed equipment and five events involving crew discovery of previously failed human actions, such as discovery of failure to feed and bleed. Dese actions were developed for the modfied IPEs as part of the Success with Accident Management (SAM) endstate elimination analysis. De goal was to use plant procedure-based recoveries to loed SAM sequences with high frequencies of occurrence to core success. Two other recovery accons modeled the isolation of the ruptured service water (SX) pipe in "DLSX" sequences and .

Included (applied to Byro, only) isolating Train A of SX from Train B SX in "DLSX" sequene s to maintain one recoverable train before the SX cooling tower basins drain through the pipe rupture.

Recovery actions are discussed in more detail below in section 2.3.2.3. i De modified submittal signified that response type actions appeared in the plant response trees (PRTs) and in the fault trees. Dus, they could occur at the event or fault tree level. Recovery actions were not

. included in the logic models and as noted above were applied in special analyses, e.g., the SAM andstate elimiastian psocess and the isolmion of component cooling water and service water pipe break analyses.

2.3.2.2 Procsos for Identincation and LAmeia= ef Post-Initiater Humaan Actions ne licemee's response to the RAI indicates that the important operator actions (OAs) had been identified and defined previously (in the original IPE) by the systems analysts in the development of the fault trees j l

-31 l

-- ---, - ,_,_ C__ z~ :: 3 ;-23 .l

I

. and PRTs. Procedural reviews were an important source of information for the identification of response j

type opermor actions. Procedures reviewed included emergency response procedures (EOPs), system operating procedures, abnormal operating procedures, function restoration procedures, and emergency J contingency actions, in addition, operator talk 4hroughs (including the use of checklists) were used to l

" review the selected critical subtasks and to gather plant specific factors for consideration in the HRA i quantification." Most recovery actions were identified during the elimination of sequences whh SAM :

andstates. De others were identified by the systems _ analysts after laitial quantification in order to ;

recover component cooling weer and service water pipe breaks by isolating the break. Sequence timing, ;

time available for the operator maions, and success criteria were considered in determining which acsions to include.

t

2.3.2.3 Sassning Prooms for headalaister Response Adless A screening analysis was not performed for response type post initiator human actions modeled in th; Byron /Braidwood IPE. In the original IPE, all OAs !, the event and fault trees were given detailed '

analysis wkh the goal of obtaining a realistic HRA. As is cascussed below, the modified IPE roquantified important human %:tiors from the original HRA.

Howner, the recovery actions modeled in the SAM andstate elimination analysis involving new discovery of previously failed human actions were assigned screening values of 0.1. In addition, the action (applied

to Byron only) to isolate Train A of SX from Train B SX in "DLSX"_ sequences to maintain one recoverable train before the SX cooling tower basins drain through a pipe rupture was also assigned a '

screening value of 0.1. Neither the bs:is for the assignment of this value nor a discussion of any revisions to the screening values were provided. Awarently no revisions to the screening values were made.

2.3.2.4 Quantification er heidnitiator limman Ah For the modified IPE, the PRT and fault tree post initiator response type human actions with a risk achievement worth ((RAW), "using the original IPE model, enhanced quantification") greater than 2.5 and *those added as a result of changes to the PRTs and tault trees," received a complete re evaluation."

In addition, PRTs that " contributed significantly to CDF in the original IPE were identified" and the "OAs in these trees, including the conditional probabilities, were evaluated on a sequence-specific basis to identify conditions of stress, dependency, and availability of recovery opportunities and were requantified when necessary." Remaining HEPs were reviewed for reasonableness and "for selection of the appropriate vHu: for each brand of the PRTs.",De PRT OAs "were also reviewed to identify those

actions wbli might ce donctibed as time-criticaC" hat is, "those for which the =tinatad thne to r

accomplish the acsion was greater thau 25% of the estimated time available before some undesirable :.. ate was reached."

~

As described by the licensee, a thorough search was performed to identify human actions for re- ,

quantification. Birty-five human actions were requantified for both Byron and Braidwood, with different values obtained for the different plants in some instances, la the original IPE the licensee argued that wkh only one exception (Byron's service water cooling tower) the two plants and their procedures were identical. However, in the modified IPE, they noted that since 1994 some differences have developed and a few operator actions were requantified specific to the plant. De modified submittal and the response to the RAI pmvide descriptions of HRA related differences and similarities between the plant, e.g., procedures, shift staffing, control rooms, and procedure use.

32 ww r+r' Wg9e-W +1 e e--w-7pmy,--+v----- -Yt1-t*-T "

6 Most of the maions identified in the review were requantified using the EPRI Cause Based Decision Tree *

- Methodology (CBDTM) from EPRI TR 100259, "An Approach to the Analysis of Operator Amions in PRAs," June 1992 (a few special cases were quantified with the THERP Annunciator Response Models :

NUREG/CR-1278). De CBDTM uses a set of decision trees to model errors in the cognitive element of each amion and recommends use of the THERP me&od to model the failures to perform the task- '

l execution portion of the amion. %e failure probability for the acsion is calculated as the sum of the cognitive and task execution portions of the action. ,

his method estimates failure probabilities for the cognitive elements based on an assessment of factors, 1 such as data availability, attention failure, miscomnwnication and misreading of data, misleading '

informsion, missing or misreading procedural steps, misintegreation of instructions or decision logic, and deliberate violations. Recovery factors, such as reviews by other crew members, including the shift ,

technical advisor (STA), are allowed to reduce the error probabilities calculated from the decision trees i j

if there is aufBcient time. The criterion of"aufnclent time" depends on the particular recovery factor--for '

example, credit for review by the STA is not permitted unless there is at least 15 minutes from the initiating cues for the operator actions to be completed. In addition, in the modified IPE, credit for an snurgency response facility (ERF) was not taken unless the OA took place greater than one hour into the 1 sequmce or the time available for the OA was greater than one hour. In contrast to the other EPRI HRA '

methods, the CBDTM does not otherwise directly incorporate measures of time in quantifying human error probabilities, The likelihoods of failures in task execution were quantified using the THERP method, described in NUREG/CR-1278. De assence of the recovery approach for both phases of the action is that additional time allows additional control room cues or cues from reviewing procedures to become available, which in turn facilitates self-review and review by other crew members and technical advisors.

Compared with the method used in the original Byron /Braidwood IPE submittal, the combination of the CBDTM and 'INERP appears to provide a more realistic basis for assessing post-initiator human actions.

At a minimum, the diagnosis phase is explicitly modeled (except for the events modeled with the THERP L Annunciator Response Model that are discussed below) and relevant PSFs are considered. l i

- However, as noted in NRC Technical Evaluation Reports (TERs) for other IPEs, the CBDTM does not, in itself, have a unique approach for analyzing time-critical actions. Dat is, those actions where the difference between the time available and the time required to perform the actions is short and the j

possibility exists for the operators to fail to accomplish the actions in time, are not evaluated directly as a function of time. Derefore, even with the CBDTM, the potential exists for underestimating7. EPfYor short-time fran e events. De licensee did indicate that time pressure was taken into account by increasing the str as factor (addressed within THERP) in the evaluation of the basic HEP. De licensee's I consideration and treatment of ...xator response time is diame==t in more detail in the next section.

Before proceeding, however, it was noted above that for a few events, the licensee argued that the "EPRI L

CBDTM was inappropriate for estimating p.," (the diagnosis phase). De licensee noted that the operator response to loss of component cooling water and loss of service water are initiated by control board alarms, reher than reactor trip, and that operator actions are guided by alarm response procedures. For

^

these cases the diagnosis phase of the action was quantified with the THERP Annwistar Response ;

Model. One of the event. quantified in this way was the operator action to start the standby service water pump and open the service water crosstie valves (OSX-1, crosstle Unit I to Unit 2 SX). The 33 ,

i l

L ] ,

I

)

- quantificsion of this event was provided in the reponse to the RAI and the roulting HEP for Byron was 1.3E.3 and for Braidwood was 5.0E 4. Assuming adequate the is available (and this event was not-indicated as being time critical in the reponse to the RAI), th' 41ues ate not obviously unreasonable and the method appeared to be applied appropriately. Exacsly '... y the CBDTM was considered inappropriate for thee events was not explained. De four other specMic events quantified with this method were not mentlened, but were said to be related to loss of component cooling water and loss of service water sequences.

2J.2.4.1 Essinests and Cenddrasise g(Opensser Aegenst 7tne 6 la the licensee's reponse to the RAI, a discussion was provided of events that might be considered ti:ne critical. Available time and estimated performance times were presented for these events and the

-discussion focused on the procedural guidance provided for these actions. De apparent goal was to ;

lilustrae a reasonable expectation of operator success given the time available and procedural guidance.

A review of these actions, their timing, and the associated HEPs suggest that the assigned HEPs were not obviously unspasonable. In the same licensee response to the RAI, differences in timing for similar events as a funcslon of context was also addressed. De apparent goal was to illustrate that the -

differences in timing were not important for the identified events because of the relatively large amounts of time available. In any case, while the CBDTM is not ideal in its treatment of short time frame events, !

k appears that the licensee made a reasonable effort to try to ensure that potentially time critical events

l were not inappropriately quantifial, i.e. a " sanity check" was apparently performed. .

De modified IPE and the rr., noe to the RAI note that opportunities for recovery are largely a function of time. Derefore, before applying the various recovery failure probabilities noted above, the modified IPE states that seguence timing, time available for the OA, and performance time were considered. His

, information was indicated as being documented i n the IPE Plant Response Tree and Success Criteria

Notebooks and was based on MAAP computer runs and operator and simulator penonnel estimates.

When. time was available, recovery credit for failure to diagnose (p) was given for extra crew, shift change and ERF review, with recovery values of 0.5,0.1 and 0.I, respectively. Credit (0,5) was also given for recovery of "immediate action steps" (those performed from memory), when required procedure reading would serve as a check. In addition, if a procedure step involved a system or function that was shared by the two units, a recovery of 0.5 was applied due to the presence of the other unit's ,

crew.

s Credit for recovery of response eucution (p,) could be given for similar reasons, but was based on values ,

from THERP. Recovery credit for actions outside the control room was considered only .. lack of completion produced a compelling signal in the control room. While the approach used alio,vs substantial credit for recovery, reviews of example calculations for important actions suggests that recovery credit was applied reasonably (particularly given the detailed application of THERP to the step by step performance of procedurally driven actions).

23.2.4.2 Other Perfenmaner Shaping Feners Consid: red

. Operator actiosi laterviews were conducted and checklists were used to assess critical aspects of the diagnosis and execution of an action < Factors evaluated included training on the simulator, adequacy of procedures, need for local actions, time available for local setions, feedback to the control room for local i actions, stress level, potential non-recoverable actions, etc. Per the guidance provided in the CBDTM and in THERP, the level of stress in given situations was objectively factored into determining the HEPs.

4 34

"' ~ ~ ~ -' - -

- - .- .- - - - - . __ - - . _ ---- ..- -~.-.- - _ -. -

Moreover, both errors of omission and errors of commission were modeled for response execution errors as directed by THERP. De overall consideration of PSFs in the modified IPE represented an adequate consideration of plant-specific influences on human reliability.

3 2J.2.4J Considematon ofDependendes As discussed above, dopendencies related to the impact of time on within-crew performance was adfiressed in determining recovery credit for initially failed actions. Opportunities for recovery will dearly be dependent on the amount of time romahdng. In general, time dependence focuses on the fact that the time available for diagnosis is dependent on the total time available and the time needed to perform the action. While time dependencies for short time frame events are not explicitly addcassed with the CBDTM, the licensee examined time critical events to assess the reasonableness of the HEPs given the available time, in addition, the licensee indicated that sequence related timing (the impact of avauable time across a seguence) was considered in determining the time availabic for specific events (see item e below). nus, time dependence appeared to be satisfactoruy considered in the moditied IPE.

Another type of* dependence concerns the extent to which the failure probabi!ities of mult!ple human actions whhin a sequence are related, nere are clearly cases where the context of the accident and the pattern of successes and failure can influence the probabuity of human error. Dos, in many cases it would clearly be inappropriate to assume that multiple human actions in a sequence or cut set would be independent. Furthermore, context effects should be examined even for single actions in a cut set. Whue the sane basic action can be asked in a number of different sequences, different contexts can obviously lead to different likelihoods of success.

Dependence among multiple human actions were thoughtfully and thoroughly handled in the Byron /Braldwood IPE through use of the following guidelines:

a. Two operator action failures separated in time by an essentially successfal action were regarded as independent.

b. De time available for most operator actions varied from minutes to hours. De degree of dependence between OAs varied according to the time between events. Events separated by less

' than 15 minutes were assumed to be have high dependence, nose separated by less than 30 minutes but more than 15 were assumed moderately dependent and those separated by less than 60 minutes but more than 30 wereessumed to have low dependence. Events separated by more .

- than an hour were . sumed to be independant.

c. Events initiated oy the same cue and on a parallel success path were treated as having a common diagnosis element (p.).

d. Responses to memorized "immediate action" steps were assumed independent of actions later in the procedure and immediate action steps were assumed independent if performed by different crew :Dembo"5.

s. For cases where an OA failure significantly reduced the time window for a subsequent OA, high '

dependence would be assessed on the second OA.

35

~

t=< c.r -mw- c- ---w-- y,4,m, , , w --- , yov-s= -v, ,-w.v mnrw- e v- w--3,inv ,---r-ei- ,,----+ ,- =w .- ---- -- ,-a,ywee-

i

. f. For cases where an OA failure guarameed failure of a subsequent OA, complae dependence would be rsessed.

Once a judgment about the degree of dependence between e<ents was made, the dependency form from NUREG/CR-1278 were used to determine the HEP value for a dependent event. 'Ihe IPE also noted that the lower bound for single human actions was set at 1.0E-4 Potential dependencies between events in the fault trees were also given a qualitative assessme documented in the response to the RAI. It was stated that no dependencies were identified.

De modified IPE submittal and the response to the RAI also indicated that context effects on single human actions were addressed. Different HEP values were calculated for similar ev contexts.

J-2.3.2.4.4 Quandlicadon of Roemry 1)pe Adens As disanssed above, the mahod used to quantify the recovery type actions was different frcs tha for the response type actions. Screening values were assigned to the recovery of previously and apparendy were not revised. While the 0.1 value assigned was not unreasonable given the long time frame scenarios in which they were applied, a discussion of the basis for the HEP been helpful. Recoveries of failed equipment were based on mean time to repair values from 1400 and obtained values were reasonable.

- 2J.2.4.5 Hmman Aedons in ne Mooding Analysis In the Byron /Braidwood IPE, the flooding scenarios examined apparently used whatever hu

- were already contained in the models for transients and there was no evidence that the values adjusted for the flooding context, in addition, the licensees's response to the RAI indicated tha actions to mitigate a flood were not credited.

2J.2.4.6 Human Adons in ne inel 2 Analysis

Operator actions were not modeled in the level 2 analysis. .

2.3.2.5 hnportant Human Acdons * .

l l

De Byron /Braidwood response to -he NRC's RAI presents a list of the important " operator a nodes" as a function of their contribution to CDF. The top tes operator action top events for Braitwoo in terms of their contribution to CDF are presented in Table 8, along with the percent contribution to CDF. The licensee noted, however, that "in these lists all cases of each operator action are combine

(

For example, the OSX event includes OSX-1 [ HEP Braidwood = 4.0E4} for LSX sequences as l OSX-4 [ HEP = 1.01 for DSLX sequences. As stated by the licensee, "thus, the operator action j : Importance can be misleading since it includes cases of defined failure [ HEP = 1.0]." In add top event report does not include events in the fault trees.

p 36 ,

4 f

n-,,n, ~ . - - , , - - . . - - - - , - - . , , , . - - - ~ - - . , , - , - , , . . -. , . - , . , - . . - , - - , - ~ . - , , ,, , , , - - , - - - , , , , , , . - , . . . . , - - - - . - -

i Table g Bral:lwood Operator Action Top Events i Percent Event Name Event Description Contribution to.

CDF OSX Restore SX Via Unit Crosstle 20.72 %

RCS Cooldown/Depressurization 11.69 %

ODS g.27% - !

ORC Establish ECCS Recirculation ORT Establish RWST Refill . 6.14% l OAL Establish Cool Suction Source for Charging Pump 3.99 %

ORE Restore F=Wi=1 Equipment 3.75 %

ODS2 Recovery ODS 3.62% -

Stop RH Pumps 2.24 %

OSP Establish Normal kH Cooth.g 2.02 %

ONR Establish Alternate Feedwater 1.14 %

ORF s

2.4 Back End Technical Review ,

2.4.1 Containment Analysis / Characterization 2.4.1.1 Front <md Back end E:;: '- *=

Containment event trees (CETs), which are used in teost of the IPEs for Level 2 analysis, are not developed in the Braidwood IPE. De traditional core damage analysis (i.e., level 1) and containment .

analysis (i.e., Level 2) portions of the Probabilistic Risk Assessment (PRA) are integrated in the BraidwoW TPE through the re of " plant response trees" (PRTs) that depict the combinations of ev_ents that model the piant behavior imm the initiating event to an end state characterized by retention of fission products within the containment boundary or release of fission products to the environment.

Since a single event tree (i.e., u.. PRT) is used for both Level 1 and Level 2, the development of plant damage strtes (PDSs) as laterface for the Level 1 and Level 2 analyses is not needed in the Braidwood :

l IPE. However, grouping of core damage sequences to PDSs is performed. it is used to consolidate the large number of accident sequences into a small nun.ber of damage states such that all sequences within '

a particular damage state can be treated as a group for assessing accklent progression, containment

!- response, and fission product release.

l- .

Sequence grouping is discussed in Section 4.1.3.3 of the IPE submittal. De parameters used in the IPE L for sequence grouping include:

37 .

_.__._.u_.._. _. _ _ __ . _ . - - _ _ _ _ . _ _ _ . . . _ - . _ - _ - -

, I. Accident initiator, *

. 2. Core melt thning,

3. Functional fauure, Containment status and Assion product release. t 4.

Accident initiators include transient, loss of support functions (e.g., loss of manaatial service water, component cooling water or de power), loss rf offske power, loss of all ac power (station blackout, SBO), LOCAs, SG'!R,ISLOCA, and secondary side breaks. De timing of core melt can be early (within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months of accident initiation), intermediate (2 to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months ), or late (6 to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months ). ;

One parameter, the RCS pressure, which is considered in most other IPEs for PDS definition is not considered here. RCS pressure is not an important parameter in the Braidwood IPE because all containment challenge mechanisms associated with high pressure melt ejection (HPME), sud as direct containmaat beating (DCH), are dismissed in the IPE as "unlikely" to cause comenlammar failure.

Contributions to the total CDF from the PDSs whh various accident initiators are: 28% from SBO av=,23% imn PDSs whh seguances initiated by loss of essential service water (ESW),9% from small LOCA sequences,9% from large LOCA sequences,9% from medium LOCA sequences, 8% from

- SGTR sequences, and 0.4% from ISLOCA sequences. He most probable PDS is X14K (19% total CDF), a PDS of loss of ESW sequences with late core melt, loss of all ECCS injection, and a late -

containment failure wkh up to 0.1% of the volatiles released. Dis is followed by BI4S (12% total CDF),

a PDS of SBO seguences with intermediate core damage timing, failure of high pressure ECCS injection, and no enatalamam fauure; AE6S (9% of CDF), a PDS of large LOCA sequences, with early core melt, the failure of all ECCS irg}ecsion, and no containment failure; SX9S88 (7% CDF), a PDS of small LOCA seguences, with recirculation failure, and no containment failure; and MX9S, a PDS of medium LOCA sequences, with reeltculation failure, and no containmeot failure.

2.4.1.2 Centainment Event Tree Developonent As discussed above, a single PRT is used in the Braidwood IPE for both the Level 1 and I.evel 2 analyses, he PRT, which is an event tree, is developed and quantified for each initiating event. De PRT explickly includes the analysis of containment systems normally assessed in the Level 2 analysis, and the '

anatalament omdition is addressed in the PRT by the availability of these systems described in the success criteria for cor4=aar integrity. According to the success criteria, integrity is maintained if containment pressure is less than 98 psig, the median failure prer.sure for the Braidwood containment. Based on plant-

speciAc MAAP analyses, containment integrity can be maintained by the operation of one of four RCFCs or one RHR heat exchanger (with associated recirculation train). ,

> De quantification of the containment failun probabilities for Brandwood is based on plant-specific MAAP analyses and phenomenological evaluations of the various failure modes, or machantams, identified in NUREG-1335. De evaluations are presented in Phenomenological Evaluation Summaries (PESs) which t

De second character of this PDS designator, X, which indicates core damage timing, is not defined in the IPE submittal (Table 4.1.3-2).

- 38 7

,,.i , ,s. ,_..e ,,g ,,m. . ,. ._ .,. , . - . _ . , ,

1 are not included in the IPE submittal". However, brief discussions of the evaluations and the results ob*ained from them are provided in the submittal.

De containment failure modes that are aldressed in the PESs include those associated with hydrogen combustion, direct containment beating (DCH), steam explosions, molten corew:oncrete lateraction (MCCI), vessel blowdown, thermal loading on penetrations, containment isolation failure, containment bypass, and containment overpressurization by noncondensible gas generation, steam generation, or hydrogen burn. According ta the submittal, modeling and bounding calculations, based on extensively compiled experimental data, ;A.w,Twe.aiogical uncertainties, and complemented with MAAP calculations ,

in some cases, comprise the general approach taken in these evaluations. Based on these evaluations, all of the above containment failure modes, except for contalamant overpressure by steaming and/or naanandensible gas generation, containment isolation failure, and containment bypass, are considered as "unlikely" failure modes and thus not included in failure quantification. De hek of consideration of these -

failure mesanisms in a strucaured way, sud as can be provided by a CET, precludes a systematic means to examine the relative (quantitative) importance of these failure modes (with the consideration of uncertaintles) an( the effects of some recovery actions (e.g., depressurization) or. Sese failure modes.

Some of the items of interest are the following: ,

Unluely Containment Failure Modes Containment failure modes are discussed in Section 4.3.3 of the IPE submittal. Although all important severe accident containment failure modes that are discussed in NUREG-1335 are addressed in the IPE '

l subminal, most of them are ignored and not evaluated in containment failure quantification. Dese include those associated with the following containment phenomena:

l

1. Hydrogen combustion,

2. Direct containment heating (DCH),

t 3. Steam explosions,

4. Molten core concrete interaction (MCCI),

l 5. Dermal attack of containment penetrations, and

6. Vessel thrust force.

Phenomenological evaluations were performed in the IPE for- the above phenomena. De Menomenological Evaluation Summaries (PESs) investigated botti the likelihood of occurrence and the probable consequences of these accidenfthenomena. De PESs were based on available experimental

l information from the open iterature, as well as information developed using the Fauske d Assoc ates, inc. (FAl) experimental facilities.

~ For the first two phenomena, hydrogen combustion and DCH, conservative estimate of contalamant pressums were obtained and compared with containment pressure capability to determine their effect on containment failure probability. De assessment of hydrogen deflagration assumed in-core hydrogen

! pmduction imm 100tercent oxidation of all Zim,-A.T. and metallic constituents of the lower core plates, l and burning of all available hydrogen inventory in the containment with no energy absorption by aantalament equipment or structures. According to the response to the RAI, this resulted in a containment ,

" Some are pmvided in the licensee's response to the RAI.

39-h

l 1

, \

l pressure rise of 62 psi from hydrogen combustioa, and a total containment pressure less than the median matainment failure pressure'*. For DCH, the containment pressure estimated in the PES is 81 psia if it is combined with a hydrogen burn, and 52 psia if there is no hydrogen burn. De DCH modeling l methodology used in the PlIS included consideration of the debris mass that could potentially be i particulated in the reactor cavity and the instrumental tunnel, and the fraction of entrained (particulate) debris that could escape the reactor cavity and disperse to the containment atmosphere. According to the PES only 15% of entrained core debris was expected to be dispersed to the lower compamnent of the containment.

I De potential of deflagration 4o detonation transition (DDT) was also evaluated to the PES. De DDT potential was estimated using an empirical technique that involves estimating detonation cell size for some l bounding containment Anditions. According to the results, DDT is highly unlikely (to impossible) for .

any compartment within the Braidwood containment. For ex-vessel steam explosion, the potential for 7 containment overpressuriration due to both rapid steam generation or shock waves were investigated and found unlikely to cause containment failure. l

~

All of the above containment phenomena cause containment pressure loads, and the dismissal of these phenomena is based primarily on a comparison of the containment pressure loads to the containment presure capability, whidi is taken to be the median containment failure pressure (i.e., 50% containment failure probability). Even though the pressure load is less than the median failure pressure, there exists a finhe, although small, failure probability if the containment fragility curve (as that presented in the IPE l' submittal) is considered. Als issue is discussed in the licensee's response to the RAI (Level 2 Question 3.5). De licensee's response indicates that the conditional containment failure probability due to the above mechanisms (i.e., steam explosions, DCH, hydrogen deflagration, and hydrogen detonation) could be about 1% if the N =?=4 frag'ulty curve, instead of the median containment failure pressure, is used in the comparison. His probability, according to the licensee, is based on bounding estimates of the ,

~effects of the above loading mechanisms on containment failure. Failure from these mechanisms could cause an early release of up to 10% of the volatiler released (According to the result of a MAAP calculation performed for a the sensitivity study).

Although the assessment of hydrogen combustion and DCH in the IPE seems reasonable, and the estimated containment pressures obtained for these phenomena are described in the IPE submittal as conservative (or bounding), they are less tha'i that estimated for the worst case in NUREG-ll50 for Zion.

For example, for the worst case, the pressure rise in the containment due to HPME for Zion has a mean value of 105 psi, mueb hit hu than that obtained in the PESs for Braidwood. His indicates t'.4 significant uncertainties associated with these 1. ionomena.

Of the containment failure modes dismissed in the Braidwood IPE, MCCI may cause late containment failure. Ex vessel debris coolability is not discussed as an issue in containment failure quantification.

Rather, MCCI is evaluated in the PESs by a simple bounding analysis using empirical parameters

According to the PES attached with the licensee's response to Level 2 RAI,- the post-burn contatamaat pressure based on adiabatic isochoric complete combustion (AICC) is 109 psia for the l SBO sequence. His is less than, but very close to, the median containment failure prasure of 112.7 psia (98 psig), and, according to the fragility curve for Unit 2 (Figure 4.3-4), results in over 20% .

f probability of containment failure (i.e., conditional failure probability).

40

. _ _ _ _ _ . _ _ _ _ _ _ _ _ _ . _ _ _ _ _ . ____ _ _ _ _ _ _ _ _-__ __ _ _ _ _._.._ _ _ _ ._u_ _u

, daermined from experimental data. According to the PES, results of the bounding analysis indicate that melt 4hrough of the containment basemat will not occur within the mission time of 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months .

Questions were raised in the RAI regarding the depth of the core debris in the cavit/ and the effect of non-uniform spread of debris on debris coolability. According to the response, the depth of the debris in the reactor cavity is 25 cm if the entire initial core mass, the Zircalloy mass, the lower core support ~

plate, and l' % of the lower head mass were retained in the cavity and its sump. His depth of corium is treated b the IPE as coolable if there is an overlying water pool. According to the response, this assumptio , is based on experimental results which demonstrate the ability of water to rapidly quench molten d'oris and ingress into debris beds to maintain them coolable indefinitely.

Dere is a sump in the Braidwood cavity which represents a particular case of non-uniform spread within the cavity. Acmrding to the response to the RAI the " PES would provide a basis for assessing that non-uniform corium spreading corresponding to the cavity sump configuration would be coolable." However "At some degree of non4miformity of debris spread.... core debris coolability would be diminished and localized concrete erosion wculd be expected to occur.* but "No method was provided in the PES to detennine bow long such concrete erosion might be expected to occur before terminating due to dilution of the corium with the eroded concrete." Although the sump area is more susceptible to corium attack and is more likely to be penetrated by erosion from CCI, it does not seem to present a significant probleta because of the small releases associated with melt-through.

Ukely Containment Failure Modes ne foWwing containment failure modes are considered in the IPE as likely failure modes and are included in containment failure quantification:

. 1. Containment overpressure,

2. Containment isolation failure, and

3. Containment bypass.

Containment overpressure failure is primarily due to containment pret;surization from the generation of steam and non-condeasable gases when containment heat removal is not available".

Temperature-induced steam generator creep rupture, which is considered in other IPEs, is act considered in the Braidwood PRTs or addressed in the PESs. However, it is discussed in the licensee's response to the RAI (Les el ; Question 3.1). According to the response, ISGTR is not addressed because it is oelihed that the primary system loop seals will not clear and the hot leg and pressurizer surge line, winch are expected to fail before the steam generator tubes, are not likely to reach the temperature levels required for rapid creep rupture follo# 3 core damage. Although temperature-induced bot leg failure is not "Although the containment integrity success criteria require CHR for success, containment failure is not assured in the Level 2 analysis if CHR is not available. For example, CHR may not be available for the PDSs that are assigned in the IPE to Release Category A, a release category that has no containment failure within the 48 hour5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months mission time, but failure may occur without further mitigating action.

41

considered in the IPE base case, it is investigated in the sensitivity study. On the other hand, induced SGTR is not included in the sensitivity study.

k is also stated in the response that, if the loop seals had cleared, for example by the restart of the RCPs per the EOPs, a higher gas temperature throughout the primary system would occur and temperature-induced failure of a steam genmsor tube would become likely (sjthough the bot leg and pressurizer surge lies would remain more likely to fau first). Although no detailed probabilistic treatment of this issue was 4 performed during the preparation of the IPE, an event tree stmesure was developed in the licensee's response to the RAI to estimate the probabuities of temperature-induced RCS failure. De event tree attempted to decompose the phenomenological issues important ta ternperature-induced failures. Using subjective probability values for the issues, the probability of high temperature induced hot leg or surge !

line failurs was estimated to be 35% and the probabuity of induced SGTR was estimated to be 18%. Hey l

were 40% and 245, respectively, if the operator restarts the RCPs. Dase numbers are based on the assignment of the probabuity values for the various issues based on an anaiyst's judgment which are more pesimistic than those used in NUREG 1150 for Zion. De probability ofISGTR used in the NUREG-ih 1150 analysis for probabilityobtained values, rom theZion has event tree a mean an:. lysis provided invalue of 1.8%

the RAI response for toRCS at se do not seem justify the omission of this failure mode fsom IPE quantification, further discussion is not provided in the response. Despite that these probability values are obtained based on an analyst's judgment and may be overly conservative, the licensee could have benefitted from an examination of their implication for IPE quantification.

Omtainment Failure Modesfom IPE Results la the Braidwood IPE, containment bypass is due to SGTR or ISLOCA. Induced SGTR is not included in the quantification. The only failure n,.xle considered for early containment failure is containment

~ isolation failure, and the only late containment failure mode considered in the IPE is tha from containment overpressurization in cases when containment heat removal is not available. A 48-hour mission time is used in the Level 2 analysis. Sequenes that involve core damage within the first 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months (the mission time for Level 1), but no contalument failure until aAer 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months , are assigned a CAM release class (containment success with accident management).

2.4.1J Containment Failure Modes and Dair:g De Braidwood containment ult bnataestrength evaluation is described in Section 4.3.3.1 of the IPE .

l submittal. Containment failure prestures were obtained by a review ot'the Byron /Braidwood T AR and a Sargent & Lundy calculation. Of the several likely containment failun locations identified in the review, the Bunker Ramo electrical penetrations, which are used only in Unit 2, were found to have the lowest mean failur; pressure (108 psig). We containment fragility curve used in the IPE was based upon the fr'. lure pressures at the limiting failure locations and their associated uncertainties (with an assumed 7%

coef5cient of variation). De median ccAalament failure pressure of the fraguity curves are 125 psig for

. Unit I and 98 psig for Unit 2.

The containment fauure pressures and their distributions abtained seem to be consisten, with those obtained in other IPEs. .

I 42

+

4 e

2.4.1.4 radal===d laolation Failure - ;

Connainment isolation status is one of the PRT top events. It is also indicated by the fourth digit in the i 4<ligk PDS designator. De identlAcation of the important contalument penetrations is discussed in some .

detail in Section 4.2.L10 of the IPE submittal. Additional discussion is provided in the licensee's '

reposse to the RAI (Level 2 Question 3.2). With few exceptions, only pipes with diammars greater than t 2 inches are evalumed". Results show that the frequency of containment isolation failure for Braidwood j is about 2.2E 7 Unble 4-8 of the Modified IPE Results submitted with #k mponse to the RAI).

Caa" a'=aat isolation failure sequences are dominated by the RWST sum y&;s to the containment spray pump failing to close, the operator falling to manually initiate phase A rcw&r.ent isolation, and the lastrument bus inverter falling to provide power to the slave relays. According to the descriptions provided in the IPE submittal and the licensee's response to the RAI, all five areas identined in the Generic Letter regarding the evaluation of containment isolation failure are addressed in the IPE. ,

2.4.1.5 System / Human n =ra===

De availability of the' systems ths: are important to Level 2 accident progression is determined in the

. PRT and th ir status is described in PDS definition.

2.4.1.6 Radionuclide Release Characterisation .

Since the Braidwood containment event trees have been incorporated into the PRTs, the PRT end states define the radionuclide release characseristics for Braidwood. As discussed above in Section 2.4.1.1 of this report, the PRT end states (or accident sequences) are grouped to a set of PDSs, and each PDS ,

includes sequence with similar damage states in terms of the initiating event, expected timing of core damage, status of the ECCS and containment heat removal systems, and the state of the containment and

. fission product release. Each PDS tous defines a set of faulted functions that summarizes by function a '

set of system faults that would result in similar radiological consequences. To reduce the number of sequences to be analyzd for source term definition, the PDSs from the top 100 sequences were further -

grouped to 10 PDS groups. De highest frequency sequence from the representative PDS in each PDS

.. group was selected and used as a basis for estimating each group's source term characteristics. De CECO-specific version of the MAAP code was used to simulate the 10 sequences of events for source term definition. De sequences were analyzed for the 48 hour5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months mission time used for Level 2 analysis.

l , De fourth :haracter of the PDS designatpt, whicL characterizes containment status and fission product , .

I release, is used for release engory (RC) definition to summarize the Level 2 results. Among the sirtoen RCs defined seven hcve amaro frequencies. Dey are Fable 4.8 of the Braidwood Modified Results):

1. Release Category S - No contalament failure; leakage only, (53% total CDF) l 2. Release Category A - M containment failure within 48-hour mission time; failure could occur

! aRar 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months without accident management; less than 0.1% volatiles released, (95 total CDF), ,

I l

i i

"A penetration with diameter equal to 2 inches is retained if it is served as a containmaat sump line.

De only penetration of diameter equal to 2 inches retained for further evaluation is that for containment floor drain sump pump to the Auxiliary Building Drain Tank.

43 l

u.m..,e

7- - - - -

.. r

3. new Category K - Late containment failure; less than 0.1% volatiles released (containment failure 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months or longer aRer vessel failure,22% total CDF)

4. She Category L - Late containment failure: up to 1 % volatiles released (containment failure l 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months or longer after vessel failure,8% total CDF)

5. Raiasse Cahgory E - Containment isolation impaired; less than 0.1 % of volatiles released (0.3%

total CDF).

6. Rahmae Category F - Containment isolation impahdc, less than 1 % of volatiles released (0.5%

total CDF).

- 7. Release Category C - Containment bypassed; up to 1% of volatiles released, (7% total CDF).

De release categories are defined to provide a general charn:terization of the release profile obtained in the IPE for Braidwood. Although the classification of the accident sequences to the various release categories is in general adequate, the assignment of SGTR sequences to Release Cat 6 gory C is questionable. According to Table 3.6 of the Modified Results, the release fraction of volatile fission products for the SGTR sequence selected to represent this category (RL7C) is 27%, much greater than the link of 1% of volatlics released used for the C category, it is thus more appropriate te se Release Category T, whIch according to Table 4.1.0-2 of the Lubmittal, involves releases of volatile fission products of up to 50%, to characterire the release of the SGTR sequences.

De licensee agreed in a telephone conference call (involving NRC, BNL and Comed personnel) that,

' based on the information presented in the IPE submittal (including the RAI response) Category T is the correct release category for SGTR sequences. De assignment of all SGTR sequences to the T Category, although conservative, is acceptable. With this change, the conditional probability of significant early release (i.e., for volatiles release greater than 10%) for Braidwood is 6.8%, an average value in IPEs for PWR plants with large dry containments.

~

23.2 Accident Progression and Containanent Perforinance Analysis 2.4.2.1 Severt Accident 7. . #

1

. Sequence selection for fission product release characterization is discussed in Section 4.5.5 of the submittal. Sequences with no containment failure were not evaluated for fission product release. For the remaining sequences in the top 100 sequences, there are 17 different PDSs. Drough combination of PDSs with similar release characteristics,10 PDS groups were selected in the IPE for source term analysis. De sequence with the highest frequency in the representative PDS in each PI's group was l

analyzed by . CECO-specific version if the MAAP code for the determination of the release fractions for i

l the group. De sequences selected for source term calculations include one SGTR sequence, 2 SBO

! sequences,3 small LOCA sequences,1 loss of essential service water sequence, I loss of offsite power sequence, and two steam line break sequences.

De sequences selected for source term analysis seem adequate. However, the groupbg of some PDSs and the selection of the sequence for source term andysis in these PDS groups may not be adequate and

~

need further discussion. For example, the most probable PDS, X14K with 19% total CDF, is grouped to a much less likely PDS, Ll4K with only 0.25 total CDF and Ll4K is selected as the representative -

PDS. De selection of a low frequency sequence (Sequence 86,2.67E-8) to represent all the sequences it. this PDS group (which includes the nu:nber I sequence with frequency of 4.5E 6) should have been 44 i

s h

., ,~.m,,- s.i. . , . , - ,, ,-.,,.-,----~,-v- __

e - . . . . _ ... - ~--.--~.---..L-. .., ._ - , , , , , , ~ . . ... ,,--- - -- m. . - __

justified by further discussion". Even if the source terms for Sequence 86 (0.1% of total CDF) can bound those for Sequence 1, the sequence with the most dominant CDF contribution (16% of total CDF for Sequence 1) should be analyzed (or exaained in more detall) to provide data for IPE quantification and source term definition.

O Besides PDS XL6K, the grouping of PDS RL9K and VX9K to PDS Ll4K would also benefit from additional discussion. PDS RL)K involves SGTR initiated sequences and PDS VX9K involves ISLOCA initiated sequences. Although both have low frequencies (1.8% of CDF for RL9K and 0.34% of CDF for VX9K), the grouping of these bypass sequences to a late failure PDS with less than 0.1% volatiles released would also benefit from discussion.

Despite te above deficiencies, the MAAP calculations performed in the IPE provided a reasonable coverage of the s'qruces that could occur at Braidwood to allow a quantitative undersunding of accident progresion and fission product releases for Braidwood.

2.4.2.2 Dominan,t Contributors: Consistency with IPE Insights Level 2 results on radionuclide release characterization (or containment failure mode definition) are '

discussed in Section 4.5.5 and summarized in Section 7.1 of the submittal. Table 9, below, shows a comparison >of the conditional probabilities for the various containment failure modes obtained from the Braidwood YPE with those obtained from the Surry and 7 ion NUREG-1150 analyses. Results from both the origin 1 and the Modified IPEs are presented in Table 9.

As shown in Table 9, the conditional probabilly of containment bypass for Braidwood is 6.8% of total CDF (Discussions are based on modified IPE results.). All of it is from steam generator tube rupture as an initiating event. Induced SGTR is not considered in the IPE as a credible failure mode. ISLOCA

- initiated sequences (in PDS VX9K) have a frequency of about 0.3% of total CDF but are grouped 'n the IPE to a late failure PDS (PDS Ll4K). A small fraction of SGTR initiated sequences (in PDS RL9K, 1.8% of total CDF) is also grouped to late failure PDS Ll4K.

Sir.x all phenomena that may cause an early containment failure are considered in the IPE as "unlikely" to cause containment failure and are thus not included in failure quantification, the conditional probability of early containment failure for Braidwood is zero. The probability of containment isolation failure is 0.8%. Most of it is from sequences initiated by steam / feed line break (38% of isolation failure), small LOCA (29%), and loss of d power (9%). a

%e selection is appropriate in the original IPE submittal because the contribution from XL6K is negligible. XL6K is the dominant contributor only in the modified IPE results, not in ce original IPE results. According to a telephone conference call with the licensee (involving NRC, BNL, and Comed personnel on June 27,1997) although new sequences with dominating CDF contributions were identified in the modified IPE, additional MAAP calculations were not performed for the modified IPE. 'Ihe soucce terms of these new sequences were defined by tne MAAP calculations for the sequences selected in the original IPE based on an analysts engineering judgement, w

45 .

i

.- 4 f _-

r

- Table 9 Containment Failure as a Percentage of Total CDF Original - Modified Surry ;

ental FaHure Braldwood NUREG-

. Braldwood 1150 IPE+ - FE++ 1150 Early Failure Neglign>le+ + + Negligible + + + 0.7 1.4 h Late Failure 8.4 29.6 5.9 24.0 L Bypass 0.04 6.8 - 12.2 0.7 Isolation Failure 0.2 0.8 Intact 91.4

62.8

81.2 73.0 ,

CDF (1/ry)- 2.7E-5 2.8E-5 4.0E-5 3.4E-4

+ 'Ihe data passneed for P=W_ am sased on Table 7.13 of the IPE subaunal mot 9fied by the boomsee's_ mapaans to RAI Invol 2 Question 3.12.

++- '!1p data presented la this column are based on Table 4-8 of Enclosure 3 *Braidwood Modified IPE results" of the bosasse's response to RAI.

1

+ + + ne Ar r --- that may cause early -*=ia==ar failure are not comedered in containment failure quantifiantion based on f- --- --%ical evaluation summaries prepared by FAI.

locluded in Early Failure, approximately 0.02%

- Included in Early Failure, approximately 0.5%

- - ne ps,4=hiley of *Isenet* anat=ia===* include that from "no cone =ia==at failure within 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months , but failure could eventually occur without further mitigating action" (2.8% CDF in the original IPE submittal and 9.3% in the modified IPE results).

f

~

De conditional probability of late containment failure for Braidwood is 29.6% of total CDF. It is primarily imm containment overpressure failure due to loss of containment heat removal. Because of the long time it takes to melt through the containment basemat, late containment failure by basemat melt-through is not considered as a credible containment failure mode even if the debris is not coolable. Based I

on the results presented in the Modified IPE, the primary contributors to late containment failure are loss of ESW sequences (66% of late failure), SBO sequences (23% of late failure), and SG11t sequences (6%). The individual contribution to late failure from other initiators is less than about IC,. For the various initiating events, 84% of loss of ESW sequences,44% of steam (or feed) ilne break sequences,

~ 24% of SBO sequences, and 21% of'3GTR sequences result in late failure. He conditional pmbability

of late failure for LOCA sequences is small, less than about 2%.

l Comparison of the results from the modl6ed IPE and thc original IPE (see Table 9) sbows a significant

-increase in containment bypass and late containment failure probabilities for the modified IPE. De increase in containment bypass release probability (from 0.04% to 6.8%) is primarily due to the change in the treatment of the SGTR initiated events in the IPE. While most of the SGTRm ' itiated events were considered in tha original IPE to lead to a " Success with Accident Management (SAM)* end state (and thus were not considered for Level 2 source term analysis), some of these sequences, with additional

. evaluation, were considered as core damage sequences and grouped to the containment bypass release I group in the modified IPE. De increase in late containment failure probability (from 8.4% to 29.6%)

is primarily due to the significant increase in the probability of loss of ESW sequences in the modified IPE (less than 1 % in the original IPE and 23.3% in the modified IPE). ESW sequences are more likely 46 l l

I

A~

+ ~ to lead to late containment failure than other sequences because of the loss of cooling to the frontline -

systems. ' For example, Level 2 results indicate that while over 80% of ESW sequences and witn late

= containment failure, less than 25% of SBO seque ices cad with late containment failure.

2.4.2.3 Characterization of rb8=1-==8 Performance-As shown in Table 9, the core dacae frequency (CDF) for Braidwood is lower than that obtained in NUREG-1150 for Zion but similar to that obaland in NUREG-1150 for Surry, ne condklonal pmbability rif containment bypass obtained in the Braidwood IPE is less than that obtained in NUREG-1150 for Surry, but greater than that obtained in NUREG-il50 for Zion. Induced SGTR, which is cmidered in the NUREG ll50 study, is not considered in the Braidwood IPE.

4 Another feature of the Braidwood IPE is the lack of consideration of any early failure modes in containment failure guantification. De early containment failure modes that contribute to NUREG-1150 c:nalyses for Surry and Zion include those from steam emplosion and con 41 ament pressure load associated with HPME Should the data used in the NUREG-1150 analyses for in-vessel steam etolosion (0.8% and 0.08% for low presure and high presure sequences, respectively) and HPME (higher estimated pressure

,in NUREG 1150 than in Braidwood IPE) be used in Braidwood, the conditional probability of early containment failure could be comparable to, or greater than, those ol tained in NUREG-1150 (because of the smaller containment failure pressure for Braidwood).

2.4.2.4 bepect on Equipment Behavior Equipment important for prevention of core damage and/or containment failure was evaluated for survivability for a range of accident conditions postulated in the IPE. To accomplish this task, the Braidwood equipment survivability study was divided into three phases, and the Phase 11 study covers

-the IPE conditions. According to the licensee's response to the RAI (Level 2 Questica 3.11), the Phase 11 equipment rurvivability study was limited in scope to a review of the conditions encountered during a successful recovery from each of the initiating event, ne equipment was thus assessed only for the conditions prior to core damage. For example, as part of the Phase 11 assessment, the Reactor Containment Fan coolers (RCFCs) were considered in the IPE to face their harshest environmental challenge following a Large LOCA imtiator. The challenges to the equipment by the harsh environmental conditions following core damage, sudi as that from aerosol plugging, were considered to be beyond the scope of the IPE. Acmrding to the response to the RAI, the effees of aerosol plugging of RCFC cooling coils are cosidered in the Severe Accident, Management Guidance provided by the Westinghouse Owners ,

Group for trrnbers to use ' i developing Severe Accident Response procedures.

2.4.2.5 Uncertainties and Sensitivity Analysis

! Sensitivity studies were performed in the Braidwood IPE to evaluate the effects of uncertainties of in-vessel and ex-vessel phenomena on containnunt failure timing and related source term release.

Uncertainties were addressed by perform *mg MAAP sensitivity studies, nis was accomplished by varying certain MAAP medel parameters in selected bases:ase sequences. The ranges of MAAP model parameter variation for IPE sensitivity analyses were based on the recommendations provided in EPRI l

documentation. De parameters investigated in the Braidwood sensitivirf studies (for source terir.s)

.l include: 1 i

47

1. RPV failure timing - Ce sensitivity study includes the evaluation of the influence of core rnett progression mcdel (e.g., the MAAP core blockage model), induced isot leg rupture, and primary system loop seal clearing on timing of RPV failure.

2. Contalammt failure timing - The sensitivity study includes the evaluation of the influence of the core melt progression model, ex vessel core debris coolabillry, external vessel cooling, conta!nment failure pressure, increased fragmentation of core debris expelled at vessel failure, delayed vessel failure, snd induced hot leg rupture on wntainment failure timing.

3. Fission product release - he sensitivity study includes the evaluation of the influence of containment failure timing and sir.e on fission product release.

One sensitivity analysis that is of particular interest is the one that involves external vessel cooling. De external cooling model used in the CECO-specific version of the MAAP code basically prevents reactor vessel failure as lon.a as the lower head is submerged by water. As a result, reactor vessel failure was effectively preventpd during sequence calculation for these sensitivity cases. Because of extes. 41 cooling, containment failure time was delayed (by about 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months ) but the release of volatile fission product releases significantly increased (by about 40 times) relative to the base case which assumed vessel falinre one minute after corium relocation to the lower head. In addition to the above effects, the high RCS temperatures that result fmm preventing vessel failure by succc sful externa! .essel cooling may increase the likdihood of creep rupture of the RCS (in the hot leg, surge line, and in steam generator tutss) and result in high:r fission product release. He licensee's response to the RAI (Level 2 Questions 3.8 and 3.9) provides some discussion on these issues, a %c sensitivity studies reponed in the submittal investigated the effects of uncertainties of some parameter

. values used in the MAAP code on calculation results. He effect of uncertainties of accident phenomena on containment failure probability are not included in the sensitivity studies of the IPE submittal but are disaased in the Phenomenological Evaluation Summari.s prepared by the licensee in support of the IPE and in the licensee's response to the RAl. He probabilities of induced SGTR and early containment failure due to energetic events such as those from hydrogen combustion or those associated with IIPME are discussed in the response to the RAl.

2.5 Evaluation of Decay IIcat Removal and Other Safety Issues and CPI 2.5.1 Evaluation oi Decay IIcat Removal 2.5.1.1 Examination of DHR he IPE nodresses decay heat removal (DilR). De decay heat removal is accomplished by the following Braidwood features:

1. During small LOCA: and transient events, decay heat is removed via the auxiliary feedwater system or via alternate feedwater (main feedwater, stutup feedwater or condensatelcondensate booster pumps with depressurization) through the secondary side, if secondary side cooling is not available, feed and bleed operations are needed on the primary side. De feed and bleed requires high pressure injection systems, the pressurizer PORVs and the associated operator actions; o

48 1- __ - - --

4 3

a^ 2.- During medium and large LOCAs, decay heat is removed by the break flow and the ECCS, Dis-includes the Si system, the RHR (or LPI) injection and recirculation subsystems, the charging system and the associated operator actions. Dese systems are backed vp by the containment fan coolers and the shutdown cooling mode of the RHR.-

The IPE describes in detail each system, associated operator actions a.d ha Jware and HRA ,

unavailabilities, along with any simplifying assumptions in modeling the system. For example, alternate sources of auxiliary feedwater (frorn the other unit CST and from the SX system) were not modeled. For non LOCA cases, only the charging system was modeled for success of feed and bleed cooling. De RWST refill is credited, as is the operation of the RCFCs for the decay heat removal.' It should be noted that the RCFCs have a very low unavailability due to the success criteria used (one out of 4).

De licensee notes that a review of NUMARC closure guidelines for the Braidwood sequence

-*% indicates that over 56% of the core damage sequences (in the original IPE) involve a loss of primary and secondary heat removal in the recirculation phase, while 24% (in the original IPE)

involves a loss of both primary and secondary best removal in the injection phase. De licensee then notes that one of t$e causes of failure in the sequences in question is a degraded state of the 4kV system, with one bus failed. His has led to the revision of the procedures to effect the cross-tie even if one bus ils energized (previously the cross-tie was effected only in an SBO). His improvement reduces the CDF -

by 61% and reduces the contribution of AFW and ECCS reciret!ation failures by approximately 25%

each, relative to the original IPE, The modified IPE has many modifications (e.g., in the area of HRA, SAM states resolution, CCF modeling) so that a direct mmparison of the impact of these changes was not made (the sensitivities above are not a comparison between the original and the modified IPE). For example, the AFW failure contribution to the CDF sequences was about 75% in the original IPE, but only about 10% in the

" modified IPE.

Two sensitivity studies were completed relative to decay heat removal. In the first study, an SX pump was modeled as providing sufficient AFW flow through an idle AFW pump (after depressurization) to remove the decay heat. His led to a 62% reduction in the total core damage frequency, la the second study, local v: tion to start the train A AFW pump was considered following a loss of de bus 111. A loss l of this bus contributes about 3% to the CDF and the CDF reduction due to credit for this action was also around 3%. Both of these actions were already proceduralized, but they were not credited in the base model. < a Note that the numerical data in this section comes from the orig' mal IPE, as the modified IPE did not include this section.

. De licensee appears to have fulfilled the request of the generic letter with respect to this issue. No DHR vulnerabilities were identified and the licensee considers the DHR issue resolved.

2.5.1.2 Diverse Manas of DHR De IPE evaluated the diverse means for DHR, as described in the section above.

4 4

49 .

.. .-. ..- , -- - . . . . ~ - - - - . - . . . - - . . - . -- - - . . - _ .

L --,.-

.1

^

2.5.1J Unique Festms of DHR De uniqu feaures e at Braidwood diat directly impacs the ability to provide DHR are described in Section 1.2 (" Key Features").-

2J.2 Other GSIs/USIs Addremed in the Submittal

- No GSIs or USis, other than USI A-45 (DHR Evaluation) are addressed in the submittal.

2.5.3 Response to CPI Program Recommendations He CPI recommendation for PWRs with a dry containment is the evaluation of containment and equipment vulnerabilities to localized hydrogen combustion and the need for improvements. Although '

the effects of hydrogen combustion on containment integrity and equipment are discussed in the submittal, the CPI issue is not specifically addressed. More detailed information on this issue is provided in the

-l l'=mae's respoese,to the RAI (level 2 Question 3.13). According to the response, hydrogen combustion issues are addressei in the PESs, which conclude that hydrogen deflagration and detonation are an unlikely containment failure mode. In addition to the PESs, plant walkdowns were performed at Eraidwood as part of the containment performance evaluation conducted for the Braidwood and Braidwood IPEs. The walkdown team identified the likely hydrogen release points into the containment from the primary system and a couple of locations which had a potential for hydrogen pocketing (i.e.,

the seal table room and the space between the primary shield wall and the secondary shield wall). ,

Subsequent investigation showed that the Braidwood containment has a very low likelihood of localized detonation and the accompanying potential for missile generation.

Severe accident management procedures are currently being prepared for Braidwood and Braidwood Stations. His guidance is based on the WOG Severe Accident Management Guidelines (SAMGs). The SAMGs include SAM straegies for controlling containment hydrogen concentrations to preclude hydrogen burns and/or detonation.

2.6 Vulnerabilities and Plant Improvements 2.6.1 Vulnerability The licensee stated that a potential vulnerability exists with respxt to flooding. His _ )tential vulnerability is addressed in improvement #2 in section 7.6.2 below. In addition, the liceneee used the NUMARC 9104 severe accident issue closure guidelines to assess if any improvements are =~m.

De NUMARC guidelines group sequences in the categories defined in Table 10, with 'mstructions as to what action is needed if a category CDF exceeds a certain threshold value. He Table also shows contributions of the NUMARC category to the CDF at Braidwood. His Table is taken from Table 4-4 of Enclosure 4 of the RAI response.

50 l

-. . . - --. . - = . .- . - .

Table 10 NUMARC Categories and BwS Roolution NUMARC BwS Gewup Action Required (threshold Category CDF (lyr) in /yr) 1A lass of primary and nannattary beat 7.4E-7 < 104; do nothing removal in injection phase IB loss of primary and secondary best 9.43-7 < 104; do nothing removal in recirculation phase IIA 1.3E-5 10d - 10 8, consider induced (seal) LOCA with loss of injection procedural, nunor hardware modifications or SAMG IIB induwd (seal) LOCA with loss of 2.0E4 108 - 10', SAMG recirculation IIIA small LOCA with loss ofinjection 1.5E-7 < 104, do nothing IIIB small LOCA with loss of recirculation 2.2E4 108 - 10', SAMG IEC large/ medium LOCA with loss of 2.4E4 10'8 - 104 , SAMG injection IIID 2.7E4 104 - 10', SAMG larEe/ medium LOCA with loss of recirculation IV accident sequences involving failure of 2.0E-7 < 104, do nothmg reactivity control VA interfacing system LOCA 7.8E-8 < 104, do nothmg VB steam generator tube rupture accidents 2.2E4 104 - 10', consider procedural, minor hardware modification, SAMG De licensee states "For most bins, no actidn is needed, or adequate treatment is to ensure such sequences a are covered in severe an ient management guidance. Bins IIA and VB require cc:iideratica of procalure changes, minor modifications, or treatment in severe accident management guidance. For IIA, the CDF is so close to 1.0E 05 that Comed concludes that procedure changes or minor modifications would not be cost effective. For VB, Comed's conclusk>n is also tt at there is no cost effective procedure or hardware changes to reduce the risk. Therefore, in response to this analysis of the response to the NUMARC Closure Guidelines, Comed's Braidwood Station will " flood-proof" the SX pump rooms."

As indicated above the licensee commits to %J proof' the SX pump rooms in response to the NUMARC closure guidelines. De ==m in question is discussed in the flooding section of this TER, results in a dual unit loss of service water, has a dual unit core damage frequency of 3.2E-5/yr, and is not included in Table 10, or any other results because the licensee takes credit for the flood-proofing.

nat sequence is similar to sequence 1 in Table 7, and would fall into category IIA in Table 10.

51

Also' the licensee did implement or consider several other improvements, as a result of the IPE (but not

- as a result of NUMARC guidelines), which are discussed in the next section.

Vulnerability is not defined in the IK submittal for Level 2, and no Level 2 vulnerabilities were identified in the IPE process.

2.6.2 Proposed Isoprovesnents and Modifications Two Level 1 improvements have resulted from the IPE process. De IPE takes credit for both. In addition, the submistal states that the CECO's insights process identified numerous insights for procedure eahancements to improve opsrator response, both before and _after core damage, as well as strategies anni featurw to be included in Severe Accident Management Guidance. . It is stated in the submittal that much of the generic guidance in the Westinghouse Owners Group Severe ' Accident Management Guidelines is based on the insights from the Zion and Byron (i.e., Braidwood) IPEs.

- De following two Level I improvements are dia-M:

.: 1. Cross-tying emergency ac buses. His insight was identified in the original IPE. Emergency procedurer developed as a result of the blackout rule directed use of this crosstie in the event of an SBO. De principal insight from the original IPE was that there were other situations for which the cross-tie is valuable, i.e., one bus deenergized and equipment on the other bus failed.

Cross-tyirg when only one bus is deenergired had therefore been implemented in the procedures, even prior to the IPE submittal (but was not credited in the original IPE). De CDF change (the original to the enhanced IPE) is a reduction of 1.7E-5/yr (from 2.7E-5/yr, a 61% reduction),

while the SBO CDF was reduced from 6.3E4/yr to 5.1E4/yr, a 20% reduction. (RAI Responses

. Ouesilon 18)

De modified IPE credits causs4ying of either or bth 4 kV buses (141 and 142) to the other unit.

De original and the enhanced IPE (prior to the modified IPE)just credited cross-tying of bus 141.

Crediting both crossties, (on top of allowing crossties in case of one bus energized), reduced the Byron enhanced IPE total CDF a further 11% (the SBO CDF was reduced a further 28%). No such calculation was done for Braidwood, but the results are expected to be similar.

Note that the enhanced IPE apparently differed from the original IPE in allowing the cross-tie

with one bus (.e) energized.

2. Sealing SX pump room ventilation duct. His arose out of consideration tsf pipe rupture events in the SX system some of whidi may lead to a loss of SX or flooding events. He ventilation duct in question would allow propgation of flooding from such an event from a sump room to all SX

pump rooms, leading to a dual unit los: of essential service water event (discussed in the flooding section) with a high frequency. A modification is being developed to prevent the flooding, although installation dates have not yet been established. Removing the credit for this modification would increase the modified IPE CDF by' 3.2E-5/yr. (RAI Responses Question 5)

~

De SBO rule changes are also discussed in the RAI responses. De cross-tying of the emergency ac

buses in case of an SBO was the modification ~ implemented for the SBO rule. No sensitivity was available for this modification as this procedure change is'already embedded in the original IPE.

52 4

"* u -*

wham em mar mem -- +en o , w . , , ,

4

.. De plant anhwa-t resulting from the Level 2 analysis is the installation of an opening in the reactor cavity cover plate. His opening permits adequate flow of water to the reactor cavity from the coolament basement to immerse the vessel lower head before core damage. While the becefit of suel.

an opening was not quantified in the IPE, the licensee felt it was clear that water in the reactor cavity is beneficial, his enhancement is only required for Braidwood. According to the submittal, the cover plate for Byron is "not leak tight" and thus allows water to flow from the containment bs.mment to the reactor cavny. According to licensee's response to the RAI, an opening has been provided in the access plate in Braidwood Unit 1. Installation of such an opening for Braidwood Unit 2 is planned for the next refueling outage.

O T &

53 _

1 i

4

'O

.e 4

e t- sk 54

4

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS De strengths of the Level I IPE analysis are:

1. De treatment of plant specific initiating events is comprehensive;

2. Common cause analysis is applied to most types of components;

3. He plant specific data which was collected for me pumps and the MOVs discriminated based on the system (S! pumps versus CCW pumps, etc.)

4. De submittal contains a good discussion of insights on plant features as well as a comparison of design differences with another CECO plant (Zion) and their impact on the differences in results.

5. De decay-heat removal discussion is relatively comprehensive;

6. De RAI responses were generally very detailed and thorough;

7. The discussion of IPE modifications was also very complete, with generally credible analyses just!fying the modifications.

De weaknesses of the Level 1 analysis are:

1. Dere are questions about some of the data used, for example employment of generic data for the

- MDAFW and DDAFW pumps when plant specific data indicated much higher failure rates. In a subsequent phone conversation, the licensee stated that a sensitivity analysis using plant specific data was performed resulting in a substantial increase in the CDF, 2.

/

In general, there is a lack of plant specific data (which was collected only for the diesel generators, the pumps and the MOVs).

3. Some of the common cause factors used are still low, even with establishment of the floor for such val .a in the modified IPE (this isgomewhat offset by performance of a sensitivity analysis). ,,,

A The documentation .or certain aspects of the rnalysis is not very clear, making it very hard to understand the analysis or some of the results. For example, there is no description of modeling of accident sequences for spe:ific plant response trees (i.e., the PRT logic), nor is there a thorough discussion of the tc,p sequences in the results section. For example, we could not find a complete discussion of the RCP seal LOCA model utilized, offsite power recovery model or modeling of containment failure feedback to the status of ECCS operation. The system section was also not very helpful in answering our questions. Here was no discussion of success criteria where they deviated from the established PWR practice. Subsequent conversations with the licensee led to a satisfactory resolution of these issues.

De HRA review of the Byron /Braidwood modified IPE did not identify any significant problems or errors. A viable approach was used in performing the HRA and nothing in the licensees submittal 55

~

.- indicated thtt, based on the HRA, it failed to meet the objectives of Generic Letter 88-20. Important elements (including weaknesses) pertinent to this determination include the following:

1. De modified IPE . Indicates that utility personnel were involved in the HRA and that the prncedure reviews, plant examinations, and operator action interviews represented a viable process for confirming that the HRA portions of the IPE represent the as built-as operated plant.

- 2. De analysis of pre-initiator human actions included both miscalibrations and restoration faults.

However, while a shorough analysis and evaluation of plant-specific dati relating to pre-initiators -

was performed,- only four restoration faults were actually included in the PRA models. All others were dismissed on the basis of qualitative (and in a few cases quantitative) screening criteria.

While the approach was not without merit, the lack of a full modeling of pre-initiator events (and the lack of a clear explanation of the pre-initiator quantification technique) must be considered a weakness of the modified IPE.

3. De combination of the EPRI Cause Based Decision Tree Methodology (CBDTM) : ..d THERP (NUREG/CR-1278) provided a reasonable basis for assessing post Initiator response type human actions. The CBDTM as applied in the Byron /Braidwood modified IPE does a good job of ;

asse. sing the diagnosis portion of operator actions. In addition, the impact of plant-specific performance shaping fetors was adequately addressed. One limitation of the :BDTM is that it -

does not, in itself, have a unique approach for analyzing time-critical actions. Dat is, those actions where the difference between the time available and the time required to perform the actions is short and the possibility exists for the operators to fail to accomplish the actions in time, are not evalumed directly as a function of time. Therefore, even with the CBDTM, the potential exists for underestimating HEPs for short time frame events. However, the licensee performed an acceptable evaluation to ensure that short-time frame events were not inappropriately quantified. s

4. A thorough treatment of dependencies between post-initiator operator actions was conducted for the modified IPE.

5. De Byron /Braidwood modified IPE presents a list of the important " operator action nodes" as o a function of their contribution to CDF. De licensee noted, however, that "in these lists all cases of each operator action are combined." For example, the OSX event includes OSX-1 [ HEP Byron

= 1.3E-3, Braidwood = 4.0E-4] for LSX sequences as well as OSX-4 [ HEP = 1.G for DSLX "

seque as. As stated by the ' censee, "thus, the operator action importance can be misleamg sirwe k includes cases of defined failure [ HEP = 1.0]." In addition, the top event report does not include events in the fault trees. Rus, the list does not provide useful informntion about the

- important human actions.

He strengths of the Level 2 analyses are the in depth examination and plant specific evaluation of

, . Important containment pheno;nena in the Phenomenological Evaluation Summaries (PESs), and the 4-artansive MAAP calculations performed for source term definition and sensitivity analyses. It seems that :

the licensee has developed an overall appreciation of were accident behavior and a quantitative l

. understanding of the overall probability of core damage and radioactive material releases. He licensee 1 1has also addressed the recommendations of the CPI program. I 56 s

, , v w. , s-cw.-- +-a. _w , <- -. , . , . -- , ____m --_ _ _ _ _ _

I*

There are some weaknesses in the Level 2 IPE:

1. "Ihe most significant weakness is the lack of consideration of some of the containment phenomena in the IPE quantifica: ion model. Except for containment overpressure failure, isolation failure, and

~

bypass, all other containment failure modes are considered as "unlikely" to cause cortainment failure and thus not included in containment failure quantification. These include all phenom-na that may cause early containmerit failure (steam explosica, hydrogen combustion, and DCH), and some phenomena that may cause late containment failure (molten core debris interaction and thermal attack of containment penetrations). Because of the uncertainties associated with these phenomena and containment pressure capability, their contributions to early containment failure may not be negligible. The problem is more significant for Unit 2 becaust of its relatively low containment failure pressure. Although a rough estimate provided in the response to an RAI indicates that the contributions to containment failure probability from these "unlikely failure modes

are s I (about 1% of total CDF) and their exclusion from containment failure quantification tray be justified, the lack of consideration of these failure modes in the IPE in a structured way, such as can be provided by a CET, precludes a systematic means to examine the relative importance of these failure modes and the effects of some recovery actions on these failure modes.

2. De assignment of SGTR sequences to Release Category C is another problem. Release Category C, according to the IPE submittal, involves accident sequences that have up to 1% of the volatiles released. However, the predicted release fraction of volatile fission products for the sequence selected to represent the SGTR sequences is 27%, much greater than the limit of 1% of volatiles for Category C. It is thus more appropriate to use Release Category T (instead of C) to characterize the release of the SGTR sequences. Release Category T is defined as containment byi ss with up to 50% of the volatiles released.

He licensee agreed in a telephone conference call (involving NRC, BNL and Comed personnel) that, based on the information presented in the IPE submittal (including the RAI response)

Category T is the correct release category for SGTR sequences. De assignment of all SGTR sequences to the T Category, although conservative, is acceptable. With this change, the conditional probability of significant early release (i.e., for volatiles release greater than 10%) for Braidwood is 6.8%, about the mean value of all PWR plants with large dry containments.

Alth. tgb the MAAP alculation performed in the IPE for the SGTR case may be con-rvative because the relief valves on the secondary side were assutaed to fail open (e.g., due to excusive cycling)in the calculation, there is no basis in the IPE submittal and the RAI responses to assign the SGTR sequences to the C Category. Any future effort (e.g., additional MAAP calculation) to justify the assignment ot' the SGTR sequences to Category C needs to address the probability of SG valve failure due to adverse operation conditions in severe accidents.

3. Equipment survivability study in the IPE is limited in scope to a review of the conditions encountered during a successful remvery from each of the initiating events. The equipment is thus assessed only for the conditions prior to core damage. For example, the Reactor Containment Fan Coolers (RCFCs) are considered as facing their harshest environmental challenge following a Large LOCA initiator. De challenges to the equipment by the harsh enviromnental conditions following core damage, such as aerosol plugging, were considered to be beyond the scope of the 57

__________ __Z_Zi__r_TJ_r_ _1_n __ _ _ _ _ . _ _ _ _ -

IPE. According to the response to an RAI question, the effects of aerosol plugging of RCFC

< cooling coils are considered in the Severe Accident Management Guidance provided by the Westinghouse Owners Group for members to use in developing Severe Accident Response ;

procedures.

{

His is not a significant deficiency, however, because containment failure due to equipment failure under harsh environmental conditions would be late and most likely with low fission product releases. "Ihe effect on the overall fission product release profile for Braidwood should not be significant because of the a,' ready relatively high contribution from late containment failure for Braidwood (29.6%).

4. De treatment of induced steam generator tube rupture (SGTR) is not well treated in the submittal.

Induced SGTR is not included in the PRT model or addressed in the PESs. Rough estimates of

, the probabilities of hot leg failure and induced SGT2 by creep rupture using a decomposition svent tree structure are presented in the licensee's response to the RAI. It shows an overall probability of induced SGTR of 18%. De probabil!!y is increased to 24% if the RCPs are restarted by the operator. Although these high probability values do not seem to justify the omitting of this failure mode in IPE quantification, further discussion is not provided in the RAI response. It is noted, however, that these probability values are obtained based on an analyst's judgement and may be overly conservative. .(ne probability of induced SGTR obtained in the RAI response is much higher than that obtained in NUREG-ll50.) Since containment bypar.

from SGTR 'nitiated sequences is the dominant failure mode in the IPE, additional contribution to containment bypass from induced SGTR may not change significantly the release profile of the plant. However, this issue needs to be re-examined if contribution from the SGTR initiated sequences to the total CDF is significant!y reduced in a future IPE update.

' 5. Although the sequences selected for source term definition seem adequate, the selection of a sequence with very low frequency to represeni a PDS group that includes the most likely mm and the lack of sufficient discussion on the selection, is a weakness. Even if the source terms defined by the MAAP calculation for the selected sequence can bound or are representative of all the sequences in the PDS group, the most likely sequence with significant CDF contribution should be analyzed (or examined in more detail) to provide data for 110 quantification and source term definition.

On the other hand, the MAAP hlculations performed in the IPE provided a reasonable mverage of the sequences that could occur at Braidwood to allow a quantitative understanding of accident progression and fission product releases for Braidwood.

2 It appears that the licensee has met the objectives of Generic Letter 88-20. Some strengths and several wamb-= of the Level 1, HRA, and I.4 vel 2 analyses have been identified above.

58

v.

o 4. REFERENCES h .. ..

(IPE) Braidwod Nudear Pour Station Individual Plant Examinatica, Commonwealth Edison Company, April,1994.

(RAI Responses} Response to NRC Requestfor Additional information ard Modifed Individual Plant Examination, Byron /Braidwood Nuclear Power Station IPE,"

Commonwealth Edison Company, March,1997.

(EPRI TR-100259) G. W. Parry, et al. An Approach to the Analysis of Operator Actions in PRA, Electric Power Research Institute Report, EPRI TR-100259, Palo Alto, CA, June, 1992.

(M11REGICR-12]8) A. D. Swain and H. E. Guttman, Handbook of Human Re.' bility Analysis with ~

Emphasis on Nudear Pour Applications : Technique for Human Error Rate Prediaion, NUREG/CR-1278, U.S. Nuclear Regulatory Commission, Washington D.C.,1983.

N

=

59

- _ L___ __ ~~r r:r z L :- - _ - _ _ _ _ _ _ _ _ _ _ _-__

ML20198R306

Text

SUMMARY

Navigation menu

Search